feat(inputs.dns_query): Allow ignoring errors of specific types

[powersj]

Summary

Allows the user to specify ignoring certain error types from printing in the logs.

Checklist

• No AI generated code was used in this PR

Related issues

fixes: #14941

[powersj]

@srebhan thoughts on this method of letting the user ignore errors in the logs? The user would still get a metric as expected indicating the error, but would hide it from the logs?

[srebhan]

@powersj the error in the original issue is NXDOMAIN i.e. non-existing domain. I think this is a valid and usual response given that we want to query the DNS server. So the question is more, should we generate a different metric here in case the operation was not successful.

[powersj]

I think this is a valid and usual response given that we want to query the DNS server

I agree and we currently return the following metric with an error result and the return code of NXDOMAIN:

dns_query,domain=qwe.example.com,rcode=NXDOMAIN,record_type=A,result=error,server=1.1.1.1 query_time_ms=101.723123,result_code=2i,rcode_value=3i 1709918720000000000

should we generate a different metric here in case the operation was not successful.

See above, as we already do return a metric with the error message. The reporter's request was to hide error messages in logs, not modify or change any metric.

[srebhan]

@powersj sorry to be so ambiguous! What I want to say is that a NXDOMAIN answer is valid for an A request (and probably others) and should not cause an error at all! The check and error is there to handle cases where we get some completely unexpected, unrelated and thus invalid answer to the query...

[powersj]

Ahh thanks for the clarification. So how would we determine "completely unexpected"? Would we ignore NXDOMAIN status and log an error for other issues like "SERVFAIL", "BADCOOKIE", "BADALG"?

[powersj]

@srebhan updated PR to omit nxdomain, I'm not sure about the others (maybe YXDOMAIN?) as they do seem to be server or request related:

• FORMERR (Format Error): Indicates that the DNS query was not formatted correctly by the client. The DNS server cannot process the request due to a syntax error.

• SERVFAIL (Server Failure): The DNS server was unable to process the request due to a problem with the server itself. This could be due to a variety of issues, including server overload, network connectivity problems, or configuration errors.

• NXDOMAIN (Non-Existent Domain): The domain name referenced in the query does not exist. This means the DNS server cannot find a corresponding IP address for the queried hostname.

• NOTIMP (Not Implemented): The DNS server does not support the requested type of query. This error is returned when a DNS server or resolver receives a request for a feature or operation that it does not support.

• REFUSED: The DNS server refused to answer for the query. This can be due to several reasons, such as administrative policies where the server is configured to deny certain requests from specific clients or due to rate limiting.

• YXDOMAIN (Name Exists when it should not): Indicates that a name that should not exist, does exist. This error is used in dynamic DNS updates and signifies a failed precondition for an update request.

• XRRSET (RR Set Exists when it should not): Similar to YXDOMAIN, but it specifies that a resource record set that should not exist, does exist. This is also related to dynamic DNS updates.

• NOTAUTH (Not Authorized): The server is not authoritative for the zone specified in the query, or it is not authorized to answer queries for the specified name. This can also indicate a problem with DNSSEC validation.

• NOTZONE (Not in Zone): The name specified in the query is not within the zone that the server is authoritative for. This typically occurs in dynamic DNS updates.

• BADSIG (Bad Signature): Indicates a problem with the DNSSEC signature. The server was unable to verify the signature on the DNS data due to a mismatch or corruption.

• BADKEY (Key not recognized): The server cannot recognize the key used for DNSSEC or TSIG authentication, indicating a possible configuration or communication error.

• BADTIME (Signature out of time window): This error is related to DNSSEC or TSIG and indicates that the signature's timestamp is outside the allowed time window, suggesting a possible replay attack or clock skew.

• BADMODE (Bad TKEY Mode): An incorrect mode field was used in a TKEY query, which is part of a mechanism for establishing shared secret keys.

• BADNAME (Duplicate key name): A request was made to create a key with a name that already exists.

• BADALG (Bad algorithm): The algorithm specified in a DNSSEC or TSIG query is not supported or is unrecognized by the server.

• BADTRUNC (Bad truncation): This error indicates that a truncated response was received, but the truncation was not handled correctly, leading to potential data loss or communication failure.

• BADCOOKIE (Bad/missing server cookie): Part of the DNS Cookies mechanism, this error occurs when there's an issue with the cookie exchanged between the client and server, used to mitigate DNS amplification attacks and other issues.

[telegraf-tiger]

Download PR build artifacts for linux_amd64.tar.gz, darwin_arm64.tar.gz, and windows_amd64.zip.
Downloads for additional architectures and packages are available below.

☺️ This pull request doesn't significantly change the Telegraf binary size (less than 1%)

📦 Click here to get additional PR build artifacts

Artifact URLs

DEB	RPM	TAR GZ	ZIP
amd64.deb	aarch64.rpm	darwin_amd64.tar.gz	windows_amd64.zip
arm64.deb	armel.rpm	darwin_arm64.tar.gz	windows_arm64.zip
armel.deb	armv6hl.rpm	freebsd_amd64.tar.gz	windows_i386.zip
armhf.deb	i386.rpm	freebsd_armv7.tar.gz
i386.deb	ppc64le.rpm	freebsd_i386.tar.gz
mips.deb	riscv64.rpm	linux_amd64.tar.gz
mipsel.deb	s390x.rpm	linux_arm64.tar.gz
ppc64el.deb	x86_64.rpm	linux_armel.tar.gz
riscv64.deb		linux_armhf.tar.gz
s390x.deb		linux_i386.tar.gz
		linux_mips.tar.gz
		linux_mipsel.tar.gz
		linux_ppc64le.tar.gz
		linux_riscv64.tar.gz
		linux_s390x.tar.gz

[srebhan]

LGTM! I think it's now pretty easy to add more errors to ignore if necessary...