feat(bpf): detect DNS resolution failures via UDP/53 eBPF (#22)

[Anushreer22]

What

Implements DNS visibility for Kerno — the #2 silent killer on Kubernetes.
Adds an eBPF program that hooks sendmsg/recvmsg syscalls filtered to UDP
port 53, measures per-pod DNS latency and failure rates token-by-token,
and fires doctor rules when CoreDNS is slow or dropping queries.

Files Changed

File	Purpose
internal/bpf/c/dns_monitor.c	eBPF C program — hooks sys_enter_sendmsg + sys_enter_recvmsg, filters port 53, tracks latency via dns_inflight hash map
internal/bpf/dns_monitor.go	Go loader — attaches both tracepoints, reads ring buffer (build tag: ebpf)
internal/bpf/gen_stub.go	dnsMonitorObjects stub for non-ebpf builds
internal/bpf/events.go	DNSEvent struct + DNSEventType constants matching C struct exactly
internal/bpf/loader.go	EventDNSMonitor = 8 added
internal/collector/dns.go	DNSCollector — aggregates request/response/failure rates, p50/p95/p99 latency histogram, per-process stats, 5s timeout reaper goroutine
internal/collector/signals.go	DNSSnapshot + DNSConsumerEntry types added to Signals
internal/doctor/rules.go	dns_high_latency + dns_failure_rate rules wired into Evaluate()
internal/chaos/dns.go	dns-flood chaos scenario firing concurrent DNS lookups

Doctor Rules

Rule	WARNING	CRITICAL
dns_high_latency	P99 > 100ms	P99 > 500ms
dns_failure_rate	> 1% timeouts	> 5% timeouts

How It Works

1. eBPF hooks sys_enter_sendmsg — records send timestamp in dns_inflight map keyed by (pid, query_id)
2. eBPF hooks sys_enter_recvmsg — emits recv event; userspace looks up send timestamp to compute latency
3. A reaper goroutine runs every 5s to expire in-flight queries with no response → counted as failures
4. Filter is enforced in the eBPF program (port == 53), not userspace — overhead < 0.1% CPU

Acceptance Criteria

• eBPF filter at kernel level (port == 53)
• dns_high_latency: P99 > 100ms = WARNING, > 500ms = CRITICAL
• dns_failure_rate: > 1% = WARNING, > 5% = CRITICAL
• Per-process enrichment via comm + PID
• 5-second failure timeout (no matching response = failed)
• kerno chaos --induce dns-flood pairs with dns_high_latency rule
• Stub added to gen_stub.go so non-ebpf builds compile cleanly
• Bare metal compatible (chaos falls back to 8.8.8.8 if 127.0.0.53 unavailable)

Testing

# Trigger the rules with chaos
kerno chaos --induce dns-flood --duration 30s

# Verify doctor fires DNS findings
kerno doctor

# Verify eBPF verifier passes on kernel 5.15+
make bpf-verify

Closes #22

[github-actions]

🚀 First PR — welcome aboard!

A few things to expect:

1. CI: every PR runs build + race tests + lint + (eventually) the kernel matrix. If something fails, the log will tell you exactly which gate.
2. DCO: every commit needs Signed-off-by: — git commit -s adds it automatically.
3. Conventional Commits: PR titles like feat(doctor): add new rule or fix(bpf): handle X. We squash-merge by default.
4. Review: a maintainer will review within 72 hours. Suggestions are conversations, not orders — push back if something doesn't fit your context.

If you get stuck, reply here or jump to Discussions. We want this PR to land.