DNS: extract geolocation information, if available (#2065)

The option NSID (RFC5001) is used by Google DNS to report the
airport code of the metro where the DNS query is handled.

This option is quite rare, but the added overhead in DNS code is pretty
much zero for "normal" DNS traffic

3 files changed, 8 insertions, 0 deletions

diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 260d956d5..7856ae1a0 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1779,6 +1779,8 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 
     if(flow->flow_extra_info[0] != '\0') fprintf(out, "[%s]", flow->flow_extra_info);
 
+    if(flow->dns.geolocation_iata_code[0] != '\0') fprintf(out, "[GeoLocation: %s]", flow->dns.geolocation_iata_code);
+
     if((flow->src2dst_packets+flow->dst2src_packets) > 5) {
       if(flow->iat_c_to_s && flow->iat_s_to_c) {
 	float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes);
diff --git a/example/reader_util.c b/example/reader_util.c
index d8c4b23f3..7144626ca 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1228,6 +1228,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
       /* For consistency across platforms replace :0: with :: */
       ndpi_patchIPv6Address(flow->info);
     }
+    if(flow->ndpi_flow->protos.dns.geolocation_iata_code[0] != '\0')
+      strcpy(flow->dns.geolocation_iata_code, flow->ndpi_flow->protos.dns.geolocation_iata_code);
   }
   /* MDNS */
   else if(is_ndpi_proto(flow, NDPI_PROTOCOL_MDNS)) {
diff --git a/example/reader_util.h b/example/reader_util.h
index cce243130..9d63278a4 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -294,6 +294,10 @@ typedef struct ndpi_flow_info {
     char *username, *password;
   } telnet;
 
+  struct {
+    char geolocation_iata_code[4];
+  } dns;
+
   ndpi_multimedia_flow_type multimedia_flow_type;
   
   void *src_id, *dst_id;