I would like to redirect DNS requests for specific processes on Windows so that they hit a different set of DNS servers than the default ones configured for my system.
I've looked into doing this, but have come across some blockers. First, where do DNS requests arise from on Windows? Do they come from the process itself, or is there a proxy process that does DNS requests on behalf of all processes? I used 'Message Analyzer' and it looked like DNS requests were coming from a process called svchost.exe, and not the process itself. Is this correct?
I've looked into WFP (Windows Filtering Platform) and haven't come across any obvious APIs for achieving this - does WFP offer something, or am I looking in the wrong place? If DNS requests arise from the process itself I could add a filter that redirects port 53 UDP traffic for that process, but it seems like (unless I am mistaken) DNS comes from the svchost.exe process, so this approach cannot work.
If DNS does instead arise from svchost.exe then there must be an RPC/API that a process uses to communicate with that service; is it possible to hook that RPC/API? I need to find the originating process of the DNS request so that I can customize the DNS servers it actually hits.
JUST disable the DNSCache (DNS Client) service.
I have disabled the DNSCache service by changing the registry value [HKLM\SYSTEM\CurrentControlSet\Services\Dnscache:Start] to 4 (SERVICE_DISABLED) and rebooting my computer.
Before disabling DNSCache, svchost.exe queries a DNS name.
After disabling DNSCache, IE directly queries a DNS name.
It is a very simple way, but I'm not sure it's the way you wanted.
The goal of this is to redirect the traffic from a specific application (the process name matching a specific text) to a separate gateway address without interfering with other traffic going through my main gateway, since there are network shares and other servers connected that cannot lose the connection. I have already been able to redirect specific IPs that I found in the Resource Monitor, but they constantly change and sometimes parts of programs access different servers which I cannot see until they are used, obviously.
The desired end result would be a list of IP addresses that the given process is using. On this list I want to run a loop which basically routes the IP addresses to the other gateway:
route add IP mask 255.255.255.255 otherGateway
SysInternals TCPVcon (TCPView for console) can do that. It has a command line option to output the result as CSV.
tcpvcon [-a] [-c] [-n] [process name or PID]
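As an added illustration of the loop the question describes (not code from the answer or from SysInternals), here is a parser that takes tcpvcon CSV output, collects the unique remote addresses for one process and turns them into the per-host `route add` lines. The column layout, the sample CSV rows and the gateway address are assumptions; check the column order against the tcpvcon version you run.

```python
import csv
import ipaddress
from io import StringIO

# Column layout assumed for `tcpvcon -c` output (verify against your version):
# protocol, process, pid, state, local endpoint, remote endpoint.
COLUMNS = ("proto", "process", "pid", "state", "local", "remote")

# Constructed sample of tcpvcon -c output; not real captured data.
SAMPLE_CSV = """\
TCP,foo.exe,1234,ESTABLISHED,10.0.0.5:51000,203.0.113.10:443
TCP,foo.exe,1234,ESTABLISHED,10.0.0.5:51001,203.0.113.11:443
TCP,foo.exe,1234,LISTENING,0.0.0.0:8080,0.0.0.0:0
TCP,foo.exe,1234,ESTABLISHED,10.0.0.5:51002,203.0.113.10:80
UDP,foo.exe,1234,,10.0.0.5:53000,*:*
TCP,bar.exe,999,ESTABLISHED,10.0.0.5:51003,198.51.100.7:443
"""


def remote_ips(csv_text, process_name):
    """Return the unique remote IPv4 peers of one process, sorted by address."""
    ips = set()
    for row in csv.DictReader(StringIO(csv_text), fieldnames=COLUMNS):
        if row["process"].lower() != process_name.lower():
            continue
        host, _, _port = row["remote"].rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:  # '*' or an empty endpoint (unbound UDP socket)
            continue
        # Listening sockets and loopback peers need no host route.
        if ip.is_unspecified or ip.is_loopback:
            continue
        ips.add(str(ip))
    return sorted(ips, key=ipaddress.ip_address)


def route_commands(ips, gateway):
    """Build one `route add` line per peer (mask 255.255.255.255 = one host)."""
    return [f"route add {ip} mask 255.255.255.255 {gateway}" for ip in ips]


if __name__ == "__main__":
    # 10.0.0.254 is an assumed alternate gateway.
    for line in route_commands(remote_ips(SAMPLE_CSV, "foo.exe"), "10.0.0.254"):
        print(line)
```

Re-run the snapshot periodically, since (as the other answer notes) the peer addresses change and child processes open their own connections.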
Use the proxy setting in the app. If there is nothing about a proxy, try using ProxyCap or similar software.
Alternatively you can use ProcMon and TCPView to get all connections made by the process.
But beware of:
network calls can be made by child processes (e.g., app.exe starts PowerShell, which makes the request)
IP addresses can change for many reasons.
I would like to be able to intercept DNS queries on my Windows computer by "hooking" into "all of the DNS functions" (Is it possible to intercept dns queries using LSP/SPI?).
So, for example, if I have a config file with contents:
*.example.com
I am hoping to handle these requests with a response of 127.0.0.1. Wildcarding doesn't work in the hosts file (and I also might try logging some queries, too). This can be done from a network level; I want to do it through the host operating system, partially out of a perfectionist bent.
Someone else suggested "Hooking DnsQuery() function calls in dnsapi.lib/dnsapi.dll" (Windows DNS hooks).
Will the mhook library allow me to do what I want to do?
Lastly: I have no intention of making malware; I want to take a bit more control over the traffic my computer(s) are creating.
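Whatever hooking mechanism ends up delivering the queried name, the part the question actually specifies is the decision logic: a config file of wildcard patterns like `*.example.com`, answered with 127.0.0.1, plus optional logging. The following is an added example of that matching logic (not code from the post or from mhook); the config text is constructed, and it assumes `*.example.com` matches subdomains only, not the bare apex name.

```python
# Constructed config in the shape the post describes: one pattern per line,
# optionally followed by the address to answer with (default 127.0.0.1).
CONFIG_TEXT = """
# comments and blank lines are ignored
*.example.com
*.tracker.example.net   0.0.0.0
exact.example.org
"""


def parse_rules(text):
    """Return a list of (pattern, answer) tuples in config order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        pattern = parts[0].lower().rstrip(".")
        answer = parts[1] if len(parts) > 1 else "127.0.0.1"
        rules.append((pattern, answer))
    return rules


def matches(pattern, name):
    """'*.example.com' matches any name with at least one label before
    example.com; the apex itself is not matched (assumption, see lead-in)."""
    name = name.lower().rstrip(".")  # DNS names are case-insensitive
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern


def override_for(name, rules, log=None):
    """Return the address to answer with, or None to let the query through."""
    for pattern, answer in rules:
        if matches(pattern, name):
            if log is not None:
                log.append(f"intercepted {name} -> {answer} (rule {pattern})")
            return answer
    if log is not None:
        log.append(f"passthrough {name}")
    return None
```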
It is said that the recursive DNS refers to its cache first before performing recursive search on the authoritative DNS. So, I wanted to know how is the DNS caching done. Is it automatic or if no, what happens? How is the DNS record cached?
Unless you are running a DNS server, the caching is being done by your client or an LDNS. Your system runs something called a resolver (a set of libraries on Linux, the DNS Client service on Windows) whose job it is to take names and turn them into IP addresses, hopefully following the TTL of the returned records. Additionally, browsers and other applications may also add their own level of caching, often not adhering to the TTL returned for the record.
Additionally, your machine will point to another server, either locally or your ISP's, that is your LDNS (local DNS). This is a configuration that's required for proper functioning because it must be specified by IP address, either manually entered or obtained via a mechanism like DHCP.
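To make the "check the cache first, then query upstream, following the TTL" behaviour concrete, here is an added stub of a resolver cache (not code from the answer or from any real resolver). The upstream records and the injectable clock are constructed so the expiry behaviour can be stepped through offline.

```python
import time

# Constructed stand-in for the answers an LDNS/authoritative server would
# return: name -> (addresses, TTL in seconds).
UPSTREAM_RECORDS = {
    "www.example.com": (["203.0.113.10"], 300),
    "short.example.com": (["203.0.113.20"], 5),
}


class ResolverCache:
    """Minimal cache that serves a record only while its TTL has not run out."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock              # injectable for deterministic tests
        self._entries = {}               # name -> (addresses, expiry time)
        self.upstream_queries = 0        # how often we had to go upstream

    def _lookup_upstream(self, name):
        # Real resolvers send the question to the configured server here.
        self.upstream_queries += 1
        return UPSTREAM_RECORDS[name]

    def resolve(self, name):
        """Return (addresses, remaining TTL); serves from cache until expiry."""
        name = name.lower().rstrip(".")
        now = self._clock()
        hit = self._entries.get(name)
        if hit is not None and hit[1] > now:
            # Cache hit: report the TTL counted down, as a caching resolver does.
            return hit[0], int(hit[1] - now)
        addresses, ttl = self._lookup_upstream(name)
        self._entries[name] = (addresses, now + ttl)
        return addresses, ttl
```

An application-level cache that ignores the TTL would simply skip the expiry comparison, which is exactly why stale addresses linger in browsers after a DNS change.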
The project I'm working on is to handle data capture from scan guns (Pocket PC 2003) and process this data on a host (Win XP) then into our inventory database on a separate server (Win 2000). This is all driven by the Remoting framework provided by MS and As Good As It Gets (http://gotcf.net). The application is complete enough for a general proof of concept with both the client and server working properly while in the emulator.
All is well until I began to test using actual scan guns. Due to security concerns, the scanners are on a separate network (for clarification the 10 network) than the server (the 15 network). My development machine has dual NIC connected to both networks and can communicate with both independently. However, I am having issues with my application receiving information from the 10 network using .Net Remoting, and then sending out information to the server on the 15 network via a third party app (Combination of ODBC, Btrieve, and OLE).
Is there any way to process information from one network and then update the server on another?
Any suggestions will be greatly appreciated!
Note: I'm not very familiar with networking, thus I may be calling it the wrong name, but the gun IPs start with 10.*.*.* and the server IPs start with 15.*.*.*
So long as the computer's routing table is properly configured, you shouldn't have to worry about this from your application. So long as you're using the proper IP addresses, the networking stack should take care of delivering things to the right place.
You might want to check the output of "route print" (at least I think that was available on WinXP -- if not, someone else will likely post the correct command for XP soon). In any case, you should see what network destinations are configured for which interfaces. You'll need to make sure that the server's IP on the 15 network will properly route via the interface you want (i.e. the lowest-cost matching destination/netmask lists your 15 interface).
The issue seems to stem from both the NIC cards not set up properly and a so far unresolved issue with the frameworks I've chosen.
To solve the NIC problem, the easiest solution I'd found had me clear the default gateway on the 10 network.
The other issue deals with recreating the remoting objects after they've been destroyed. I currently have to warm boot the scanner in order to re-connect to the host. In order to correct this issue I'm going to contact As Good As It Gets to see what their input is. Damn firewall
(Image: http://img440.imageshack.us/img440/6950/problemyd1.png)
(The curly lines with dots represent a network route.)
Having a process called "foo.exe", is there a way to forward everything it communicates over TCP/IP to a forwarding proxy located elsewhere? This forwarding should not reflect to other processes.
Another question: if there are multiple network adapters, is it possible to force a process to use one specific adapter?
Since in this example the targethost.com is known, I could just edit "system32\drivers\etc\hosts" to map targethost.com's IP to localhost, where on port 8765 would be the first forwarder waiting for an incoming connection and pass everything forward to proxy.foo.com. I was wondering if there's a more elegant way of doing this.
This is not for malware, I'm doing some network testing with my complex home network. Thank you for warning us.
Some free software for this would be perfect, alternatively a code idea (native or .net). Thank you very much.
It's not too hard if you make your own computer a firewall, then your app connects to a port on your own computer, and that port is forwarded to both the original destination and logged or forwarded on to your spying computer.
Alternatively you can make your other computer the firewall and have it log/forward the info.
Finally you could use a sniffer.
SocksCap will probably do the job (if you're OK with establishing a SOCKS proxy at proxy.foo.com).
You could hook into the TCP stack, for example, by using the Windows Filtering Platform or its predecessors, or you could substitute the network libraries/calls of that particular process.