Intercept DNS Queries Windows - windows

I would like to be able to intercept DNS queries on my Windows computer by "hooking" into "all of the DNS functions" (Is it possible to intercept dns queries using LSP/SPI?).
So, for example, if I have a config file with contents:
*.example.com
I am hoping to handle these requests with a response of 127.0.0.1. Wildcarding doesn't work in the hosts file (and I also might try logging some queries, too). This can be done from a network level; I want to do it through the host operating system, partially out of a perfectionist bent.
Someone else suggested "Hooking DNSQuery() function calls in dnsapi.lib/dnsapi.dll" (Windows DNS hooks).
Will the mhook library allow me to do what I want to do?
Lastly: I have no intention of making malware; I want to take a bit more control over the traffic my computer(s) are creating.
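An added example, not from the question or any answer, of the logic the question describes: a wildcard rule list in the style of the config file, logging of every query, and a 127.0.0.1 answer for matching names. It works at the DNS-message level so it is independent of where the interception point sits (a DnsQuery hook, an LSP, or a local port-53 listener); the rule list and the query packets are constructed here.

```python
import fnmatch
import socket
import struct

# Constructed rule list in the style of the question's config file (one pattern per line).
RULES = ["*.example.com"]
SINKHOLE_IP = "127.0.0.1"

def parse_question(packet):
    """Return (qname, qtype, qclass, end_offset) for the first question in a DNS message."""
    labels, pos = [], 12                      # the fixed header is 12 bytes
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass, pos + 5

def matches(qname, rules=RULES):
    """Case-insensitive glob match, so *.example.com also covers deeper labels."""
    name = qname.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(name, rule.lower()) for rule in rules)

def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal standard query (RD=1); used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def build_response(query, ip, ttl=60):
    """Answer with one A record: flags QR=1, AA=1, RCODE=0, question section echoed back."""
    _, _, _, end = parse_question(query)
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to the QNAME at offset 12 of the message.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:end] + answer

def handle(query, log):
    """Log every query; sinkhole matching A queries, return None to mean 'forward upstream'."""
    qname, qtype, _, _ = parse_question(query)
    log.append((qname, qtype))
    if qtype == 1 and matches(qname):
        return build_response(query, SINKHOLE_IP)
    return None
```

Only A queries are sinkholed; AAAA and other types for a matching name return None so the caller forwards them, which avoids breaking lookups the rule never meant to cover.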

Related

Per-process DNS in windows

I would like to redirect DNS requests for specific processes on Windows so that they hit a different set of DNS servers than the default ones configured for my system.
I've looked into doing this, but have come across some blockers. First, where do DNS requests arise from on Windows? Do they come from the process itself, or is there a proxy process that does DNS requests on behalf of all processes? I used 'message analyzer' and it looked like DNS requests were coming from a process called svchost.exe, and not the process itself. Is this correct?
I've looked into WFP (Windows Filtering Platform) and haven't come across any obvious APIs for achieving this. Does WFP offer something, or am I looking in the wrong place? If DNS requests arise from the process itself I could add a filter that redirects port 53 UDP traffic for that process, but it seems like (unless I am mistaken) DNS comes from the svchost.exe process, so this approach cannot work.
If DNS does instead arise from svchost.exe then there must be an RPC/API that a process uses to communicate with that service. Is it possible to hook that RPC/API? I need to find the originating process of the DNS request so that I can customize the DNS servers it actually hits.
JUST disable the DNSCache (DNS Client) service.
I have disabled the DNSCache service by changing the registry value [HKLM\SYSTEM\CurrentControlSet\Services\Dnscache:Start] to 4 (SERVICE_DISABLED) and rebooting my computer.
Before disabling DNSCache, svchost.exe queries a DNS name.
After disabling DNSCache, IE directly queries a DNS name.
It is a very simple way, but I'm not sure it's the way you wanted.

Are the IP addresses automatically cached in the recursive DNS when they are returned from the authoritative DNS?

It is said that the recursive DNS refers to its cache first before performing a recursive search on the authoritative DNS. So, I wanted to know how the DNS caching is done. Is it automatic, or if not, what happens? How is the DNS record cached?
Unless you are running a DNS server, the caching is being done by your client or an LDNS. Your system runs something called a resolver (a set of libraries in Linux, the DNS Client service on Windows) whose job it is to take names and turn them into IP addresses, hopefully following the TTL of the returned records. Additionally, browsers and other applications may also add their own level of caching, often not adhering to the TTL returned for the record.
Additionally, your machine will point to another server, either locally or your ISP's, that is your LDNS (local DNS). This is a configuration that's required for proper functioning because it must be specified by IP address, either manually entered or obtained via a mechanism like DHCP.

Using FTP Programs with Automatic Proxy Configuration URL

I've literally searched the internet for the last 5 hours and I have tried every suggestion out there and I'm starting to wonder if what I want to do is simply not possible....
Most webservers only allow X simultaneous connections for uploading/downloading. I simply want to upload my many files faster, by connecting/uploading through various proxies. However, no program I can find has anything for automatic proxy configuration, and only for a specific proxy IP. I have an account with a proxy service that gives you a different IP address for every request/connection made through it. I can connect to this fine from any FTP program, but it appears that the servers are confused when they see different IPs connecting, and there's no way to manually whitelist/authenticate them on the server side, so it simply closes all connections. I even have a list of IP addresses with port/user/pass that I am willing to use, but I can't figure out how to do anything other than use a specific proxy to upload/download from servers.... Is this even possible????
ANY HELP/INPUT IS GREATLY APPRECIATED!!

How to find the external IP from a desktop app. Note: not the local IP

I am working on some legacy code on Windows for a desktop app in "C".
The client needs to know the geo-location of the user who is running the application.
I have the geo-location code all working (using MaxMind: http://dev.maxmind.com/).
But now I'm looking for help in getting their external IP.
From all the discussions on this topic throughout SO and elsewhere it seems that there is a way to do this by connecting to a "reliable" host (server) and then doing some kind of lookup. I'm not too savvy on WinSock but this is the technology that may be the simplest to use.
Another option is to use WinHttpConnect technology.
Both have "C" interfaces.
Thank you for your support and suggestions.
You can write a simple web service that checks the IP address(es) that the program presents when connecting to that web service.
Look at http://whatismyip.com for an example.
Note that multiple addresses can be presented by the HTTP protocol if there are proxy servers along the route.
You can design your simple web service to get the IP of the client. See
How do I get the caller's IP address in a WebMethod?
and then return that address back to the caller.
Note that in about 15% of cases (my experience metric) the geo location will be way off. The classic example is that most AOL users are routed through a small number of proxy servers. However, there are many other cases where the public IP does not match the user's actual location. Additionally, Geo IP databases are sometimes just wrong.
Edit
It is not possible to detect your external IP address using only in-browser code.
The WebSocket has no provision to expose your external IP address.
https://www.rfc-editor.org/rfc/rfc6455
You need an outside server to tell you what IP it sees.
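An added example, not from the answer above, of the server side of such a web service: working out which address to return when, as the answer notes, proxies along the route add further addresses (X-Forwarded-For). The trusted proxy range is a constructed assumption; only hops that sit behind the service's own proxies are walked, so a client cannot spoof its address by sending the header itself.

```python
import ipaddress

# Constructed assumption: the service's own reverse proxies / load balancers live here.
# Only addresses in these ranges are believed when they claim a previous hop.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(addr):
    """True if addr belongs to a proxy the service itself operates."""
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, xff_header=None):
    """Return the external address to report for geolocation, or None if unknown.

    remote_addr is the TCP peer that actually connected; xff_header is the raw
    X-Forwarded-For value, if any. The chain is walked from the right (the peer)
    leftwards, skipping hops that are our own proxies, and the first hop that is
    not ours is the client. Entries to the left of that are client-controlled.
    """
    chain = [remote_addr]
    if xff_header:
        chain = [hop.strip() for hop in xff_header.split(",") if hop.strip()] + chain
    for hop in reversed(chain):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None          # malformed entry: refuse to guess
        if not is_trusted(hop):
            return hop
    return None                  # every hop was an internal proxy
```

The returned address is what the geolocation lookup should use; the answer's caveat that it may still be a far-away proxy (e.g. a carrier's) applies unchanged.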

How do I detect hosts on my LAN?

To help users, I would like my code to discover Oracle databases on the LAN. I thought to do this by first detecting all hosts, then checking each host to see if it is listening on Oracle's default port.
Any ideas how to go about this? Preferably in Java, but any language or algorithm would do.
Are you using DHCP? If so, your DHCP server has a list of the leases it has passed out. That should do you for a list of hosts on the LAN. Then try opening a connection to the Oracle port on each of those hosts and see if it accepts the connection.
It should be pretty simple to implement as a shell script with half a dozen lines or so. Java seems like overkill for something like this. Loop through the leases file, grab the IP from each lease, and telnet to the Oracle port; if it connects, disconnect and print the IP to standard out.
If you want to stay platform-independent, and unless you have access to some kind of database that lists the hosts, the only way to get a list is to try each IP address in the local network - might as well try to connect to the Oracle port on each of them.
There are lots of problems with this approach:
Will only search through the local network, which may only be a small part of the LAN (in case of large companies with lots of subnets)
Can take a long time (you definitely want to reduce the timeout for the connection attempts, but if someone has configured his LAN as a class A network, it will still take forever)
Can trigger all kinds of alerts, such as desktop users' personal firewalls, and intrusion detection systems - because you're doing exactly the same thing someone trying to exploit a security hole in Oracle servers would do
As brazzy points out, scanning for hosts is likely to cause problems, especially if there is a bug in your scanner.
A better approach may be to get the owners of the databases to register them somewhere, for example in a local DNS service (or does Oracle have zeroconf support?), or simply on some intranet webpage or wiki.
You had better register the SID names/addresses with some server at a fixed address (maybe with a simple web service), and then query the list from there. Another approach is the brute-force one (explained by @brazzy) of scanning one or more subnets, but this isn't really a good thing to do.
In case you are looking for a tool, Look@LAN can do this for you. Unfortunately there's no source available...
All of these smart answers are the reasons why many companies do not use the default port. Using a different port for each database is entirely possible, you know.