2

I would like to redirect DNS requests for specific processes on Windows so that they hit a different set of DNS servers than the default ones configured for my system.

I've looked into doing this, but have come across some blockers. First, where do DNS requests arise from on Windows? Do they come from the process itself, or is there a proxy process that does DNS requests on behalf of all processes? I used 'message analyzer' and it looked like DNS requests were coming from a process called svchost.exe, and not the process itself. Is this correct?

I've looked into WFP (Windows Filtering Platform) and haven't come across any obvious APIs for achieving this. Does WFP offer something, or am I looking in the wrong place? If DNS requests arise from the process itself I could add a filter that redirects port 53 UDP traffic for that process, but it seems like (unless I am mistaken) DNS comes from the svchost.exe process, so this approach cannot work.

If DNS does instead arise from svchost.exe then there must be an RPC/API that a process uses to communicate with that service. Is it possible to hook that RPC/API? I need to find the originating process of the DNS request so that I can customize the DNS servers it actually hits.

horseyguy
  • 1
    *looked like DNS requests were coming from a process called svchost.exe* - in most cases yes (where *dnsrslvr.dll* is loaded). But, say, the new API [`DnsQueryEx`](https://learn.microsoft.com/en-us/windows/win32/api/windns/nf-windns-dnsqueryex) can do an in-process query only, without an RPC call to svchost – RbMm Jul 07 '20 at 14:28
  • @RbMm excellent info, thanks. Is there a way to trace and possibly block/redirect the RPC call to svchost? – horseyguy Jul 07 '20 at 14:29
  • 1
    this is not simple.. some malware injects its own DLL into svchost (where dnsrslvr.dll is loaded) and hooks `Query_Main` (this is an exported function from *dnsapi.dll* and is called while DNS is resolved) and modifies its result – RbMm Jul 07 '20 at 14:36
  • @RbMm Is there a way to tell Windows to do the DNS lookup in the process itself instead of in the service? What if I stop the service, will DNS lookup then happen in the process? – horseyguy Jul 07 '20 at 14:39
  • 1
    no. no such way exists. If you do not use `DnsQueryEx`, there will always be a request to svchost. `DnsQueryEx` is a relatively new API and very rarely used in software. And here whether it will be in-process only depends on the flags in the call ([`DNS_QUERY_BYPASS_CACHE`](https://learn.microsoft.com/en-us/windows/win32/dns/dns-constants) if I am not mistaken), but to control the options you need to inject into the process and hook the API call.. really you have a hard task. With `DNS_QUERY_WIRE_ONLY` it will also be an in-process query – RbMm Jul 07 '20 at 14:45
  • "If DNS does instead arise from svchost.exe then there must be an RPC/API that a process uses to communicate with that service" As being something completely internal and proprietary to Windows, I wouldn't expect an RFC here :-) Also your question is not really about programming, so off-topic here. You will get more help on [sf] I think. Note also that more and more applications, starting with browsers, are doing DNS over HTTPS or over TLS themselves, hence not relying on OS services. Also on Linux you can solve your problem using namespaces; maybe there is something similar in Windows. – Patrick Mevzek Jul 09 '20 at 17:26
  • @PatrickMevzek it is about programming and I already mentioned WFP APIs. In the end I solved this by turning off DNS caching. When DNS caching is off the processes themselves make DNS requests, and those requests can be overridden using a WFP callout driver that intercepts those DNS packets and rewrites the destination address to the DNS servers I want. – horseyguy Jul 09 '20 at 22:43
  • " it is about programming" So where is the source code? – Patrick Mevzek Jul 09 '20 at 22:48
  • @PatrickMevzek let's please not get into a boring argument about this - there are plenty of theoretical questions on here that do not have source code. My question is about which APIs to use to implement per-process DNS - that's absolutely programming, as you cannot achieve this without writing a WFP filter, and that requires low-level driver and C code. Let's not argue - it's just too boring, for the love of god let's not argue. Have a good evening. – horseyguy Jul 09 '20 at 22:50
  • Interesting way to derail the discussion by just saying it is boring. So instead do this: put yourself as someone having your problem (but not being you) in 1 year and stumbling on this question. In its current shape, do you think it would help anyone solve their problem? Without any detail on what you attempted exactly, nor a proper response (the one in your comment is really something completely different from the original question, so if I say X/Y problem will you say it is a boring argument too?), will it be useful? You seem to say it is easy (WFP callout driver) without showing anything. – Patrick Mevzek Jul 09 '20 at 22:57
  • WFP https://stackoverflow.com/questions/58554214/how-to-intercept-dns-queries-in-windows – kaho J Oct 28 '21 at 06:39

1 Answer

1

Just disable the DNSCache (DNS Client) service.

I have disabled the DNSCache service by changing the registry value [HKLM\SYSTEM\CurrentControlSet\Services\Dnscache:Start] to 4 (SERVICE_DISABLED) and rebooting my computer.

Before disabling DNSCache, svchost.exe queries a DNS name

After disabling DNSCache, IE directly queries a DNS name

It is a very simple way, but I'm not sure it's the right way you wanted.

Michael Kim
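The following is an added example, not code from the question, the comments or the answer above. It puts the thread's two observations into a script: first it locates the svchost.exe hosting the Dnscache service and checks that dnsrslvr.dll is loaded there (the point RbMm makes in the comments), then it applies the answer's change (registry Start=4, SERVICE_DISABLED) with a verification and a rollback, and after the reboot it confirms the service is stopped while lookups still succeed, which is what shows the calling process is now sending the UDP/53 packets itself. Assumptions: an elevated PowerShell 5.1+ session on Windows 10/11, a reboot between disabling and testing, and that `Resolve-DnsName` keeps working through the in-process fallback once the service is off (the answer shows this for IE; it is assumed here for the cmdlet). The note that Stop-Service/Set-Service are refused for Dnscache on recent Windows 10 builds is from experience, not from the page.

```powershell
# Added example (not from the question or answer): find the svchost.exe that hosts
# the Dnscache service, confirm dnsrslvr.dll is loaded in it, and toggle the service
# through the registry Start value the answer edits. Assumes an elevated PowerShell
# session on Windows 10/11; a reboot is still needed for the change to take effect.

$DnscacheKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
$SERVICE_AUTO_START = 2
$SERVICE_DISABLED   = 4

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
}

# Which svchost.exe is the DNS client, and is the resolver DLL really loaded there?
function Get-DnscacheHost {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'"
    if (-not $svc -or $svc.ProcessId -eq 0) {
        return [pscustomobject]@{ State = $svc.State; Pid = $null; HasDnsrslvr = $false }
    }
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction Stop
    # Enumerating the modules of a service process needs admin rights.
    $hasDll = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq 'dnsrslvr.dll' })
    [pscustomobject]@{
        State       = $svc.State
        Pid         = $svc.ProcessId
        Image       = $proc.ProcessName
        HasDnsrslvr = $hasDll
    }
}

function Get-DnscacheStart {
    (Get-ItemProperty -Path $DnscacheKey -Name Start).Start
}

# The answer's change: Start=4 (SERVICE_DISABLED). On recent Windows 10 builds the
# service is protected and Stop-Service / Set-Service are refused (assumption from
# experience), which is why the registry route followed by a reboot is used here.
function Disable-DnscacheService {
    Assert-Elevated
    $before = Get-DnscacheStart
    Set-ItemProperty -Path $DnscacheKey -Name Start -Value $SERVICE_DISABLED -Type DWord
    $after = Get-DnscacheStart
    if ($after -ne $SERVICE_DISABLED) { throw "Start is $after, expected $SERVICE_DISABLED" }
    Write-Host "Dnscache Start: $before -> $after. Reboot to apply."
}

function Restore-DnscacheService {
    Assert-Elevated
    Set-ItemProperty -Path $DnscacheKey -Name Start -Value $SERVICE_AUTO_START -Type DWord
    Write-Host "Dnscache Start restored to $SERVICE_AUTO_START (auto). Reboot to apply."
}

# After the reboot: the service must be stopped and a lookup must still succeed.
# With no Dnscache to forward to, the UDP/53 packets now leave from this process,
# which is the condition under which a per-process WFP filter can see them.
function Test-InProcessResolution {
    param([string]$Name = 'example.com')
    $svc = Get-Service -Name Dnscache
    if ($svc.Status -ne 'Stopped') { throw "Dnscache is $($svc.Status); reboot first." }
    $answer = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
    [pscustomobject]@{
        Dnscache   = $svc.Status
        Name       = $Name
        Addresses  = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress)
        ResolvedBy = "PID $PID ($((Get-Process -Id $PID).ProcessName))"
    }
}

# Usage (elevated):
#   Get-DnscacheHost          # before: State Running, HasDnsrslvr True
#   Disable-DnscacheService   # then reboot
#   Test-InProcessResolution  # after: Dnscache Stopped, addresses still returned
#   Restore-DnscacheService   # undo, then reboot
```

Two caveats a practitioner should keep in mind. Disabling Dnscache removes the system-wide cache and the service's handling of NRPT/DNS suffix policy, so every process pays a wire round trip per lookup; it is a lab setting, not a production one. And, as Patrick Mevzek notes in the comments, applications that do DNS over HTTPS or TLS themselves never touch port 53, so neither this change nor a UDP/53 WFP filter affects them.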