I was looking (again :)) at the LSP code that comes with the Platform SDK
which I downloaded a couple of months ago. I just wanted to see if an
LSP traps DNS requests, so I modified the WSPSend function by only
adding code to dump to a file any data that is passed in the LPWSABUF
lpBuffers param. Before doing something that would send a DNS query, I
started Ethereal to see any traffic being sent on the wire. After
that, I started a web browser window and accessed a URL (it's not in
the cache). I found out that WSPSend did not print any data sent on
UDP even though a DNS request could be seen on the wire (WSPSend does
get called, though, multiple times). The same code prints data sent on TCP
(like the HTTP traffic of the page I opened). I have debugged the LSP DLL
to see if I am doing something wrong while dumping data to a file, but
the contents of the buffers (being sent as parameters) match the dumped
data. The observation that I made is that every time WSPSend is called
for UDP data, it shows the length of the buffer (LPWSABUF.len) as just
one byte and the contents (LPWSABUF.buf) as 21 hex (!).
I have also logged whenever calls to other send functions such as
WSPSendTo and WSPSendDisconnect are made, but for accessing a URL (and
the DNS query sent as a result), only WSPSend is called (and I am
perfectly OK with that). Since these functions were never being called,
I did not bother logging the data being passed as their parameters.
So my question is: can an LSP be used to trap DNS requests? If yes, then
how can it be done, and any idea on why I am seeing the aforementioned
behavior?
The OS is Windows XP SP2 and I have installed the LSP in two different
ways using the following commands:
- instlsp -i -a -n "MyLSP"
- instlsp -i -o 1001 -o 1002 -n "MyLSP"
Thank you for your help,
sarshah.
I have done a few additional things since yesterday to find out the
issue.
I have restarted the system after installing the LSP. I did it because
an LSP, when installed, is only effective for those processes that are
executed after the LSP installation. So if I want to intercept network
calls by processes that are already running (like different services
or some other user process), then I would have to restart the system.
Still, DNS queries are undetectable.
In order to verify if an LSP can intercept any UDP traffic, I tried to
connect from the machine where the LSP is installed to a TFTP server on a
remote machine (on the LAN). The connection was successful and the LSP
intercepts the data sent over UDP (UDP data dumped in the log file and
compared with the network traffic to verify). From this, I am
suspecting that DNS queries are not sent by a process operating at
user level. I am not sure if this statement is entirely correct.
So far no one has responded to the post. If all the details in the
first post have created ambiguity and I have failed to convey my
question, then let's just forget about all the details about what I did
or did not do and help me find the answer to the following question:
Can an LSP be used to intercept DNS queries? Or can DNS queries not be
intercepted (by an LSP) at user level? (An LSP operates at user level.)
Responses by some of the guys really helped me in one of my posts
related to LSP. If you guys are listening out there... please help
me.
sarshah.
I did not verify this issue, but my assumption is that DNS traffic goes
via TDI providers and all operations are done in Kernel Mode. Consider ways
of traffic interception at kernel mode. For 2k and XP and Vista - a TDI
filter may be enough.
--
V.
This posting is provided "AS IS" with no warranties, and confers no
rights.
<sars...@yahoo.com> wrote in message
news:6f9e9de9-606d-416b...@s12g2000prg.googlegroups.com...
What you can do is to download TdiMon or TdiScope, and look at the output
when making a DNS request. If the "application" is "System", then, for sure,
the requests are generated in a km system thread.
--
V.
"Volodymyr M. Shcherbyna" <v_sch...@online.mvps.org> wrote in message
news:OGDUXKbh...@TK2MSFTNGP04.phx.gbl...
Sorry for the late reply Sarshah, didn't see your message before.
First to answer your question:
>>Can an LSP be used to intercept DNS queries? or DNS queries cannot be intercepted (by LSP) at user level? (LSP operates at user level)
Of course you can intercept DNS queries in an LSP; there is no need to go to
kernel level if your problem is just to intercept DNS queries.
You are very right to confirm that DNS runs over UDP. DNS primarily
uses UDP on port 53 to serve requests. Almost all DNS queries consist
of a single UDP request from the client followed by a single UDP reply
from the server. TCP comes into play only when the response data size
exceeds 512 bytes, or for such tasks as zone transfer. Well, I believe
you don't need to handle the second task as this will hardly come into the
picture, and zone transfer will be in the case of IPv6 only. I believe you
are building your program for Windows users only, so TCP can be skipped
for now (??). To add, DNS queries run over TCP for a few OSes like HP-UX.
Well, focusing on UDP for now -->>
Sarshah, you are making a mistake when you say you are logging inside
WSPSend. WSPSend is meant to work with connected sockets only, that
means TCP. To intercept UDP traffic you need to implement the WSPSendTo
function.
As you said, you verified that you are intercepting UDP using TFTP. I
know TFTP uses UDP on port 69, but I am not sure what calls you
saw in your log. Did you see WSPSendTo logs using TFTP? If not, verify
that you are returning WSPSendTo in the proc table in the WSPStartup
function, which means you are implementing it.
You can check for a DNS query inside the WSPSendTo function by making the
check:
if ("Your Remote Port" == 53 && "Protocol Type" == SOCK_DGRAM) // DNS client
Be sure that you are logging all data; I am not sure at which moment
IE makes a DNS query.
I just verified this: I can get DNS calls by making the above check in
WSPSendTo.
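The WSPSendTo check described in the reply above, as an added example that is not code from this thread or from the Platform SDK LSP sample: the destination-port-53/SOCK_DGRAM test, plus a bounds-checked parser that pulls the queried name out of the datagram so the log records what was asked for rather than raw bytes. It is written portably (Windows or POSIX socket headers) so it compiles and runs outside an LSP. The function names is_dns_datagram, dns_query_name, log_if_dns, classify_ipv4 and sample_name_is, the 10.0.0.1 resolver address and the SAMPLE_QUERY bytes are this example's own constructions; in a real LSP the WSPSendTo hook would pass in the socket type it recorded when WSPSocket created the socket, the lpTo/iToLen pair, and each WSABUF in lpBuffers.

```c
/* Added example (not from the thread or the Platform SDK LSP sample): the
 * UDP/port-53 check for a WSPSendTo hook plus a bounds-checked parser for the
 * queried name. Helper names, resolver 10.0.0.1 and SAMPLE_QUERY are mine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif
#define DNS_PORT 53
#define DNS_HEADER_LEN 12

/* 1 for a datagram to UDP port 53 (IPv4 or IPv6), else 0. WSPSendTo is not
 * told the socket type, so an LSP records it per socket at WSPSocket time. */
int is_dns_datagram(int sock_type, const struct sockaddr *to, int to_len)
{
    if (sock_type != SOCK_DGRAM || to == NULL)
        return 0;
    if (to->sa_family == AF_INET && to_len >= (int)sizeof(struct sockaddr_in))
        return ntohs(((const struct sockaddr_in *)to)->sin_port) == DNS_PORT;
    if (to->sa_family == AF_INET6 && to_len >= (int)sizeof(struct sockaddr_in6))
        return ntohs(((const struct sockaddr_in6 *)to)->sin6_port) == DNS_PORT;
    return 0;
}

/* Copy the first question's name out of a DNS message as a dotted string
 * (empty for the root zone). Returns its length, or -1 for a short or
 * malformed message; every read is bounded by len, so a truncated or hostile
 * datagram cannot run past buf, and a name that would not fit is rejected. */
int dns_query_name(const uint8_t *buf, size_t len, char *out, size_t out_len)
{
    size_t pos = DNS_HEADER_LEN, written = 0;
    if (len < DNS_HEADER_LEN || out_len == 0 || ((buf[4] << 8) | buf[5]) == 0)
        return -1;                               /* too short, or QDCOUNT == 0 */
    for (;;) {
        uint8_t label_len;
        if (pos >= len)
            return -1;                           /* no root label before end */
        label_len = buf[pos++];
        if (label_len == 0)
            break;
        if (label_len > 63 || pos + label_len > len)
            return -1;                           /* also rejects 0xC0 pointers */
        if (written + (written ? 1 : 0) + label_len + 1 > out_len)
            return -1;
        if (written)
            out[written++] = '.';
        memcpy(out + written, buf + pos, label_len);
        written += label_len;
        pos += label_len;
    }
    out[written] = '\0';
    return (int)written;
}

/* Per-WSABUF hook logic: 1 if the datagram was classified as DNS (and logged
 * to fp when fp is not NULL), 0 otherwise. */
int log_if_dns(FILE *fp, int sock_type, const struct sockaddr *to, int to_len,
               const uint8_t *buf, size_t len)
{
    char name[256];
    if (!is_dns_datagram(sock_type, to, to_len))
        return 0;
    if (fp && dns_query_name(buf, len, name, sizeof name) < 0)
        fprintf(fp, "udp/53 datagram of %lu bytes, not a parseable query\n", (unsigned long)len);
    else if (fp)
        fprintf(fp, "DNS query id=0x%04x name=%s\n", (buf[0] << 8) | buf[1], name);
    return 1;
}

/* Constructed sample: standard query for www.example.com, type A, class IN. */
static const uint8_t SAMPLE_QUERY[] = {
    0x1a, 0x2b, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01 };

/* Builds an IPv4 destination for the given port and runs the hook logic on
 * buf, standing in for the lpTo/lpBuffers an LSP receives in WSPSendTo. */
int classify_ipv4(FILE *fp, int sock_type, unsigned short port,
                  const uint8_t *buf, size_t len)
{
    struct sockaddr_in to;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    to.sin_port = htons(port);
    to.sin_addr.s_addr = htonl(0x0A000001);      /* constructed resolver 10.0.0.1 */
    return log_if_dns(fp, sock_type, (const struct sockaddr *)&to, sizeof to, buf, len);
}

/* 1 if the first len bytes of SAMPLE_QUERY parse to exactly the expected name. */
int sample_name_is(size_t len, const char *expected)
{
    char name[256];
    return dns_query_name(SAMPLE_QUERY, len, name, sizeof name) >= 0 &&
           strcmp(name, expected) == 0;
}
```

Calling classify_ipv4(stdout, SOCK_DGRAM, 53, SAMPLE_QUERY, sizeof SAMPLE_QUERY) logs "DNS query id=0x1a2b name=www.example.com", while the same buffer sent to port 69 (the TFTP case from the thread) or over a SOCK_STREAM socket is ignored. Two caveats the thread's own discussion implies: the socket type has to be captured at WSPSocket and kept per socket, because WSPSendTo is not told it; and a response larger than 512 bytes falls back to TCP, which would arrive through WSPConnect/WSPSend to port 53 rather than through this path. The parser rejects compression pointers and oversized labels outright, which is the right posture for a hook that runs inside every process that loaded the LSP.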
Guys, thanks for your responses. Here is what I found out. The problem
completely goes away if I do the following: stop the DNS Client from the
Services list, install the LSP, and now I am getting DNS data in
WSPSendTo. I had logging enabled in WSPSend, WSPSendTo and
WSPSendDisconnect, but if I do not stop the DNS Client service and then
install the LSP, DNS data is not intercepted, not even in WSPSendTo. Any
On Mar 15, 11:13 am, Vishal Swarnkar <vishal.swarn...@gmail.com> wrote:
> On Mar 15, 11:10 am, Vishal Swarnkar <vishal.swarn...@gmail.com> wrote:
> > On Mar 15, 2:18 am, "Volodymyr M. Shcherbyna" <v_scherb...@online.mvps.org> wrote:
> > > What you can do is to download TdiMon or TdiScope, and look at the output
> > > when making a DNS request. If the "application" is "System", then, for sure,
> > > the requests are generated in a km system thread.
> > > --
> > > V.
> > > "Volodymyr M. Shcherbyna" <v_scherb...@online.mvps.org> wrote in message news:OGDUXKbh...@TK2MSFTNGP04.phx.gbl...
> > > > I did not verify this issue, but my assumption is that DNS traffic goes
> > > > via TDI providers and all operations are done in Kernel Mode. Consider ways
> > > > of traffic interception at kernel mode. For 2k and XP and Vista - a TDI
> > > > filter may be enough.
> > > > --
> > > > V.
> > > > <sarsha...@yahoo.com> wrote in message news:6f9e9de9-606d-416b...@s12g2000prg.googlegroups.com...
If you simply reboot the machine, does the LSP intercept data?
--
V.
<sars...@yahoo.com> wrote in message
news:ed693aa6-f4c3-4c20...@d4g2000prg.googlegroups.com...
I simply install the LSP and immediately go for the logs, and I can see DNS
queries being intercepted. Yeah, but I launch IE after installing the LSP so
that my LSP gets loaded properly.
IE is making DNS queries, so they get intercepted by the LSP. If you want
to intercept every query by the DNS Client, then yes, you need a reboot or
a restart of your service so that it loads your LSP. In short, only
those applications which start after installation of your LSP will load
your LSP. (Don't get confused with winlogon and lsass.exe because they
are system critical processes and I don't know how they keep on
refreshing things.)
I tried the following things:
1- I did not stop the DNS Client service and installed the LSP.
Rebooted the machine and used ping to send the DNS request. Did not
log anything.
2- I stopped the DNS Client service and installed the LSP. Did not
restart the machine and used ping to generate a DNS request. The DNS request
was intercepted and logged to file.
Could it be a difference of some settings on my machine, or what?
sarshah
On Mar 18, 1:31 pm, Vishal Swarnkar <vishal.swarn...@gmail.com> wrote:
> On Mar 18, 12:26 pm, "Volodymyr M. Shcherbyna" <v_scherb...@online.mvps.org> wrote:
> > If you simply reboot the machine, does the LSP intercept data?
> > --
> > V.
> > <sarsha...@yahoo.com> wrote in message news:ed693aa6-f4c3-4c20...@d4g2000prg.googlegroups.com...
> > Guys, thanks for your responses. Here is what I found out. The problem
> > completely goes away if I do the following: stop the DNS Client from the
> > Services list, install the LSP, and now I am getting DNS data in
> > WSPSendTo. I had logging enabled in WSPSend, WSPSendTo and
> > WSPSendDisconnect, but if I do not stop the DNS Client service and then
> > install the LSP, DNS data is not intercepted, not even in WSPSendTo. Any
No difference in settings at all.
As I mentioned to you before, only those applications which are
started after your LSP's installation will load your LSP. Applications
which are running before your LSP installation will NOT load your LSP
(again, remember the difference for critical system processes like
winlogon.exe etc.).
So if your service is running and you install the LSP, your service will
NOT load your LSP.
If you stop your service, install the LSP and then start the service, which
means you are STARTING the application AFTER your LSP installation, then
it will load the LSP successfully.
Thanks for your reply. I am sure I am doing something wrong at my end.
Thanks for the clarification. I will again try exactly as you
mentioned.
sarshah