Search code examples

Possible to tell whether a DNS query is being answered by the HOSTS file?

Currently using the Dns.GetHostEntry method in our WinForms application, I discovered that some guys trying to bypass our "copy protection" by redirecting lookups to our servers to localhost by changing the IP address in the HOSTS file (i.e. they enter "" to redirect our domain).

Now I asked myself whether I somehow might be able to detect whether a looked up IP address comes from the HOSTS file or from a "real" DNS server.

Of course I might be reading and parsing the HOSTS file by myself but maybe there is a better way?


  • The Dns Query Options you can pass to DnsQuery with p/invoke allow a DNS_QUERY_NO_HOSTS_FILE parameter.

    Here's an example, partial credit goes to the resource on DnsQuery. Note that this only handles the A record type, you'd need to define the other possible DnsData structures to handle other response types.

    public static class DnsFuncs
        [DllImport("dnsapi", EntryPoint = "DnsQuery_W", CharSet = CharSet.Unicode, SetLastError = true, ExactSpelling = true)]
        private static extern int DnsQuery(
            [MarshalAs(UnmanagedType.VBByRefStr)]ref string pszName,
            QueryTypes wType,
            QueryOptions options,
            int aipServers,
            ref IntPtr ppQueryResults,
            int pReserved);
        [DllImport("dnsapi", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern void DnsRecordListFree(
            IntPtr pRecordList, 
            int FreeType);
        private enum QueryOptions
            DNS_QUERY_BYPASS_CACHE = 8,
            DNS_QUERY_DONT_RESET_TTL_VALUES = 0x100000,
            DNS_QUERY_NO_HOSTS_FILE = 0x40,
            DNS_QUERY_NO_LOCAL_NAME = 0x20,
            DNS_QUERY_NO_NETBT = 0x80,
            DNS_QUERY_NO_RECURSION = 4,
            DNS_QUERY_NO_WIRE_QUERY = 0x10,
            DNS_QUERY_RESERVED = -16777216,
            DNS_QUERY_RETURN_MESSAGE = 0x200,
            DNS_QUERY_STANDARD = 0,
            DNS_QUERY_TREAT_AS_FQDN = 0x1000,
            DNS_QUERY_USE_TCP_ONLY = 2,
            DNS_QUERY_WIRE_ONLY = 0x100
        private enum QueryTypes
            DNS_TYPE_A = 1,
            DNS_TYPE_NS = 2,
            DNS_TYPE_CNAME = 5,
            DNS_TYPE_SOA = 6,
            DNS_TYPE_PTR = 12,
            DNS_TYPE_HINFO = 13,
            DNS_TYPE_MX = 15,
            DNS_TYPE_TXT = 16,
            DNS_TYPE_AAAA = 28
        private struct DNS_RECORD
            public IntPtr pNext;
            public string pName;
            public short wType;
            public short wDataLength;
            public int flags;
            public int dwTtl;
            public int dwReserved;
            public DnsData DATA;
            public short wPreference;
            public short Pad;
        private struct DnsData
            public DNS_A_DATA A;
        private struct DNS_A_DATA
            public IP4_ADDRESS IpAddress;
        private struct IP4_ADDRESS
            public UInt32 Ip4Addr;
        public static List<string> GetDnsRecords(string domain)
            IntPtr ptr1 = IntPtr.Zero;
            IntPtr ptr2 = IntPtr.Zero;
            DNS_RECORD recDns;
            DNS_A_DATA recA;
            List<string> Results = new List<string>();
            int RtnVal = DnsQuery(
                ref domain,
                ref ptr1, 
            if (RtnVal != 0)
                throw new Win32Exception(RtnVal);
            for (ptr2 = ptr1; !ptr2.Equals(IntPtr.Zero); ptr2 = recDns.pNext)
                recDns = (DNS_RECORD)Marshal.PtrToStructure(ptr2, typeof(DNS_RECORD));
                if (recDns.wType == 1)
                    recA = (DNS_A_DATA)recDns.DATA.A;
                    string ip = ReverseIPAddr(recA.IpAddress.Ip4Addr);
            DnsRecordListFree(ptr2, 0);
            return Results;
        private static string ReverseIPAddr(UInt32 longIP)
            IPAddress ip = IPAddress.Parse(longIP.ToString());
            byte[] ipBytes = ip.GetAddressBytes();
            string ipAddress = new IPAddress(ipBytes).ToString();
            return ipAddress;