dns, winsock, winsock-lsp

Is it possible to intercept DNS queries using LSP/SPI?


I wrote my own LSP, which is working fine. However, I cannot catch DNS queries. For example, there is no function like WSPGetHostByName or WSPGetAddrInfo.

My LSP also supports the UDP protocol, but it is not working. If I run nslookup from the console (cmd.exe) it seems to work, but I cannot catch gethostbyname. Does anyone know how to do that? I don't think writing an NSP (Name Service Provider) is a solution. But I might be wrong.

Thanks


Solution

  • We have developed an LSP that can "intercept" DNS queries. The only way to do it is by hooking into all of the DNS functions. Keep in mind there are a few challenges you need to solve:

    1. You need to use a good hooking library that will support both 32-bit and 64-bit code.
    2. The library license must be right for your application; there are some free libraries, but they can be used freely only with free projects.
    3. When you hook the functions, you need to make sure not to modify certain values that are not IP based and defer the query to the real function.

    Intercepting UDP will not work since the queries are going out from the MS DNS client, so unless you write a low-level driver like TDI, NDIS or WFP, you must hook the functions (or write an NSP). NSLookup works for you because it creates the DNS queries itself.
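
Added example, not part of the original answer: because nslookup builds the DNS message itself, a UDP-level provider sees a raw query like the constructed one below, and this portable C parser pulls the queried name out of such a buffer with bounds checks. The helper name `dns_query_name` and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: extract the first question name from a raw DNS query
 * (RFC 1035 layout), e.g. the buffer a UDP send to port 53 carries.
 * Returns the name length written to out, or -1 if malformed. */
int dns_query_name(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    size_t pos = 12, o = 0;                    /* fixed DNS header is 12 bytes */

    if (pkt == NULL || out == NULL || len < 12 || outsz == 0)
        return -1;
    if (pkt[2] & 0x80) return -1;              /* QR bit set: response, not query */
    if (((pkt[4] << 8) | pkt[5]) < 1) return -1;   /* QDCOUNT must be >= 1 */
    for (;;) {
        uint8_t n;
        if (pos >= len) return -1;             /* ran off the end of the datagram */
        n = pkt[pos++];
        if (n == 0) break;                     /* root label ends the name */
        if (n > 63 || pos + n > len) return -1; /* compression pointer or bad length */
        if (o + n + 2 > outsz) return -1;      /* room for '.', label and NUL */
        if (o != 0)
            out[o++] = '.';
        memcpy(out + o, pkt + pos, n);
        o += n;
        pos += n;
    }
    if (pos + 4 > len) return -1;              /* QTYPE and QCLASS must follow */
    out[o] = '\0';
    return (int)o;
}

/* Constructed sample: an A query for "example.com" with recursion desired. */
static const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    char name[256];
    if (dns_query_name(sample_query, sizeof sample_query, name, sizeof name) > 0)
        printf("query for %s\n", name);
    return 0;
}
```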