How to filter network connections to specific domain names on Windows
I want to implement a Windows Service that will by default block/allow all network connections and whitelist/blacklist specific domain names (like google.com).

I looked at Windows Filtering Platform but it does not seem that I can filter on domain names, only on exact IPs. The problem is that IPs corresponding to domain names might change over time and there might be multiple for one domain name.

How can I do this filtering on domain names?

Sammy answered 23/3, 2016 at 17:0 Comment(0)
Note that if you only filter by DNS name, your filter can easily be circumvented by using an IP address. So filtering by IP address will be more robust.

You can do reverse IP lookups to get associated domain names. You'll probably want to implement a reverse IP address lookup cache. You would flush entries in the cache when they've exceeded their DNS TTL.

If you want to stick solely with domain names (and depending on where you want to do the filtering) you could hook winsock.dll. See this on SO. Your winsock hook would filter gethostbyname() and other APIs that resolve DNS names.

Orography answered 24/3, 2016 at 0:43 Comment(8)
I indeed need this filter to be robust so that it cannot be circumvented by using IP addresses directly. I really need to {white, black}list domain names though as I cannot know the IP addresses in advance and they might change. I am not sure I get the reverse IP lookups idea though. Wouldn't a DNS lookup be actually more useful as I'd whitelist the IP returned by the DNS query (and flush it after DNS TTL)? – Sammy
Also where would you implement the reverse IP lookup check? You'd need a custom callback routine. I'm not sure it's possible in WFP. – Sammy
If you just have a white list you could create a list of all allowed IP addresses and not worry about reverse lookup. But if you have a black list you will receive "unknown" IP addresses which may not be in the white list and may not be in the black list. Those will have to be looked up. Google for reverse IP lookup. Don't know details of WFP. But if the callback routine can block then you can do the lookup within the routine - perform the lookup synchronously. – Buckbuckaroo
Now that I think of it, when doing a reverse IP lookup you get a resource name (a machine name), not exactly the domain name. I am not sure if that can work then. – Sammy
I'm at work now and am not able to ping out, but as I recall using ping -a results in getting a FQDN. So yes you get a resource name, but the domain name is part of the resource name. You could just match your white list entries against the ending substring of the reverse IP lookup name. – Buckbuckaroo
Is that guaranteed? If I try to reverse IP lookup the following domain name rts.ch whose IP is 146.159.95.38, I get the resource name ns1.p23.dynect.net – Sammy
dynect.net is a dynamic DNS service. I'm not very familiar with the dynamic DNS protocol. You'd have to figure out how it works and special case it. – Buckbuckaroo
I just looked up 146.159.95.38 on yougetsignal.com/tools/web-sites-on-web-server and got the message "Found 14 domains hosted on the same web server as 146.159.95.38". One of the 14 was rts.ch. So the ability of a single IP address to map to different domain names is a wrinkle you'll have to sort through. – Buckbuckaroo
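The TTL-flushed reverse-lookup cache and "ending substring" match discussed in this answer and its comments, as an added Python example that is not from the answer or from any project. PTR_RECORDS, TtlCache, name_in_list and ReverseNameFilter are constructed stand-ins for a real reverse resolver and for the WFP block decision; the dynect.net record reproduces the rts.ch case from the comments to show that such a host is denied by a pure suffix match.

```python
import time

# Constructed PTR records, ip -> (hostname, ttl seconds), standing in for a real
# reverse lookup such as socket.gethostbyaddr(); the second mirrors the rts.ch case.
PTR_RECORDS = {
    "93.184.216.34": ("www.example.com", 300),
    "146.159.95.38": ("ns1.p23.dynect.net", 60),
}

class TtlCache:
    """Reverse-lookup cache whose entries are flushed once their DNS TTL has passed."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}              # key -> (value, expiry timestamp)
    def get(self, key):
        hit = self._entries.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self._clock() >= expires_at:  # stale entry: drop it and report a miss
            del self._entries[key]
            return None
        return value
    def put(self, key, value, ttl):
        self._entries[key] = (value, self._clock() + ttl)

def name_in_list(hostname, names):
    """True if hostname equals an entry or is a subdomain of it (label-aligned)."""
    host = hostname.rstrip(".").lower()
    for entry in names:
        entry = entry.rstrip(".").lower()
        if host == entry or host.endswith("." + entry):
            return True
    return False

class ReverseNameFilter:
    """Allow an IP only when its reverse-lookup name falls under an allowlisted domain."""
    def __init__(self, allowlist, lookup=PTR_RECORDS.get, clock=time.time):
        self.allowlist, self.lookup = list(allowlist), lookup
        self.cache = TtlCache(clock)
        self.lookups = 0                # real lookups performed, to show cache hits
    def allow(self, ip):
        name = self.cache.get(ip)
        if name is None:
            self.lookups += 1
            record = self.lookup(ip)
            if record is None:          # no PTR record at all: fail closed
                return False
            name, ttl = record
            self.cache.put(ip, name, ttl)
        return name_in_list(name, self.allowlist)
```

The label-aligned comparison (`"." + entry`) is what keeps `notexample.com` from matching an allowlist entry of `example.com`, which a bare ending-substring check would accept.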
Before your browser connects to the host identified by the domain name it issues a DNS query for that domain name. You can create a network filter driver to intercept DNS response packets and even modify them. For example, if the specific domain name is blacklisted then you can modify the DNS response and change the IP address to the IP of a host with an HTTP server which shows a message like "Web-site is blocked".

Another possible approach is playing around with the HTTP GET request. You can detect the forbidden URL in the packet and drop the session or optionally forge and inject a redirect packet. There is a sample code named wwwcensor which demonstrates how this can be done.

A more complex approach is implementing a redirector + HTTP proxy: a redirector built on a packet filter driver can transparently redirect outgoing connections to a local HTTP proxy which in turn can decide what to do with the particular session. The sample source code LAN HTTP Monitor demonstrates how this can be implemented. Although this sample is supposed to run on the gateway (for example, on a Windows host with ICS enabled) and redirect connections from the LAN to the Internet, it can be easily modified to redirect local connections.

DISCLOSURE: I authored the sample code mentioned in this post.

Sanctimony answered 23/3, 2016 at 17:1 Comment(0)