DnsGetCacheDataTable : Get Local DNS records at kernel mode

Learner · August 8, 2023, 9:03am

Hi
I am new to this kernel space programming, although worked bit on user mode, please excuse my question if its too basic.
I have kernel mode WFP d``river driver, I am trying to Get all DNS entries on system in kernel mode.
I know there is user mode API DnsGetCacheDataTable which gives me list of DNS records on system.
I am similar looking for kernel mode equivalent to get DNS records cached.
I found WskGetAddressInfo which gives name resolution, but did not routine to capture list of all DNS records at kernel mode

Tried to dissemble DnsGetCacheDataTable to check underneath kernel routine call, but looks like usermode DnsGetCacheDataTable calls DNSClient service, does not look like any kernel mode call

00007ffb`b7d99d9b 488d0dbe620300  lea     rcx,[DNSAPI!WPP_SF_qqdd <PERF> (DNSAPI+0x70060) (00007ffb`b7dd0060)]
00007ffb`b7d99da2 ff15e8d20500    call    qword ptr [DNSAPI!_imp_NdrClientCall3 (00007ffb`b7df7090)]

Tim_Roberts · August 8, 2023, 5:38pm

Are you saying you want to access the cached DNS data that already exists, or are you saying you want to intercept all DNS requests from now on?

MBond2 · August 8, 2023, 10:12pm

Inspecting the DNS cache in KM is an odd thing to want to do. Is there a larger goal that you are trying to achieve?

Learner · August 9, 2023, 4:49am

Hi Tim,
I want to access cached DNS records already.

MBond2
I am capturing DNS request/answers using WFP driver. I do not have DNS records those have already cached on the system, so wanted to enumerate already cached records

Scott_Noone_OSR · August 9, 2023, 3:00pm

No way from kernel mode. The cache is stored in the DNS Client service and only accessible to user mode.

MBond2 · August 10, 2023, 12:55am

why not flush the DNS cache after you start tracing the responses in your filter? Ipconfig /flushdns

Learner · August 11, 2023, 8:50am

Thanks Scott and MBond2.

Flushing DNS records seems good option.