I am trying to block DNS requests using a WFP driver. I am checking DNS port 53 and I am able to get all DNS requests. I wanted to know the exact process that initiated the DNS request: for chrome.exe and nslookup I am able to get the exact process ID, but for some processes (msedge, ping) I am not able to get the exact process ID; instead I am getting the svchost (DNS Client service) PID.
Is there any workaround for how I can get the exact process ID that initiated the DNS query?
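For a port-53 filter like the one described in the question, the block/allow decision is normally made on the DNS question inside the UDP payload, regardless of which process the WFP layer attributes the datagram to (the originating application or the svchost DNS Client service). The following is an added example, not code from this thread or from any WFP sample: a bounds-checked parser for the DNS header and first question, plus a suffix match against a blocklist. The sample packet, the `dns_parse_query`/`dns_should_block` names and the blocklist entries are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Parsed DNS header fields and first question (hypothetical type for this example). */
typedef struct {
    uint16_t id;
    uint16_t qtype;
    uint16_t qclass;
    char     qname[256];   /* dotted name, NUL-terminated */
} dns_question_t;

/*
 * Parse the 12-byte DNS header and the first question from a UDP payload.
 * Returns 0 on success, -1 if the data is not a well-formed query.
 * Rejects responses (QR=1), zero questions, compression pointers in the
 * question section, over-long names, and any field that would run past `len`.
 */
int dns_parse_query(const uint8_t *buf, size_t len, dns_question_t *out)
{
    if (!buf || !out || len < 12) return -1;
    uint16_t flags   = (uint16_t)(buf[2] << 8 | buf[3]);
    uint16_t qdcount = (uint16_t)(buf[4] << 8 | buf[5]);
    if (flags & 0x8000) return -1;      /* QR bit set: a response, not a query */
    if (qdcount == 0) return -1;        /* nothing to inspect */

    out->id = (uint16_t)(buf[0] << 8 | buf[1]);
    size_t pos = 12, outpos = 0;
    for (;;) {
        if (pos >= len) return -1;      /* name runs off the end of the packet */
        uint8_t lab = buf[pos++];
        if (lab == 0) break;            /* root label terminates the name */
        if (lab & 0xC0) return -1;      /* compression pointer: not valid in a query name */
        if (pos + lab > len) return -1; /* label longer than remaining payload */
        if (outpos + lab + 1 >= sizeof out->qname) return -1;  /* name too long */
        if (outpos) out->qname[outpos++] = '.';
        memcpy(out->qname + outpos, buf + pos, lab);
        outpos += lab;
        pos += lab;
    }
    out->qname[outpos] = '\0';
    if (pos + 4 > len) return -1;       /* QTYPE/QCLASS missing */
    out->qtype  = (uint16_t)(buf[pos] << 8 | buf[pos + 1]);
    out->qclass = (uint16_t)(buf[pos + 2] << 8 | buf[pos + 3]);
    return 0;
}

/* Case-insensitive check: qname equals `domain` or is a subdomain of it. */
static int name_matches(const char *qname, const char *domain)
{
    size_t qn = strlen(qname), dn = strlen(domain);
    if (dn == 0 || qn < dn) return 0;
    const char *tail = qname + (qn - dn);
    if (qn > dn && tail[-1] != '.') return 0;   /* must match on a label boundary */
    for (size_t i = 0; i < dn; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)domain[i])) return 0;
    return 1;
}

/* Returns 1 if the parsed question matches any blocklist entry, else 0. */
int dns_should_block(const dns_question_t *q, const char *const *blocklist, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (name_matches(q->qname, blocklist[i])) return 1;
    return 0;
}

/* Constructed sample: standard query, id 0x1234, QNAME example.com, QTYPE A, QCLASS IN. */
static const uint8_t SAMPLE_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    dns_question_t q;
    const char *blocklist[] = { "example.com" };   /* constructed blocklist */
    if (dns_parse_query(SAMPLE_QUERY, sizeof SAMPLE_QUERY, &q) != 0) {
        puts("not a well-formed DNS query");
        return 1;
    }
    printf("id=0x%04x qname=%s qtype=%u qclass=%u block=%d\n",
           q.id, q.qname, q.qtype, q.qclass,
           dns_should_block(&q, blocklist, 1));
    return 0;
}
```

In a real callout the payload pointer and length would come from the WFP classify data rather than a static array; the parser deliberately refuses anything it cannot fully bound so that a malformed datagram is dropped or passed through unparsed instead of being read past its end.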
The DnsQuery APIs use a DNS cache maintained by the DNS Client service. If you disable that service, you’ll see the actual requesting process, but you’ll also disable the DNS cache.
IIRC this is not generally possible. If a UM program hand-crafts DNS query UDP packets and opens a socket to send them on, then sure. But I don’t know of any program that does this. Instead they rely on the name resolution APIs provided by the OS (getaddrinfo etc.). Those APIs will use some mechanism, possibly DNS, to resolve the name. Even in 2024 it could be a local hosts file or WINS or a NetBIOS probe rather than DNS.
Then you have the problem that programs like Edge don’t run in a single process like ‘normal’ programs. But that’s a much larger problem.
Perhaps if you explain what you are trying to do with this information, we might be able to help more.
With that very simple statement of what you are trying to do, I can give the very simple answer: you can’t do that. If you can explain the larger problem you are working on, we might be able to help more.