My task is to block URLs based on domain names. So I tried to retrieve the IP addresses using ‘getaddrinfo’ in a user application and add a filter condition for every IP address in the driver.
I managed to block URLs with a single IP address but am not able to block URLs which contain multiple IP addresses, even after adding filter conditions for all of their IPs.
What can I do to block URLs based on domain names in a KMDF driver?
The normal way to do that is to configure a web proxy, so all web requests go through your proxy. No kernel work required.
It should also be noted that in the same way that a single website (base URL) may reference several IP addresses, a single IP address may also host many websites.
If you want to do full URL filtering, then you really need to operate as a proxy or a transcrypting firewall (firewall that acts as a TLS proxy and views the encrypted content). There are many commercial products that you can choose from that do this job.
If you want to do basic URL filtering, then what you want to do is fail the DNS requests for the URLs of interest. A determined attacker can bypass your protection, but ordinary browsers, including those that implement their own DNS resolution separate from the OS settings, will be prevented from accessing the URLs on your block list regardless of how the network admin has configured that website.
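An added example, not part of any post in this thread: the name-matching step behind failing DNS requests for block-listed domains, written as user-mode C. The block list, function names and sample packets are hypothetical, and only plain DNS queries carried over UDP are handled.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical block list; each entry also covers its subdomains. */
static const char *const BLOCKED[] = { "blocked.example", "ads.example.net" };

/* Copy the first question name of a DNS query into out as lowercase dotted
 * text. Returns -1 for short, response, empty, compressed or oversized input. */
static int dns_qname(const uint8_t *m, size_t len, char *out, size_t cap) {
    size_t i = 12, o = 0;                 /* the fixed header is 12 bytes */
    if (len < 13 || (m[2] & 0x80) || !(m[4] | m[5])) return -1;
    while (i < len && m[i] != 0) {
        size_t n = m[i++];                /* label length; > 63 is not a label */
        if (n > 63 || i + n > len || o + n + 2 > cap) return -1;
        if (o) out[o++] = '.';
        while (n--) out[o++] = (char)tolower(m[i++]);
    }
    if (i >= len || o == 0) return -1;    /* no terminator, or the root name */
    out[o] = '\0';
    return 0;
}

/* 1 if name equals a blocked entry or is a subdomain of one. */
static int is_blocked(const char *name) {
    size_t nl = strlen(name);
    for (size_t k = 0; k < sizeof BLOCKED / sizeof BLOCKED[0]; k++) {
        size_t bl = strlen(BLOCKED[k]);
        if (nl >= bl && strcmp(name + nl - bl, BLOCKED[k]) == 0 &&
            (nl == bl || name[nl - bl - 1] == '.')) return 1;
    }
    return 0;
}

/* Verdict for one UDP port 53 payload: 1 = fail it. Unparseable input passes. */
static int should_fail_query(const uint8_t *m, size_t len) {
    char name[256];
    return dns_qname(m, len, name, sizeof name) == 0 && is_blocked(name);
}

/* Constructed sample queries (type A, class IN). */
static const uint8_t Q_BLOCKED[] = { 0x12,0x34, 1,0, 0,1, 0,0, 0,0, 0,0, 3,'W','W','W',
    7,'b','l','o','c','k','e','d', 7,'e','x','a','m','p','l','e', 0, 0,1, 0,1 };
static const uint8_t Q_LOOKALIKE[] = { 0x12,0x35, 1,0, 0,1, 0,0, 0,0, 0,0,
    10,'n','o','t','b','l','o','c','k','e','d', 7,'e','x','a','m','p','l','e', 0, 0,1, 0,1 };

int main(void) {  /* exit status 0 when the sample verdicts are 1 and 0 */
    return !(should_fail_query(Q_BLOCKED, sizeof Q_BLOCKED) &&
             !should_fail_query(Q_LOOKALIKE, sizeof Q_LOOKALIKE));
}
```

The suffix match is anchored on a label boundary, so `notblocked.example` is not caught by the `blocked.example` entry while `WWW.blocked.example` is.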
> A determined attacker can bypass your protection
@MBond2 Can you please point out how this can be done?
(Disclaimer: I’m the author of an open-source firewall and am planning to add basic domain name filtering.)
Any firewall software that runs on the local machine can be bypassed by connecting a debugger and modifying its behaviour. I also have the option of loading my own driver and having it do whatever is needed. Most users don’t have the ability, but a determined and skillful person can always get around anything on the local machine.
Of course it is also counterproductive since users who can do this can also remove your software or change the settings.