RE: Filtering name resolution with TDI filter

Dave,

Thanks for your answer.
I need to check the address that results from a name resolution to make
sure that this address is safe to use.
I was trying to get the address for the “Address File Object” that was
created, but I only got local references such as 0:1028.
Is an “Address File Object” usually shared among several processes?
I’m using PING.EXE to make some observations, and I noted that only one
“Address File Object” is created. I can’t see any reference to the host
name in the EA info in the IRP_MJ_CREATE parameters, only the same IP
address 0:1028.
As we know, there isn’t a call to ASSOCIATE_ADDRESS because it is a
connectionless action. So, when is the address supplied to make the FO
refer to it?

Any help is welcome.
Regards,
Fernando R. Silva

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David R. Cattley
Sent: Wednesday, May 31, 2006 6:26 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Filtering name resolution with TDI filter

Fernando,

DNS name resolution is built on TCP and UDP. The DNS ‘client’ resolver
is quite simply a Winsock client in usermode. You have many options to
‘filter’ this behavior but TDI_QUERY_ADDRESS_INFO is not one of them.
That will only give you information about the TDI ‘address file object’,
probably not what you are looking for.

Just what do you need to ‘filter’ in the DNS process? Have you
considered a layered service provider?

Good Luck,
Dave Cattley

David R. Cattley
Consulting Engineer
Systems Software Development


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Fernando Roberto
Sent: Wednesday, May 31, 2006 12:20 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Filtering name resolution with TDI filter
Hi all,

Is it possible to filter DNS name resolution with TDI filter?
I used TDI_QUERY_ADDRESS_INFO to try to monitor this action, but I can’t
get the right input and output parameters yet.

Am I going the right way?

Thanks in advance,
Fernando Roberto da Silva.


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


You need to understand how DNS works before you continue. As David
said, DNS is a protocol that is built “on top of” TCP/IP and UDP/IP.
You will never see a hostname anywhere in the binding information for
TCP/IP or UDP/IP sockets – it just doesn’t make sense. IP doesn’t have
any notion of hostnames – IP deals only with IP addresses. The only
binding information for the IP4 stack is IP4 addresses (x.x.x.x), and
the only binding information for the IP6 stack is IP6 addresses
(yy:yy:…:yy).

Consider how ping.exe works. Ping sends an ICMP ECHO message to a
remote IP host, and then waits for a reply message. ICMP is layered
directly on top of IP. So if you look at the packets with a network
sniffer, you’ll see the IP header, followed by the ICMP message body.
The IP header contains the source and destination IP addresses – both
of which are 32 bits (4 octets). When the remote host receives the
message, it will build an ICMP reply, with the source and destination
addresses swapped, and send it to the network.

There is not a hostname anywhere in those ICMP messages. So how does
Ping send a message to a hostname? It uses the DNS protocol to
translate a domain name to an IP address. In the simplest case, your
machine sends a DNS question to a DNS server, and receives a DNS reply.
The DNS question contains the domain name you want to send an ICMP ECHO
message to. The DNS reply contains the corresponding IP address.

In most cases, it’s a bit more complicated than this. The software
component that translates DNS domain names to IP addresses (and other
resource records) is usually called a DNS “resolver”. In Windows, part
of the resolver lives in the WinSock API, and part of it (the cache)
lives in a separate service process (the DNSCache service, display name
“DNS Client”).

Because there’s a cache involved, you may not see any DNS messages *at
all* when you ping a domain name, if you are pinging the same domain
name every time. You can use “ipconfig /flushdns” to clear the cache,
and “ipconfig /displaydns” to view the contents of the cache.

The key message here is that you need to understand how DNS works, and
even how TCP/IP and UDP/IP protocol layering works. DNS is *not* part
of TCP/IP or UDP/IP. To the TCP/IP stack, DNS is just another
application protocol – it lives at the same layer as Telnet, FTP, SMB,
and all the usual application-layer protocols. Virtually all TCP/IP
programs use the DNS resolver to translate names to IP addresses, before
they call bind() or connect(), which might be part of your confusion.
The best way to understand this might be to flush your DNS cache
(ipconfig /flushdns), start your network sniffer, ping a domain name,
and then look at the packets captured.

This is obviously way outside the scope of NT driver development. If
you’re still having trouble with this, mail me off-list and I’ll see if
I can help.

– arlie


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Fernando Roberto
Sent: Thursday, June 01, 2006 4:53 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Filtering name resolution with TDI filter

Dave,

Thanks for your answer.

I need to check the address that results from a name resolution to make
sure that this address is safe to use.

I was trying to get the address for the “Address File Object” that was
created, but I only got local references such as 0:1028.

Is an “Address File Object” usually shared among several processes?

I’m using PING.EXE to make some observations, and I noted that only one
“Address File Object” is created. I can’t see any reference to the host
name in the EA info in the IRP_MJ_CREATE parameters, only the same IP
address 0:1028.
As we know, there isn’t a call to ASSOCIATE_ADDRESS because it is a
connectionless action. So, when is the address supplied to make the FO
refer to it?

Any help is welcome.

Regards,

Fernando R. Silva


Yes, filter TCP and UDP traffic to external port 53

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Fernando Roberto”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, May 31, 2006 8:20 PM
Subject: [ntdev] Filtering name resolution with TDI filter

Hi all,

Is it possible to filter DNS name resolution with TDI filter?
I used TDI_QUERY_ADDRESS_INFO to try to monitor this action, but I can’t
get the right input and output parameters yet.

Am I going the right way?

Thanks in advance,
Fernando Roberto da Silva.


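Arlie’s walkthrough above (flush the cache, start a sniffer, ping a name, read the packets) and Maxim’s advice to filter port 53, worked through offline as an added example that is not code from anyone in this thread: it constructs three IPv4 packets (a DNS query for example.com, the matching reply carrying an A record, and the ICMP ECHO that ping sends afterwards) and dissects them the way a port-53 filter would. The addresses, ports, transaction id and the blocked range are constructed sample values (RFC 5737 documentation networks), and the IP/UDP/ICMP checksums are left at zero because nothing transmits these packets. What it makes concrete is the point both Dave and Arlie made: the hostname exists only in the DNS question, the address to vet exists only in the DNS answer, and the ICMP packet carries nothing but IP addresses.

```python
# Added example, not from the thread: dissect constructed DNS and ICMP packets the
# way a port-53 filter would, to show where the hostname and resolved address live.
import ipaddress
import struct

DNS_PORT = 53
TYPE_A, TYPE_AAAA = 1, 28

def encode_name(name):
    """Encode a hostname as DNS labels: example.com -> 7 'example' 3 'com' 0."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_name(msg, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: pointer to an earlier name
            if not jumped:
                end = off + 2                         # stream position resumes after the pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                             # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_dns(payload):
    """Return (txid, is_response, question names, [(name, address)]) for A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", payload, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = parse_name(payload, off)
        off += 4                                      # skip QTYPE and QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = parse_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
        elif rtype == TYPE_AAAA and rdlen == 16:
            answers.append((name, str(ipaddress.IPv6Address(rdata))))
    return txid, bool(flags & 0x8000), questions, answers

def ipv4_packet(proto, src, dst, payload):
    """Minimal IPv4 header, no options; checksum stays 0 since nothing transmits it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def udp_packet(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(raw):
    """Inspect one IPv4 packet as a port-53 filter would: only DNS payloads yield a name
    or a resolved address; ICMP, TCP and UDP headers carry IP addresses only."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    rec = {"src": str(ipaddress.IPv4Address(raw[12:16])),
           "dst": str(ipaddress.IPv4Address(raw[16:20])),
           "kind": "other", "names": [], "answers": []}
    if proto == 17:                                   # UDP
        sport, dport = struct.unpack_from("!HH", raw, ihl)
        if DNS_PORT in (sport, dport):
            _txid, is_resp, names, answers = parse_dns(raw[ihl + 8:])
            rec.update(kind="dns_response" if is_resp else "dns_query",
                       names=names, answers=answers)
    elif proto == 1 and raw[ihl] == 8:                # ICMP echo request (what ping sends)
        rec["kind"] = "icmp_echo"
    return rec

def unsafe_answers(rec, blocked_networks):
    """Policy hook: vet each resolved address against a constructed CIDR blocklist."""
    nets = [ipaddress.ip_network(n) for n in blocked_networks]
    return [(name, addr) for name, addr in rec["answers"]
            if any(ipaddress.ip_address(addr) in net for net in nets)]

# Constructed samples (RFC 5737 documentation addresses): the resolver asks for
# example.com, the server answers 203.0.113.10, then ping sends ICMP ECHO to that address.
QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
         + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1))
REPLY = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
         + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
         + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)   # answer name = pointer to offset 12
         + ipaddress.IPv4Address("203.0.113.10").packed)
DNS_QUERY = ipv4_packet(17, "192.0.2.7", "192.0.2.53", udp_packet(49152, DNS_PORT, QUERY))
DNS_REPLY = ipv4_packet(17, "192.0.2.53", "192.0.2.7", udp_packet(DNS_PORT, 49152, REPLY))
PING = ipv4_packet(1, "192.0.2.7", "203.0.113.10", struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh")

if __name__ == "__main__":
    for pkt in (DNS_QUERY, DNS_REPLY, PING):
        r = classify(pkt)
        print(r["kind"], r["src"], "->", r["dst"], r["names"], r["answers"])
    print("flagged:", unsafe_answers(classify(DNS_REPLY), ["203.0.113.0/24"]))
```

unsafe_answers() is the point in the flow where the “is this address safe to use” decision belongs. A real port-53 filter also has to handle DNS carried over TCP (two-byte length prefix, messages possibly split across segments), CNAME chains and AAAA answers, and the resolver cache Arlie describes: a name served from the cache produces no packet at all, so the check must either intercept at the resolver (the layered service provider Dave suggests) or accept that only uncached lookups are visible on the wire.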

> quite simply a Winsock client in usermode. You have many options to
> ‘filter’ this behavior but TDI_QUERY_ADDRESS_INFO is not one of them. That

I think that TDI_QUERY_ADDRESS_INFO is either getsockname() or getpeername(),
don’t remember which one off-hand.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com