Tracking Process ID in DNS queries using WFP driver

I am trying to block DNS requests using a WFP driver. I am checking DNS port 53 and am able to see all DNS requests. I want to know the exact process that initiated each DNS request. For chrome.exe and nslookup I am able to get the exact process ID, but for some processes (msedge, ping) I am not able to get the exact process ID; instead I am getting the svchost (DNS Client service) PID.
Is there any workaround by which I can get the exact process ID that initiated the DNS query?

Thanks in Advance

The DnsQuery APIs use a DNS cache maintained by the DNS Client service. If you disable that service you’ll see the actual requesting process but you’ll also disable the DNS cache.

IIRC this is not generally possible. If a UM program hand-crafts DNS query UDP packets and opens a socket to send them on, then sure. But I don’t know of any program that does this. Instead they rely on the name resolution APIs provided by the OS (getaddrinfo etc.). Those APIs will use some mechanism, possibly DNS, to resolve the name. Even in 2024 it could be a local hosts file, WINS, or a NetBIOS probe rather than DNS.

Then you have the problem that programs like Edge don’t run in a single process like ‘normal’ programs. But that’s a much larger problem.

Perhaps if you explain what you are trying to do with this information, we might be able to help more.
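To make the "hand-crafted UDP packets" case above concrete, here is an added example (not code from any poster in this thread). A process that builds the RFC 1035 wire format itself and sends it from its own UDP socket to port 53 never touches getaddrinfo()/DnsQuery(), so the DNS Client service is not involved and a WFP callout at the ALE connect layer would attribute the port 53 traffic to this process rather than to svchost. The resolver address 192.0.2.53, the transaction ID 0x1234 and the reply bytes in SAMPLE_REPLY are constructed for illustration; the parser checks the transaction ID so a stale or spoofed reply is rejected.

```python
"""Hand-crafted DNS A query sent from the caller's own UDP socket.

Added example for this thread, not from the original posts. Everything
below is standard-library Python; 192.0.2.53 is a placeholder resolver and
SAMPLE_REPLY is a constructed response used to exercise the parser offline.
"""
from __future__ import annotations

import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Build a recursive query: 12-byte header plus one question (RFC 1035 4.1)."""
    # ID, flags (RD=1 -> 0x0100), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg: bytes, expected_txid: int) -> list[str]:
    """Return dotted-quad A answers; reject replies whose ID does not match ours."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return answers


def resolve_direct(name: str, server: str = "192.0.2.53", timeout: float = 2.0) -> list[str]:
    """Send the query from this process's own socket (server is a placeholder)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        reply, _ = s.recvfrom(512)
    return parse_a_records(reply, txid)


# Constructed reply to build_query("www.example.com", 0x1234): flags 0x8180,
# one question, one answer (name pointer to offset 12, A, IN, TTL 3600,
# 203.0.113.10 from the documentation range).
SAMPLE_REPLY = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"
    "03777777 076578616d706c65 03636f6d 00 0001 0001"
    "c00c 0001 0001 00000e10 0004 cb00710a"
)

if __name__ == "__main__":
    print(build_query("www.example.com", 0x1234).hex())
    print(parse_a_records(SAMPLE_REPLY, 0x1234))
```

Because the socket is opened by the requesting process, a WFP filter keyed on remote port 53 at the ALE connect layer sees that process's ID in the flow metadata; the same lookup made through getaddrinfo() would surface from the DNS Client service instead, which is exactly the svchost PID reported in the question.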

@“Scott_Noone_(OSR)” @MBond2 thank you so much for the response.

I am trying to allow/block some DNS queries based on process name/process ID.


With that very simple statement of what you are trying to do, I can give the very simple answer: you can’t do that. If you can explain the larger problem you are working on, we might be able to help more.