dns wildcard blocking

Author: David Zimmer
Date: 11.03.17 - 5:39pm

for years I wished the windows hosts file supported dns wildcard matching so I could block things on pretty wide filters.

I have been playing around with a Win10 machine and watching the traffic it generates. Live tile requests, windows update requests, data and services, telemetry, and god knows what else..

This annoys me on two fronts. One the machine is out of my control and it is doing things I cant know. Two if I want to capture traffic, now it is bulked up with loads of irrelevant crap I have to wade through. So the desire for wildcard dns blocking grew.

Yesterday I finally found a cool library that let me implement it in about 3 hrs.

The Windivert library by Basil is an easy to use kernel driver that lets you intercept, drop, relay, and modify raw packets. It supports Vista+ machines and has a good set of python bindings already made for it.

This is the same library that the FireEye FakeNet-NG project designed by Peter Kacherginsky uses to record and redirect traffic for malware analysis.

Ripping some code from FakeNet and browsing online pydivert examples I was able to throw together a quick sample that fit my specs.

Just double click on dnsblock.py and it will intercept and log all dns requests. You can white or black list domains and/or processes in config.txt. Anything blocked just gets resolved to localhost.

Its small, its python, and its easy to modify. Use pip to install pydivert and dnslib.

  • it doesnt do anything against direct ip connections.
  • you may want to delete the dnscache service from registry and reboot (make sure to export and back it up first!) otherwise most requests coming from system services will always be routed though the dnscache service and you wont be able to see the actual requestor.

Good first step and also nice easy way to monitor all dns requests and easily block them.

DNSBlock Github repo

Comments: (0)

Leave Comment:
Email: (not shown)
Message: (Required)
Math Question: 19 + 42 = ? followed by the letter: Q 

About Me
More Blogs
Main Site
Yara WorkBench
vbdec dbg updates
vb6 PCode NOP
vb6 API and call backs
how pcode works Pt1
Reversing PCode Args
VB6 PCode Disassembly
VB6 PCode Debugger
UConnect Disable Cell Modem
IDA python over IPC
dns wildcard blocking
64bit IDA Plugins
anterior lines
misc news/updates
Decoders again
CDO.Message Breakpoints
SysAnalyzer Updates
SysAnalyzer and Site Updates
crazy decoder
ida js w/dbg
flash patching #2
JS Graphing
packet reassembly
Delphi IDA Plugin
scdbg IDA integration
API Hash Database
Winmerge plugin
IDACompare Updates
Guest Post @ hexblog
TCP Stream Reassembly
SysAnalyzer Updates
Apilogger Video
Shellcode2Exe trainer
scdbg updates
IDA Javascript w/IDE
Rop Analysis II
scdbg vrs ROP
flash patching
x64 Hooks
micro hook
jmp api+5 *2
SysAnalyzer Updates
InjDll runtime config
C# Asm/Dsm Library
Shellcode Hook Detection
Updates II
Java Hacking
Windows 8
Win7 x64
Graphing ideas
.Net Hacking
Old iDefense Releases
hll shellcode
ActionScript Tips
-patch fu
scdbg ordinal lookup
scdbg -api mode
Peb Module Lists
scdbg vrs Process Injection
GetProcAddress Scanner
scdbg fopen mode
scdbg findsc mode
scdbg MemMonitor
demo shellcodes
scdbg download
api hashs redux
Api hash gen
Retro XSS Chat Codes
Exe as DLL
Olly Plugins
Debugging Explorer
Attach to hidden process
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
PDF Stream Dumper
Malcode Call API by Hash
WinDbg Cheat Sheet
GPG Automation