dns wildcard blocking


Author: David Zimmer
Date: 11.03.17 - 5:39pm



for years I wished the windows hosts file supported dns wildcard matching so I could block things on pretty wide filters.

I have been playing around with a Win10 machine and watching the traffic it generates. Live tile requests, windows update requests, data and services, telemetry, and god knows what else..

This annoys me on two fronts. One the machine is out of my control and it is doing things I cant know. Two if I want to capture traffic, now it is bulked up with loads of irrelevant crap I have to wade through. So the desire for wildcard dns blocking grew.

Yesterday I finally found a cool library that let me implement it in about 3 hrs.

The Windivert library by Basil is an easy to use kernel driver that lets you intercept, drop, relay, and modify raw packets. It supports Vista+ machines and has a good set of python bindings already made for it.

This is the same library that the FireEye FakeNet-NG project designed by Peter Kacherginsky uses to record and redirect traffic for malware analysis.

Ripping some code from FakeNet and browsing online pydivert examples I was able to throw together a quick sample that fit my specs.

Just double click on dnsblock.py and it will intercept and log all dns requests. You can white or black list domains and/or processes in config.txt. Anything blocked just gets resolved to localhost.

Its small, its python, and its easy to modify. Use pip to install pydivert and dnslib.

Notes:
  • it doesnt do anything against direct ip connections.
  • you may want to delete the dnscache service from registry and reboot (make sure to export and back it up first!) otherwise most requests coming from system services will always be routed though the dnscache service and you wont be able to see the actual requestor.

Good first step and also nice easy way to monitor all dns requests and easily block them.

DNSBlock Github repo




Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 29 + 36 = ? followed by the letter: H 



Twitter
RSS
About Me
More Blogs
Main Site
Posts: (year)
2021 (1)
     VB App object
2020 (8)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Vb6 PCode Internals
     Vb6 Runtime ForLoop Disasm
     VB6 Pcode - For Loops
     Yara Corrupt Imports
     Yara Undefined values
2019 (12)
     Yara WorkBench
     SafeArrayGetVartype
     vbdec dbg updates
     vb6 PCode NOP
     vb6 API and call backs
     how pcode works Pt1
     PrintFile
     ImpAdCallNonVirt
     Reversing PCode Args
     VB6 PCode Disassembly
     VB6 PCode Debugger
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (6)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
     packet reassembly
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     findDll
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     BootLoaders
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation