tope awolowo wrote:
> I am writing a DNS redirection application with a module:
> ClassifyFunctions_ProxyCallouts.cpp from
> https://github.com/Microsoft/Windows-driver-samples/blob/master/network/trans/WFPSampler/sys/ClassifyFunctions_ProxyCallouts.cpp.
> What I want to achieve is to intercept certain DNS queries, e.g.
> those starting with HTTPS not HTTP, i.e. https://www.yahoo.com, then
> redirect it to www.mydomain.com.
Honestly, you are wasting so much of our time, because you won’t tell us
what you are actually trying to do. You keep dropping little bits and
pieces, each of which changes the job dramatically. Your second
paragraph defines a VERY different problem from the proposed solution in
your first paragraph.
You need to do a lot more reading about how networking actually works.
What you’re describing is not DNS redirection. With DNS redirection,
every reference to www.yahoo.com (whether web or email or FTP or even
ping) is redirected to a new web site. It isn’t until after the domain
has been converted to an IP address that you start to worry about what
port is being referenced (80 for HTTP or 443 for HTTPS, in this case).
And that makes what you want to do almost impossible. Consider the
processing of a request for http://www.yahoo.com. Each of these is a
separate step:
- Make DNS request to convert www.yahoo.com to an IP address (say
98.138.252.30).
- Convert the service “http” to a port number (80).
- Open a TCP connection to IP 98.138.252.30, port 80.
- Send HTTP request.
OK, now consider the processing of a request for https://www.yahoo.com:
- Make DNS request to convert www.yahoo.com to an IP address (say
98.138.252.30).
- Convert the service “https” to a port number (443).
- Open a TCP connection to IP 98.138.252.30, port 443.
- Send HTTP request.
Notice that, by the time the network stack sees whether this is port 80
or port 443, all you have is an IP address. There is no longer any
record of the fact that the IP address belongs to yahoo.com. Even if
you were monitoring packets, you couldn’t do the redirect.
But wait, there’s more! The HTTP request includes the web site that is
being queried, so you might think you could read that request to tell
the difference. But you can’t do that, because all HTTPS traffic is
encrypted. You cannot proxy HTTPS traffic. That’s the point of HTTPS
– it’s secure, so no one can interfere with the request.
> My application's main aim (WHAT I WANT TO ACHIEVE) is to monitor
> traffic flow in my area network.
You can do that today with an application like Wireshark, without
writing applications or drivers of any kind. Wireshark uses a library
called libpcap, which you could also use to write a monitoring app.
--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
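To make the point about name resolution concrete, here is an added Python example (not code from the thread or from the WFPSampler project) that parses a constructed DNS query packet for www.yahoo.com: the question section carries only a name, a type and a class, and has no field that could distinguish an http:// URL from an https:// one.

```python
"""Parse a DNS query and show what a passive monitor can (and cannot) see in it."""
import struct

# Constructed sample packet (not a real capture): a standard A-record query
# for www.yahoo.com, exactly as a resolver would send it over UDP port 53.
SAMPLE_QUERY = (
    b"\x12\x34"                      # transaction ID
    b"\x01\x00"                      # flags: standard query, recursion desired
    b"\x00\x01"                      # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"      # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x03www\x05yahoo\x03com\x00"   # QNAME as length-prefixed labels
    b"\x00\x01"                      # QTYPE  = A
    b"\x00\x01"                      # QCLASS = IN
)

QTYPES = {1: "A", 28: "AAAA", 5: "CNAME", 15: "MX"}


def parse_qname(data, offset):
    """Decode a label sequence starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointers do not occur in a plain question")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(data):
    """Return the fields of the single question in a DNS query packet."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000:
        raise ValueError("this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = parse_qname(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    # Note what is absent: no URL scheme, no port, no path. Those are chosen
    # by the client after resolution, when it opens the TCP connection.
    return {"id": txid, "qname": name, "qtype": QTYPES.get(qtype, str(qtype)), "qclass": qclass}


if __name__ == "__main__":
    print(parse_query(SAMPLE_QUERY))
```

Feeding the same parser the UDP payload of packets captured with libpcap would give a monitor the queried names, which is the one thing the DNS stage actually exposes.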