I am trying to redirect DNS requests on a per-app basis using WFP (Windows Filtering Platform). I want to redirect to a public DNS server, not a local proxy. I have a callout driver at the ALE_CONNECT_REDIRECT_V4 layer. When I trace DNS requests at this layer, I can see them going out just fine.
However, when I rewrite the DNS server IP (using INETADDR_SET_ADDRESS) to another public server such as 1.1.1.1 (I'm only rewriting to public servers, not a local proxy), I see the rewritten DNS requests leaving in Wireshark and also their responses coming in successfully; yet the application whose DNS I'm rewriting does not receive those DNS responses: it fails to resolve the hostname.
I have disabled the DNS cache so that the DNS requests come directly from the application, rather than the svchost.exe process.
Why is this? Do I have to somehow also hook incoming packets and restore the DNS server to the one the application expects? I'm at a loss.
After trying this out for myself: yes, for DNS traffic over UDP you have to intercept the inbound datagrams and modify the source address using the clone-drop-reinject method. DNS traffic over TCP is unaffected, since it is a connection-based protocol, whereas UDP is connectionless.
Full minimal working driver code: https://pastebin.com/tCHqNnJH
Relevant extract:
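To make the inbound step concrete, the following is an added, user-mode C model of what a redirecting callout has to keep and do; it is not the driver code behind the pastebin link and uses no WFP APIs. It assumes a flow table keyed by the app's local UDP port and the server the request was redirected to (a design choice of this example), and shows the two things to get right before the cloned reply is reinjected: put the original server back as the source address, and recompute both the IPv4 header checksum and the UDP checksum (whose pseudo-header covers the source address), since the stack treats a bad checksum as corruption and drops the datagram. The addresses, ports and DNS header bytes are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (user-mode model, not the answer's driver). All addresses,
 * ports and the DNS payload are constructed test data. */

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define DNS_PORT 53
#define MAX_FLOWS 64

struct dns_flow {
    uint16_t local_port;      /* app's ephemeral UDP port (host order) */
    uint32_t original_server; /* server the app actually sent to */
    uint32_t redirect_server; /* server we rewrote the destination to */
    int in_use;
};
static struct dns_flow g_flows[MAX_FLOWS];

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1071 one's-complement sum; fold() carries the high bits and inverts. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (len) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
/* UDP checksum over IPv4 pseudo-header + UDP header + payload. */
static uint16_t udp_sum(uint32_t src, uint32_t dst, const uint8_t *udp, size_t ulen) {
    uint8_t ph[12];
    put32(ph, src); put32(ph + 4, dst); ph[8] = 0; ph[9] = 17; put16(ph + 10, (uint16_t)ulen);
    return fold(sum16(udp, ulen, sum16(ph, 12, 0)));
}

/* Outbound side (connect-redirect time): remember what the app asked for. */
int flow_record_outbound(uint16_t local_port, uint32_t original_server, uint32_t redirect_server) {
    for (int i = 0; i < MAX_FLOWS; i++)
        if (!g_flows[i].in_use) {
            g_flows[i] = (struct dns_flow){ local_port, original_server, redirect_server, 1 };
            return 1;
        }
    return 0;
}
static struct dns_flow *flow_lookup(uint16_t local_port, uint32_t from_server) {
    for (int i = 0; i < MAX_FLOWS; i++)
        if (g_flows[i].in_use && g_flows[i].local_port == local_port && g_flows[i].redirect_server == from_server)
            return &g_flows[i];
    return NULL;
}

/* Inbound side: put the expected server back as source IP and fix both
 * checksums. Returns 1 if rewritten, 0 if left alone, -1 if malformed. */
int restore_inbound_source(uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return -1;
    if (pkt[9] != 17) return 0;                       /* TCP etc.: untouched */
    uint8_t *udp = pkt + ihl;
    uint16_t ulen = get16(udp + 4);
    if (ulen < 8 || ihl + ulen > len) return -1;
    if (get16(udp) != DNS_PORT) return 0;
    uint32_t src = get32(pkt + 12), dst = get32(pkt + 16);
    struct dns_flow *f = flow_lookup(get16(udp + 2), src);
    if (!f) return 0;                                 /* not a redirected flow */
    put32(pkt + 12, f->original_server);
    put16(pkt + 10, 0);
    put16(pkt + 10, fold(sum16(pkt, ihl, 0)));        /* IP header checksum */
    put16(udp + 6, 0);
    uint16_t c = udp_sum(f->original_server, dst, udp, ulen);
    put16(udp + 6, c ? c : 0xffff);                   /* 0 would mean "no checksum" */
    return 1;
}

/* Constructed IPv4/UDP datagram builder, used only for the demo and test. */
size_t build_udp_datagram(uint8_t *buf, size_t cap, uint32_t src, uint32_t dst,
                          uint16_t sport, uint16_t dport, const uint8_t *payload, size_t plen) {
    size_t total = 28 + plen;
    if (cap < total) return 0;
    memset(buf, 0, 28);
    buf[0] = 0x45; put16(buf + 2, (uint16_t)total); buf[8] = 64; buf[9] = 17;
    put32(buf + 12, src); put32(buf + 16, dst);
    put16(buf + 10, fold(sum16(buf, 20, 0)));
    uint8_t *udp = buf + 20;
    put16(udp, sport); put16(udp + 2, dport); put16(udp + 4, (uint16_t)(8 + plen));
    memcpy(udp + 8, payload, plen);
    uint16_t c = udp_sum(src, dst, udp, 8 + plen);
    put16(udp + 6, c ? c : 0xffff);
    return total;
}
/* Both checksums verify iff the folded sums (checksum field included) are 0. */
int checksums_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (len < ihl + 8 || fold(sum16(pkt, ihl, 0)) != 0) return 0;
    const uint8_t *udp = pkt + ihl;
    return udp_sum(get32(pkt + 12), get32(pkt + 16), udp, get16(udp + 4)) == 0;
}

int main(void) {
    static const uint8_t reply[] = { 0xab, 0xcd, 0x81, 0x80, 0, 1, 0, 1 }; /* constructed DNS header */
    uint8_t pkt[128];
    flow_record_outbound(54321, IPV4(8, 8, 8, 8), IPV4(1, 1, 1, 1));   /* app -> 8.8.8.8, sent to 1.1.1.1 */
    size_t n = build_udp_datagram(pkt, sizeof pkt, IPV4(1, 1, 1, 1), IPV4(192, 168, 1, 10), DNS_PORT, 54321, reply, sizeof reply);
    int r = restore_inbound_source(pkt, n);
    printf("rewritten=%d src=0x%08x checksums_ok=%d\n", r, get32(pkt + 12), checksums_ok(pkt, n));
    return 0;
}
```

In a real callout the same lookup and fixup run on the cloned NET_BUFFER_LIST before it is reinjected on the inbound path; the table also needs entries removed when the flow is torn down, which this model leaves out. Replies that match no recorded flow, replies on a different local port, and non-UDP traffic are passed through unchanged, which is what you want when only some apps are redirected.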