It is possible to intercept DNS queries; this is usually done in anonymizers for two reasons:
- Even if the session itself is anonymized, the DNS query reveals the destination.
- In some countries the DNS servers are censored.
Because of these two reasons, once you intercept the DNS query you can pass the domain name itself through the proxy you tunnel the data to, instead of resolving it locally (still assuming we are writing an anonymizer).
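The following is an added example, not code from this post or from Komodia: it shows both halves of the point above on the wire. The first part builds and parses a plain DNS query (RFC 1035 layout) to show that the queried name is cleartext for anyone between the client and the resolver; the second part builds a SOCKS5 CONNECT request using the domain-name address type (RFC 1928), which is one way an anonymizer can hand the name to the proxy so the client never emits a lookup for it. The function names, the sample hostname "www.example.com" and the choice of SOCKS5 as the proxy protocol are assumptions of this example.

```python
import struct

# Constructed sample (not from the original post): the bytes a client would send
# to its resolver when looking up "www.example.com" outside the proxy tunnel.
# Header and question layout follow RFC 1035 section 4.1.


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by 0."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard A query (QTYPE 1, QCLASS IN) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def extract_qname(packet: bytes) -> str:
    """Read the first question name from a DNS packet.

    Every label is plaintext, so an on-path observer learns the destination
    even when the subsequent connection is tunnelled through a proxy."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers (RFC 1035 4.1.4) do not appear in a plain
            # query; refuse them rather than follow a pointer blindly.
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928) with ATYP 0x03 (domain name).

    The hostname travels inside the tunnel and the proxy performs the lookup,
    so no DNS query for it ever leaves the client machine. This is the
    behaviour an anonymizer wants once it has intercepted the application's
    DNS request."""
    encoded = host.encode("idna")
    if not 0 < len(encoded) <= 255:
        raise ValueError("hostname length must be 1..255 bytes")
    return (b"\x05\x01\x00\x03" + bytes([len(encoded)]) + encoded
            + struct.pack("!H", port))


if __name__ == "__main__":
    leaked = build_dns_query("www.example.com")
    print("Observer sees QNAME:", extract_qname(leaked))
    print("SOCKS5 CONNECT:", build_socks5_connect("www.example.com", 443).hex())
```

Running the block prints the name recovered from the raw query bytes and the hex of the SOCKS5 request that carries the same name inside the tunnel; the contrast is the whole argument for intercepting DNS in an anonymizer.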
The ways to do it are:
- A Winsock LSP, or any other network interception layer such as TDI, WFP or NDIS.
- Using an NSP (this is very rare).
- Hooking or detours.
Each method has its advantages and disadvantages, and making the wrong choice can later mean starting all over. For example, what works perfectly on 32-bit may not work at all on 64-bit, or worse, cannot work on 64-bit at all, or it may not be compatible with all current OS versions.
We at Komodia have an optional module, "Intercepting DNS queries LSP", which works on Windows 2000 and up to 7 and 2008, including all 64-bit flavors.