Didier Stevens

Monday 26 December 2022

New Tool: dns-pydivert.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

dns-pydivert is a tool that uses WinDivert, a “user-mode packet capture-and-divert package for Windows” to divert IPv4 DNS packets to and from the machine it is running on.

This tool requires admin rights.

When started, it listens for IPv4 UDP packets with source and/or destination port equal to 53.
When this tools processes its first UDP packet with destination port 53, it considers the source address of this packet as the DNS client’s IPv4 address (e.g., the Windows machine this tool is running on) and the destination address to be the IPv4 address of the DNS server used by the client.
From then on, all IPv4 UDP packets with source or destination port 53 (including that first packet) are altered by the tool.
All IPv4 UDP packets with destination port 53, have their destination address changed to the IPv4 address of the client.
All IPv4 UDP packets with source port 53, have their source address changed to the IPv4 address of the DNS server.

This tool can be used to redirect all DNS IPv4 traffic to the machine itself, where a tool like dnsresolver.py can handle the DNS requests.

Caveats:

  • This tool does not handle IPv6.
  • This tool does not check if the UDP packets to and/or from port 53 are actual DNS packets.
  • This tool ignores DNS traffic over TCP.
  • This tool does not handle queries to multiple DNS servers (different IPv4 addresses) correctly.
dns-pydivert_V0_0_1.zip (http)
MD5: BEAB8F9D180E15B27EB86CBEF7429216
SHA256: 7CB4BA7A4ABC0788AB8CE3F2DD1006DF86AD5D80943A4716FC3E62F1FA2100F6

Blog at WordPress.com.