Full Version: What is PDM.DNS Query?
Kaspersky Lab Forum > English User Forum > Protection for Home Users > Kaspersky Internet Security & Anti-Virus for Windows
nurbles
I wrote several of the programs that are being flagged with PDM.DNS Query. The actual DNS access code came from Microsoft's samples of WinSock applications, yet, as I understand it, my code is apparently "using a DNS API in a non-standard way." Hopefully, someone can provide an example of the "standard" way, since it is not the documented way.

I know I can exclude these programs, but I'd like to know what I could be doing that is non-standard. Can anyone help, preferably by providing an acceptable C function (using standard Win32 APIs, not C++, .NET or any other managed crap) to determine the various IP addresses of both the local computer and remote computers?

If acceptable code is not an option, then at least provide a list of "non-standard" uses of the Win32 DNS APIs, preferably with explanations of the risks involved with them. Or at least a link to an article on this topic.

Thanks?
Lucian Bara
hello
this popup is usually shown when the dns packets carry extra information (not just requests to resolve the name). Are you sure that the queries are correct?
nurbles
QUOTE(Lucian Bara @ 28.04.2010 11:17) *
hello
this popup is usually shown when the dns packets carry extra information (not just requests to resolve the name). Are you sure that the queries are correct?


Actually, I don't know what WinSock is putting in the actual network packets for me. However, I can show you the function being called:

CODE
#include <winsock2.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

/* Resolve a host name or dotted-quad string to an IPv4 address in
 * network byte order. Returns INADDR_ANY when nothing could be resolved. */
DWORD GetIP(LPSTR lpName)
{
    DWORD dwIp = INADDR_ANY;
    PHOSTENT phe;
    WSADATA wsaData;

    if( lpName )
    {
        // if it's a numeric name... attempt to use as an address.
        if( ('0' <= lpName[0]) && (lpName[0] <= '9') )
        {
            dwIp = inet_addr(lpName);
        }
        else
        {
            // gethostbyname() needs Winsock initialised first.
            if( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != 0 )
                return dwIp;
            phe = gethostbyname(lpName);
            // only copy an IPv4 entry that actually fits in dwIp.
            if( phe && (phe->h_addrtype == AF_INET) && (phe->h_length == sizeof(dwIp)) )
            {
                memcpy( &dwIp,          // save IP address from host entry.
                        phe->h_addr,
                        phe->h_length);
            }
            WSACleanup();
        }
    }
    return dwIp;
}


This function will return INADDR_ANY if a host name (rather than numeric IP address) was provided. If that happens, then the program uses the GetIpAddrTable() function (from IPHLPAPI.DLL) to scan the local machine's addresses for a valid address to bind the local end of the connection. There's absolutely nothing non-standard here; the code is almost directly from a couple of examples in the WinSock documentation.

If there's something else on my system that is altering DNS traffic, then no antivirus program has been able to detect it.
Lucian Bara
Well, never played with gethostbyname. Always used getaddrinfo. Have you tried that?
nurbles
QUOTE(Lucian Bara @ 28.04.2010 15:19) *
Well, never played with gethostbyname. Always used getaddrinfo. Have you tried that?

A very long time ago (over a decade), but we could never get it to work. Either it didn't (back then), or none of the programmers here at the time could understand the documentation and we were all using it wrong. That's why I wrote the simple wrapper I posted. I could give it a shot, but, IMHO, there's no reason to believe that the underlying DNS traffic generated by these two calls (which are both in the same library, after all) would be any different, and getaddrinfo may even use gethostbyname to resolve the given host name into an IP address.

But my original question stands, given the subroutine I posted (which is the only time my program goes near DNS -- intentionally, at least), why is Kaspersky anti-virus flagging it as non-standard / suspicious?

Thanks for the suggestion, though. getaddrinfo could be very handy in the future, assuming I can figure it out this time! smile.gif
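A portable getaddrinfo() wrapper, added here as an example and not code from any poster in this thread. It covers the two points discussed above: the numeric-literal check that the posted GetIP() does by hand (done here with AI_NUMERICHOST, which fails immediately for real names and so generates no DNS traffic), and name resolution that returns IPv4 and IPv6 addresses alike. It builds against Winsock on Windows and the BSD socket headers on POSIX; the function names and MAX_ADDRS are this example's own.

```c
#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#  pragma comment(lib, "ws2_32.lib")
#else
#  define _POSIX_C_SOURCE 200112L
#  include <sys/socket.h>
#  include <netdb.h>
#  include <netinet/in.h>
#endif
#include <string.h>

#define MAX_ADDRS 8   /* example limit on addresses returned per host */

/* True when host is an IPv4/IPv6 literal. AI_NUMERICHOST makes getaddrinfo
 * fail at once for anything that is not a literal, so no DNS query is sent. */
int is_ip_literal(const char *host)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return 0;
    freeaddrinfo(res);
    return 1;
}

/* Resolve host (name or literal) into up to max textual addresses, IPv4 and
 * IPv6 alike. Returns the count stored, or -1 if resolution failed.
 * On Windows the caller must have called WSAStartup() beforehand. */
int resolve_host(const char *host, char out[][INET6_ADDRSTRLEN], int max)
{
    struct addrinfo hints, *res, *ai;
    int n = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* ask for both address families */
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, not per socket type */
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL && n < max; ai = ai->ai_next)
        if (getnameinfo(ai->ai_addr, (socklen_t)ai->ai_addrlen, out[n],
                        INET6_ADDRSTRLEN, NULL, 0, NI_NUMERICHOST) == 0)
            n++;
    freeaddrinfo(res);
    return n;
}
```

Unlike the gethostbyname() wrapper, nothing here depends on the first character of the input, and the same source compiles unchanged on Windows and Linux.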
Lucian Bara
don't know, possibly because on a modern system dns calls should be made with the dns service that's built in (tbh, never played that much with that).
you could also try:
http://msdn.microsoft.com/en-us/library/ms682016(VS.85).aspx
nurbles
QUOTE(Lucian Bara @ 28.04.2010 17:04) *
don't know, possibly because on a modern system dns calls should be made with the dns service that's built in (tbh, never played that much with that).
you could also try:
http://msdn.microsoft.com/en-us/library/ms682016(VS.85).aspx

It sounds like you're saying that the WinSock functions aren't "built in," yet I've never needed to install anything (except perhaps network capability) to have it present on Windows. That sure makes it seem like a "built in" part of Windows networking. I also need to move code between Windows and Linux from time to time, and using WinSock allows my code to be much more portable because the functions are designed to match their *nix socket library counterparts.

The DNS function you linked to is interesting, and if I were writing a Windows-specific replacement for dig or nslookup it might be useful, but it seems to be too low a level for a normal application.

It looks like I'm not going to get a useful answer about why Kaspersky AV is flagging any program I have that calls gethostbyname as suspicious, so I'm going to give up and recommend against this package for my company and our customers. Thanks for trying. Bye!

PS: I was just browsing from the link you provided and found that the WinSock 2 library is documented in the same section on the web site. Interestingly, it lists all of the name services mentioned earlier, but only gethostbyname is listed as "deprecated - use getaddrinfo instead." Perhaps that is the reason that KAV is flagging programs that use it?
RostikK
QUOTE(nurbles @ 28.04.2010 16:40) *
I wrote several of the programs that are being flagged with PDM.DNS Query. The actual DNS access code came from Microsoft's samples of WinSock applications, yet, as I understand it, my code is apparently "using a DNS API in a non-standard way." Hopefully, someone can provide an example of the "standard" way, since it is not the documented way.

I know I can exclude these programs, but I'd like to know what I could be doing that is non-standard. Can anyone help, preferably by providing an acceptable C function (using standard Win32 APIs, not C++, .NET or any other managed crap) to determine the various IP addresses of both the local computer and remote computers?

If acceptable code is not an option, then at least provide a list of "non-standard" uses of the Win32 DNS APIs, preferably with explanations of the risks involved with them. Or at least a link to an article on this topic.

Thanks?



KAV seems to display this alert on DNS cache requests. Both WinSock functions (getaddrinfo and gethostbyname) do trigger this alert.

The workaround is to use DnsQuery function with DNS_QUERY_BYPASS_CACHE option.

The following example lacks IPv6 support but it would work for simple resolve requests. This exact code was not tested and may contain errors, but it may help you.

CODE

#include <winsock2.h>
#include <ws2tcpip.h>
#include <windns.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "dnsapi.lib")
#pragma comment(lib, "ws2_32.lib")

/* Resolve host with DnsQuery (bypassing the local resolver cache) and connect
 * a TCP socket to it. Returns the connected socket, or INVALID_SOCKET if no
 * address could be resolved or connected. The caller must have called
 * WSAStartup() first. */
SOCKET connect_host(const char *host, const char *port) {
    PDNS_RECORD resolved = NULL, server;
    DNS_STATUS res;
    SOCKET sockfd = INVALID_SOCKET;
    struct sockaddr_in addr;
    unsigned short nPort = (unsigned short)atoi(port);

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(nPort);   /* port must be in network byte order */

    res = DnsQuery_UTF8(host, DNS_TYPE_A, DNS_QUERY_BYPASS_CACHE, NULL, &resolved, NULL);
    if (res != 0)
        return INVALID_SOCKET;
    /* Try all found addresses in the order returned.
     * The first successful connect() wins. */
    for (server = resolved; server; server = server->pNext) {
        if (server->wType != DNS_TYPE_A)
            continue;
        sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (sockfd == INVALID_SOCKET)
            continue;

        /* Data.A.IpAddress is already in network byte order. */
        addr.sin_addr.s_addr = server->Data.A.IpAddress;

        if (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR) {
            closesocket(sockfd);
            sockfd = INVALID_SOCKET;
            continue;
        }
        break;
    }
    DnsRecordListFree(resolved, DnsFreeRecordList);
    return sockfd;
}
RostikK
QUOTE(RostikK @ 10.08.2010 15:54) *
KAV seems to display this alert on DNS cache requests. Both WinSock functions (getaddrinfo and gethostbyname) do trigger this alert.

The workaround is to use DnsQuery function with DNS_QUERY_BYPASS_CACHE option.

The following example lacks IPv6 support but it would work for simple resolve requests. This exact code was not tested and may contain errors, but it may help you.

Errata: change
#include <dnsapi.h>
to
#include <windns.h>