Hi, can anyone help me figure out if the DNS query is the same as the HTTP host?
I’ve tried doing the following but did not get any output.
    if ( c$dns$query == c$http$host )
        {
        # send notice to notice.log
        }
A connection object is created for a DNS query and a DNS response. Subsequent connections made utilizing the results of that DNS query have their own connection objects. You’ll have to keep a DNS cache in userland and watch for connections to the resolved IP address with HTTP host fields differing from the domain that was resolved in the cache.
-AK
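
One way to implement the cache described in the reply above, as an added example that is not part of the original thread. The module name, the notice type and the 1 hr expiry are assumptions.

```zeek
# Added example, not from the thread. Module and notice names are hypothetical.
@load base/frameworks/notice
@load base/protocols/dns
@load base/protocols/http

module DNSHostCheck;

export {
    redef enum Notice::Type += { Host_Mismatch };
}

# Cache: resolved address -> names whose lookups returned it.
# The 1 hr expiry is an assumed value; tune it to local DNS TTLs.
global resolved: table[addr] of set[string] &create_expire=1hr;

function remember(c: connection, a: addr)
    {
    # c$dns$query holds the original question, so CNAME chains map back to it.
    if ( ! c?$dns || ! c$dns?$query )
        return;
    if ( a !in resolved )
        resolved[a] = set();
    add resolved[a][to_lower(c$dns$query)];
    }

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    { remember(c, a); }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    { remember(c, a); }

# The request is complete here, so base/protocols/http has filled c$http$host.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( ! is_orig || ! c?$http || ! c$http?$host )
        return;
    local dst = c$id$resp_h;
    local host = to_lower(c$http$host);
    # Skip destinations never seen in a DNS answer, and Host headers that are IP literals.
    if ( dst !in resolved || is_valid_ip(host) )
        return;
    if ( host !in resolved[dst] )
        NOTICE([$note=Host_Mismatch, $conn=c,
                $msg=fmt("HTTP Host %s does not match any name resolved to %s", host, dst),
                $sub=join_string_set(resolved[dst], ",")]);
    }
```

Connections to addresses the sensor never saw resolved are skipped, so HTTP traffic whose lookup happened out of view produces no notice.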