I am writing a content filter in C using the socket API that will intercept DNS requests, and only return the response if the domain is allowed. The pseudocode to describe this is:
- Redirect all DNS queries to the content filter program which is listening on UDP port X.
- Content filter program extracts domain being queried and determines if it is allowed or not.
- If it is allowed, then the content filter program forwards the original DNS request packet to the original destination DNS server while maintaining the original source and IP+port so that the DNS server can send the reply directly back to the client.
- If the domain is not allowed, then no reply is sent.
I currently have the program listening on UDP port X but the problem is that I can't access the IP headers, and therefore can't simply forward the DNS request to the original server while maintaining the original headers.
I have tried using `socket(AF_INET, SOCK_RAW, IPPROTO_UDP)`, but that doesn't bind on port X (understandably), and doesn't receive any traffic.
What is the best way to go about listening on UDP port X, while still being able to access the IP headers of incoming packets?
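The "extract the queried domain and decide whether it is allowed" step of the pseudocode above needs only the DNS payload that a normal UDP socket already delivers, not the IP header. As an added example (not the poster's code), here is a bounds-checked parser for the question name of a raw DNS query plus a suffix allowlist check, run over a constructed sample query for `www.example.com`; the allowlist entries are assumed values.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stddef.h>

/* Extract the first question name from a raw DNS query payload (the bytes a
 * plain UDP recvfrom() hands back, no IP/UDP headers). Writes the name as
 * "www.example.com" into out. Returns 0 on success, -1 if malformed. */
int dns_query_name(const unsigned char *pkt, size_t len, char *out, size_t outlen)
{
    size_t pos = 12, o = 0;                  /* 12-byte DNS header precedes the question */
    if (len < 12 || (pkt[4] == 0 && pkt[5] == 0)) return -1; /* QDCOUNT == 0 */
    while (pos < len) {
        unsigned char l = pkt[pos++];
        if (l == 0) break;                   /* root label terminates the name */
        if ((l & 0xC0) != 0) return -1;      /* compression pointer: not valid in a query name */
        if (pos + l > len || o + l + 1 >= outlen) return -1; /* label overruns packet or buffer */
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + pos, l);
        o += l; pos += l;
    }
    if (o == 0 || pos + 4 > len) return -1;  /* QTYPE and QCLASS must follow the name */
    out[o] = '\0';
    return 0;
}

/* Allow a name if it equals an allowlisted domain or is a subdomain of one (case-insensitive). */
int domain_allowed(const char *name, const char *const *allow, size_t n)
{
    size_t nl = strlen(name);
    for (size_t i = 0; i < n; i++) {
        size_t al = strlen(allow[i]);
        if (nl == al && strcasecmp(name, allow[i]) == 0) return 1;
        if (nl > al && name[nl - al - 1] == '.' && strcasecmp(name + nl - al, allow[i]) == 0) return 1;
    }
    return 0;
}

/* Constructed sample: a standard A/IN query for www.example.com (ID 0x1234, RD set). */
static const unsigned char sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    static const char *const allow[] = { "example.com", "internal.test" }; /* assumed allowlist */
    char name[256];
    if (dns_query_name(sample_query, sizeof sample_query, name, sizeof name) != 0) return 1;
    printf("%s -> %s\n", name, domain_allowed(name, allow, 2) ? "forward" : "drop");
    return 0;
}
```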