
iam x
Sungazer
Premium Member
join:2005-02-23

3 recommendations

iam x

Premium Member

Stop Windows 10 From Spying On You? 36 DNS Addresses to host file.

Original article link:
»init.sh/?p=236
"While doing so, I was capturing all the traffic going into and out of the virtual network interface. Some interesting things showed.

During the first run, I simply picked out the DNS queries which were being requested during this process.

Here’s what showed up:

dns.msftncsi.com
ipv6.msftncsi.com
win10.ipv6.microsoft.com
ipv6.msftncsi.com.edgesuite.net
a978.i6g1.akamai.net
win10.ipv6.microsoft.com.nsatc.net
en-us.appex-rf.msn.com
v10.vortex-win.data.microsoft.com
client.wns.windows.com
wildcard.appex-rf.msn.com.edgesuite.net
v10.vortex-win.data.metron.life.com.nsatc.net
wns.notify.windows.com.akadns.net
americas2.notify.windows.com.akadns.net
travel.tile.appex.bing.com
www.bing.com
any.edge.bing.com
fe3.delivery.mp.microsoft.com
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
ssw.live.com
ssw.live.com.nsatc.net
login.live.com
login.live.com.nsatc.net
directory.services.live.com
directory.services.live.com.akadns.net
bl3302.storage.live.com
skyapi.live.net
bl3302geo.storage.dkyprod.akadns.net
skyapi.skyprod.akadns.net
skydrive.wns.windows.com
register.mesh.com
BN1WNS2011508.wns.windows.com
settings-win.data.microsoft.com
settings.data.glbdns2.microsoft.com
OneSettings-bn2.metron.live.com.nsatc.net
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net"

So, if someone does block all these DNS queries, will it break their PC?

MeDuZa
join:2003-06-13
Austria

1 edit

2 recommendations

MeDuZa

Member

said by iam x:

So, if someone does block all these DNS queries, will it break their PC?

Edit: deleted
Redirecting to 0.0.0.0 is better (faster) than redirecting to 127.0.0.1.

Edit: deleted
Best thing IMHO would be to put Windows 10 altogether to your HOSTS file.

Edit: By rereading my post I realise that it is totally unrelated to the topic and incorrect on top. I don't know where my mind was at the time of posting.

Cartel
Intel inside Your sensitive data outside
Premium Member
join:2006-09-13
Chilliwack, BC

3 recommendations

Cartel to iam x

Premium Member

to iam x
# [Block M$]
127.0.0.1 dns.msftncsi.com
127.0.0.1 ipv6.msftncsi.com
127.0.0.1 win10.ipv6.microsoft.com
127.0.0.1 ipv6.msftncsi.com.edgesuite.net
127.0.0.1 a978.i6g1.akamai.net
127.0.0.1 win10.ipv6.microsoft.com.nsatc.net
127.0.0.1 en-us.appex-rf.msn.com
127.0.0.1 v10.vortex-win.data.microsoft.com
127.0.0.1 client.wns.windows.com
127.0.0.1 wildcard.appex-rf.msn.com.edgesuite.net
127.0.0.1 v10.vortex-win.data.metron.life.com.nsatc.net
127.0.0.1 wns.notify.windows.com.akadns.net
127.0.0.1 americas2.notify.windows.com.akadns.net
127.0.0.1 travel.tile.appex.bing.com
127.0.0.1 any.edge.bing.com
127.0.0.1 fe3.delivery.mp.microsoft.com
127.0.0.1 fe3.delivery.dsp.mp.microsoft.com.nsatc.net
127.0.0.1 ssw.live.com
127.0.0.1 ssw.live.com.nsatc.net
127.0.0.1 login.live.com.nsatc.net
127.0.0.1 directory.services.live.com
127.0.0.1 directory.services.live.com.akadns.net
127.0.0.1 bl3302.storage.live.com
127.0.0.1 skyapi.live.net
127.0.0.1 bl3302geo.storage.dkyprod.akadns.net
127.0.0.1 skyapi.skyprod.akadns.net
127.0.0.1 skydrive.wns.windows.com
127.0.0.1 register.mesh.com
127.0.0.1 BN1WNS2011508.wns.windows.com
127.0.0.1 settings-win.data.microsoft.com
127.0.0.1 settings.data.glbdns2.microsoft.com
127.0.0.1 OneSettings-bn2.metron.live.com.nsatc.net
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com.nsatc.net
# [End Block M$]

For Bing and Live mail compatibility, keep these 2 out.

www.bing.com
login.live.com

andyross
MVM
join:2003-05-04
Aurora, IL

2 recommendations

andyross to iam x

MVM

to iam x
Some of them, like the akamai addresses, could constantly change.

MacGyver

join:2001-10-14
Vancouver, BC

3 recommendations

MacGyver

I agree, don't block anything Akamai because I find it breaks stuff that you actually want.
OZO
Premium Member
join:2003-01-17

4 recommendations

OZO to Cartel

Premium Member

to Cartel
I remember the time when m$ started bypassing the hosts file for name resolution of some of its own domain names. Here is the list of hardcoded hosts in WXP:

www.msdn.com
msdn.com
www.msn.com
msn.com
go.microsoft.com
msdn.microsoft.com
office.microsoft.com
microsoftupdate.microsoft.com
wustats.microsoft.com
support.microsoft.com
www.microsoft.com
microsoft.com
update.microsoft.com
download.microsoft.com
microsoftupdate.com
windowsupdate.com
windowsupdate.microsoft.com

You can't block the above names with the hosts file. They were all hardcoded in this DLL:
%WINDIR%\system32\dnsapi.dll

Is it still the case with those new spying services now too?

Cartel
Intel inside Your sensitive data outside
Premium Member
join:2006-09-13
Chilliwack, BC

1 edit

1 recommendation

Cartel to iam x

Premium Member

to iam x
said by iam x:

Original article link:
»init.sh/?p=236
"While doing so, I was capturing all the traffic going into and out of the virtual network interface. Some interesting things showed.

During the first run, I simply picked out the DNS queries which were being requested during this process.

Here’s what showed up:

dns.msftncsi.com
ipv6.msftncsi.com
win10.ipv6.microsoft.com
ipv6.msftncsi.com.edgesuite.net
a978.i6g1.akamai.net
win10.ipv6.microsoft.com.nsatc.net
en-us.appex-rf.msn.com
v10.vortex-win.data.microsoft.com
client.wns.windows.com
wildcard.appex-rf.msn.com.edgesuite.net
v10.vortex-win.data.metron.life.com.nsatc.net
wns.notify.windows.com.akadns.net
americas2.notify.windows.com.akadns.net
travel.tile.appex.bing.com
www.bing.com
any.edge.bing.com
fe3.delivery.mp.microsoft.com
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
ssw.live.com
ssw.live.com.nsatc.net
login.live.com
login.live.com.nsatc.net
directory.services.live.com
directory.services.live.com.akadns.net
bl3302.storage.live.com
skyapi.live.net
bl3302geo.storage.dkyprod.akadns.net
skyapi.skyprod.akadns.net
skydrive.wns.windows.com
register.mesh.com
BN1WNS2011508.wns.windows.com
settings-win.data.microsoft.com
settings.data.glbdns2.microsoft.com
OneSettings-bn2.metron.live.com.nsatc.net
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net"

So, if someone does block all these DNS queries, will it break their PC?

Good point.

Block them in your router "Website Filtering Rules"
Or reroute the IPs to invalid hosts.
route ADD destination MASK mask INVALID INVALID INVALID
said by OZO:

I remember the time when m$ started bypassing the hosts file for name resolution of some of its own domain names. Here is the list of hardcoded hosts in WXP:


www.msdn.com
msdn.com
www.msn.com
msn.com
go.microsoft.com
msdn.microsoft.com
office.microsoft.com
microsoftupdate.microsoft.com
wustats.microsoft.com
support.microsoft.com
www.microsoft.com
microsoft.com
update.microsoft.com
download.microsoft.com
microsoftupdate.com
windowsupdate.com
windowsupdate.microsoft.com

You can't block the above names with the hosts file. They were all hardcoded in this DLL:
%WINDIR%\system32\dnsapi.dll

Is it still the case with those new spying services now too?

»Microsoft DNS resolver sabotaged hosts-file lookup?

iam x
Sungazer
Premium Member
join:2005-02-23

iam x to OZO

Premium Member

to OZO
I didn't know that OZO, that's fascinating. So there is no way to block those addresses being contacted by the OS when connected to the internet? (other than modify the hosts file which as you say wouldn't work anyway)

Cartel
Intel inside Your sensitive data outside
Premium Member
join:2006-09-13
Chilliwack, BC

4 edits

1 recommendation

Cartel to iam x

Premium Member

to iam x
moar hosts :hmm:

# [Block M$]
127.0.0.1  dns.msftncsi.com
127.0.0.1  ipv6.msftncsi.com
127.0.0.1  win10.ipv6.microsoft.com
127.0.0.1  ipv6.msftncsi.com.edgesuite.net
127.0.0.1  a978.i6g1.akamai.net
127.0.0.1  win10.ipv6.microsoft.com.nsatc.net
127.0.0.1  en-us.appex-rf.msn.com
127.0.0.1  v10.vortex-win.data.microsoft.com
127.0.0.1  client.wns.windows.com
127.0.0.1  wildcard.appex-rf.msn.com.edgesuite.net
127.0.0.1  v10.vortex-win.data.metron.life.com.nsatc.net
127.0.0.1  wns.notify.windows.com.akadns.net
127.0.0.1  americas2.notify.windows.com.akadns.net
127.0.0.1  travel.tile.appex.bing.com
127.0.0.1  any.edge.bing.com
127.0.0.1  fe3.delivery.mp.microsoft.com
127.0.0.1  fe3.delivery.dsp.mp.microsoft.com.nsatc.net
127.0.0.1  ssw.live.com
127.0.0.1  ssw.live.com.nsatc.net
127.0.0.1  login.live.com.nsatc.net
127.0.0.1  directory.services.live.com
127.0.0.1  directory.services.live.com.akadns.net
127.0.0.1  bl3302.storage.live.com
127.0.0.1  skyapi.live.net
127.0.0.1  bl3302geo.storage.dkyprod.akadns.net
127.0.0.1  skyapi.skyprod.akadns.net
127.0.0.1  skydrive.wns.windows.com
127.0.0.1  register.mesh.com
127.0.0.1  BN1WNS2011508.wns.windows.com
127.0.0.1  settings-win.data.microsoft.com
127.0.0.1  settings.data.glbdns2.microsoft.com
127.0.0.1  OneSettings-bn2.metron.live.com.nsatc.net
127.0.0.1  watson.telemetry.microsoft.com
127.0.0.1  watson.telemetry.microsoft.com.nsatc.net
127.0.0.1  vortex.data.microsoft.com
127.0.0.1  vortex-win.data.microsoft.com
127.0.0.1  telecommand.telemetry.microsoft.com
127.0.0.1  telecommand.telemetry.microsoft.com.nsatc.net
127.0.0.1  oca.telemetry.microsoft.com
127.0.0.1  oca.telemetry.microsoft.com.nsatc.net
127.0.0.1  sqm.telemetry.microsoft.com
127.0.0.1  sqm.telemetry.microsoft.com.nsatc.net
127.0.0.1  redir.metaservices.microsoft.com
127.0.0.1  choice.microsoft.com
127.0.0.1  choice.microsoft.com.nsatc.net
127.0.0.1  df.telemetry.microsoft.com
127.0.0.1  reports.wes.df.telemetry.microsoft.com
127.0.0.1  wes.df.telemetry.microsoft.com
127.0.0.1  services.wes.df.telemetry.microsoft.com
127.0.0.1  sqm.df.telemetry.microsoft.com
127.0.0.1  telemetry.microsoft.com
127.0.0.1  watson.ppe.telemetry.microsoft.com
127.0.0.1  telemetry.appex.bing.net
127.0.0.1  telemetry.urs.microsoft.com
127.0.0.1  telemetry.appex.bing.net:443
127.0.0.1  settings-sandbox.data.microsoft.com
127.0.0.1  vortex-sandbox.data.microsoft.com
127.0.0.1  survey.watson.microsoft.com
127.0.0.1  watson.live.com
127.0.0.1  watson.microsoft.com
127.0.0.1  statsfe2.ws.microsoft.com
127.0.0.1  corpext.msitadfs.glbdns2.microsoft.com
127.0.0.1  compatexchange.cloudapp.net
127.0.0.1  cs1.wpc.v0cdn.net
127.0.0.1  a-0001.a-msedge.net
127.0.0.1  statsfe2.update.microsoft.com.akadns.net
127.0.0.1  sls.update.microsoft.com.akadns.net
127.0.0.1  fe2.update.microsoft.com.akadns.net
127.0.0.1  diagnostics.support.microsoft.com
127.0.0.1  corp.sts.microsoft.com
127.0.0.1  statsfe1.ws.microsoft.com
127.0.0.1  pre.footprintpredict.com
127.0.0.1  i1.services.social.microsoft.com
127.0.0.1  i1.services.social.microsoft.com.nsatc.net
127.0.0.1  feedback.windows.com
127.0.0.1  feedback.microsoft-hohm.com
127.0.0.1  feedback.search.microsoft.com
127.0.0.1  preview.msn.com
127.0.0.1  ad.doubleclick.net
127.0.0.1  ads.msn.com
127.0.0.1  ads1.msads.net
127.0.0.1  a.ads1.msn.com
127.0.0.1  a.ads2.msn.com
127.0.0.1  adnexus.net
127.0.0.1  adnxs.com
127.0.0.1  az361816.vo.msecnd.net
127.0.0.1  az512334.vo.msecnd.net
# [End Block M$]
 

Not sure if adding these will help or not....

127.0.0.1 NS1.MSFT.NET
127.0.0.1 NS2.MSFT.NET
127.0.0.1 NS3.MSFT.NET
127.0.0.1 NS4.MSFT.NET
127.0.0.1 NS5.MSFT.NET
OZO
Premium Member
join:2003-01-17

1 recommendation

OZO to iam x

Premium Member

to iam x
said by iam x:

I didn't know that OZO, that's fascinating. So there is no way to block those addresses being contacted by the OS when connected to the internet? (other than modify the hosts file which as you say wouldn't work anyway)

In case the OS prevents you from blocking some specific hosts, there is only one way to deal with it: use another (third-party) device. E.g. if your router has a firewall (many do), you may block those connections with your router.

BTW, it's just yet another example of why one should be a bit more skeptical of suggestions to simply set "not-spy-me" options in Windows 10. That may not help. If m$ wants to track you now, they have all the cards in their hands to do so. In this case you'll need a third-party device (router), or go back and use an older version of Windows OS, or replace Windows 10 entirely with something more trustworthy (Linux, Mac, etc)...

balloonshark
Lets Go Mountaineers
join:2006-08-11
WV

balloonshark to iam x

Member

to iam x
Does anyone know what "Vortex" does? I'm seeing this thing connecting in Windows 8.1. According to Online Armor firewall it connects to Singapore. This is one of the IPs it uses: 111.221.29.254 port 443.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

1 recommendation

NormanS

MVM

said by balloonshark:

Does anyone know what "Vortex" does?

Ironic name, perhaps? A whirlpool is an example of a vortex. They tend to suck everything up; like your personally identifying bits.
maffle
join:2015-08-11

maffle

Member

Could someone please post a list (easy to copy out too), which won't block normal services like mail, weather, Skype, and OneDrive. I used the list posted by Cartel, and now OneDrive isn't working anymore.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS

MVM

I guess I am confused. Do you want to minimize your loss of privacy? Or do you like the convenience of OneDrive? Maybe there is another, less invasive cloud storage service than OneDrive; but MSFT is going to track and sell if you use their service. Period.

FWIW, I am trying to ensure that OneDrive, OneNote, and Cortana are reined in on my system. I am not confident that I can break those things, but I am trying.

But, if you chose Windows 10 for the convenience of the cloud services, you should not be trying to block MSFT in your hosts file.

balloonshark
Lets Go Mountaineers
join:2006-08-11
WV

balloonshark to NormanS

Member

to NormanS
said by NormanS:

said by balloonshark:

Does anyone know what "Vortex" does?

Ironic name, perhaps? A whirlpool is an example of a vortex. They tend to suck everything up; like your personally identifying bits.

When I saw the name Vortex I was thinking the same thing. It sounds like a project code name used by a 3 lettered agency.

EGeezer
Premium Member
join:2002-08-04
Midwest

2 recommendations

EGeezer to balloonshark

Premium Member

to balloonshark
It's part of Microsoft's diagnostic tracking;

This update introduces the Diagnostics and Telemetry tracking service to existing devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.

The 'benefits' aren't clearly specified ...

See »support.microsoft.com/en ··· /3068708

Here's the lookup for the IP address;

inetnum: 111.221.29.0 - 111.221.29.255
netname: Microsoft
descr: Microsoft
descr: Microsoft Corp, Singapore
country: SG
admin-c: MP234-AP
tech-c: SC1001-AP
status: ALLOCATED PORTABLE

I've gotten to the point where I have to read the KB articles on every optional update, since they're putting more data gathering patches on WIN 8.1.

Until Windows 10 gets better feedback, especially on the default sharing configurations, I think I'll pass on it and 'optional' updates that have to do with 'future versions/features of Windows'.

I long for the days when Windows was an operating system as opposed to a data gathering, information sharing, network sharing P2P marketing tool.

IOS may be no better, but at least user feedback tells me it's more stable.

Ian1
Premium Member
join:2002-06-18
ON

3 recommendations

Ian1 to iam x

Premium Member

to iam x
I am not sure quite what to make of these lists and utilities to stop Windows 10 from working as intended (as spyware). I think if the spying bothers you, there needs to be a very large motivating reason to install it in the first place. Playing whack-a-mole with DNS and hosts files and services for the next few years sounds annoying at best. Every new update runs the risk of "fixing" your settings. My 2 cents anyway.

ballmers
@teksavvy.com

ballmers to balloonshark

Anon

to balloonshark
It's not even what you see, it's what you don't - games saving data to cloud hosts (crashlogs with full memory dumps), applications completely ignoring system resolvers (your host file overrides) for certain assets.

Abusing CDNs like Akamai since you can't really block them without affecting other things. Lack of network transparency.

Forcing SSL validation, thus preventing inspection. On one hand it should be more secure, on the other it also means they can hide behind SSL.

The list is long, the tactics are not new, it's just that no one was dumb enough to do it publicly, let alone make a profit off it.

The average person pretty much cannot get away from cloud services be it Google or Microsoft without what in any other context would be considered state sponsored level of censorship. Kind of ironic.

Something I've long since done is given up blocking specific hosts or addresses - it's an arms race we joke about other three letter agencies doing. They know it doesn't work but can say they are doing something.

The answer for now is to block companies outright that refuse even the most basic privacy. For me this is done on several levels from firewall to dns. At the moment that list is 71 domains (4 of which are Mozilla properties) and ~30 networks that are null routed entirely. Even that kids, is only a start.

So you can block those networks from Windows 10 all you want, it won't really gain you much if at the end of the day you install it anyway.

balloonshark
Lets Go Mountaineers
join:2006-08-11
WV

1 recommendation

balloonshark to EGeezer

Member

to EGeezer
Thanks for your reply EGeezer. Your information answered a question bugging me for a couple of months. I saw both the vortex and settings svchost.exes connecting to Singapore and they both were mentioned in the link you kindly provided.

I wonder if the info goes to Singapore to skirt US laws? At any rate I'm going to either uninstall the update or pay more attention to what program I have running when it connects out. I have auto updates disabled, I don't use apps and I normally go through settings or options on anything I install to disable updates and any data collecting.

I also long for a simple OS that does what I tell it to and nothing else. I guess I'm going to switch teams in the future.

EGeezer
Premium Member
join:2002-08-04
Midwest

2 recommendations

EGeezer

Premium Member

I can't speak to the reason for the Singapore data issue, but I do agree that you could uninstall the patch as long as you still have the uninstall files on your system.

I have a significant concern when defaults are set to share in home and professional versions of Windows. I have customers with sensitive data and now we have to worry about spending hours or days plugging unneeded holes and shutting off unneeded services to protect business data, only to have a patch or update install automatically and/or switch them back on again.

I'm hoping that after all is said and done, there will be some user-friendly consideration, default settings and tools for people who prefer - or are legally obligated to - secure against sharing their networks, system storage and information.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to iam x

Member

to iam x
Break, no; stop updates, yes, if you block the wrong one. Same for live and bing.
maffle
join:2015-08-11

maffle

Member

Because Windows 10 is the best, fastest, most supported (non real-time) OS out today, that's reason enough to use it. It's one totally different thing to be spied on, though, which you cannot deactivate. And it's again a totally different thing to use OneDrive. So could someone now please tell which of those dns entries are for OneDrive? Thank you
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

I would say leave anything live.com such as login, skyapi etc. OneDrive aka SkyDrive or LiveDrive is part of Windows Live (live.com). If in doubt, try entering the URL into your browser.
maffle
join:2015-08-11

maffle

Member

So every dns with live in its name? Also skyapi.live.net?

ssw.live.com
ssw.live.com.nsatc.net
login.live.com.nsatc.net
directory.services.live.com
directory.services.live.com.akadns.net
bl3302.storage.live.com
skyapi.live.net
OneSettings-bn2.metron.live.com.nsatc.net
watson.live.com

? I don't want to activate more than I have to.

Chubbzie
join:2014-02-11
Greenville, NC

1 recommendation

Chubbzie

Member

Fire up TCPView from MS/Sysinternals and watch what connections spawn when launching & using OneDrive. That should give you the exact servers you need.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to maffle

Member

to maffle
Disable 1 or 2 at a time till it won't work, then simply re-enable. Any with login or log on will be related to one of the live services.
bennor
Premium Member
join:2006-07-22
New Haven, CT

bennor to maffle

Premium Member

to maffle
said by maffle:

Could someone please post a list (easy to copy out too), which won't block normal services like mail, weather, Skype, and OneDrive. I used the list posted by Cartel, and now OneDrive isn't working anymore.

Hopefully someone (has anyone?) somewhere will compile one full list (and keep it updated) and break that list down into groups so one can selectively block them in their host file if they want to keep certain features like OneDrive available.

I've seen several different sets of IP lists posted to various websites. Often there is overlap between each of the lists.
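
The grouped, selectively blockable list asked for above, as an added example (not code from any poster in this thread): it parses a pasted hosts block, drops entries a hosts file cannot honour (a name with a `:443` port suffix, case-only duplicates), and rebuilds the block with the `0.0.0.0` sink while leaving chosen groups or names unblocked. The group patterns and the sample input are assumptions constructed for illustration, not a vetted map of which names OneDrive needs.

```python
import re

# Constructed sample: entries taken from the hosts block posted in this
# thread (including its port-suffixed line) plus one constructed
# lower-case duplicate and login.live.com.
SAMPLE_HOSTS = """\
# [Block M$]
127.0.0.1  watson.telemetry.microsoft.com
127.0.0.1  telemetry.appex.bing.net
127.0.0.1  telemetry.appex.bing.net:443
127.0.0.1  ssw.live.com.nsatc.net
127.0.0.1  skyapi.live.net
127.0.0.1  BN1WNS2011508.wns.windows.com
127.0.0.1  bn1wns2011508.wns.windows.com
127.0.0.1  login.live.com
# [End Block M$]
"""

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Hypothetical grouping rules (an assumption, not a vetted service map).
GROUPS = [
    ("live", re.compile(r"(^|\.)live\.(com|net)(\.|$)")),
    ("telemetry", re.compile(r"(^|\.)telemetry\.")),
]


def parse_hosts(text):
    """Return (names, rejected): unique lower-cased names in file order,
    and (original line, reason) pairs for entries that were dropped."""
    names, rejected, seen = [], [], set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:          # fields[0] is the address column
            name = name.lower().rstrip(".")
            labels = name.split(".")
            if len(name) > 253 or not all(LABEL.match(l) for l in labels):
                rejected.append((raw, "not a valid host name"))
            elif name in seen:           # host names are case-insensitive
                rejected.append((raw, "duplicate"))
            else:
                seen.add(name)
                names.append(name)
    return names, rejected


def group_of(name):
    """Name of the first group whose pattern matches, else 'other'."""
    for group, pattern in GROUPS:
        if pattern.search(name):
            return group
    return "other"


def build_block(names, keep_groups=(), keep_names=(), sink="0.0.0.0"):
    """Hosts lines for every name not exempted by group or exact name."""
    keep = {n.lower() for n in keep_names}
    return [f"{sink} {n}" for n in names
            if n not in keep and group_of(n) not in keep_groups]


if __name__ == "__main__":
    names, rejected = parse_hosts(SAMPLE_HOSTS)
    for raw, reason in rejected:
        print(f"dropped ({reason}): {raw.strip()}")
    print("\n".join(build_block(names, keep_groups={"live"})))
```

Exempting a whole group is coarse; the per-connection check with TCPView suggested earlier in the thread is how to confirm which names a given service actually uses before adding them to `keep_names`.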

Tursiops_G
Technoid
MVM
join:2002-02-06
Brooksville, FL

Tursiops_G

MVM

A "Top 10" or "Top 15" list would be nice, as many Routers have a limited number of slots for web-blocking via URL...
gnome84
join:2014-04-12
Saint Paul, MN

1 edit

gnome84 to iam x

Member

to iam x
If I'm not mistaken, Windows 7 did not do this on boot up it makes a number of UDP connections to the primary DNS to allow for Windows updates to occur. There certainly weren't this many DNS lookups.

Perhaps something like Sphinx firewall control can show the initiating process; however, if something like msdll is requesting the DNS queries it might as well be a virus.

Many of those connections look Skype-related; however, I was under the impression that Skype did not rely on DNS. Perhaps 10 changed this.
19579823 (banned)
An Awesome Dude
join:2003-08-04

2 recommendations

19579823 (banned) to MeDuZa

Member

to MeDuZa
said by MeDuZa :
Redirecting to 0.0.0.0 is better (faster) than redirecting to 127.0.0.1.
Indeed it is!!!!!

I have been directing to 0 for years...