5 recommendations |
Complete Win10 blocking host file.

Here's a host file of every telemetry/spying aspect of Windows 10 we've found in the lab. It's taken us over 3 months of logging to gather all of these. In addition Microsoft added a couple recently which are on here (and probably nobody else has found yet). Replace your hosts file with it or add these domains to your UTM/NGFW/Router on the edge.
Note: To the best of our testing these do not break core Windows functionality either in the home or enterprise environment. These do not block Windows updates nor do they impact the activation/license checks for Windows. Those IPs were specifically excluded. However I can't guarantee 100% there won't be 'something' coming up. But we've tested this on 18 systems of various configurations/networks without issue. A couple deployed at Fortune 500 firms to test these blocks and they were fine. If we have missed any I'd be curious to know, but no sniffing has revealed any missed ones over the last couple of months except the new ones MS sneaked in on an update which we added.
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      0.0.0.0 rhino.acme.com          # source server
#      0.0.0.0 x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

0.0.0.0 134.170.30.202
0.0.0.0 137.116.81.24
0.0.0.0 204.79.197.200
0.0.0.0 23.218.212.69
0.0.0.0 23.218.212.69
0.0.0.0 65.39.117.230
0.0.0.0 65.55.108.23
0.0.0.0 a.ads1.msn.com
0.0.0.0 a.ads2.msads.net
0.0.0.0 a.ads2.msn.com
0.0.0.0 a.rad.msn.com
0.0.0.0 a-0001.a-msedge.net
0.0.0.0 a-0002.a-msedge.net
0.0.0.0 a-0003.a-msedge.net
0.0.0.0 a-0004.a-msedge.net
0.0.0.0 a-0005.a-msedge.net
0.0.0.0 a-0006.a-msedge.net
0.0.0.0 a-0007.a-msedge.net
0.0.0.0 a-0008.a-msedge.net
0.0.0.0 a-0009.a-msedge.net
0.0.0.0 ac3.msn.com
0.0.0.0 ad.doubleclick.net
0.0.0.0 adnexus.net
0.0.0.0 adnxs.com
0.0.0.0 ads.msn.com
0.0.0.0 ads1.msads.net
0.0.0.0 ads1.msn.com
0.0.0.0 aidps.atdmt.com
0.0.0.0 aka-cdn-ns.adtech.de
0.0.0.0 a-msedge.net
0.0.0.0 apps.skype.com
0.0.0.0 az361816.vo.msecnd.net
0.0.0.0 az512334.vo.msecnd.net
0.0.0.0 b.ads1.msn.com
0.0.0.0 b.ads2.msads.net
0.0.0.0 b.rad.msn.com
0.0.0.0 bs.serving-sys.com
0.0.0.0 c.atdmt.com
0.0.0.0 c.msn.com
0.0.0.0 cs1.wpc.v0cdn.net
0.0.0.0 rpt.msn.com
0.0.0.0 arc.msn.com
0.0.0.0 flex.msn.com
0.0.0.0 g.msn.com
0.0.0.0 h1.msn.com
0.0.0.0 cdn.atdmt.com
0.0.0.0 cds26.ams9.msecn.net
0.0.0.0 choice.microsoft.com
0.0.0.0 choice.microsoft.com.nsatc.net
0.0.0.0 compatexchange.cloudapp.net
0.0.0.0 corp.sts.microsoft.com
0.0.0.0 corpext.msitadfs.glbdns2.microsoft.com
0.0.0.0 db3aqu.atdmt.com
0.0.0.0 df.telemetry.microsoft.com
0.0.0.0 diagnostics.support.microsoft.com
0.0.0.0 ec.atdmt.com
0.0.0.0 edge.quantserve.com
0.0.0.0 fe2.update.microsoft.com.akadns.net
0.0.0.0 feedback.microsoft-hohm.com
0.0.0.0 feedback.search.microsoft.com
0.0.0.0 feedback.windows.com
0.0.0.0 fpt.live-partner.com
0.0.0.0 i1.services.social.microsoft.com
0.0.0.0 i1.services.social.microsoft.com.nsatc.net
0.0.0.0 lb1.www.ms.akadns.net
0.0.0.0 live.rads.msn.com
0.0.0.0 m.adnxs.com
0.0.0.0 m.hotmail.com
0.0.0.0 msedge.net
0.0.0.0 msnbot-65-55-108-23.search.msn.com
0.0.0.0 msntest.serving-sys.com
0.0.0.0 oca.telemetry.microsoft.com
0.0.0.0 oca.telemetry.microsoft.com.nsatc.net
0.0.0.0 onesettings-bn2.metron.live.com.nsatc.net
0.0.0.0 onesettings-cy2.metron.live.com.nsatc.net
0.0.0.0 onesettings-db5.metron.live.com.nsatc.net
0.0.0.0 onesettings-hk2.metron.live.com.nsatc.net
0.0.0.0 pre.footprintpredict.com
0.0.0.0 preview.msn.com
0.0.0.0 pricelist.skype.com
0.0.0.0 rad.live.com
0.0.0.0 rad.msn.com
0.0.0.0 redir.metaservices.microsoft.com
0.0.0.0 reports.wes.df.telemetry.microsoft.com
0.0.0.0 s.gateway.messenger.live.com
0.0.0.0 s0.2mdn.net
0.0.0.0 schemas.microsoft.akadns.net
0.0.0.0 secure.adnxs.com
0.0.0.0 secure.flashtalking.com
0.0.0.0 services.wes.df.telemetry.microsoft.com
0.0.0.0 settings.data.glbdns2.microsoft.com
0.0.0.0 settings-sandbox.data.microsoft.com
0.0.0.0 settings-win.data.microsoft.com
0.0.0.0 sls.update.microsoft.com.akadns.net
0.0.0.0 sqm.df.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com.nsatc.net
0.0.0.0 ssw.live.com
0.0.0.0 static.2mdn.net
0.0.0.0 statsfe1.ws.microsoft.com
0.0.0.0 statsfe2.update.microsoft.com.akadns.net
0.0.0.0 statsfe2.ws.microsoft.com
0.0.0.0 survey.watson.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
0.0.0.0 telemetry.appex.bing.net
0.0.0.0 telemetry.appex.bing.net:443
0.0.0.0 telemetry.microsoft.com
0.0.0.0 telemetry.urs.microsoft.com
0.0.0.0 v10.vortex-win.data.microsoft.com
0.0.0.0 v10.vortex-win.data.metron.live.com.nsatc.net
0.0.0.0 view.atdmt.com
0.0.0.0 vortex.data.glbdns2.microsoft.com
0.0.0.0 vortex.data.microsoft.com
0.0.0.0 vortex.data.metron.live.com.nsatc.net
0.0.0.0 vortex-bn2.metron.live.com.nsatc.net
0.0.0.0 vortex-cy2.metron.live.com.nsatc.net
0.0.0.0 vortex-db5.metron.live.com.nsatc.net
0.0.0.0 vortex-hk2.metron.live.com.nsatc.net
0.0.0.0 vortex-sandbox.data.microsoft.com
0.0.0.0 vortex-win.data.microsoft.com
0.0.0.0 vortex-win.data.metron.live.com.nsatc.net
0.0.0.0 watson.live.com
0.0.0.0 watson.microsoft.com
0.0.0.0 watson.ppe.telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com.nsatc.net
0.0.0.0 wes.df.telemetry.microsoft.comnet
0.0.0.0 wes.df.telemetry.microsoft.com
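Before pushing a list like this to a fleet it is worth linting it, because several replies in this thread point out entries a HOSTS file cannot act on. The following is an added example, not code from the thread or from Microsoft: it parses a HOSTS-style blocklist and flags a host-name column that is really an IPv4 literal (the resolver never maps one IP to another), a ':port' suffix (HOSTS has no notion of ports), a target that redirects rather than black-holes, and duplicate entries. SAMPLE is a constructed excerpt of the posted list.

```python
"""Lint a Windows-style HOSTS blocklist before deploying it.

Added example; not code from the thread or from Microsoft.  It checks the
problems raised in the replies: a "host name" field that is really an IPv4
address, a ':port' suffix, a non-blackhole target, and duplicate entries.
SAMPLE is constructed from a handful of the posted lines.
"""
import ipaddress
import re
from collections import Counter

# Host-name syntax check: letters, digits and hyphens, dot separated labels.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$", re.I)

# Targets that make an entry a black hole rather than a redirect.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

SAMPLE = """\
# constructed sample, copied from the posted list
0.0.0.0 134.170.30.202
0.0.0.0 23.218.212.69
0.0.0.0 23.218.212.69
0.0.0.0 a-0001.a-msedge.net
0.0.0.0 telemetry.appex.bing.net
0.0.0.0 telemetry.appex.bing.net:443
0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
127.0.0.1 localhost
"""


def parse_hosts(text):
    """Return (line_no, target, name) for every name on every non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not body:
            continue
        fields = body.split()
        if len(fields) == 1:
            entries.append((line_no, fields[0], None))   # target with no name
        for name in fields[1:]:                 # HOSTS allows several names per line
            entries.append((line_no, fields[0], name))
    return entries


def lint_hosts(text):
    """Return a list of (line_no, problem) findings; an empty list means clean."""
    findings = []
    seen = Counter()
    for line_no, target, name in parse_hosts(text):
        if name is None:
            findings.append((line_no, "missing host name"))
            continue
        try:
            ipaddress.ip_address(target)
        except ValueError:
            findings.append((line_no, f"target {target!r} is not an IP address"))
        if target not in BLACKHOLE:
            findings.append((line_no, f"target {target} redirects instead of blocking"))
        try:
            ipaddress.ip_address(name)
        except ValueError:
            pass
        else:
            findings.append((line_no, f"{name!r} is an IP literal; HOSTS cannot block an IP"))
            continue
        if ":" in name:
            findings.append((line_no, f"{name!r} carries a port; HOSTS ignores ports"))
            continue
        if not HOSTNAME_RE.match(name):
            findings.append((line_no, f"{name!r} is not a valid host name"))
            continue
        seen[name.lower()] += 1
        if seen[name.lower()] > 1:
            findings.append((line_no, f"duplicate entry for {name}"))
    return findings


def clean_hosts(text):
    """Return the usable entries, one per line, with flagged lines dropped."""
    bad = {line_no for line_no, _ in lint_hosts(text)}
    kept = []
    for line_no, target, name in parse_hosts(text):
        if line_no not in bad and name is not None:
            kept.append(f"{target} {name}")
    return kept


if __name__ == "__main__":
    for line_no, problem in lint_hosts(SAMPLE):
        print(f"line {line_no}: {problem}")
    print("\n".join(clean_hosts(SAMPLE)))
```

Run it against the full file saved to disk by replacing SAMPLE with the file contents; the lines it drops (bare IPs, the :443 entry) are exactly the ones that have to move to the router or firewall, where they can actually be enforced.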
|
8 recommendations |
said by Itguy2016: Here's a host file of every telemetry/spying aspect of Windows 10 we've found in the lab. ...
If I remember correctly, if you block them in the hosts file Windows puts out errors in the log and then silently queries the DNS and connects nevertheless. This file should be set in the router's kill file, not on the Windows machine itself.
|
DonoftheDead (Old diver) Premium Member join:2004-07-12 Clinton, WA
2 recommendations |
to Itguy2016
Thanks for that. Will put in my router. Easier that way than putting it in each machine. I assume the telemetry crap for W10 is the same crap they've been trying to "update" W7/8.1 with. I can't believe how long that list is! WTF!
|
1 recommendation |
to Itguy2016
I have noticed some of that telemetry stuff even on my Win XP computer, recently.. I have noticed it, sometimes, when viewing MS webpages, where my firewall log showed that it blocked some connections to "Microsoft Asian Data Centers in Singapore": » www.robtex.com/en/adviso ··· /29/254/
I have heard that the connections cannot be blocked with a HOSTS file, that they are "hardcoded" into Windows..
|
2 recommendations |
to Black Box
said by Black Box:
  said by Itguy2016: Here's a host file of every telemetry/spying aspect of Windows 10 we've found in the lab. ...
  If I remember correctly, if you block them in the hosts file Windows puts out errors in the log and then silently queries the DNS and connects nevertheless. This file should be set in the router's kill file, not on the Windows machine itself.
This is true in 'some' cases, which is why you see the IP entries at the top. Those are the ones we isolated that MS falls back to. They don't fall back on every telemetry action blocked, rather they have a few they 'enforce'. So we blocked the DNS entries for those as well. But you are correct, it is possible they will alter this in the future. As a result it is recommended to enter these into your blocklists in your router/UTM/NGFW. In the event a user doesn't have a proper router to do this the host file is a good temporary solution until a proper router is deployed. Part of the reason the list is long is Microsoft has attempted to circumvent some 'common' blocking by adding additional entries. rpt.msn.com and arc.msn.com are two new ones that appeared just recently. We can assume rpt = report, and blocking it seems to have no negative side effects.
|
siljaline (I'm lovin' that double wide) Premium Member join:2002-10-12 Montreal, QC
2 recommendations |
to Itguy2016
Someone will add lines to a current Hosts file or run it independently but I suspect it will slow even a fast PC due to its sheer size aimed at Win 10 Telemetry only - but I may be wrong. I'm the one that's socially shared this as there are surely others that will want to play with these entries.
|
Blackbird (Built for Speed) Premium Member join:2005-01-14 Fort Wayne, IN
5 recommendations |
to Itguy2016
129 telemetry/spying URL entries (excluding one of the two duplicates in the list at positions 4 & 5) simply to 'report' on an OS is outrageous. Microsoft has turned their OS into little more than a gigantic data reporting siphon. It's clear that once this OS is installed on a user's computer, Microsoft views it as their computer, entitling them to know every conceivable thing that's happening with it. The best part for Microsoft is that the users pay for the hardware, the Internet report-traffic loading, and in many cases the OS itself. The day can't be far off when Microsoft will start telling users what they can and cannot do with Microsoft's computer. /rant |
|
1 recommendation |
to Itguy2016
I had the idea that the data was being collected just so "the NSA" will know what vulnerabilities are available for attacking, if desired..
|
Ray (Mahnahmahna) Premium Member join:2001-04-02 85120
1 recommendation |
to Itguy2016
quote:
  0.0.0.0 telemetry.appex.bing.net
  0.0.0.0 telemetry.appex.bing.net:443
I don't believe the hosts file understands port numbers (:443, which is https), just host names, so the second line there should not be needed. I also don't recall it translating one IP to another, so I don't think those first few lines will do anything, either.
|
sporky
Anon
2016-Apr-2 3:24 pm
is there a way to write a bat file that will create outbound blocking rules on windows firewall for these IPs? |
|
DonoftheDead (Old diver) Premium Member join:2004-07-12 Clinton, WA
1 recommendation |
I was thinking the same thing, but I suspect that MS would just use updates to reset the firewall. Their sense of ethics seems to be almost nonexistent at this point. |
|
4 recommendations |
to Itguy2016
....(yaawwn) |
|
19579823 (banned) (An Awesome Dude) join:2003-08-04
1 recommendation |
to Black Box
quote: This file should be set in the router's kill file, not on the Windows machine itself.
Yes I imagine so!! -- Windows will probably take the stuff out automatically!! (Unless you mark the file READ ONLY and then reboot instantly) |
|
trparky Premium Member join:2000-05-24 Cleveland, OH
1 recommendation |
to Itguy2016
Does this break user logins with Microsoft accounts? OneDrive? OneNote OneDrive syncing? |
|
Cartel (Intel inside, Your sensitive data outside) Premium Member join:2006-09-13 Chilliwack, BC
1 recommendation |
to Itguy2016
Not so sure about IPs in the hosts file (the hosts file only blocks an IP address tied to a host name) but it's gotta start like this:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
127.0.0.1 localhost
::1 localhost #[IPv6]

# Important!
0.0.0.0 0.0.0.0 # fix for network status and diagnostic tools
|
1 recommendation |
to Blackbird
said by Blackbird: 129 telemetry/spying URL entries (excluding one of the two duplicates in the list at positions 4 & 5) simply to 'report' on an OS is outrageous. Microsoft has turned their OS into little more than a gigantic data reporting siphon. It's clear that once this OS is installed on a user's computer, Microsoft views it as their computer, entitling them to know every conceivable thing that's happening with it. The best part for Microsoft is that the users pay for the hardware, the Internet report-traffic loading, and in many cases the OS itself. The day can't be far off when Microsoft will start telling users what they can and cannot do with Microsoft's computer. /rant
Windows 10 is a keylogger based on the telemetry we've seen going on. Some pretty substantial file sizes containing data that looks like sentence grabs. Maybe to help prediction, but still - scary. I haven't found hosts files to slow a PC except in the case of VERY large ones. 129 isn't actually that large in comparison to third party ones like MVPS which can run thousands of lines, and slow DNS resolution. Nobody should notice any difference. Personally, I block them in HOSTS and on the UTM/NGFW/Router, that way a machine is well protected internally and externally if the device is taken offsite to an unprotected network. Also loopback isn't needed in host files after Windows Vista, so this hosts file is correct in that regard. If you run old versions of Windows before 7 you will need the loopbacks.
|
to Itguy2016
Sorry, I don't want to interfere in this topic, but can someone explain to me how you block an IP address (or a bunch) using a HOSTS file? In my mind the HOSTS file is used to block domain names by blocking DNS resolution, but trying to block an IP in decimal format goes through (no DNS needed).
said by Itguy2016:
  # Additionally, comments (such as these) may be inserted on individual
  # lines or following the machine name denoted by a '#' symbol.
  # For example:
  #
  #      0.0.0.0 rhino.acme.com          # source server
  #      0.0.0.0 x.acme.com              # x client host
  # localhost name resolution is handled within DNS itself.
  #	127.0.0.1       localhost
  #	::1             localhost
  0.0.0.0 134.170.30.202
  0.0.0.0 137.116.81.24
  0.0.0.0 204.79.197.200
  0.0.0.0 23.218.212.69
  0.0.0.0 23.218.212.69
  0.0.0.0 65.39.117.230
  0.0.0.0 65.55.108.23
  0.0.0.0 a.ads1.msn.com
  0.0.0.0 a.ads2.msads.net
  0.0.0.0 a.ads2.msn.com
  0.0.0.0 a.rad.msn.com
  0.0.0.0 a-0001.a-msedge.net
Thanks
|
(Software) OPNsense Ubiquiti UniFi UAP-AC-PRO
2 recommendations |
to 19579823
said by 19579823:
  quote: This file should be set in the router's kill file, not on the Windows machine itself.
  Yes I imagine so!! -- Windows will probably take the stuff out automatically!! (Unless you mark the file READ ONLY and then reboot instantly)
If you think Windows can/will do that, what makes you think marking it read only would do anything?
|
Napsterbater
1 recommendation |
to Old Computer8
said by Old Computer8: can explain me how do you block an IP address (or a bunch) using a HOSTS file. ?
You can't, not with the hosts file; it's for hard-coding DNS names to IPs locally.
|
dave Premium Member join:2000-05-04 not in ohio
1 recommendation |
to Old Computer8
quote: Sorry I don't want to interfere into this topic, but can someone can explain me how do you block an IP address (or a bunch) using a HOSTS file. ?
First answer: You can't.
Second answer: It might work sometimes. I've probably written code that works like this:

    // given 'address_or_name' string
    if looking up address_or_name as a name returns successfully:
        use the resulting address;
    else
        parse address_or_name as an address;

So, if it's coded like that -and- the standard lookup function blindly treats the second thing on a hosts line as a 'name', then you can do address mapping. Of course, I've also written code like:

    // given 'address_or_name' string
    if address_or_name can be parsed as an address:
        use the supplied address;
    else
        lookup address_or_name as a name;
        if successful: use the resulting address
|
to Itguy2016
said by sporky: is there a way to write a bat file that will create outbound blocking rules on windows firewall for these IPs?
Windows routing, perhaps? i.e. route add (destination) mask (subnet mask) (gateway) metric (costmetric) if (interface)
said by Old Computer8: but can someone can explain me how do you block an IP address (or a bunch) using a HOSTS file. ?
2nd previous posters, that's not what a HOSTS file does.
My 00000010 bits
Regards
|
Hitron CDA3 (Software) OpenBSD + pf
|
to sporky
said by sporky: is there a way to write a bat file that will create outbound blocking rules on windows firewall for these IPs?

    netsh advfirewall firewall add rule name="Block Outbound Telemetry" dir=out action=block remoteip=ip,ip,iprange-iprange,ip

Netsh AdvFirewall Firewall Commands
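Sporky asked for a .bat file, and the bare-IP lines at the top of the posted list are precisely the ones a HOSTS file cannot touch, so the two fit together. The following is an added example, not code from the thread or from Microsoft: it picks the IP literals out of a HOSTS-style list and renders the netsh command quoted above into a batch file. The rule name is an assumption and SAMPLE is a constructed excerpt of the posted list; the delete-then-add pattern is there so the file can simply be re-run if an update resets the firewall, as DonoftheDead worried it might.

```python
"""Generate Windows Firewall outbound block rules from a HOSTS blocklist.

Added example; not code from the thread or from Microsoft.  A HOSTS file
cannot block a bare IP address, so this picks out exactly those lines and
emits 'netsh advfirewall firewall add rule' commands wrapped as a .bat file
that is safe to re-run (it deletes the previous rule of the same name first).
The rule name and SAMPLE are constructed.
"""
import ipaddress

SAMPLE = """\
# constructed sample, copied from the posted list
0.0.0.0 134.170.30.202
0.0.0.0 137.116.81.24
0.0.0.0 204.79.197.200
0.0.0.0 23.218.212.69
0.0.0.0 23.218.212.69
0.0.0.0 65.39.117.230
0.0.0.0 65.55.108.23
0.0.0.0 a.ads1.msn.com
0.0.0.0 a-0001.a-msedge.net
"""


def ip_targets(hosts_text):
    """Return the unique IP literals that appear in the host-name column."""
    ips = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            try:
                ip = str(ipaddress.ip_address(name))
            except ValueError:
                continue                     # a real host name: leave it to HOSTS
            if ip not in ips:                # keep order, drop duplicates
                ips.append(ip)
    return ips


def netsh_commands(hosts_text, rule_name="Block Outbound Telemetry", per_rule=50):
    """Build the netsh lines: one delete for idempotence, then the add rules.

    netsh takes a comma-separated remoteip list; splitting it into chunks of
    per_rule addresses keeps each command line comfortably short.
    """
    ips = ip_targets(hosts_text)
    lines = [f'netsh advfirewall firewall delete rule name="{rule_name}"']
    for i in range(0, len(ips), per_rule):
        chunk = ",".join(ips[i:i + per_rule])
        lines.append(
            f'netsh advfirewall firewall add rule name="{rule_name}" '
            f'dir=out action=block remoteip={chunk} enable=yes')
    return lines


def batch_file(hosts_text, rule_name="Block Outbound Telemetry"):
    """Render the commands as a CRLF-terminated .bat file body."""
    body = ["@echo off", "rem run from an elevated command prompt"]
    body += netsh_commands(hosts_text, rule_name)
    return "\r\n".join(body) + "\r\n"


if __name__ == "__main__":
    print(batch_file(SAMPLE), end="")
```

The delete step reports "No rules match" the first time and is harmless; after that each run replaces the rule set wholesale, so adding or removing an address in the list is a matter of regenerating and re-running the file.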
|
1 recommendation |
to DonoftheDead
Just out of curiosity, what kind of router has a 'kill file'? I can't find anything like that in the menus of my Linksys router. Would this be on an industrial grade multithousand dollar router? |
|
sd70mac Premium Member join:2015-10-18 Woodstock, IL Netgear CM1200 Linksys WRT1900ACS Ooma Telo
1 recommendation |
2016-Apr-8 12:10 am
said by ampexperts: Just out of curiosity, what kind of router has a 'kill file'? I can't find anything like that in the menus of my Linksys router. Would this be on an industrial grade multithousand dollar router?
My Netgear router has a filtering section that allows website blocking. So did my old one I was using for an access point. I know that expensive industry-grade routers definitely have this feature, too.
|
lorennerol Premium Member join:2003-10-29 Seattle, WA
1 recommendation |
to Itguy2016
My understanding is that MS hard-coded some of these translations into dns.dll, so attempting to block them via a hosts file won't work; they're resolved via the DLL.
If this is so, the IPs would have to be blocked at the software firewall or router. |
|
SipSizzurp (Fo' Shizzle) Premium Member join:2005-12-28 Houston, TX
1 recommendation |
to ampexperts
said by ampexperts: .. what kind of router has a 'kill file'?
An ASUS RT-N16 with Tomato firmware would do very nicely. You can block access to specific IP addresses and ranges of addresses. Router is approx $80. Tomato firmware free. » tomato.groov.pl/?page_id=164
I once used it to white list only one webpage containing a company database. With 5 or 6 rules I blocked access to the entire internet with exception of that one single server. Eliminates employees goofing around on facebook
|
1 recommendation |
ampexperts to sd70mac
Anon
2016-Apr-8 11:01 am
Thanks for the comment about the Linksys. I guess my WR54G is too old to have this feature. |
|
1 recommendation |
See if it is in the OpenWRT HCL. If you are looking for a new one, take a look at the Buffalo hardware too. |
|
ampexperts
Anon
2016-Apr-8 11:39 am
Thanks. I think some of these Linksys can be re-flashed with custom firmware. I haven't played with mine because the need hasn't arisen yet, but I was curious about how people are doing blocking at their routers.
|
1 recommendation |
As noted, it's best to block it on the edge.
Once we verify blocking integrity on a larger scale we are going to implement a blocking policy for edge device deployment at work. Then we will deploy these on managed edge devices wholesale. With the advent of BYOD it's become more difficult to control telemetry without doing this so we're planning accordingly. The amount of data MS leaks could be used to compromise enterprise infrastructure/privacy.
Everyone could run Untangle. Pick up a cheap refurb computer and install it in about 15 minutes. It's only $49 a year now for home use and I can give you a JSON with all of the blocking rules ready to go. (or do your own - very easy) |
|