Artarga

Member
  • Posts

    17
  • Joined

  • Last visited

  • Donations

    0.00 USD 
  • Country

    Russian Federation

About Artarga

Profile Information

  • OS
    Windows 7 x64

Artarga's Achievements

2

Reputation

  1. After a couple of days running this local DNS I can say I'm pretty satisfied with how it works. Since the last post I had to add only one line to the Acrylic hosts file (0.0.0.0 *.xboxlive.com); it came from the WinStore.Mobile.exe application accessing the settings-ssl.xboxlive.com domain. Still looking for updates to see how WSUS Offline really works. BTW I also had to whitelist definitionupdates.microsoft.com. There is one more thing I found: C:\Windows\System32\taskhostw.exe was trying to access the ocsp.verisign.com and crl.verisign.com domains. Looks like something related to certificates, but I'm not sure if I need this to be permitted. Does anyone know if verisign.com can be safely blocked?
  2. Update to the previous post. With only download.windowsupdate.com and download.microsoft.com allowed, Windows Update does not work. However, WSUS Offline works perfectly fine. And I'm completely OK with this approach if it helps me avoid maintaining huge rule-sets inside my firewall. Still, the approach needs verification, since I have my system up to date and the only thing WSUS tells me in the end is "No missing update found. Nothing to do!"
  3. Quoting Noel: "Can you complete a Windows Update with that? That's the difference. It's not really a viable solution if you can't do a Windows Update."

     Yes and no. To make an update I was using the http://www.wsusoffline.net tool, and while running that tool I was slightly opening the defense. In fact my Acrylic hosts file looks like this:

         127.0.0.1 localhost
         0.0.0.0 *.a-msedge.net
         0.0.0.0 *.bing.com
         0.0.0.0 *.microsoft.com.akadns.net
         0.0.0.0 *.microsoft.com.nsatc.net
         0.0.0.0 *.msn.com
         0.0.0.0 *.live.com
         #############################################################################
         0.0.0.0 *.microsoft.com
         0.0.0.0 *.windowsupdate.com
         # Comment 2 rules above and uncomment 2 below while doing an update.
         #0.0.0.0 *.microsoft.com -download.microsoft.com
         #0.0.0.0 *.windowsupdate.com -download.windowsupdate.com

     And it worked, since WSUS needs only download.windowsupdate.com and download.microsoft.com to get those updates. Needs to be confirmed by anyone else though. I haven't tried yet to leave these lines in permanently

         #0.0.0.0 *.microsoft.com -download.microsoft.com
         #0.0.0.0 *.windowsupdate.com -download.windowsupdate.com

     and run Windows Update instead of WSUS. But I'm planning to do so.
  4. Here is what I have so far. I'm running a local DNS service (Acrylic) to block all traffic by domain name. Like hosts, but without an ability for the OS to bypass that. So far I have come up with the following tiny list of rules:

         0.0.0.0 *.a-msedge.net
         0.0.0.0 *.bing.com
         0.0.0.0 *.microsoft.com.akadns.net
         0.0.0.0 *.microsoft.com.nsatc.net
         0.0.0.0 *.msn.com
         0.0.0.0 *.live.com
         0.0.0.0 *.microsoft.com
         0.0.0.0 *.windowsupdate.com

     And so far, during a couple of hours of running and 5-6 reboots, the VM with Win10 Pro was not contacting anything from outside. Of course Windows Update is not working and the networking icon in the system tray shows "connection is limited". However it works well as far as Internet browsing is concerned. So I'm interested in scenarios you observe that trigger Win10 to "call home". It looks like I'm missing something. The solution so far looks very simple.
  5. It looks like the answer could be this: block everything, even updates. Do updates through wsusoffline.net or something. This is another tool I'm going to play with.
  6. And more about DNS... Interesting: is it possible to set up a sort of community DNS server that will fall back to 8.8.8.8 in all cases except for MS domain names? So people can just put this DNS as their primary and be sure that at least "phoning home by a domain name" is blocked, and the list of domain names does not get outdated.
  7. jaclaz, this pretty much aligns with my thinking. However, here are a couple of things I'd like to expand on. The reason I'm talking about a SW firewall (not an external one) is because more people have the possibility to install that. And it will also work for a mobile working station that is not always connected to a specific external firewall. I'm going to keep playing with my VM with Win10+Comodo and collect outgoing traffic to see if the firewall does not get bypassed. As for the DNS service: well, I think of it as saving time on putting specific IPs into firewall rules and, as you correctly mentioned, keeping them current. E.g. with the example I described several comments above (fe2.update.microsoft.com), it's easier for me to block the single domain name and not 4-5 IP addresses. As for your comment about continuous updates, I think the opposite: block all MS connections (including updates) and do manual updates once in a while. I mean explicitly allow certain connections, press "check 4 updates", and close all connections back. Does not seem to be the perfect scenario though.
  8. And one more "BTW". Does anyone know why efforts are being put into hacking the Win registry/services/tasks while in the end the idea is to break the connection b/w your PC and MS servers? It was already mentioned (e.g. here in a separate thread) that you can't be sure all the tracking tools are disabled. So why not focus only on monitoring the connections of Win10 with the outer network and block them via DNS and/or a firewall? The 1st answer that came into my head was "one can't trust your SW firewall as Win10 can bypass it". Is that the case? I was searching the Internet about this but haven't found a clue. So what's the point of all those scripts and bat files being worked on? A local DNS and a set of firewall rules should be the way to go. Or no?
  9. BTW. When I set up a local DNS service (Acrylic) I was able to block that domain name. So as I understand it, in this case the only way to bypass this block would be to hard-code IPs.
  10. Yep, that makes a lot of sense. And the way I think about this is that with that mechanism the Redmond guys can make an update once that enables a hosts bypass for telemetry services. If not already done so.
  11. Huh. Didn't know that, thanks. So does it mean that we actually can't rely on hosts when talking about disabling data collection?
  12. Folks, I have found something interesting in regards to the hosts file. It looks like patching it will not always prevent the OS from resolving domain names. Here is what I do:
      In a VM I have Win10. All network traffic of this VM is captured into a pcap file.
      The hosts file is patched per this topic headline.
      In addition to that, the following lines are added, as I saw them in the pcap file:

          0.0.0.0 win10.ipv6.microsoft.com
          0.0.0.0 dns.msftncsi.com
          0.0.0.0 fe2.update.microsoft.com
          0.0.0.0 fe2.update.microsoft.com.akadns.net
          0.0.0.0 v10.vortex-win.data.microsoft.com
          0.0.0.0 v4.download.windowsupdate.com
          0.0.0.0 geo-prod.do.dsp.mp.microsoft.com

      I do ipconfig /flushdns and go to check for updates manually.
      What I see in the pcap file is still a DNS request to resolve fe2.update.microsoft.com and a DNS response with CNAME: fe2.update.microsoft.com.akadns.net
      Am I doing something wrong? Or does the OS simply ignore the hosts file?
  13. aviv00, can you please help me understand what is needed for this step #2? I assume the screenshot shows the list of trusted certificates and the idea is to set up a new one for *.vortex.data.microsoft.com, but what are the exact steps?
  14. Sure thing. I was actually referring to an old joke here in Russia. It says even if you are paranoid it does not mean you aren't being watched. PS: thanks for putting effort into forging and sharing these workarounds to keep sniffing under control. I'm gonna translate that and share it in the Russian segment of the Internet.
  15. "... not only advanced but paranoid as well" Yep, sure. Thanks for double-clicking on that.
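Added example (not code from any post in this thread): a small offline evaluator for the Acrylic-style rule files shown in posts 3 and 4 above, including the *.xboxlive.com line from post 1 and the "comment two rules, uncomment two" update mode from post 3. The rule semantics it implements (a '*' that also covers dots, a '-name' token as an exception to the preceding pattern, first match in file order wins) are assumptions taken from how the posts use the syntax, not verified against Acrylic's documentation; the two sample rule files are constructed from post 3's listing.

```python
"""Offline evaluator for Acrylic-style hosts rules (added example).

Assumed semantics, taken from how the posts use the syntax rather than from
the Acrylic documentation:
  - '#' starts a comment; blank lines are ignored
  - '*' in a name matches any run of characters, dots included, so
    '*.microsoft.com' matches 'download.microsoft.com' but not 'microsoft.com'
  - a token beginning with '-' after a pattern is an exception: a query name
    matching it is not answered by that rule (post 3's
    '0.0.0.0 *.microsoft.com -download.microsoft.com')
  - rules are tried in file order and the first hit wins
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    address: str
    patterns: list
    exceptions: list
    line_no: int


def _match(pattern: str, name: str) -> bool:
    """Anchored, case-insensitive glob match in which only '*' is special."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, name, re.IGNORECASE) is not None


def parse_rules(text: str) -> list:
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 2:
            raise ValueError(f"line {line_no}: expected '<address> <name> ...'")
        address, names = tokens[0], tokens[1:]
        rules.append(Rule(
            address=address,
            patterns=[t for t in names if not t.startswith("-")],
            exceptions=[t[1:] for t in names if t.startswith("-")],
            line_no=line_no,
        ))
    return rules


def resolve(rules: list, name: str):
    """Return (address, line_no) of the first rule answering `name`, or None
    when the name is not in the file and would be forwarded upstream."""
    name = name.rstrip(".")
    for rule in rules:
        if not any(_match(p, name) for p in rule.patterns):
            continue
        if any(_match(e, name) for e in rule.exceptions):
            continue                                  # exempted; keep scanning
        return rule.address, rule.line_no
    return None


def is_blocked(rules: list, name: str) -> bool:
    """A name counts as blocked when the file answers it with 0.0.0.0."""
    hit = resolve(rules, name)
    return hit is not None and hit[0] == "0.0.0.0"


def classify(rules_text: str, names) -> dict:
    """Map each query name to 'blocked', 'upstream', or the address returned."""
    rules = parse_rules(rules_text)
    result = {}
    for n in names:
        hit = resolve(rules, n)
        result[n] = "upstream" if hit is None else ("blocked" if hit[0] == "0.0.0.0" else hit[0])
    return result


# Constructed from post 3's listing: everyday mode, updates blocked.
NORMAL_MODE = """\
127.0.0.1 localhost
0.0.0.0 *.a-msedge.net
0.0.0.0 *.bing.com
0.0.0.0 *.microsoft.com.akadns.net
0.0.0.0 *.microsoft.com.nsatc.net
0.0.0.0 *.msn.com
0.0.0.0 *.live.com
0.0.0.0 *.microsoft.com
0.0.0.0 *.windowsupdate.com
# Comment 2 rules above and uncomment 2 below while doing an update.
#0.0.0.0 *.microsoft.com -download.microsoft.com
#0.0.0.0 *.windowsupdate.com -download.windowsupdate.com
"""

# The same file with the two rule pairs swapped, as post 3 describes for an update run.
UPDATE_MODE = """\
127.0.0.1 localhost
0.0.0.0 *.a-msedge.net
0.0.0.0 *.bing.com
0.0.0.0 *.microsoft.com.akadns.net
0.0.0.0 *.microsoft.com.nsatc.net
0.0.0.0 *.msn.com
0.0.0.0 *.live.com
0.0.0.0 *.microsoft.com -download.microsoft.com
0.0.0.0 *.windowsupdate.com -download.windowsupdate.com
"""

if __name__ == "__main__":
    probes = ["download.windowsupdate.com", "fe2.update.microsoft.com",
              "microsoft.com", "settings-ssl.xboxlive.com", "localhost"]
    for label, text in (("normal", NORMAL_MODE), ("update", UPDATE_MODE)):
        print(label, classify(text, probes))
```

Two things the run makes visible that the listings alone do not: the bare apex name microsoft.com is not caught by *.microsoft.com under the assumed wildcard rule (add it explicitly if that matters), and settings-ssl.xboxlive.com is forwarded upstream until the *.xboxlive.com line from post 1 is added. The evaluator only models what the resolver does with a query it receives; whether the OS sends the query to that resolver at all is the separate question raised in post 12.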