Windows 10 - Deeper Impressions


I don't propose it as the best approach in the world, just the best approach that I've been able to come up with to suit MY needs.  You (rightly) point out that using a hosts file is not as good as having the name resolution server manage the blacklist.

 

If I had the ability to reconfigure my router to load that large name resolution blacklist I would do so.  I have been thinking of upgrading my router so as to be able to achieve that capability...  Such activity would then protect every system in my LAN.

 

In my case I run a script that compiles blacklists obtained from several sources (and I'm always looking for more well-managed sources), including:

 

What specific hardware are you using to accomplish blacklisting, if I may ask?  Whether a router is willing to accept blacklist entries isn't usually a feature listed on the outside of consumer packaging.

 

    Thank you for sharing this list of HOSTS providers.  It is surprisingly hard to find quality results of that sort on Google for some reason.

 

    Anyway, after some of our past conversations, I decided to look into blocking some hosts on my home network just to see how it went, particularly because there are several mobile users on my network who surf with no protection.  Additionally, since I wanted to get an idea of what was getting blocked, I changed the HOSTS rules to redirect all blacklisted traffic to my computer, which is running a dummy server.  I was surprised not only how much was getting past Ghostery on the PCs, but also how much information was readily available in these requests.  So thank you for prompting me to step up my security to the next level!  These nefarious sites literally track nearly every page one has been to on the web, and all for ads I don't even want.

 

    Regarding hardware, right now I am using a Tenda N80 router running Tomato Shibby firmware.  For its price, that router performs great, but I would not recommend it to someone else at this time because it is hard to flash, and has some up-time reliability issues.  Tomato firmware supports a long list of routers (click the "Search by model" dropdown).  My recommendations for most people right now are the Asus RT-N66U (N450/450), Asus RT-AC66U (N450/AC1300), and Asus RT-AC68U (N600/AC1300).

    The Tomato firmware has its own DNS server called DNSmasq which in addition to caching DNS requests, can also be used to enforce HOSTS files.  There are several ways of doing it, but I have mine configured to load the HOSTS files from a USB drive I have plugged into the router.

Edited by Techie007

Found this during a search for information about Mozilla's moving to force add-on developers to "sign" their code, something that Adobe has failed to do so far and which it's doubtful they will do for previous (non-cloud) versions of Acrobat. It's fitting on so many fronts:

 

I don't like the current model that software companies just continually change their products and we just race to love them. This model comes from apps - toys - on phones. It is not suitable for serious software, in which people might have been trained and need retraining. Not everyone learns by clicking wildly til they understand, though people young enough to have grown up with software cannot understand this (or don't care). And people with this world view are now senior enough to be pushing it. Everyone is on the bandwagon now: Microsoft, Apple, FireFox, Adobe are just four of them. Worse, as all the software depends on the other software, NOBODY can get off the rollercoaster.

 

 

Hear, hear.

 

--JorgeA

 


Absolutely. These major companies just want to "make it more simple for users", but they are in fact doing the opposite.  Mozilla Co. uses malware as an excuse for the add-on signing, saying that it will make it more simple and easier to use, when it just makes it more complicated. I know first hand from helping out in Firefox support forums that more people are actually having issues with the signing than without. In the past few weeks I saw at least 20 different threads asking why their add-ons were removed and how to restore them, while previously we received about one or two a month involving an infected install. As the user from Adobe's support forums said, this also creates major problems with backward compatibility and software interdependence.


I'm glad to hear you say that, actually.

 

I have considered on and off trying to "go it on my own" and flash Tomato into my router, but every time I get cold feet because if I brick the thing suddenly my whole house/home office is offline.  Even flashing Linksys/Cisco's own software is pretty iffy with the thing.

 

I really need to bite the bullet and just buy another router, then play with that until I have this name resolution setup just right.  If / when something goes wrong, I could just plug in the old one to restore service.  Thing is, I really LIKE the one I have (Cisco E4200v2, which has powerful wifi, excellent uptime, and is easy to configure to do everything else I want).

 

I really do want to assert better control over name resolution LAN-wide, as that seems to be a sticky point with my non-Windows systems here (well, one in particular:  My wife's iPad 2 has grown nearly impossible for her to browse with since so many extra things are being done on virtually every web page).

 

-Noel


I have a jailbroken iPad 2 that I use when I don't feel like lugging my Laptop around, and I have a hosts file installed. One thing I will caution you about is, for some reason, the iPad browser stops loading the whole page occasionally when it can't connect to an XSS provider. For example, whenever my iPad tries to connect to googlesyndication.com, the entire page throws an error and I have to reload a few times to get it to display properly. I don't know if a network-wide blocklist will prevent this, but it's worth a try.


While we're on the topic of configurable routers, I'm wondering if it is feasible to place a router in front of or behind another router.

 

Reason I ask is that I'm using a Verizon-supplied DSL router/modem. I admit that my knowledge of networking technology remains very fuzzy, and so I don't know if (for example) Verizon might have either a technical or contractual problem with my outright replacing its router with a third-party router. And thus I'm wondering about putting a third-party router either in front of or behind VZ's router, for the purpose of using it to block unwanted connections to Microsoft without the OS objecting.

 

There is another factor to throw into the mix. A couple of years ago, my VZ-supplied Westell F90 router burned out and they sent me a new one. It was an arcane, convoluted process to get Verizon to recognize/authorize it or whatever the procedure is called, so I'm not eager to go through that again.  I ended up having to make several phone calls to Verizon tech support (which in itself is a nightmarish experience) to get back on the 'Net.

 

--JorgeA

Edited by JorgeA


Do they give you any control whatsoever of the configuration?

 

The providers will often tell you that plugging a router into the port they provide is "not supported".  I think this is to reduce their service costs.

 

The reality is that it really should and usually does work to plug a router into the Ethernet port they provide. 

 

I would not suggest trying to plug your router in between their device and whatever it goes to on their side, but rather on your LAN side.  That's probably a good idea for a number of reasons.  If you have no idea what functionality they're providing you, they might just forward every incoming connection request to your computer, which would open you up to additional risk.  A router normally only supports connections that are initiated by your computer, or which you pre-ordain (such as a specific incoming port for game playing or something).

 

For what it's worth, my router will even (if I so configure it) replicate my PC's MAC address (or any other I program) if the provider's device demands that the PC you connected be its long-term connection.  I've never run across a need for this, but the capability is there.

 

-Noel

Edited by NoelC

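The behaviour Noel describes above (the router only passes connections your own machines initiate, plus the specific inbound ports you pre-ordain) is what a default-deny ruleset on the router's WAN side expresses. The following is an added example, not code from the thread or from any router firmware: a POSIX shell function that emits such a ruleset in nftables syntax (what current OpenWrt's fw4 uses; Tomato-era firmware used iptables, so read it as the policy rather than a paste-in). The interface names eth0/br-lan and the forwarded port and LAN host are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset for a
# router on the LAN side of an ISP modem. Default deny on the WAN; only
# replies to LAN-initiated traffic and the ports you explicitly pre-ordain
# get in. Interface names and addresses below are hypothetical.
set -eu

# fwd_parse "proto:port:lan_ip" -> sets proto, port, ip
fwd_parse() {
    proto=${1%%:*}; rest=${1#*:}; port=${rest%%:*}; ip=${rest#*:}
}

# gen_ruleset WAN_IF LAN_IF [proto:port:lan_ip ...]
gen_ruleset() {
    wan=$1; lan=$2; shift 2
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "$lan" accept
        iifname "$wan" icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$lan" oifname "$wan" accept
EOF
    # one explicit accept per pre-ordained port, nothing else from the WAN
    for f in "$@"; do
        fwd_parse "$f"
        echo "        iifname \"$wan\" ip daddr $ip $proto dport $port ct state new accept"
    done
    cat <<EOF
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
EOF
    for f in "$@"; do
        fwd_parse "$f"
        echo "        iifname \"$wan\" $proto dport $port dnat to $ip"
    done
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$wan" masquerade
    }
}
EOF
}

# The setting Noel warns about, an ISP modem "DMZ" that forwards every
# inbound request to one PC, would be a single unconditional
#     iifname "$wan" dnat to 192.168.1.10
# plus a blanket forward accept. Nothing here generates it.

# Usage: save the output to a file and load it with `nft -f FILE`.
# Hypothetical game-server forward to a LAN host:
gen_ruleset eth0 br-lan tcp:25565:192.168.1.20
```

Called with no port arguments the ruleset has no `dnat` lines at all, which is the state a home router should be in unless you are deliberately exposing a service; every inbound port is then a visible, greppable line rather than a checkbox buried in the ISP device.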

Actually, it does seem to give a pretty fair amount of configuration options. A few years ago, @Tripredacus even found a quite advanced manual for the Westell, which I made sure to download.

But the settings and much of the manual are beyond my pay grade.  :)   Here are a few screenshots to illustrate:

 

[Three screenshots of the Westell configuration pages: Advanced, Custom Firewall, Firewall]

But I haven't seen anything in there expressly relating to an ability to blacklist specific addresses, let alone create a large Hosts-type file.

 

--JorgeA

Edited by JorgeA


Isn't there any known simple hardware firewall, one that might be inserted between the modem and the router (be it wireless or not)?

Something based on a RaspberryPi or Arduino, or whatever? Not an expensive thing, one intended to be used by discerning home users... Nothing like that at all, that might be usable and easy to set up?


There should be.

 

@jaclaz and I looked briefly into this a few pages upthread, but without reaching a firm conclusion (look also at the post following the one in the link).

 

--JorgeA


While we're on the topic of configurable routers, I'm wondering if it is feasible to place a router in front of or behind another router.

 

Reason I ask is that I'm using a Verizon-supplied DSL router/modem. I admit that my knowledge of networking technology remains very fuzzy, and so I don't know if (for example) Verizon might have either a technical or contractual problem with my outright replacing its router with a third-party router. And thus I'm wondering about putting a third-party router either in front of or behind VZ's router, for the purpose of using it to block unwanted connections to Microsoft without the OS objecting.

 

    Absolutely you can.  If you're not concerned about port forwarding (for accessing services or servers on your network), there's no reason you can't disable the WiFi on your cable/DSL modem, plug the WAN port of a quality router into one of your modem's LAN ports and use your new router's WiFi/LAN ports instead.  There's no risk of breaking anything since your new router will simply appear to the modem as another device.  In fact, this is highly recommended given that the WiFi on many ISP modems isn't that great to begin with.  The Asus routers I listed earlier all get top marks for wireless performance, in addition to being supported by Tomato.

 

 

There is another factor to throw into the mix. A couple of years ago, my VZ-supplied Westell F90 router burned out and they sent me a new one. It was an arcane, convoluted process to get Verizon to recognize/authorize it or whatever the procedure is called, so I'm not eager to go through that again.  I ended up having to make several phone calls to Verizon tech support (which in itself is a nightmarish experience) to get back on the 'Net.

 

 

Actually, it does seem to give a pretty fair amount of configuration options. A few years ago, @Tripredacus even found a quite advanced manual for the Westell, which I made sure to download.

But the settings and much of the manual are beyond my pay grade.  :)   Here are a few screenshots to illustrate:

 

[Three screenshots of the Westell configuration pages: Westell Advanced.jpg, Westell Custom Firewall.jpg, Westell Firewall.jpg]

But I haven't seen anything in there expressly relating to an ability to blacklist specific addresses, let alone create a large Hosts-type file.

 

    Those look like the Westell 7500 modem configuration pages.  These modems offer little as far as customizability is concerned.  I've had many of these where a customer wanted content filtering and I couldn't even specify the DNS servers without turning off DHCP on the Internet side, which would cause problems of its own.  Such a basic setting!

Anyway, I have quite a bit of experience setting up networks of various sizes, and would gladly assist you guys if you would like.  Just create a thread over in the Networking section, and PM/link me so I find it.  Noel, if I don't show up for awhile, you might need to get my attention elsewhere.  My MSFN email notifications worked great when I joined, but suddenly stopped working on July 20 and haven't worked since.  I'm only here now because I used a disposable email address to get re-confirmed.  My half-dozen PMs regarding the issue have gone completely unanswered.

Edited by Techie007

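Techie007's setup above (your own router's WAN port plugged into a LAN port of the ISP modem) is double NAT: two devices in a row each rewriting addresses. It works for outbound browsing, which is all the blocklist needs, but any inbound port forward then has to be configured on both layers. A quick way to confirm which situation you are in is to look at the first hops of a traceroute. The following is an added example, not from the thread: a POSIX shell check that classifies IPv4 hops as private (RFC 1918), carrier-grade NAT (RFC 6598) or public and counts the non-public hops before the first public one. The traceroute lines are constructed samples using documentation addresses; treat the count as a heuristic, since a routed private hop inside the ISP would also be counted.

```shell
#!/bin/sh
# Added example (not from the thread): a quick check for double NAT after
# putting your own router behind an ISP modem. Feeds `traceroute -n` output
# (constructed samples below) through an IPv4 address classifier and counts
# the NAT-ish hops before the first public address.
set -eu

# ip_class A.B.C.D -> prints private (RFC 1918), cgnat (RFC 6598) or public
ip_class() {
    printf '%s\n' "$1" | awk -F. '
        $1 == 10                             { print "private"; exit }
        $1 == 172 && $2 >= 16 && $2 <= 31    { print "private"; exit }
        $1 == 192 && $2 == 168               { print "private"; exit }
        $1 == 100 && $2 >= 64 && $2 <= 127   { print "cgnat";   exit }
                                             { print "public" }'
}

# nat_layers: read `traceroute -n` lines on stdin, print how many hops sit in
# private/CGNAT space before the first public hop (each one is usually a NAT).
nat_layers() {
    n=0
    while read -r hop addr rest; do
        case $addr in
            *.*.*.*) ;;      # an IPv4 address
            *) continue ;;   # '* * *' timeouts or header lines
        esac
        if [ "$(ip_class "$addr")" = public ]; then
            break
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# report: human-readable verdict for the trace on stdin
report() {
    layers=$(nat_layers)
    if [ "$layers" -ge 2 ]; then
        echo "$layers NAT layers: double NAT, inbound port forwards must be set on every layer"
    else
        echo "$layers NAT layer: single NAT"
    fi
}

# Constructed `traceroute -n 203.0.113.5` samples (documentation address ranges).
# Hop 1 is your own router, hop 2 the ISP modem's LAN side, hop 3 the carrier's CGNAT.
SAMPLE_DOUBLE_NAT=' 1  192.168.1.1  1.204 ms
 2  192.168.0.1  2.871 ms
 3  100.64.0.1  9.330 ms
 4  203.0.113.5  14.902 ms'
SAMPLE_SINGLE_NAT=' 1  192.168.1.1  1.204 ms
 2  203.0.113.1  8.117 ms
 3  203.0.113.5  14.902 ms'

printf '%s\n' "$SAMPLE_DOUBLE_NAT" | report   # 3 NAT layers: double NAT, ...
printf '%s\n' "$SAMPLE_SINGLE_NAT" | report   # 1 NAT layer: single NAT
```

On a live network replace the samples with `traceroute -n 203.0.113.5 | nat_layers` (any public destination will do). If the count is 2 or more and you do want something reachable from outside, either forward the port on the modem to the inner router and again on the inner router, or see whether the ISP device offers a bridge mode that hands the public address to your router directly.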

I think I may need to get one just like yours, Techie007.

 

-Noel


Since we are talking about routers running third-party firmware, I would advise getting one that is supported by OpenWRT. OpenWRT is much more up-to-date when it comes to kernel and packages versions and offers great flexibility in terms of network configuration. I personally have 2 WRT1900ACs (running the latest 4.4 kernel) plus a few other development boards sitting behind a Ubiquiti EdgeRouter Lite that actually handles my PPPoE gigabit internet connection and they all work just fine.

 

@NoelC

 

Should you need more info, you can usually find me on freenode IRC server on channel #openwrt, same username as here.

 

nitroshift


To complete the thought...  Can OpenWrt support the inclusion of an external hosts file (e.g. a large number of static name resolution entries)?  I think I see that Dnsmasq is part of it, but I don't see anything about size limitations and I'm still unfamiliar with this whole realm of custom router firmware.

 

-Noel


[...] Can OpenWrt support the inclusion of an external hosts file (e.g. a large number of static name resolution entries)? [...]

 

-Noel

 

It does.

 

nitroshift

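Both the Tomato setup Techie007 describes earlier in the thread (dnsmasq loading HOSTS files from a USB stick) and Noel's OpenWrt question come down to the same mechanism: dnsmasq's `addn-hosts=` directive, which reads an extra HOSTS-format file and answers from it before going upstream. What the thread does not show is the merge step Noel mentions, compiling several downloaded lists into one file. The following is an added example, not code from the thread or from either firmware: a POSIX shell script that normalises and de-duplicates HOSTS-format sources and prints the matching dnsmasq directive. The sample lists are constructed inline; the sink address and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): merge several HOSTS-format
# blocklists into one de-duplicated file that dnsmasq loads via addn-hosts=.
# Assumptions: inputs are plain-text HOSTS files already downloaded to disk;
# the sink address defaults to 0.0.0.0 but can point at a logging dummy server.
set -eu

# Read one or more HOSTS-format files on stdin and print bare hostnames.
# Strips comments, CR line endings and IPv4 sink addresses, lowercases names,
# and drops loopback/localhost entries that would break the resolver.
hosts_to_names() {
    tr -d '\r' \
    | sed -e 's/#.*//' -e 's/[[:space:]]*$//' \
    | awk '
        NF == 0 { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { $1 = "" }   # leading sink IP
        { for (i = 1; i <= NF; i++) if ($i != "") print tolower($i) }' \
    | grep -Ev '^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# build_blocklist SINK FILE... : merged, sorted, de-duplicated "SINK host" lines.
# De-duplication matters on a router: dnsmasq keeps every addn-hosts entry in RAM.
build_blocklist() {
    sink=$1; shift
    cat "$@" | hosts_to_names | sort -u | awk -v s="$sink" '{ print s, $0 }'
}

# --- constructed sample inputs standing in for the downloaded lists ---
WORK=$(mktemp -d)
cat > "$WORK/list1.txt" <<'EOF'
# sample list 1 (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.com        # trailing comment
0.0.0.0 tracker.example.net pixel.example.net
EOF
# sample list 2: Windows line endings and mixed case, as downloads often are
printf '127.0.0.1 Ads.Example.COM\r\nmetrics.example.org\r\n' > "$WORK/list2.txt"

build_blocklist 0.0.0.0 "$WORK/list1.txt" "$WORK/list2.txt" > "$WORK/blocklist.hosts"
cat "$WORK/blocklist.hosts"
# prints 4 lines: 0.0.0.0 ads.example.com / metrics.example.org / pixel.example.net / tracker.example.net

# The dnsmasq directive that loads the file (the path is wherever you keep it,
# e.g. the mounted USB stick in Techie007's setup):
printf 'addn-hosts=%s\n' "$WORK/blocklist.hosts"
```

On Tomato the `addn-hosts=` line goes into the dnsmasq custom configuration box; on OpenWrt the equivalent is `uci add_list dhcp.@dnsmasq[0].addnhosts='/path/blocklist.hosts'` followed by `uci commit dhcp` and `/etc/init.d/dnsmasq restart`. After refreshing the file, `kill -HUP $(pidof dnsmasq)` makes dnsmasq re-read its hosts files without dropping the cache of everything else. Passing a LAN address instead of `0.0.0.0` as the sink (for example `build_blocklist 192.168.1.10 ...`, address hypothetical) reproduces Techie007's trick of steering blocked requests to a logging dummy server so you can see what was being requested; a dummy server that answers quickly with an empty response also tends to upset page loads less than a sink that refuses the connection, which is the failure the iPad post describes.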