
How to disable Windows 10 tracking using ipset + Entware


That one-line patch is pretty easy to manage, and shouldn't make a future merge a problem.
Sounds good....just trying to keep things simple :)

And thanks for the tomato pointer. I'm going to run with this for now (trying to button up my next release) then will take a look at that.
 
Maybe a better solution for this application would be to include ipset-dns in the build?
I was wrong. No ipset IPv6 support on MIPS for eternity, as long as it is based on the old ipset-4.5 branch. The external ipset-dns utility takes the same parameters for both the older and the newer ipset branches: it requires an IPv6 IP set as a command line parameter even on the old ipset-4.5 branch, which is completely useless.

But don't we get back to the same point of needing the new ipset for IPv6? And it would only be supported on ARM, since the new ipset doesn't work on the older MIPS kernel.
Indeed. Unless someone backports the new ipset-6.2 branch to older kernels. And even if that happens, I'm not sure @RMerlin is going to merge it.

So, we may accept ipset as an IPv4-only tool and use dnsmasq ipset=/.../.../ lines with that ugly patch above to change the kernel version detection. :(
 
Am I doing it right? It is not working for RT-AC68U 378.55 Merlin firmware.
Code:
ipset -N blockedsites iphash
ipset -A blockedsites 173.194.74.28
iptables -I FORWARD -m set --match-set blockedsites src,dst -j DROP
ping 173.194.74.28
 

Test from outside your router. The FORWARD chain isn't processed when you generate traffic from the router itself.
 
I'm going to run with this for now (trying to button up my next release) then will take a look at that.
Are you planning to include this in the next release? Would be great if you can!
 
Maybe we can have this implemented in the routers as an option for the dumb who can't figure this out? lol
 
Please! :D I just don't have the time to sit down and read through the whole thread, Wiki's, and so on to figure this stuff out.
 
It works great with ipset-dns. However, is there a way to use Tor as the upstream DNS resolver for ipset-dns, so my ISP does not see the DNS lookups? Here is my wish:
Code:
ipset-dns Win10tracking Win10tracking 1919 127.0.0.1:9053
 

Similarly, I assume the DNS requests sent to 8.8.8.8 (in the default script) go through the OpenVPN tunnel if it's up? How would I get the script to just use the DNS forced by OpenVPN, knowing that I use two or three different VPN providers from day to day? It can't be a fixed IP but must look up the proper IP being used by the system.
 
Oh, and can anybody explain to this dummy exactly what ipset-dns does? I understand the concept of using iptables to block a request, but the guide says ipset-dns is used to add new unwanted IPs... how exactly?
 
ipset-dns is used to add new unwanted IPs... how exactly?
ipset-dns is a DNS forwarder that uses ipset to collect the IP addresses returned by DNS lookups. The firewall rule can then blacklist those IPs in real time. To see the IPs collected by ipset-dns, type:
Code:
ipset --list
Or, you can manually add IPs, this way:
Code:
ipset -A Win10tracking 65.52.108.11
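To make the answer above concrete, here is an added illustration of what a forwarder like ipset-dns has to do with each reply it relays: parse the answer section of the DNS response, pull out the A records (skipping past CNAMEs and other types), and turn any address not yet in the set into an `ipset -A` command in the ipset 4.x syntax used in this thread. This is example code written for this page, not ipset-dns's own source. The DNS message is constructed inline (the names `telemetry.example.test` and `edge.example.test` and the 203.0.113.x addresses are placeholders, not real tracking hosts), so it runs offline; the forwarding of the query to an upstream resolver is left out.

```python
import struct
import ipaddress


def _encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, records, txid=0x1234):
    """Construct a DNS response: one A question plus the given answer records.

    records: list of (owner, rtype, rdata). When the owner equals the query
    name it is written as a compression pointer to offset 12, as real
    resolvers do, so the parser's pointer handling is exercised.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    body = b""
    for owner, rtype, rdata in records:
        owner_bytes = b"\xc0\x0c" if owner == qname else _encode_name(owner)
        body += owner_bytes + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 64:  # a hostile response could chain pointers forever
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def collect_a_records(msg):
    """Return (query name, [IPv4 strings]) from the answer section.

    CNAME and other record types are skipped but still parsed past, since
    tracking hosts usually resolve through a CNAME chain to the final A.
    """
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if (flags & 0x8000) == 0:
        raise ValueError("not a DNS response")
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _owner, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return qname, ips


class TrackingSet:
    """Mirror of the router ipset that DNS answers feed, as ipset-dns does."""

    def __init__(self, setname):
        self.setname = setname
        self.members = set()

    def feed(self, response):
        """Absorb one response; return the ipset 4.x commands for new entries."""
        _qname, ips = collect_a_records(response)
        new = [ip for ip in ips if ip not in self.members]
        self.members.update(new)
        return [f"ipset -A {self.setname} {ip}" for ip in new]


# Constructed sample (not a real capture): a hypothetical telemetry host that
# CNAMEs to an edge host with two A records.
SAMPLE_RESPONSE = build_response(
    "telemetry.example.test",
    [
        ("telemetry.example.test", 5, _encode_name("edge.example.test")),  # CNAME
        ("edge.example.test", 1, ipaddress.IPv4Address("203.0.113.10").packed),
        ("edge.example.test", 1, ipaddress.IPv4Address("203.0.113.11").packed),
    ],
)

if __name__ == "__main__":
    tracker = TrackingSet("Win10tracking")
    for cmd in tracker.feed(SAMPLE_RESPONSE):
        print(cmd)
```

In the real forwarder the client's query is relayed to the upstream resolver (the 8.8.8.8, Tor or VPN resolver discussed earlier in the thread) and the reply is handed back unchanged; only the A records are siphoned into the set. Because `iptables -m set --match-set` consults the live set on every packet, the firewall follows whatever the tracking hosts currently resolve to, which is the whole point over a static IP list.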
 
@theMIROn
DNSMasq + DNSSEC activated < 1 MB Memory
DNSCrypt < 1MB Memory.
Modern ARM Routers >= 256MB Memory.

Even running Asterisk 11 on my router only takes 11MB Memory, for a system total of <50MB.

The only time I've seen memory usage >100MB was when I attempted to compile llvm on the router with tomatoware. (Hint: can't be done with 256MB. llvm needs more than that to be compiled, I came to find out.)
Basically, there's an excessive amount of memory to work with, even when doing much more than the original manufacturer intended. Memory is no issue, especially for programs justifiably useful for a router's primary function.
 

Well, it's only your respective opinion based on your own respective experience, especially taking into account that it includes llvm compilation attempts on the router :)
When using any torrent/upnp/dlna/mt-daap/ftp/samba/nfs or similar software that is about to read (and to cache, yeah) a lot of files, an excessive amount of memory magically turns into swap usage, so any additional percent of free physical RAM is valuable for sure.

Curious, can you tell me the real advantages of DNSSEC, considering a router without an RTC?
 
I want to extend this approach for ad blocking too. So, for that firewall rule, what's the difference between DROP and REJECT?

For the Microsoft tracking I think it is appropriate to DROP their requests on the floor without responding, causing their programs to timeout while waiting for a response.

However, for ad blocking in a web browser it may be better to REJECT the requests with an immediate response, indicating that the site is unreachable, so it doesn't have to wait to timeout?

Does a web page render faster when the firewall is blocking ads with a REJECT instead of a DROP?
 
Does a web page render faster when the firewall is blocking ads with a REJECT instead of a DROP?
Neither of them is ideal. Ad requests need to be served promptly. That gives you the optimal user experience in terms of response time and visual display. Otherwise all sorts of weird issues can occur. Check out pixelserv.
 
Check out pixelserv.
I've been propagating the Microsoft tracking domains and my Ad blocking domains plus their resolved IP addresses to Privoxy. So now I tell Privoxy to handle the Ad blocking domains differently as: +handle-as-image. It resolves the URL to a GIF image (4x4 pixels), similar to Pixelserv. Additionally, I've got it configured so that the Microsoft domains throw a Privoxy error page saying that the URL is blocked because it is a Microsoft tracking site.

When I'm not going through Privoxy, the firewall handles the blocking directly.

So now I have just one blacklist and it updates both dnsmasq and Privoxy with the same information.
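The reason the replies above prefer pixelserv or Privoxy's +handle-as-image over DROP or REJECT is that the browser's ad slot gets a complete, well-formed response at once: DROP leaves the request hanging until the browser's own timeout, REJECT produces an immediate error and a broken-image placeholder, while a tiny transparent image lets the page lay out normally. The following is an added example written for this page (not pixelserv's or Privoxy's code) of that third behaviour: a minimal listener that answers every GET with a 1x1 transparent GIF and everything else with an empty 204. The GET/204 split and the cache header are this example's choices; the `/ad.gif` path and `ads.example.test` host used when driving it are placeholders.

```python
import socket
import threading

# A 1x1 transparent GIF, laid out field by field, so a blocked ad slot renders as nothing.
TRANSPARENT_GIF = (
    b"GIF89a"                                    # signature and version
    b"\x01\x00\x01\x00"                          # logical screen 1x1
    b"\x80\x00\x00"                              # global colour table (2 entries), bg 0, no aspect
    b"\x00\x00\x00"                              # colour 0: black (made transparent below)
    b"\xff\xff\xff"                              # colour 1: white
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control ext: transparency on, index 0
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor: 1x1 at (0,0), no local table
    b"\x02\x02\x44\x01\x00"                      # LZW min code size 2, one 2-byte sub-block, terminator
    b"\x3b"                                      # trailer
)


def build_pixel_response(request_head):
    """Build the immediate reply for one HTTP request.

    GET gets a 200 with the GIF, so <img> ad slots load instantly and collapse;
    anything else (POST beacons, HEAD) gets an empty 204. This split is this
    example's choice, not a description of any particular tool's behaviour.
    """
    request_line = request_head.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0] if request_line else b""
    if method == b"GET":
        head = [
            b"HTTP/1.1 200 OK",
            b"Content-Type: image/gif",
            b"Content-Length: %d" % len(TRANSPARENT_GIF),
            b"Cache-Control: max-age=86400",  # let the browser stop re-asking
            b"Connection: close",
            b"", b"",
        ]
        return b"\r\n".join(head) + TRANSPARENT_GIF
    return b"\r\n".join([b"HTTP/1.1 204 No Content", b"Connection: close", b"", b""])


def listen(host="127.0.0.1", port=0):
    """Bind a listener; port 0 lets the OS choose (read it back with getsockname)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s


def serve(listener, max_requests=None):
    """Answer each connection at once and close it; returns the number served."""
    served = 0
    while max_requests is None or served < max_requests:
        conn, _peer = listener.accept()
        with conn:
            conn.settimeout(2)
            try:
                head = conn.recv(4096)  # request line + headers of a typical ad/beacon request
            except socket.timeout:
                head = b""
            conn.sendall(build_pixel_response(head))
        served += 1
    return served


def fetch(host, port, path="/ad.gif"):
    """Minimal client: GET path and return the raw response bytes."""
    with socket.create_connection((host, port), timeout=2) as c:
        c.sendall(b"GET " + path.encode() + b" HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """One round trip on an ephemeral loopback port; returns (status line, body)."""
    listener = listen()
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve, args=(listener, 1), daemon=True)
    worker.start()
    raw = fetch("127.0.0.1", port)
    worker.join(5)
    listener.close()
    head, _sep, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[0], body


if __name__ == "__main__":
    print(demo())
```

To use this the way the thread does with pixelserv, the blacklisted ad domains must resolve to the address this listener binds on (dnsmasq `address=/.../` entries, or the Privoxy redirect described above), so the browser's connection lands here instead of at the ad server; the ipset/iptables DROP rule then stays reserved for the telemetry hosts, where a silent timeout is the desired outcome.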
 
MS has backported some of the telemetry items to updates for Win7/Win8 as optional items in Windows Update, so you might consider this even if you aren't running Win10.
 