How to disable Windows 10 tracking using ipset + Entware

ryzhov_al

Very Senior Member
Please refer to this how-to on asuswrt-merlin releases newer than 378.55. The solution below is for version 378.55 and older.

Some guides offer to block unwanted sites via the hosts file, but it's not working (in some cases) with Windows 10, which can detect that DNS resolution has been changed by the user and use hardcoded IP addresses. So, it's better to resolve DNS names correctly and block traffic to these sites later.

My solution includes two independent parts:
  • creating a set of unwanted IPs with ipset and blocking it with iptables. This part comes from the firmware.
  • adding new unwanted IPs with ipset-dns. This part comes from Entware.
I assume that you have installed Entware. First, put a list of unwanted sites into the /jffs/Win10tracking.txt file:
Code:
a.ads1.msn.com
a.ads2.msads.net
a.ads2.msn.com
a.rad.msn.com
a-0001.a-msedge.net
a-0002.a-msedge.net
a-0003.a-msedge.net
a-0004.a-msedge.net
a-0005.a-msedge.net
a-0006.a-msedge.net
a-0007.a-msedge.net
a-0008.a-msedge.net
a-0009.a-msedge.net
ac3.msn.com
ad.doubleclick.net
adnexus.net
adnxs.com
ads.msn.com
ads1.msads.net
ads1.msn.com
aidps.atdmt.com
aka-cdn-ns.adtech.de
a-msedge.net
apps.skype.com
az361816.vo.msecnd.net
az512334.vo.msecnd.net
b.ads1.msn.com
b.ads2.msads.net
b.rad.msn.com
bs.serving-sys.com
c.atdmt.com
c.msn.com
cdn.atdmt.com
cds26.ams9.msecn.net
choice.microsoft.com
choice.microsoft.com.nsatc.net
compatexchange.cloudapp.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
cs1.wpc.v0cdn.net
db3aqu.atdmt.com
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
ec.atdmt.com
fe2.update.microsoft.com.akadns.net
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
flex.msn.com
g.msn.com
h1.msn.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
lb1.www.ms.akadns.net
live.rads.msn.com
m.adnxs.com
m.hotmail.com
msedge.net
msftncsi.com
msnbot-65-55-108-23.search.msn.com
msntest.serving-sys.com
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
preview.msn.com
pricelist.skype.com
rad.live.com
rad.msn.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
s.gateway.messenger.live.com
s0.2mdn.net
schemas.microsoft.akadns.net
secure.adnxs.com
secure.flashtalking.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
settings-win.data.microsoft.com
sls.update.microsoft.com.akadns.net
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
static.2mdn.net
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.microsoft.com
telemetry.urs.microsoft.com
view.atdmt.com
vortex.data.microsoft.com
vortex-bn2.metron.live.com.nsatc.net
vortex-cy2.metron.live.com.nsatc.net
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
wes.df.telemetry.microsoft.com
www.msftncsi.com
I borrowed this list from here. Now we need to resolve these DNS names via a separate resolver. Put the following content into /jffs/scripts/firewall-start:
Code:
#!/bin/sh
DNSMASQ_CFG=/jffs/configs/dnsmasq.conf.add

# (Re)generate the dnsmasq config only if it is missing or was not written by
# this script (the marker line is what the grep below looks for). Every listed
# name is forwarded to the local ipset-dns resolver on port 1919 instead of the
# upstream DNS server. Note: the whole file is replaced.
if [ ! -f "$DNSMASQ_CFG" ] || [ "$(grep Win10tracking "$DNSMASQ_CFG")" = "" ];
then
  echo "# Win10tracking: generated from /jffs/Win10tracking.txt" > "$DNSMASQ_CFG"
  for i in $(cat /jffs/Win10tracking.txt);
  do
    echo "server=/$i/127.0.0.1#1919" >> "$DNSMASQ_CFG"
  done
  service restart_dnsmasq
fi

# Load ipset modules (only if not already loaded)
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
  insmod $module
done

# Create ip set (only if it does not exist yet; a swap of a set with itself
# fails with 'Unknown set' when it is missing)
if [ "$(ipset --swap Win10tracking Win10tracking 2>&1 | grep 'Unknown set')" != "" ];
then
  ipset -N Win10tracking iphash
fi

# Apply iptables rule (only if not already present)
iptables-save | grep Win10tracking > /dev/null 2>&1 || \
  iptables -I FORWARD -m set --set Win10tracking src,dst -j DROP
Make a start script /opt/etc/init.d/S01ipset-dns with this content:
Code:
#!/bin/sh

ENABLED=yes
PROCS=ipset-dns
# ipset-dns arguments: <IPv4 set> <IPv6 set> <listen port> <upstream DNS server>
# The port must match the 127.0.0.1#1919 forwarding lines in dnsmasq.conf.add
ARGS="Win10tracking Win10tracking 1919 8.8.8.8"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
Don't forget to make the scripts executable and reboot the router for the changes to take effect:
Code:
chmod +x /jffs/scripts/firewall-start
chmod +x /opt/etc/init.d/S01ipset-dns
reboot

You can check that it's working by trying to open some site from the list (view.atdmt.com, for example). Then check that the "black list" is filling up with IPs:
Code:
ipset --list Win10tracking
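As an added example (not part of the how-to above), here is a small generator that validates the entries of the blocklist before they are turned into server= lines. A malformed entry (a host:port, a regex, a Windows line ending) otherwise lands in dnsmasq.conf.add as a forwarding rule that never matches, so that host silently stays unblocked, and since the script restarts dnsmasq for the whole LAN it is worth syntax-checking the generated file first. The sample list, the port and the optional dnsmasq --test call are assumptions of this example, not something from the original post.

```shell
#!/bin/sh
# Added example: validate the blocklist and generate dnsmasq "server=" lines.

# Constructed sample list: three hosts from the thread plus two lines that are
# not valid hostnames and must be skipped.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample list
telemetry.microsoft.com
vortex-win.data.microsoft.com

telemetry.appex.bing.net:443
^a-\d*\.a-msedge\.net$
view.atdmt.com
EOF

# A hostname is dot-separated labels of letters, digits and hyphens (not at
# the edges), with at least one dot. Anything else is rejected.
is_valid_hostname() {
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Emit one forwarding line per valid host; report and skip anything else.
# $1 = list file, $2 = port of the local ipset-dns resolver
gen_dnsmasq_lines() {
    while IFS= read -r host || [ -n "$host" ]; do
        # strip CR, comments and surrounding whitespace
        host=$(printf '%s' "$host" | tr -d '\r' | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$host" ]; then
            continue
        fi
        if is_valid_hostname "$host"; then
            printf 'server=/%s/127.0.0.1#%s\n' "$host" "$2"
        else
            printf 'skipping invalid entry: %s\n' "$host" >&2
        fi
    done < "$1"
}

# Number of usable entries in a list (what would end up in dnsmasq.conf.add).
count_valid_hosts() {
    gen_dnsmasq_lines "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Syntax-check a generated file with dnsmasq itself before restarting it;
# only possible where dnsmasq is installed (e.g. on the router).
check_dnsmasq_syntax() {
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test -C "$1"
    else
        echo "dnsmasq not found; skipping syntax check" >&2
    fi
}

gen_dnsmasq_lines "$SAMPLE_LIST" 1919
```

On the router you would point gen_dnsmasq_lines at /jffs/Win10tracking.txt, write its output to the config file, run check_dnsmasq_syntax on it and only then call service restart_dnsmasq; with the sample list it prints three server= lines and reports the two bad entries on stderr.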
 

thelonelycoder

Part of the Furniture
Thank you @ryzhov_al, this came at the right time. I was watching my dnsmasq log and had a suspicion that they were doing some shady stuff.
As always: good work!

My hosts file atm includes these:
Code:
# Microsoft stuff
vortex.data.microsoft.com
vortex-win.data.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
redir.metaservices.microsoft.com
choice.microsoft.com
choice.microsoft.com.nsatc.net
df.telemetry.microsoft.com
reports.wes.df.telemetry.microsoft.com
wes.df.telemetry.microsoft.com
services.wes.df.telemetry.microsoft.com
sqm.df.telemetry.microsoft.com
telemetry.microsoft.com
watson.ppe.telemetry.microsoft.com
telemetry.appex.bing.net
telemetry.urs.microsoft.com
telemetry.appex.bing.net:443
settings-sandbox.data.microsoft.com
vortex-sandbox.data.microsoft.com
survey.watson.microsoft.com
watson.live.com
watson.microsoft.com
statsfe2.ws.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
compatexchange.cloudapp.net
cs1.wpc.v0cdn.net
a-0001.a-msedge.net
statsfe2.update.microsoft.com.akadns.net
sls.update.microsoft.com.akadns.net
fe2.update.microsoft.com.akadns.net
diagnostics.support.microsoft.com
corp.sts.microsoft.com
statsfe1.ws.microsoft.com
pre.footprintpredict.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
feedback.windows.com
feedback.microsoft-hohm.com
feedback.search.microsoft.com
rad.msn.com
preview.msn.com
ad.doubleclick.net
ads.msn.com
ads1.msads.net
ads1.msn.com
a.ads1.msn.com
a.ads2.msn.com
adnexus.net
adnxs.com
aidps.atdmt.com
apps.skype.com
az361816.vo.msecnd.net
az512334.vo.msecnd.net
a.rad.msn.com
a.ads2.msads.net
ac3.msn.com
aka-cdn-ns.adtech.de
b.rad.msn.com
b.ads2.msads.net
b.ads1.msn.com
bs.serving-sys.com
c.msn.com
cdn.atdmt.com
cds26.ams9.msecn.net
c.atdmt.com
db3aqu.atdmt.com
ec.atdmt.com
flex.msn.com
g.msn.com
h2.msn.com
h1.msn.com
live.rads.msn.com
msntest.serving-sys.com
m.adnxs.com
m.hotmail.com
preview.msn.com
pricelist.skype.com
rad.msn.com
rad.live.com
secure.flashtalking.com
static.2mdn.net
s.gateway.messenger.live.com
secure.adnxs.com
sO.2mdn.net
ui.skype.com
www.msftncsi.com
msftncsi.com
view.atdmt.com
settings-win.data.microsoft.com
 

System Error Message

Part of the Furniture
Aside from a blacklist, you can also force name resolution by hijacking DNS requests, which will work with the hosts/DNS server entries. If that's not enough, just identify the ports used by those hardcoded IP addresses and block them via the forward chain dstnat of those hardcoded ports, except for the DNS server that you use.
 

kvic

Part of the Furniture
@ryzhov_al I read that MS is using hardcoded IPs to talk to their servers. Have folks found any evidence of this?

EDIT:
Thanks for the list of hosts (and that from @thelonelycoder). I added them to my adblock and we'll see... but I've no Win clients to test. lol
 

hatescrapware

New Around Here
This is nice, guys, but HOSTS files or anything that requires updating (several?) individual machines doesn't cut it.
Here is my blacklist for DNS Redirector - now it's centrally updated for everything on my LAN, and I don't have to list out each and every fully-qualified domain name every time MS comes out with a new iteration.

Code:
choice.microsoft.com
compatexchange.cloudapp.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
cs1.wpc.v0cdn.net
diagnostics.support.microsoft.com
fe2.update.microsoft.com
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
i1.services.social.microsoft.com
pre.footprintpredict.com
redir.metaservices.microsoft.com
settings-sandbox.data.microsoft.com
settings-win.data.microsoft.com
sls.update.microsoft.com
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com
statsfe2.ws.microsoft.com
telemetry.appex.bing.net
telemetry.microsoft.com
telemetry.urs.microsoft.com
vortex.data.microsoft.com
vortex-bn2.metron.live.com
vortex-cy2.metron.live.com
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
^a-\d*\.a-msedge\.net$
;below_causes_issues_with_apps_using_Windows_Push_Notification_Services
;for_example_live_tiles_and_onedrive
^.*\.wns\.windows\.com$
 

ColinTaylor

Part of the Furniture
This is nice guys, but HOSTS files or anything that requires updating (several?) individual machines doesn't cut it.
I think you're missing the point. Try re-reading the first paragraph. [Either that, or I'm missing the point :eek:]
 

thelonelycoder

Part of the Furniture
This is nice guys, but HOSTS files or anything that requires updating (several?) individual machines doesn't cut it.
How about doing exactly that LAN-wide on the router itself?
I have made a script that automatically updates once per week. The AdBlocking script would work for you too, I guess.
 

AdvHomeServer

Senior Member
https://www.iblocklist.com/lists.php

I have no idea if this is relevant or capable of blocking Win10 and its intrusiveness but this site offers lists usable by pfBlockerNG and pfSense. pfBlockerNG provides blocking (in/out/both), in a variety of ways, via lists you feed to it. The lists are based on IP address. Microsoft is a list you can block. I'm not using it as I'm not a Win10 user and have no reason otherwise to block MS, but this has the potential of offsetting Win10's curiosity. Having said that, it's easy to figure out ways MS can defeat that approach ... basically, if you can't/won't initiate a talk with them then they will snub you in all ways ... remember they know you by your unique win10 identifier.
 

ryzhov_al

Very Senior Member
https://www.iblocklist.com/lists.php

I have no idea if this is relevant or capable of blocking Win10 and its intrusiveness but this site offers lists usable by pfBlockerNG and pfSense.
I've posted "How to use ipset with iblocklist" examples about two years ago :)

I just read up on ipset with dnsmasq. Didn't know that existed. Pretty nice. Do you have a binary you can share? I didn't see it in Entware. I hope Merlin includes this soon.
Done. I'll fix the first post after the next release.
 

RMerlin

Asuswrt-Merlin dev
I merged it in. I should know later if it does compile properly for the ARM platform.
 

ryzhov_al

Very Senior Member
I'm going to try and pick it up for my fork as well. Would you PM me your instructions for setting up the dnsmasq integrated ipset so I can test? Thanks.
I've made a how-to on Wiki.

PS. Some feedback is needed from ARM-based router users. I'll remove my Wiki article if my last PR causes any trouble for them.
 

ryzhov_al

Very Senior Member
Thanks! One comment, if I'm reading correctly... I already have a dnsmasq.conf.add and it looks like you'll clear my existing entries?
Sure. As for me, I'm using /jffs/scripts/dnsmasq.win10.conf on my router. Just add
Code:
### ipset-dns redirections
conf-file=/jffs/configs/dnsmasq.win10.conf
at the end of /jffs/configs/dnsmasq.conf.add and replace dnsmasq.conf.add with dnsmasq.win10.conf in the /jffs/scripts/firewall-start script.
 

ryzhov_al

Very Senior Member
BTW, I've discovered initial TCP packets can bypass iptables rule:
Code:
iptables -I FORWARD -m set --set Win10tracking src,dst -j DROP
Take a look at tcpdump output while trying to access some forbidden site from PC:
Code:
$ tcpdump host 216.189.149.82 -i ppp0 -vvv     # ppp0 got 5.145.229.190 IP address, it's me.  216.189.149.82 is forbidden site.
...
21:16:55.272233 IP (tos 0x0, ttl 127, id 9276, offset 0, flags [DF], proto TCP (6), length 52)
    5.145.229.190.52140 > 216.189.149.82.https: Flags [S], cksum 0xacb9 (correct), seq 1196045395, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
21:16:55.491828 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    216.189.149.82.https > 5.145.229.190.52140: Flags [S.], cksum 0x7332 (correct), seq 2738453799, ack 1196045396, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:16:55.523353 IP (tos 0x0, ttl 127, id 9279, offset 0, flags [DF], proto TCP (6), length 52)
    5.145.229.190.52141 > 216.189.149.82.https: Flags [S], cksum 0x6461 (correct), seq 38191534, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
21:16:55.739720 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    216.189.149.82.https > 5.145.229.190.52141: Flags [S.], cksum 0xc803 (correct), seq 12485241, ack 38191535, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:16:56.491227 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    216.189.149.82.https > 5.145.229.190.52140: Flags [S.], cksum 0x7332 (correct), seq 2738453799, ack 1196045396, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

6 packets captured
7 packets received by filter
0 packets dropped by kernel
So, I see how the SYN packet bypasses the iptables rule and reaches the forbidden site. After that, the server on the forbidden site tries to reply with SYN/ACK packets for some time. I suspect it's because of this (default) rule:
Code:
iptables-save
...
# Generated by iptables-save v1.3.8 on Tue Aug 25 16:53:05 2015
*mangle
:PREROUTING ACCEPT [71713:16880990]
:INPUT ACCEPT [68597:16130384]
:FORWARD ACCEPT [1448:119679]
:OUTPUT ACCEPT [69119:22418896]
:POSTROUTING ACCEPT [70459:22539766]
-A PREROUTING -d 5.145.252.24 -i ! ppp0 -j MARK --set-mark 0xb400
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Aug 25 16:53:05 2015
...

Correct me if I'm wrong, I've got very low skills in iptables.
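A way to tell from a capture which direction of the handshake actually gets through, as an added example (not from the post above): it counts outbound SYNs to the blocked address, inbound SYN/ACKs, and SYN/ACKs that were retransmitted with the same sequence number. It assumes tcpdump's default verbose two-line layout as shown above; the capture is a constructed sample embedding those same packets, and the blocked address and rule name are the ones from the thread.

```shell
#!/bin/sh
# Added example: audit a tcpdump capture of a "blocked" host to see which
# direction of the TCP handshake is really being forwarded.

# Constructed sample: the packets from the capture in the post above.
SAMPLE_CAPTURE=$(mktemp)
cat > "$SAMPLE_CAPTURE" <<'EOF'
21:16:55.272233 IP (tos 0x0, ttl 127, id 9276, offset 0, flags [DF], proto TCP (6), length 52)
    5.145.229.190.52140 > 216.189.149.82.https: Flags [S], cksum 0xacb9 (correct), seq 1196045395, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
21:16:55.491828 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    216.189.149.82.https > 5.145.229.190.52140: Flags [S.], cksum 0x7332 (correct), seq 2738453799, ack 1196045396, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:16:55.523353 IP (tos 0x0, ttl 127, id 9279, offset 0, flags [DF], proto TCP (6), length 52)
    5.145.229.190.52141 > 216.189.149.82.https: Flags [S], cksum 0x6461 (correct), seq 38191534, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
21:16:55.739720 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    216.189.149.82.https > 5.145.229.190.52141: Flags [S.], cksum 0xc803 (correct), seq 12485241, ack 38191535, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:16:56.491227 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    216.189.149.82.https > 5.145.229.190.52140: Flags [S.], cksum 0x7332 (correct), seq 2738453799, ack 1196045396, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
EOF

# On the TCP line, $1 is src.port, $2 is ">", $3 is "dst.port:", $5 the flags.
# SYNs sent towards the blocked address: with a working outbound rule this
# should be 0 on the WAN interface.  $1 = capture file, $2 = blocked IP
count_outbound_syns() {
    awk -v ip="$2" '$2 == ">" && index($3, ip ".") == 1 && $5 == "[S]," { n++ }
                    END { print n + 0 }' "$1"
}

# SYN/ACKs arriving from the blocked address (seen by tcpdump before the
# FORWARD chain, so seeing them says nothing about whether they were forwarded).
count_inbound_synacks() {
    awk -v ip="$2" '$2 == ">" && index($1, ip ".") == 1 && $5 == "[S.]," { n++ }
                    END { print n + 0 }' "$1"
}

# Flows whose SYN/ACK (same client port, same sequence number in $10) arrived
# more than once: a server only retransmits it when the client's ACK never
# reached it.
count_retransmitted_synacks() {
    awk -v ip="$2" '$2 == ">" && index($1, ip ".") == 1 && $5 == "[S.]," { seen[$3 " " $10]++ }
                    END { for (k in seen) if (seen[k] > 1) r++; print r + 0 }' "$1"
}

# Live packet/byte counters of the DROP rule, when run on the router itself.
show_drop_counters() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not available here" >&2; return 0; }
    iptables -vnL FORWARD | grep Win10tracking
}

BLOCKED=216.189.149.82
echo "outbound SYNs to $BLOCKED:      $(count_outbound_syns "$SAMPLE_CAPTURE" "$BLOCKED")"
echo "inbound SYN/ACKs from $BLOCKED: $(count_inbound_synacks "$SAMPLE_CAPTURE" "$BLOCKED")"
echo "retransmitted SYN/ACK flows:   $(count_retransmitted_synacks "$SAMPLE_CAPTURE" "$BLOCKED")"
```

For the sample this gives two outbound SYNs, three inbound SYN/ACKs and one retransmitted flow (port 52140, sequence 2738453799 twice), which is consistent with the reply direction being dropped while the outbound SYN is not. To make the intended direction explicit, split the rule into one with --set Win10tracking dst and one with --set Win10tracking src and compare their counters with show_drop_counters.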
 

john9527

Part of the Furniture
Well, first pass testing on ARM (AC68R) with dnsmasq-ipset isn't working....nothing gets added to the ipset. I'll try and do some more debugging later today.

Also, your script needs to be modified for the non-Entware environment. The default Busybox 'find' command doesn't support -maxdepth, -type or -newer parameters.
 
