How to disable Windows 10 tracking using ipset + Entware

[ryzhov_al]

The default Busybox 'find' command doesn't support -maxdepth, -type or -newer parameters.

Fixed, thanks.

Well, first pass testing on ARM (AC68R) with dnsmasq-ipset isn't working....nothing gets added to the ipset. I'll try and do some more debugging later today

We need to find out which part is failed: system (kernel, ipset utility) or dnsmasq itself.

The first one is quite easy to check: try this example and make sure IP sets is populated:

ipset --list

The second one requires strace, gdb and so on. I can ask @theMIROn for assistance, he is active dnsmasq contributor.

 

[HardCat]

Post #1 appears to have a syntax error on line 8 of the firewall-start script. The append symbol >> appears twice.

 

[mirage22]

This is excellent work, been hoping something like this showed up...

it's good to have the ability to block everything at the router level. But the moment I move my laptop to any other location and access the internet, won't Windows 10 send all the previous unsent information to Microsoft once the connection is finally established?

 

[ryzhov_al]

The append symbol >> appears twice.

Fixed. Thank you.

But the moment I move my laptop to any other location and access the internet, won't Windows 10 send all the previous unsent information to Microsoft once the connection is finally established?

IMHO, there is no sense to block Win 10 tracking on the one network if devices are moved between several ones.

Also, some IPs can hold several virtual hosts, so when you block one virtual server there, you block all others.
a-0001.a-msedge.net = 204.79.197.200 = www.bing.com as example.

And more. dnsmasq will "black list" all subdomains for given domain. Blocking msftncsi.com track site lead to blocking www.msftncsi.com which is used by Network Connectivity Status Indicator.

No one says post #1 gives perfect protection from tracking, IMHO, there is no good solution for that. It offers an approach, which is never been used on our routers before.

 

[VANT]

any chance for ipset gui in firmware ? it's very important and usefull feature

 

[cofetym]

I'd like to see this as a permanent feature on our routers, with an add or delete feature as needed!

What's the game plan Merlin, John and Ryzhov al ?

Sounds like the three of you have something special cooking for our routers!

 

[GSpock]

Hello,
thanks for this ryzhov_al.
Is this also preventing Windows Updates and updates of Windows Defender ?
Thanks,
GS

 

[AdvHomeServer]

Again, this is still speculative ...

Since Windows 10 installs unique identifiers in each PC that installs Win 10, what prevents MS from completely ignoring individual and easily identifiable PCs that aren't reachable due to blocking software?

What will prevent MS from denying you something you want for your Win 10 PC, as singled out by a record in their database that is keyed by your PCs unique identifier, if it states you are snubbing them in ways they do not approve of?

Not that I disapprove of ways to maintain privacy, whether extremely complicated to implement or not. I just have a pesky habit of looking for problems inherent in proposed solutions. This practice always ticks off the enthusiasts of the moments, but it also ends up creating more solid solutions.

 

[GSpock]

Again, this is still speculative ...

Since Windows 10 installs unique identifiers in each PC that installs Win 10, what prevents MS from completely ignoring individual and easily identifiable PCs that aren't reachable due to blocking software?

What will prevent MS from denying you something you want for your Win 10 PC, as singled out by a record in their database that is keyed by your PCs unique identifier, if it states you are snubbing them in ways they do not approve of?

Not that I disapprove of ways to maintain privacy, whether extremely complicated to implement or not. I just have a pesky habit of looking for problems inherent in proposed solutions. This practice always ticks off the enthusiasts of the moments, but it also ends up creating more solid solutions.

... and so, what is your "more solid solution" then ? ....

 

[RMerlin]

I'd like to see this as a permanent feature on our routers, with an add or delete feature as needed!

What's the game plan Merlin, John and Ryzhov al ?

Sounds like the three of you have something special cooking for our routers!

No plan to, for many different reasons.

 

[ASAT]

Is this also preventing Windows Updates and updates of Windows Defender ?

It would prevent MSFT from tracking my movements while on the road. However, once back at home (MSFT already knows where I live), you turn it off so that the Windows Update and the Windows Defender can function normally. Take it with you when you travel. Bring it on the airplane.

 

[ASAT]

It is not working for me on ARMv7 router. I changed -DNO_IPSET to -DHAVE_IPSET in release/src/router/Makefile, and rebuilt the 378.55 firmware for RT-AC68U router.

I have confirmed that dnsmasq has the ipset feature now, by typing: dnsmasq --ipset=zzz
No longer getting an error about needing to define HAVE_IPSET.

This shows that Win10tracking has no members: ipset --list

Name: Win10tracking
Type: iphash
References: 1
Header: hashsize: 1024 probes: 8 resize: 50
Members:

When I ping ad.doubleclick.net, it is not blocked.

I'm also using dnscrypt-proxy, if that matters.

 

[kvic]

It is not working for me on ARMv7 router. I changed -DNO_IPSET to -DHAVE_IPSET in release/src/router/Makefile, and rebuilt the 378.55 firmware for RT-AC68U router.

I have confirmed that dnsmasq has the ipset feature now, by typing: dnsmasq --ipset=zzz
No longer getting an error about needing to define HAVE_IPSET.

This shows that Win10tracking has no members: ipset --list

Name: Win10tracking
Type: iphash
References: 1
Header: hashsize: 1024 probes: 8 resize: 50
Members:

When I ping ad.doubleclick.net, it is not blocked.

I'm also using dnscrypt-proxy, if that matters.

I assume you see some advantages in using dnsmasq+ipset over the usual dnsmasq (such as the one in #8) for adblock.

Curious to know...what are the advantages?

 

[ASAT]

I assume you see some advantages in using dnsmasq+ipset over the usual dnsmasq (such as the one in #8) for adblock.

Curious to know...what are the advantages?

I'm already using a hosts file to block certain sites. I assumed that there was something special about ipsets that I wasn't aware of. For example if the Microsoft servers attempt to make inbound connections to my systems without my knowledge or consent.

 

[john9527]

It is not working for me on ARMv7 router. ...

I have confirmed that dnsmasq has the ipset feature now, by typing: dnsmasq --ipset=zzz
No longer getting an error about needing to define HAVE_IPSET.

This shows that Win10tracking has no members: ipset --list

I can confirm the same behavior with dnsmasq compiled with the ipset option on my fork on an AC68R. Also verified all the required ipset modules are loaded correctly with lsmod.

Can also confirm that ipset is working. If I manually add the member address to ipset with

ipset -A Win10tracking xxx.xxx.xxx.xxx

everything works and I can see the packet counts for the iptables rule increasing. So it looks like the breakdown is with dnsmasq being able to successfully add the ipset member.

 

[kvic]

So it looks like the breakdown is with dnsmasq being able to successfully add the ipset member.

See if this one can shed some light on the issue. But we already have the newer version. So assume the fix is already in. Maybe worth compiling in DNSSEC?

 

[AdvHomeServer]

... and so, what is your "more solid solution" then ? ....

if you're saying "Don't complain unless you can improve the process" then you must like going out to sea with boats that have holes in the bottom.

 

[john9527]

See if this one can shed some light on the issue. But we already have the newer version. So assume the fix is already in. Maybe worth compiling in DNSSEC?

Good searching! small problem though.....DNSSEC requires nettle crypto library which isn't present.
But, I did track down the referenced fix (in forward.c) and confirmed that it's in dnsmasq 2.75.

 

[lancethepants]

dnsmasq + DNSSEC -> nettle -> libgmp, so a couple additional dependencies.

dnsmasq does have a nice compile time option to link the libraries statically. Still have to compile them and make a few changes that take DNSSEC into account.

https://github.com/lancethepants/Toastman-Tinc/commit/07fc93c642833b95e2c4fe4c14518a02216cb47f
(tomato implementation)

 

[themiron]

See if this one can shed some light on the issue. But we already have the newer version. So assume the fix is already in.

Not really. dnsmasq expects newer ipset in-kernel api, since it 2.6.36.
But kernel has ipset module with old API for 2.4 & <2.6.32 (which doesn't support ipv6 at all).
So, either kernel need proper ipset (as stated at http://ipset.netfilter.org/install.html), or... patch dnsmasq in hope old ipset actually works on 2.6.36.