Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Chrysalis]

Someone beat me to it.

http://www.snbforums.com/threads/how-to-disable-windows-10-tracking-using-ipset-entware.26615/

(This may work on any router/firmware supporting entware.)

[AArdvark]

Thank you very useful.

[Chrysalis]

by the way it blocked a request to 65.52.108.153 with the win10 machine not on my network, so win7 is doing something naughty :p

Both merlin's next firmware and the next version of john's fork wont need ipset-dns as they patched ipset support into dnsmasq.

There is this for those who have routers that cannot filter, but I would trust my router to filter more than a windows app. http://www.oo-software.com/en/shutup10

[Chrysalis]

hmmmm, more requests been made and blocked.

admin@RT-AC68U:/jffs/scripts# ipset --list Win10tracking
Name: Win10tracking
Type: iphash
References: 1
Header: hashsize: 1024 probes: 8 resize: 50
Members:
191.232.139.254
65.52.108.153
191.232.139.253
65.55.44.109
131.107.255.255

[Dray]

Presumably you've already added _optout and _nomap to your wifi SSID? http://www.theregister.co.uk/2015/06/30/windows_10_wi_fi_sense/

[AArdvark]

@Chrysalis
Here is my latest ...... very interesting is it not!
I am on Win 7 and I have removed all the updates that supposedly switched all this on!

admin@RT-AC56U:/tmp/mnt/usb-data/hosts# ipset --list
Name: Win10tracking
Type: iphash
References: 1
Header: hashsize: 1024 probes: 8 resize: 50
Members:
104.72.177.27
65.55.252.93
23.62.53.58
191.232.139.253
65.55.252.71
191.234.5.88
23.62.53.67
131.107.255.255
212.56.73.33
212.56.73.66
65.55.252.92
191.232.139.254
65.52.108.29

[Chrysalis]

indeed.

I am opted out of CEIR.

I have disabled 20 or so tasks that send back data to microsoft.

Yet this is my current list.

admin@RT-AC68U:/jffs/scripts# ipset --list Win10tracking
Name: Win10tracking
Type: iphash
References: 1
Header: hashsize: 1024 probes: 8 resize: 50
Members:
191.232.139.254
65.52.108.153
191.232.139.253
65.55.44.109
131.107.255.255

By the way it seems the FCC is trying to ban all custom router firmwares, I wonder why

[AArdvark]

By the way it seems the FCC is trying to ban all custom router firmwares, I wonder why

Back Story for new Readers: 
This relates to the issues with the ASUS firmware where the Wi-Fi channels and Power output were locked to the US standards.
(After threats from FCC due to ASUS not sticking to the rules and being reported by a competitor!! )
The FCC wants to stop people boosting their power output in domestic locations due to interference etc.
ASUS decided that the FCC rules globally  and forced non-US kit to the same US standards.

[Chrysalis]

yep, but now the FCC is taking it one step further.  Seems they unhappy dd-wrt etc. allows people to choose the region.

What really annoyed me with asus is they used a sledgehammer to keep the FCC happy, e.g. in their EU region they dont allow the higher channels even tho the EU officially allows them, that kind of behavior will make people change the region or use older firmware (hence me using a fork of older firmware).

The original wifi guidelines were much looser then as if by magic they got changed and its as if they never existed, so basically they moved the goalposts after it was ratified.  How hard can it be to allocate frequencies large enough to handle access point congestion and not conflict with other systems? maybe its hard as they been busy selling it all of for £££ to mobile companies?

The global banning of custom firmwares I expect has other reasons behind it and the wifi situation is just a convenient reason put in place publically.

[AArdvark]

What really annoyed me with asus is they used a sledgehammer to keep the FCC happy, e.g. in their EU region they dont allow the higher channels even tho the EU officially allows them, that kind of behavior will make people change the region or use older firmware (hence me using a fork of older firmware).

That is what I meant by 'FCC rules globally'.
It annoyed me no end. I am not in the USofA and UK/EU regs allow more, that I should be able to get 
The FCC driver is the ability to change region allows selection of channels or power levels that are not allowed by the FCC.
They know that people are working around the rules and if they can put enough pressure on the Manufacturers to remove the region change it solves their problem.
Along with that change they will then ban the import of kit that does not comply i.e. allows region change.
That is another area they cannot control now as the kit is compatible if you change region to USA but people are using other region settings.

This pressure will work as the manufacturers will not want to lose the US market.
The problem is that like ASUS they may decide to make the changes to all kit to save time/money of having different/special kit for the US only.
The rest of the world should rattle their cage over this as the local rules in EU etc are also important and the FCC should NOT trump everyone else. 

[AArdvark]

@Chrysalis
I have been looking at the original source of the Blocklist and there are a few addresses missing and there are also IP's that are blocked directly.
An updated Blocklist is attached (PC format not *nix)
Check section at end of quoted text (highlighted in Blue)

def domainblock(extra, undo):

    # List of tracking domains.
    normallist = ['a-0001.a-msedge.net', 'a-0002.a-msedge.net', 'a-0003.a-msedge.net',
                  'a-0004.a-msedge.net', 'a-0005.a-msedge.net', 'a-0006.a-msedge.net', 'a-0007.a-msedge.net',
                  'a-0008.a-msedge.net', 'a-0009.a-msedge.net', 'a-msedge.net', 'a.ads1.msn.com', 'a.ads2.msads.net',
                  'a.ads2.msn.com', 'a.rad.msn.com', 'ac3.msn.com', 'ad.doubleclick.net', 'adnexus.net', 'adnxs.com',
                  'ads.msn.com', 'ads1.msads.net', 'ads1.msn.com', 'aidps.atdmt.com', 'aka-cdn-ns.adtech.de',
                  'az361816.vo.msecnd.net', 'az512334.vo.msecnd.net', 'b.ads1.msn.com',
                  'b.ads2.msads.net', 'b.rad.msn.com', 'bs.serving-sys.com', 'c.atdmt.com', 'c.msn.com',
                  'cdn.atdmt.com', 'cds26.ams9.msecn.net', 'choice.microsoft.com', 'choice.microsoft.com.nsatc.net',
                  'compatexchange.cloudapp.net', 'corp.sts.microsoft.com', 'corpext.msitadfs.glbdns2.microsoft.com',
                  'cs1.wpc.v0cdn.net', 'db3aqu.atdmt.com', 'df.telemetry.microsoft.com',
                  'diagnostics.support.microsoft.com', 'ec.atdmt.com', 'feedback.microsoft-hohm.com',
                  'feedback.search.microsoft.com', 'feedback.windows.com', 'flex.msn.com', 'g.msn.com', 'h1.msn.com',
                  'i1.services.social.microsoft.com', 'i1.services.social.microsoft.com.nsatc.net',
                  'lb1.www.ms.akadns.net', 'live.rads.msn.com', 'm.adnxs.com', 'msedge.net',
                  'msftncsi.com', 'msnbot-65-55-108-23.search.msn.com', 'msntest.serving-sys.com',
                  'oca.telemetry.microsoft.com', 'oca.telemetry.microsoft.com.nsatc.net', 'pre.footprintpredict.com',
                  'preview.msn.com', 'rad.live.com', 'rad.msn.com', 'redir.metaservices.microsoft.com',
                  'schemas.microsoft.akadns.net ', 'secure.adnxs.com', 'secure.flashtalking.com',
                  'settings-sandbox.data.microsoft.com', 'settings-win.data.microsoft.com',
                  'sls.update.microsoft.com.akadns.net', 'sqm.df.telemetry.microsoft.com',
                  'sqm.telemetry.microsoft.com', 'sqm.telemetry.microsoft.com.nsatc.net', 'static.2mdn.net',
                  'statsfe1.ws.microsoft.com', 'statsfe2.ws.microsoft.com', 'telecommand.telemetry.microsoft.com',
                  'telecommand.telemetry.microsoft.com.nsatc.net', 'telemetry.appex.bing.net',
                  'telemetry.microsoft.com', 'telemetry.urs.microsoft.com',
                  'vortex-bn2.metron.live.com.nsatc.net', 'vortex-cy2.metron.live.com.nsatc.net',
                  'vortex-sandbox.data.microsoft.com', 'vortex-win.data.microsoft.com', 'vortex.data.microsoft.com',
                  'watson.live.com', 'www.msftncsi.com', 'ssw.live.com']

    extralist = ['fe2.update.microsoft.com.akadns.net', 'reports.wes.df.telemetry.microsoft.com', 's0.2mdn.net',
                 'services.wes.df.telemetry.microsoft.com', 'statsfe2.update.microsoft.com.akadns.net',
                 'survey.watson.microsoft.com', 'view.atdmt.com', 'watson.microsoft.com',
                 'watson.ppe.telemetry.microsoft.com', 'watson.telemetry.microsoft.com',
                 'watson.telemetry.microsoft.com.nsatc.net', 'wes.df.telemetry.microsoft.com', 'ui.skype.com',
                 'pricelist.skype.com', 'apps.skype.com', 'm.hotmail.com', 's.gateway.messenger.live.com']

    if not undo:
        if not extra:
            modifyhostfile(undo=False, domainlist=normallist, name="Domain block")
        else:
            modifyhostfile(undo=False, domainlist=extralist, name="Extra domain block")
    else:
        if not extra:
            modifyhostfile(undo=True, domainlist=normallist, name="Domain block")
        else:
            modifyhostfile(undo=True, domainlist=extralist, name="Extra domain block")


def blockips(undo):
    iplist = ['2.22.61.43', '2.22.61.66', '65.39.117.230', '65.55.108.23', '23.218.212.69',
              '134.170.30.202', '137.116.81.24', '157.56.106.189', '204.79.197.200', '65.52.108.33']

[Chrysalis]

ok add this above the '# Apply iptables rule' line

Code: [Select]

# Add hardcoded ip's to ip set
for ip in $(cat $WIN10IPS);
  do
  if [ "$(ipset -T Win10tracking $ip | grep 'is NOT in set Win10tracking')" != "" ];
    then
    ipset -A Win10tracking $ip
  fi
done

Also at top of the file add this line DNSMASQ_CFG line.

Code: [Select]

WIN10IPS=/tmp/mnt/OPTWARE/hosts.win10ips
obviously edit the filename and path to suit your needs.

And populate that file as such.

Code: [Select]

2.22.61.43
2.22.61.66
65.39.117.230
65.55.108.23
23.218.212.69
134.170.30.202
137.116.81.24
157.56.106.189
204.79.197.200
65.52.108.33

After rerunning firewall-start I now have this.

admin@RT-AC68U:/jffs/scripts# ipset --list Win10tracking         
Name: Win10tracking
Type: iphash
References: 1
Header: hashsize: 1024 probes: 8 resize: 50
Members:
191.232.139.254
65.39.117.230
65.52.108.153
23.218.212.69
65.55.252.92
2.22.61.66
191.232.139.253
65.55.108.23
65.52.108.33
157.56.106.189
137.116.81.24
134.170.30.202
65.55.44.109
131.107.255.255
204.79.197.200
2.22.61.43

Thanks, will update the other forum.

[Chrysalis]

I personally have not ammended my hostname list yet, that is a very big list and I want to be sure that is all tracking related.  Just adding any hostname used without snooping on the traffic first to verify its tracking might not be a good idea.

[AArdvark]

I personally have not ammended my hostname list yet, that is a very big list and I want to be sure that is all tracking related.  Just adding any hostname used without snooping on the traffic first to verify its tracking might not be a good idea.

I may be misunderstanding you.
If you mean the blocklist I sent, it is the same as the list used + 3 missing hostnames.
I simply re-did the list with the missing hostnames (in sorted order).
I compared the lists and added what was missing.
Thanks for the script changes I had already done this also. 

I am searching for the definitive list to update from.
This method is flawed as I have previously mentioned, as MS can and will change the addresses used.
This will be via hidden updates to Win10 and Win7/8.
The information about what we think you need to block is just as accessible to MS as it is to everyone else.
If it gets too good MS will move the goalposts.

[Chrysalis]

ok. I am considering verifying all the hostnames anyway to be sure.

I do agree as well, this will be a game of whack a mole.

It's going to be a bit like web tracking lists, it will require someone to keep an up to date list in the right format, if they do that and make it downloadable, then one can cron a wget command in the router to keep it updated.