How to block in Windows10 Telemetry with pfsense
-
@KOM:
Make an URL alias.
That provides the same error and this:
The following input errors were detected:
The alias name must be less than 32 characters long, may not consist of only numbers, and may only contain the following characters a-z, A-Z, 0-9, _.
You must provide a valid URL. Could not fetch usable data from 'vortex.data.microsoft.com'.Sorry here is another example:
https://imgur.com/2R0sYVW
I did some searching for where pfsense stores those files on the server but have not been able to find it, any idea?
-
Don't. Use. SPACE. In. The. Name!
(Block MS Telemetry = wrong, Block_MS_Telemetry = correct) :-D
-
Don't. Use. SPACE. In. The. Name!
(Block MS Telemetry = wrong, Block_MS_Telemetry = correct) :-D
Ahh. That helped thanks. I changed the type to hosts and it works now, cheers!
-
Is there a way to block more than 5000 hosts in a single alias or rule? Intending to block inbound tor exit nodes and I think the list is 7000 IP's. Maybe on the command line alias file?
Thanks!
-
Tried Snort (on LAN interface) ? Afaik if blocks contacts to TOR servers (have seen it in my Snort alerts), no idea how up-to-date the list of servers is…
btw., how about a new thread, this all here is miles OT.... ;-)
-
to block telemetry in a single PC use DWS_lite
Open source,code on github.https://www.virustotal.com/en/file/bf600fc1517f65f15f4e174087759973837cfe99e419f2c52f6d248dee6eb72f/analysis/1449685802/
https://github.com/Nummer/Destroy-Windows-10-Spying/blob/master/DWS
string[] ipAddr = { "111.221.29.177", "111.221.29.253", "131.253.40.37", "134.170.30.202", "134.170.115.60", "134.170.165.248", "134.170.165.253", "134.170.185.70", "137.116.81.24", "137.117.235.16", "157.55.129.21", "157.55.133.204", "157.56.121.89", "157.56.91.77", "168.63.108.233", "191.232.139.254", "191.232.80.58", "191.232.80.62", "191.237.208.126", //"204.79.197.200", // BING.COM "207.46.101.29", "207.46.114.58", "207.46.223.94", "207.68.166.254", "212.30.134.204", "212.30.134.205", "23.102.21.4", "23.99.10.11", "23.218.212.69", "64.4.54.22", "64.4.54.32", "64.4.6.100", "65.39.117.230", "65.52.100.11", "65.52.100.7", "65.52.100.9", "65.52.100.91", "65.52.100.92", "65.52.100.93", "65.52.100.94", "65.52.108.29", "65.55.108.23", "65.55.138.114", "65.55.138.126", "65.55.138.186", "65.55.252.63", "65.55.252.71", "65.55.252.92", "65.55.252.93", "65.55.29.238", "65.55.39.10", "191.232.139.2", "64.4.23.0-64.4.23.255", "111.221.64.0-111.221.127.255", // singapure "157.55.235.0-157.55.235.255", "157.55.56.0-157.55.56.255", "157.55.52.0-157.55.52.255", "157.55.130.0-157.55.130.255", "65.55.223.0-65.55.223.255", "213.199.179.0-213.199.179.255", // Ireland "195.138.255.0-195.138.255.255", "23.223.20.82", // cache.datamart.windows.com "77.67.29.176", // NEW TH2 Spy IP "157.56.124.87", // NEW TH2 Spy IP "157.55.236.0-157.55.236.255", // NEW TH2 SPY IP "104.96.147.3", "23.57.107.27", "23.57.107.163", "23.57.101.163", "2.22.61.43", "2.22.61.66", "65.39.117.230", "23.218.212.69", "134.170.30.202", "137.116.81.24", "157.56.106.189", "204.79.197.200", "65.52.108.33" };string[] hostsdomains = { "statsfe2.update.microsoft.com.akadns.net", "fe2.update.microsoft.com.akadns.net", "s0.2mdn.net", "survey.watson.microsoft.com", "view.atdmt.com", "watson.microsoft.com", "watson.ppe.telemetry.microsoft.com", "vortex.data.microsoft.com", "vortex-win.data.microsoft.com", "telecommand.telemetry.microsoft.com", "telecommand.telemetry.microsoft.com.nsatc.net", "oca.telemetry.microsoft.com", "sqm.telemetry.microsoft.com", "sqm.telemetry.microsoft.com.nsatc.net", "watson.telemetry.microsoft.com", "watson.telemetry.microsoft.com.nsatc.net", "redir.metaservices.microsoft.com", "choice.microsoft.com", "choice.microsoft.com.nsatc.net", "wes.df.telemetry.microsoft.com", "services.wes.df.telemetry.microsoft.com", "sqm.df.telemetry.microsoft.com", "telemetry.microsoft.com", "telemetry.appex.bing.net", "telemetry.urs.microsoft.com", "telemetry.appex.bing.net:443", "settings-sandbox.data.microsoft.com", "watson.live.com", "statsfe2.ws.microsoft.com", "corpext.msitadfs.glbdns2.microsoft.com", "compatexchange.cloudapp.net", "a-0001.a-msedge.net", "sls.update.microsoft.com.akadns.net", "diagnostics.support.microsoft.com", "corp.sts.microsoft.com", "statsfe1.ws.microsoft.com", "feedback.windows.com", "feedback.microsoft-hohm.com", "feedback.search.microsoft.com", "rad.msn.com", "preview.msn.com", "ad.doubleclick.net", "ads.msn.com", "ads1.msads.net", "ads1.msn.com", "a.ads1.msn.com", "a.ads2.msn.com", "adnexus.net", "adnxs.com", "az361816.vo.msecnd.net", "az512334.vo.msecnd.net", "ssw.live.com", "ca.telemetry.microsoft.com", "i1.services.social.microsoft.com", "i1.services.social.microsoft.com.nsatc.net", "df.telemetry.microsoft.com", "reports.wes.df.telemetry.microsoft.com", "cs1.wpc.v0cdn.net", "vortex-sandbox.data.microsoft.com", "oca.telemetry.microsoft.com.nsatc.net", "pre.footprintpredict.com", "spynet2.microsoft.com", "spynetalt.microsoft.com", "fe3.delivery.dsp.mp.microsoft.com.nsatc.net", "cache.datamart.windows.com", "db3wns2011111.wns.windows.com", // NEW TH2 spy hosts //"deploy.static.akamaitechnologies.com", //"akamaitechnologies.com" "settings-win.data.microsoft.com", "v10.vortex-win.data.microsoft.com", "win10.ipv6.microsoft.com", "ca.telemetry.microsoft.com", "i1.services.social.microsoft.com.nsatc.net" };Windows Update is not blocked !!!
-
Hi, any details where this list comes from?
-
Hi, any details where this list comes from?
It appears the list comes from various people and have noticed it's also used in Spyboy Anti-Beacon program too.
I found doing DNSBL as a quicker way to block Windows Telemetry on pfSense. I just setup my pfsense to use DNSBL, which is included in the latest package of pfblockerNG. I told my DNSBL to use as it appears to be updated often:
https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslist -
Hi, any details where this list comes from?
It appears the list comes from various people and have noticed it's also used in Spyboy Anti-Beacon program too.
I found doing DNSBL as a quicker way to block Windows Telemetry on pfSense. I just setup my pfsense to use DNSBL, which is included in the latest package of pfblockerNG. I told my DNSBL to use as it appears to be updated often:
https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslistDo you have a guide or basic steps on how to set it up? Never used either before. is DNSBL a preconfigured list found in pfblockerNG?
-
This is a good starting point https://forum.pfsense.org/index.php?topic=102470.0
-
In topic 102470 (line above), look for reply #18 on Nov 20, 2015. Reply #18 walks you through the setup.
-
In topic 102470 (line above), look for reply #18 on Nov 20, 2015. Reply #18 walks you through the setup.
This is a good starting point https://forum.pfsense.org/index.php?topic=102470.0
Thanks guys.
In addition to the guide, id like to add that DNSBL is not seperate to pfBlockerNG, it must be enabled for DNSBL to be enabled. Spent 20 mins trying to figure out why DNSBL wouldnt work :D
EDIT: Why does it take a few lookups for the IP to be blocked?
[2.2.6-RELEASE][root@pfSense.local.lan]/root: drill rad.msn.com ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 17580 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; rad.msn.com. IN A ;; ANSWER SECTION: rad.msn.com. 690 IN CNAME rad.msn.com.nsatc.net. rad.msn.com.nsatc.net. 299 IN A 111.221.29.189 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 472 msec ;; SERVER: 8.8.4.4 ;; WHEN: Sat Jan 23 10:51:18 2016 ;; MSG SIZE rcvd: 80 [2.2.6-RELEASE][root@pfSense.local.lan]/root: drill rad.msn.com ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 11622 ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; rad.msn.com. IN A ;; ANSWER SECTION: rad.msn.com. 60 IN A 10.10.10.1 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; SERVER: 127.0.0.1 ;; WHEN: Sat Jan 23 10:51:26 2016 ;; MSG SIZE rcvd: 45 [2.2.6-RELEASE][root@pfSense.local.lan]/root: drill rad.live.com ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59304 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; rad.live.com. IN A ;; ANSWER SECTION: rad.live.com. 3276 IN CNAME rad.msn.com. rad.msn.com. 576 IN CNAME rad.msn.com.nsatc.net. rad.msn.com.nsatc.net. 299 IN A 111.221.29.189 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 334 msec ;; SERVER: 8.8.8.8 ;; WHEN: Sat Jan 23 10:51:53 2016 ;; MSG SIZE rcvd: 103 [2.2.6-RELEASE][root@pfSense.local.lan]/root: drill rad.live.com ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53764 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; rad.live.com. IN A ;; ANSWER SECTION: rad.live.com. 3266 IN CNAME rad.msn.com. rad.msn.com. 566 IN CNAME rad.msn.com.nsatc.net. rad.msn.com.nsatc.net. 299 IN A 111.221.29.189 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 1306 msec ;; SERVER: 8.8.4.4 ;; WHEN: Sat Jan 23 10:51:57 2016 ;; MSG SIZE rcvd: 103 [2.2.6-RELEASE][root@pfSense.local.lan]/root: drill rad.live.com ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 45495 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; rad.live.com. IN A ;; ANSWER SECTION: rad.live.com. 3268 IN CNAME rad.msn.com. rad.msn.com. 568 IN CNAME rad.msn.com.nsatc.net. rad.msn.com.nsatc.net. 299 IN A 111.221.29.189 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 351 msec ;; SERVER: 8.8.8.8 ;; WHEN: Sat Jan 23 10:52:01 2016 ;; MSG SIZE rcvd: 103 [2.2.6-RELEASE][root@pfSense.local.lan]/root: drill rad.live.com ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 28183 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; rad.live.com. IN A ;; ANSWER SECTION: rad.live.com. 3262 IN CNAME rad.msn.com. rad.msn.com. 562 IN CNAME rad.msn.com.nsatc.net. rad.msn.com.nsatc.net. 295 IN A 111.221.29.189 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 165 msec ;; SERVER: 8.8.8.8 ;; WHEN: Sat Jan 23 10:52:03 2016 ;; MSG SIZE rcvd: 103 [2.2.6-RELEASE][root@pfSense.local.lan]/root: drill rad.live.com ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 43314 ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; rad.live.com. IN A ;; ANSWER SECTION: rad.live.com. 60 IN A 10.10.10.1 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 0 msec ;; SERVER: 127.0.0.1 ;; WHEN: Sat Jan 23 10:52:04 2016 ;; MSG SIZE rcvd: 46 -
Maybe it is the time for pfBlockerNG to rebuild the database after you made a change.
Go to pfBlockerNG: Update, View log to see when the process is done.
-
EDIT: Why does it take a few lookups for the IP to be blocked?
Looks like that domain was previously cached by Unbound…
rad.msn.com.nsatc.net. 299 IN A 111.221.29.189 -
So basically you think it's Firefox? But I have no Bing (removed it from search options in Firefox), I use no Bing, I've never been there in my whole live… Firefox was running in PRIVATE mode all the time btw...
So: why does my OS/Browser try to contact OVER AND OVER AGAIN something I've never asked to contact? Things are not really getting better at this point...
2chemlud I believe various other search engines resell Bing results. Is it possible you are using one of these search engines. I am thinking of yahoo in particular, but I would bet there are others.
-
Hi jc2it!
See below, only search machines installed in Firefox are Startpage, Wikipedia adn Duckduckgo…
So which one is your suspect? :-)
-
-
…more than once I feel like this with all this techy stuff
scnr…
-
So which one is your suspect? :-)
:D Well, that is a good question.
DuckDuckGo would be my guess. From their Wikipedia page:
"DuckDuckGo emphasizes getting information from the best sources rather than the most sources, generating its search results from key crowdsourced sites such as Wikipedia and from partnerships with other search engines like Yandex, Yahoo!, Bing, and Yummly."
