Blocking MS telemetry

dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

Posted: Tue May 23, 2023 17:33
Perhaps you could use your expertise in examining the code to come up with a patch that would solve this?

AsX wrote:
Figured it out. On the Access Restriction page, Status also has to be set to Enabled (DUH!). Then dnsmasq_ms_telemetry in nvram is set to 1 and the filters are engaged.

Internally in firewall.c, function lan2wan_chains checks "STAT" in filter rules and if not zero, in the end calls advgrp_chain, which processes filters. If status is not enabled on the Web, the "STAT" is zero and everything is bypassed.

Ideally, disabling Status on the Web should hide or grey out all other options as they are not used. Right now it's a bit misleading.

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Tue May 23, 2023 20:28
AsX wrote:
Figured it out. On the Access Restriction page, Status also has to be set to Enabled (DUH!). Then dnsmasq_ms_telemetry in nvram is set to 1 and the filters are engaged.

Internally in firewall.c, function lan2wan_chains checks "STAT" in filter rules and if not zero, in the end calls advgrp_chain, which processes filters. If status is not enabled on the Web, the "STAT" is zero and everything is bypassed.

Ideally, disabling Status on the Web should hide or grey out all other options as they are not used. Right now it's a bit misleading.


The thing is, I already know that. I even gave a name to this policy, and this is the way a restriction policy works, as the whole page is about a certain policy (1-20). But even if I enable it (I always do) and select Facebook, YouTube, eBay, Amazon and Hotmail,
I can still access those. Tried with or without VPN, or even with no SmartDNS and dnsmasq only, tons of save/apply and reboots, still the same on my R7000. No idea why.


_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Fri Jun 09, 2023 9:34
More testing on the nDPI rules.

My testing system is an R7800 (52894) with Stubby for DoT; dnsmasq is enabled (not disabled) and has some other rules too. I do not use a VPN client on this system.

On the Access Restriction page I have:

Policy - enabled
Name - BlockNdpi
Source - Any
Clients - 1 MAC address, 2 IP ranges
Selected rules - quite a few risk rules, DPI and L7

I can see those rules are made:

root@R7800:~# nvram show | grep telemetry
dnsmasq_ubnt_telemetry=0
size: 42335 bytes (88737 left)
dnsmasq_ms_telemetry=1
filter_port_grp1=ads_analytics_track<&nbsp;>anonymous subscriber<&nbsp;>binary app transfer<&nbsp;>clear-text credentials<&nbsp;>desktop/file sharing<&nbsp;>dns message fragmented<&nbsp;>dns susp dga domain<&nbsp;>dns traffic susp<&nbsp;>error code<&nbsp;>http susp content<&nbsp;>http susp header<&nbsp;>http susp user-agent<&nbsp;>http susp url<&nbsp;>http/tls/quic numeric hostname/sni<&nbsp;>idn domain name<&nbsp;>malformed packet<&nbsp;>malicious ja3 fingerp.<&nbsp;>malicious ssl cert/sha1 fingerp.<&nbsp;>minor issues<&nbsp;>missing sni tls extn<&nbsp;>possible exploit<&nbsp;>rce injection<&nbsp;>risky domain name<&nbsp;>smb insecure vers<&nbsp;>sql injection<&nbsp;>ssh obsolete cli ver/cipher<&nbsp;>ssh obsolete ser ver/cipher<&nbsp;>susp entropy<&nbsp;>tcp connection issues<&nbsp;>text with non-printable chars<&nbsp;>tls fatal alert<&nbsp;>uncommon tls alpn<&nbsp;>unsafe protocol<&nbsp;>windows-telemetry<&nbsp;>xss attack<&nbsp;>
dnsmasq_telemetry=0

filter_mac_grp1=xx:xx:xx:xx:xx:xx
filter_ip_grp1=0 0 0 0 0 0 192.168.1.100-192.168.1.123 192.168.2.100-192.168.2.254

filter_rule1=$STAT:2$NAME:BlockNdpi$DENY:0$IF:Any$$

lsmod shows
xt_ndpi 755041 0


If nDPI rules are enabled (R7800/52894), iptables -vnL shows strange output: only the INPUT, FORWARD and OUTPUT chains and nothing else, whereas before there were a few other lines in this output where you can see other stuff (grp, lan2lan etc.).

So my questions are:
- How do I make those rules work?
- Do I have to use plain DNS and dnsmasq exclusively? (I've made those rules work only once, on my R7000 running previous builds, but no idea what I did; there were some filtered packets counted.)
- Do I have to click or add something else?
- Are those rules supposed to work with a VPN client on the router side too?
- Is there any other particular way to add and set up the rules? I've clicked lots of save & apply/reboots so far (tried via nvram values too).

If I add some extra DPI (YouTube, Facebook, Instagram etc.) or L7 rules, I can still access those from the selected clients that are on the block list, and filtered packets stays at 0.

I can even perform some of the risk-rule attacks (I'm not going to explain how) and still don't see any filtered packets on the page.

I'll leave the router with those rules enabled for a day to see if there will be any count on those filtered packets. So far no heavy load on the CPU.

Please forgive my poor knowledge on the subject; however, I'm eager to learn.

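The $STAT check AsX describes (firewall.c's lan2wan_chains skips a policy whose STAT is 0) and the nvram dump in the post above, as an added example that is not DD-WRT's own code: a POSIX sh script that reads an "nvram show" style dump, pulls the $STAT/$NAME/$DENY/$IF fields out of each filter_ruleN, splits filter_port_grpN on its literal <&nbsp;> separator, and reports which policy slots the firewall will actually act on. The dump it runs on is constructed to mirror the R7800 output above plus a deliberately disabled second policy; the "active/bypassed/absent" wording and the 1..20 slot count are this script's assumptions. On a router you would pass "$(nvram show 2>/dev/null)" instead of the sample.

```sh
#!/bin/sh
# Added example, not DD-WRT code: decide from nvram whether an Access
# Restriction policy will be processed. Per AsX's reading of firewall.c,
# lan2wan_chains() reads $STAT from filter_ruleN and bypasses the policy
# when it is 0, whatever else the web page shows.
# The dump is constructed (mirrors the posted R7800 values, plus a disabled
# policy 2); feed "$(nvram show 2>/dev/null)" in on a real router.

SAMPLE_DUMP='dnsmasq_ubnt_telemetry=0
dnsmasq_ms_telemetry=1
filter_port_grp1=ads_analytics_track<&nbsp;>windows-telemetry<&nbsp;>xss attack<&nbsp;>
filter_mac_grp1=xx:xx:xx:xx:xx:xx
filter_ip_grp1=0 0 0 0 0 0 192.168.1.100-192.168.1.123 192.168.2.100-192.168.2.254
filter_rule1=$STAT:2$NAME:BlockNdpi$DENY:0$IF:Any$$
filter_rule2=$STAT:0$NAME:OffPolicy$DENY:1$IF:Any$$'

SEP='<&nbsp;>'   # DD-WRT stores this literal string between filter_port_grp items

# nv_get DUMP KEY: value of KEY from an `nvram show` style dump (first match)
nv_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# rule_field RULE FIELD: one $FIELD:value pair from a filter_ruleN string,
# e.g. rule_field '$STAT:2$NAME:BlockNdpi$DENY:0$IF:Any$$' NAME -> BlockNdpi
rule_field() {
    printf '%s\n' "$1" | tr '$' '\n' | sed -n "s/^$2://p" | head -n 1
}

# policy_status DUMP N: "active" when STAT is non-zero (chains get built),
# "bypassed" when STAT is 0, "absent" when filter_ruleN is not set at all
policy_status() {
    rule=$(nv_get "$1" "filter_rule$2")
    [ -n "$rule" ] || { echo absent; return; }
    stat=$(rule_field "$rule" STAT)
    case ${stat:-0} in
        0) echo bypassed ;;
        *) echo active ;;
    esac
}

# grp_items VALUE: split a filter_port_grpN value on $SEP, one item per line
# (the empty item after the trailing separator is dropped)
grp_items() {
    s=$1
    while [ -n "$s" ]; do
        item=${s%%"$SEP"*}
        [ -n "$item" ] && printf '%s\n' "$item"
        case $s in
            *"$SEP"*) s=${s#*"$SEP"} ;;
            *) s='' ;;
        esac
    done
}

# report DUMP: one line per configured policy slot (1..20 assumed), then the
# telemetry flag the GUI flips when the policy is saved with Status enabled
report() {
    i=1
    while [ "$i" -le 20 ]; do
        st=$(policy_status "$1" "$i")
        if [ "$st" != absent ]; then
            rule=$(nv_get "$1" "filter_rule$i")
            n=$(( $(grp_items "$(nv_get "$1" "filter_port_grp$i")" | wc -l) ))
            printf 'policy %d %-10s %-8s deny=%s items=%s\n' "$i" \
                "$(rule_field "$rule" NAME)" "$st" \
                "$(rule_field "$rule" DENY)" "$n"
        fi
        i=$((i + 1))
    done
    printf 'dnsmasq_ms_telemetry=%s\n' "$(nv_get "$1" dnsmasq_ms_telemetry)"
}

report "$SAMPLE_DUMP"
```

Running it on the sample prints policy 1 as active with 3 items and policy 2 as bypassed; a policy that shows up as bypassed here is the "Status not enabled" case from AsX's post, and no amount of selecting services or nDPI rules on that page will produce filtered packets until STAT is non-zero.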
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sat Jun 10, 2023 11:04
OK, after a day of testing those nDPI rules, filtered packets are still at 0.
I restored my previous nvram backup file (with no nDPI rules policy) and now I can see the appropriate output of iptables -vnL.
If I enable nDPI, the iptables -vnL output shows only the INPUT, FORWARD and OUTPUT chains and nothing else.
I guess enabling an nDPI policy interferes with building the firewall and adding the correct rules,
or iptables -vnL just gets bugged and doesn't show the full output. Yes, I also have quite a few iptables rules in the saved firewall script.

gilius
DD-WRT Novice


Joined: 18 Oct 2022
Posts: 23

Posted: Sun Jun 11, 2023 10:08
Alozaros wrote:
More testing on the nDPI rules.

My testing system is an R7800 (52894) with Stubby for DoT; dnsmasq is enabled (not disabled) and has some other rules too. I do not use a VPN client on this system.


Alozaros, this was an excellent analysis, thank you for posting
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Sun Jun 11, 2023 11:34
gilius wrote:
Alozaros wrote:
More testing on the nDPI rules.

My testing system is an R7800 (52894) with Stubby for DoT; dnsmasq is enabled (not disabled) and has some other rules too. I do not use a VPN client on this system.


Alozaros, this was an excellent analysis, thank you for posting


What I forgot to try was adding these two lines to the firewall script (as advised by Mile-Lile):
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334560&postdays=0&postorder=asc&start=30

iptables -t mangle -I PREROUTING -m ndpi --dpi_check
iptables -t mangle -I POSTROUTING -m ndpi --dpi_check

Will try all of those again soon...
