Posted: Sun May 14, 2023 15:38 Post subject: Blocking MS telemetry
I see that in file firewall.c there is code that can block Microsoft telemetry if "dnsmasq_ms_telemetry" is enabled. There is some logic in function advgrp_chain() that checks the parameter "windows-telemetry" to enable it, but I cannot figure out what this parameter is. Is it an option to dnsmasq? Does anybody know how to use this?
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sun May 14, 2023 17:47 Post subject:
If your question was directed for this option...
filterwin2k
Later versions of windows make periodic DNS requests which don't get sensible answers from the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option to filter such requests. The requests blocked are for records of type ANY where the requested name has underscores, to catch LDAP requests, and for all records of types SOA and SRV.
Just add the command as you see it in the advanced DNSmasq rules..
Or use ndpi filters in relation, to block Windows telemetry... access restriction page (p2p section)
Otherwise, you can find lots of Windows firewall rules or small apps that will add/ban rules in the Windows firewall to stop/restrict the Windows telemetry... In all cases make sure you don't cut off Windows updates and are still able to update your OS... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
No, I'm referring to this original changeset and updates to it since then. It seems that DD-WRT can internally block MS (also Ubiquiti) telemetry and BS maintains a list of the needed addresses. So it would be nice to be able to enable it. Even nicer if from the UI...
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Mon May 15, 2023 0:52 Post subject:
I'm going to take a guess that it's related to Access Restrictions / WAN Access. I don't see windows-telemetry or ubnt-telemetry as choices on 52485 on my TL-WR1043NDv2, so I presume this is for devices with more flash space or supported commercial / customer devices. Unless this is something to add to the Additional configs for dnsmasq, if that is what Alozaros was suggesting. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Usually, something like "HAVE_OPENDPI" means the device config should have "CONFIG_OPENDPI". Conditional compilation rules. There is no definite pointer in the compiler flags that I can find in a pinch, but knock yourself out. _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 06 Jun 2006 Posts: 7463 Location: Dresden, Germany
Posted: Mon May 15, 2023 7:20 Post subject:
There is a filter option at access restrictions named "windows-telemetry" and "ubnt-telemetry". Both do not require DPI since they simply filter known IPs and hostnames by simple rules (it uses dnsmasq filter options but also adds iptables filters for the direct IP addresses).
Unfortunately they got lost in an update. I added them now in 52577, again. _________________ "So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
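The two-layer mechanism BrainSlayer describes above (dnsmasq sinkholes the known hostnames, iptables drops the bare IP addresses) together with the filterwin2k option Alozaros quoted earlier, as an added example that is not DD-WRT's own code and does not use the list DD-WRT ships: a POSIX shell script that turns a hand-maintained block list into dnsmasq config lines and iptables commands. The hostnames and addresses are constructed placeholders, and the function names (dnsmasq_config, iptables_rules, is_ipv4) are mine.

```shell
#!/bin/sh
# Added example, not DD-WRT code. Generates the two halves of a telemetry
# block: dnsmasq "address=" sinkhole entries for hostnames and iptables
# FORWARD drops for bare IPs/CIDRs, which is the same split the router
# firmware uses. The list below is constructed for illustration only.

TELEMETRY_LIST='# constructed sample list, one hostname or IPv4/CIDR per line
telemetry.example.invalid
vortex.example.invalid
192.0.2.10
198.51.100.0/24
'

# is_ipv4 ENTRY -> true if ENTRY is a dotted quad, optionally with /prefix
is_ipv4() {
    case "$1" in
        *[!0-9./]*) return 1 ;;   # anything but digits, dots, slash
        *.*.*.*)    return 0 ;;   # at least four dotted fields
        *)          return 1 ;;
    esac
}

# dnsmasq_config LIST -> config fragment for dnsmasq.
# filterwin2k drops the ANY/SOA/SRV lookups the man page describes;
# address=/host/0.0.0.0 answers the host and all its subdomains with 0.0.0.0,
# the same mechanism ad-block lists use.
dnsmasq_config() {
    printf 'filterwin2k\n'
    printf '%s\n' "$1" | while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        is_ipv4 "$entry" && continue
        printf 'address=/%s/0.0.0.0\n' "$entry"
    done
}

# iptables_rules LIST -> iptables commands for the bare addresses, one per
# line. Printed rather than executed so this runs unprivileged; review the
# output, then paste it into the router's firewall script. -I puts the DROP
# ahead of any ACCEPT already in FORWARD.
iptables_rules() {
    printf '%s\n' "$1" | while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        is_ipv4 "$entry" || continue
        printf 'iptables -I FORWARD -d %s -j DROP\n' "$entry"
    done
}

# Stand-alone run: emit both halves for the sample list.
echo '# --- dnsmasq additional options ---'
dnsmasq_config "$TELEMETRY_LIST"
echo '# --- firewall script ---'
iptables_rules "$TELEMETRY_LIST"
```

The dnsmasq half only helps for clients that actually resolve through the router, so it belongs with a forced-DNS redirect (the "Forced DNS" several posters list in their setups); a client that uses DoH or a hard-coded address walks straight past it, which is exactly why the firmware adds the iptables half for the known IPs. Maintaining the list is the real cost: addresses move, and an entry that is too broad is how Windows Update gets cut off, the failure mode Alozaros warns about.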
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Mon May 15, 2023 9:39 Post subject:
Alozaros wrote:
windows-telemetry
ubnt-telemetry
kernel-panic69 wrote:
I'm going to take a guess that it's related to Access Restrictions / WAN Access. I don't see windows-telemetry or ubnt-telemetry as choices on 52485 on my TL-WR1043NDv2
BrainSlayer wrote:
There is a filter option at access restrictions named "windows-telemetry" and "ubnt-telemetry". Both do not require DPI since they simply filter known IPs and hostnames by simple rules (it uses dnsmasq filter options but also adds iptables filters for the direct IP addresses).
Unfortunately they got lost in an update. I added them now in 52577, again.
Thanks for the response to my email. I forgot where all to look and nothing came up searching for either option in the webUI. Found the slip-up:
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Mon May 15, 2023 10:16 Post subject:
Alozaros wrote:
or use ndpi filters in relation, to block windows telemetry...active restriction page (p2p section)
Correct!!! ndpi/access restrictions/layer 7
Sadly, I never looked to see that those were not there yet, as I don't use ndpi... in general...
Thanks BS, this option seems legit... and I hope it won't be that CPU intensive.. I may give it a try when it gets available... (just wonder if it will prevent Windows updates... will see)...
BS, I guess with the same success you can make filters for Apple, Google, FB, etc. and other nastiness..
I do have lots in the Windows firewall in the same manner... but at router level it will be cooler..
Thanks anyway!
Also, as already noted, not all fall under NDPI, but L7. Won't see fixes until the next public release unless they were included in today's build.