Blocking MS telemetry

DD-WRT Forum Index -> Atheros WiSOC based Hardware
AsX (DD-WRT User, joined 15 Jun 2010, 50 posts)
Posted: Sun May 14, 2023 15:38    Subject: Blocking MS telemetry
I see that in the file firewall.c there is code that can block Microsoft telemetry if "dnsmasq_ms_telemetry" is enabled. There is some logic in the function advgrp_chain() that checks the parameter "windows-telemetry" to enable it, but I cannot figure out what this parameter is. Is it an option to dnsmasq? Does anybody know how to use this?
Alozaros (DD-WRT Guru, joined 16 Nov 2015, 6410 posts, UK, London, just across the river..)
Posted: Sun May 14, 2023 17:47
If your question was directed at this option...

filterwin2k
Later versions of windows make periodic DNS requests which don't get sensible answers from the public DNS and can cause problems by triggering dial-on-demand links. This flag turns on an option to filter such requests. The requests blocked are for records of type ANY where the requested name has underscores, to catch LDAP requests, and for all records of types SOA and SRV.

Just add the command as you see it in the advanced dnsmasq rules..

Also, you can research ipset and make rules for all Windows telemetry: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261 (ipset is router dependent, and you didn't mention the router model and build you are running).


Or use nDPI filters to block Windows telemetry: Access Restrictions page (P2P section).

Otherwise, you can find lots of Windows firewall rules or small apps that will add/ban rules in the Windows firewall to stop/restrict the Windows telemetry. In all cases make sure you don't cut off Windows Update and that you will still be able to update your OS...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
AsX (DD-WRT User, joined 15 Jun 2010, 50 posts)
Posted: Sun May 14, 2023 18:44
No, I'm referring to this original changeset and the updates to it since then. It seems that DD-WRT can internally block MS (also Ubiquiti) telemetry, and BS maintains a list of the needed addresses. So it would be nice to be able to enable it. Even nicer if from the UI...

https://svn.dd-wrt.com/changeset/45399
blkt (DD-WRT Guru, joined 20 Jan 2019, 5660 posts)
Posted: Sun May 14, 2023 19:00
https://svn.dd-wrt.com/browser/src/router/services/networking/generic/firewall.c
https://svn.dd-wrt.com/browser/src/router/services/services/dnsmasq.c

r45399 "option to block windows telemetry"
r45487 "fix telemetry count"
r45488 "fix file pointer and line break"
r46071 "add filter for ubiquiti telemetry ip addresses which cannot be disabled in the ubnt firmware itself"
r46072 "add domain to"
r46073 "add more tracking ip's"
r46074 "there is more"
r47124 "update list"
r47125 "add mask"
r47734 "get_wan_safe is not thread safe, lets fix that"
r48915 "update servers"
r48916 "update servers"
r48999 "fix typo which causes a defect in firewall if window telemetry is selected"
r52193 "add more windows spy crap"
Alozaros (DD-WRT Guru, joined 16 Nov 2015, 6410 posts, UK, London, just across the river..)
Posted: Sun May 14, 2023 20:57
windows-telemetry
ubnt-telemetry

AsX (DD-WRT User, joined 15 Jun 2010, 50 posts)
Posted: Mon May 15, 2023 0:29
Going back to my first post: I already knew those variables exist. How do I use them? They are options to what?

Anybody?
kernel-panic69 (DD-WRT Guru, joined 08 May 2018, 14126 posts, Texas, USA)
Posted: Mon May 15, 2023 0:52
I'm going to take a guess that it's related to Access Restrictions / WAN Access. I don't see windows-telemetry or ubnt-telemetry as choices on 52485 on my TL-WR1043NDv2, so I presume this is for devices with more flash space or supported commercial / customer devices. Unless this is something to add to the Additional configs for dnsmasq, if that is what Alozaros was suggesting.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
dale_gribble39 (DD-WRT Guru, joined 11 Jun 2022, 1899 posts)
Posted: Mon May 15, 2023 2:26
This feature depends on NDPI (CONFIG_OPENDPI) in the target device .config files, I presume.

https://github.com/mirror/dd-wrt/search?q=CONFIG_OPENDPI

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
blkt (DD-WRT Guru, joined 20 Jan 2019, 5660 posts)
Posted: Mon May 15, 2023 3:10
Wrong, it is netfilter iptables layer 7 protocols.
dale_gribble39 (DD-WRT Guru, joined 11 Jun 2022, 1899 posts)
Posted: Mon May 15, 2023 4:28
https://svn.dd-wrt.com/browser/src/router/services/networking/generic/firewall.c#L1614

Usually, something like "HAVE_OPENDPI" means the device config should have "CONFIG_OPENDPI". Conditional compilation rules. There is no definite pointer in the compiler flags that I can find in a pinch, but knock yourself out.

blkt (DD-WRT Guru, joined 20 Jan 2019, 5660 posts)
Posted: Mon May 15, 2023 4:59
Allow me to introduce you to #endif, dnsmasq and layer7.
BrainSlayer (Site Admin, joined 06 Jun 2006, 7463 posts, Dresden, Germany)
Posted: Mon May 15, 2023 7:20
There is a filter option at Access Restrictions named "windows-telemetry" and "ubnt-telemetry". Both do not require DPI since they simply filter known IPs and hostnames by simple rules. (It uses dnsmasq filter options but also adds iptables filters for the direct IP addresses.)

Unfortunately they got lost in an update. I added them again now in 52577.

_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
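The two layers BrainSlayer describes (dnsmasq name filtering plus iptables rules for the direct IP addresses), together with the ipset approach Alozaros pointed to earlier, as an added example that is not DD-WRT's own code: a POSIX shell script that turns a block list into dnsmasq sinkhole lines and ipset/iptables rules. The list entries (`*.example.invalid`, 198.51.100.10, 203.0.113.0/24), the set name `telemetry_block` and the function names are assumptions made up for illustration; DD-WRT's real address list lives in firewall.c and dnsmasq.c, and the `filterwin2k` option quoted above is a separate dnsmasq switch that drops certain query types (ANY with underscores, SOA, SRV) rather than sinkholing names.

```sh
#!/bin/sh
# Added example, not DD-WRT code. Constructed block list: hostnames are
# sinkholed in dnsmasq, IPv4 hosts/networks are dropped in the FORWARD chain
# because a client with a hard-coded IP (or its own DoH resolver) never asks
# the router's dnsmasq for the name.
TELEMETRY_LIST='
# hostnames (dnsmasq answers these and every subdomain with 0.0.0.0 / ::)
vortex.example.invalid
telemetry.example.invalid
# IPv4 hosts and networks contacted directly, bypassing DNS
198.51.100.10
203.0.113.0/24
'

SET_NAME=telemetry_block   # assumed ipset name, not a DD-WRT identifier

# Classify one list entry as "skip", "ip4" or "host". Only dotted quads
# (optionally with /prefix) count as IPv4; everything else is a hostname.
classify() {
  case "$1" in
    ''|'#'*) echo skip ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*|[0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) echo ip4 ;;
    *) echo host ;;
  esac
}

# dnsmasq lines: address=/name/0.0.0.0 matches the name and all its
# subdomains, so the client gets a non-routable answer instead of the real
# A record; the :: line does the same for AAAA queries.
dnsmasq_rules() {
  printf '%s\n' "$TELEMETRY_LIST" | while IFS= read -r entry; do
    [ "$(classify "$entry")" = host ] || continue
    printf 'address=/%s/0.0.0.0\naddress=/%s/::\n' "$entry" "$entry"
  done
}

# ipset + iptables lines: one hash:net set holds hosts and networks, and a
# single FORWARD rule matches the destination against it. -I inserts at the
# top so the rule wins over any later ACCEPT; -exist makes re-runs idempotent.
firewall_rules() {
  printf 'ipset create %s hash:net -exist\n' "$SET_NAME"
  printf 'ipset flush %s\n' "$SET_NAME"
  printf '%s\n' "$TELEMETRY_LIST" | while IFS= read -r entry; do
    [ "$(classify "$entry")" = ip4 ] || continue
    printf 'ipset add %s %s -exist\n' "$SET_NAME" "$entry"
  done
  printf 'iptables -I FORWARD -m set --match-set %s dst -j REJECT\n' "$SET_NAME"
}

# On a router you would append dnsmasq_rules output to the dnsmasq config
# (or paste it into Additional DNSMasq Options) and pipe firewall_rules into
# sh. Before leaving it enabled, confirm no Windows Update host is on the list.
if [ "${1:-}" = show ]; then
  dnsmasq_rules
  firewall_rules
fi
```

Run it with `sh script.sh show` to print both rule sets. Keeping the list in one place and splitting it by entry type is what makes the DNS layer and the IP layer stay in sync; a name that is sinkholed but whose IP is not in the set still leaks for any client that bypasses the router's resolver.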
kernel-panic69 (DD-WRT Guru, joined 08 May 2018, 14126 posts, Texas, USA)
Posted: Mon May 15, 2023 9:39
Alozaros wrote:
windows-telemetry
ubnt-telemetry

kernel-panic69 wrote:
I'm going to take a guess that it's related to Access Restrictions / WAN Access. I don't see windows-telemetry or ubnt-telemetry as choices on 52485 on my TL-WR1043NDv2

BrainSlayer wrote:
There is a filter option at Access Restrictions named "windows-telemetry" and "ubnt-telemetry". Both do not require DPI since they simply filter known IPs and hostnames by simple rules. (It uses dnsmasq filter options but also adds iptables filters for the direct IP addresses.)

Unfortunately they got lost in an update. I added them again now in 52577.

Thanks for the response to my email. I forgot where all to look and nothing came up searching for either option in the webUI. Found the slip-up:

https://github.com/mirror/dd-wrt/commit/df44653762dc2153be9615c2a26b2b761b26e0a6
https://svn.dd-wrt.com/changeset/49989

Alozaros (DD-WRT Guru, joined 16 Nov 2015, 6410 posts, UK, London, just across the river..)
Posted: Mon May 15, 2023 10:16
Alozaros wrote:
or use ndpi filters in relation, to block windows telemetry...active restriction page (p2p section)


Correct!!! nDPI / Access Restrictions / layer 7

Sadly, I never looked to see that those were not there yet, as I don't use nDPI in general...

Thanks BS, this option seems legit, and I hope it won't be that CPU intensive. I may give it a try when it becomes available (just wondering whether it will prevent Windows updates; will see)...
BS, I guess with the same success you can make filters for Apple, Google, FB, etc. and other nastiness..

I do have lots in the Windows firewall in the same manner, but at router level it will be cooler..
Thanks anyway!

dale_gribble39 (DD-WRT Guru, joined 11 Jun 2022, 1899 posts)
Posted: Mon May 15, 2023 14:57
May want to check current release for it, but the protocols and some bits seem to already be present:

https://github.com/mirror/dd-wrt/blob/master/src/router/shared/l7protocols.h

https://github.com/mirror/dd-wrt/blob/master/src/router/services/networking/generic/firewall.c

Also, as already noted, not all fall under NDPI, but L7. Won't see fixes until next public release unless they were included in today's build.
