Windows 10 hosts file not able to block certain Microsoft sites?

Discussion in 'Windows 10' started by luxflux, Aug 1, 2015.

  1. luxflux

    luxflux MDL Novice

    #1 luxflux, Aug 1, 2015
    Last edited: Aug 4, 2015
    I use the hosts file to block some websites from resolving and it has never failed me before.

    Today I noticed a few Microsoft addresses completely ignore the hosts file, such as windowsupdate.com, microsoft.com, etc. (also including www prefix). They are still making connections. It seems only something like PeerBlock can block them successfully (though only by IP).

    I've tried flushing the DNS cache through ipconfig, and disabled Firefox DNS cache as well. I've even tried restarting after hosts changes just in case. No matter what I do, as long as svchost.exe is allowed in the firewall (even just UDP port 53) the Microsoft sites will not be blocked. Every other non-Microsoft site is blocked/redirected properly.

    Anybody else have this problem, or is something overriding certain Microsoft host entries?

    [Edit: Yes, Microsoft hardcodes a list of domains into certain DLLs which cannot be blocked through the hosts file. The domains can be added to a 3rd-party software firewall, router firewall, or the DLLs themselves could possibly be patched — see below for more details.]
     
  2. bs0d

    bs0d MDL Novice

    I noticed it with other sites that I would normally route to 127.0.0.1.
     
  3. luxflux

    luxflux MDL Novice

    Were any of them Microsoft-owned domains? I route them to 0.0.0.0, which is quicker, but neither have any effect.
     
  4. Tomwa

    Tomwa MDL Novice

    Stupid question but have you turned off the DNS Cache service?
     
  5. murphy78

    murphy78 MDL DISM Enthusiast

    This is on purpose. They had to make sure malware couldn't block your system from getting updates and monthly malware scans.
     
  6. pjoter

    pjoter MDL Novice

  7. TheOldScout

    TheOldScout MDL Novice

    Block the URL and addresses with your router. I do that to avoid editing the Hosts file on every PC that I own. ;)
     
  8. dummekuehe

    dummekuehe MDL Senior Member

    As if their updates could ever clean an already infected system.
    It's just so they can keep up their spying.
     
  9. dubur

    dubur MDL Novice

    What's the workaround for this for users who know what they're doing (so malware threats aren't an issue, we just want MS sites blocked)?
     
  10. luxflux

    luxflux MDL Novice

    I found 22 hardcoded domains in the DLL (can't list them here because I don't have enough posts), which is totally manageable in my router's firewall. Done and dusted. I might look at patching the DLL later. Thanks a lot!
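    As an added example (not code from this thread or from any of its posters), a small Python audit that carves UTF-16LE domain strings out of a DLL image, the way the hardcoded list above was found, and reports which sunk hosts-file entries such a list would override. The DLL bytes and hosts text are constructed samples, and matching parent domains by suffix is an assumption about how the hardcoded list is applied.

    ```python
    import re

    # UTF-16LE encoding of an ASCII domain: each character is followed by a NUL byte.
    # Labels of [a-z0-9-] separated by '.', ending in an alphabetic TLD.
    UTF16_DOMAIN_RE = re.compile(
        rb"(?:(?:[a-zA-Z0-9-]\x00){1,63}\.\x00)+(?:[a-zA-Z]\x00){2,}"
    )
    SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}  # the two sink targets used in this thread


    def utf16le_domains(blob: bytes) -> set:
        """Carve domain names stored as UTF-16LE wide strings out of a binary image."""
        return {m.group().decode("utf-16-le").lower() for m in UTF16_DOMAIN_RE.finditer(blob)}


    def blocked_in_hosts(hosts_text: str) -> set:
        """Names a hosts file sinks to 0.0.0.0 or 127.0.0.1 (localhost itself excluded)."""
        blocked = set()
        for line in hosts_text.splitlines():
            fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
            if len(fields) >= 2 and fields[0] in SINK_ADDRESSES:
                blocked.update(n.lower() for n in fields[1:] if n.lower() != "localhost")
        return blocked


    def hosts_overridden(blob: bytes, hosts_text: str) -> dict:
        """Map each sunk hosts entry to True when the name, or any parent domain, is
        hardcoded in the blob. Assumption: the hardcoded list applies by suffix, so
        www.windowsupdate.com is covered by a hardcoded windowsupdate.com."""
        hardcoded = utf16le_domains(blob)
        report = {}
        for name in blocked_in_hosts(hosts_text):
            labels = name.split(".")
            suffixes = {".".join(labels[i:]) for i in range(len(labels) - 1)}
            report[name] = bool(suffixes & hardcoded)
        return report


    # Constructed stand-in for a DLL's string table; not bytes from a real dnsapi.dll.
    SAMPLE_BLOB = (
        b"MZ\x90\x00" + "windowsupdate.com".encode("utf-16-le") + b"\x00\x00"
        + b"\x01\x02" + "microsoft.com".encode("utf-16-le") + b"\x00\x00"
        + b"ads.example.net"  # narrow (UTF-8) string, not a wide string, so ignored
    )
    SAMPLE_HOSTS = """# constructed hosts file for the demonstration
    127.0.0.1 localhost
    0.0.0.0 windowsupdate.com www.windowsupdate.com
    0.0.0.0 ads.example.net   # unrelated site, still honoured by the resolver
    """

    if __name__ == "__main__":
        for name, bypassed in sorted(hosts_overridden(SAMPLE_BLOB, SAMPLE_HOSTS).items()):
            print(f"{name:26} {'BYPASSED (hardcoded)' if bypassed else 'blocked'}")
    ```

    Against a real DLL, read the file with open(path, "rb") and pass the bytes in place of SAMPLE_BLOB; the report marks which of your sink entries the hardcoded list would ignore.
    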
     
  11. pisthai

    pisthai Imperfect Human

    Also the use of a 3rd-party firewall would do the job if configured correctly!
     
  12. ZaForD

    ZaForD MDL Expert

    While I get and understand why MS have done this, it does leave a bad taste in the mouth.
    Google's reasons for bypassing the HOSTS file are pretty much the same, yet 'some' of their ad servers are also on their whitelists.

    And weren't MS going to send adverts to the lock screen and Start Menu :confused:

    Can someone post this list? I'll probably burn the house down trying to cut my way into a DLL. :p
     
  13. luxflux

    luxflux MDL Novice

    pastebin[.]com/tpXB37jN

    I think that's all of them.
     
  14. ZaForD

    ZaForD MDL Expert

    Most of those are the URLs in the secure section of IE on Windows Servers anyway. :cool:
     
  15. luxflux

    luxflux MDL Novice

    #15 luxflux, Aug 3, 2015
    Last edited: Aug 3, 2015
    (OP)
    Just recently observed connections to ctldl.windowsupdate[.]com even with it blocked in hosts. Any idea where that one's whitelisted? Because it's not in dnsapi.dll. In any case, another one added to the router firewall.
     
  16. windooooooooows

    windooooooooows MDL Novice

    I think ctldl is certificate trust list (CTL):

    ctldl.windowsupdate[.]com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    Great job on all these posts by the way :) I'm trying to log every connection myself. I will also post my findings :)
     
  17. luxflux

    luxflux MDL Novice

    I know what it is, but I'm curious to know where it's being whitelisted from (i.e., bypassing hosts file entries), similar to the dnsapi.dll list.
     
  18. pjoter

    pjoter MDL Novice

  19. luxflux

    luxflux MDL Novice

    Oh cool, I didn't even think I could do a mass search like that. That's handy.
     
  20. luxflux

    luxflux MDL Novice

    #20 luxflux, Aug 4, 2015
    Last edited: Aug 4, 2015
    (OP)
    OK, so it seems those hosts are constantly resolving to different IPs and my router can't update them fast enough, so it's kinda like playing whac-a-mole in the firewall (one minute something's blocked, the next it's not, until it decides to resolve the new IPs).

    I see two options here: look into a better software firewall, though I really don't want all the extra bloat; or block by IP—tedious and time consuming, but doable I suppose. I don't know how surefire that method would be.

    For now I'm using Fiddler's host remapper to block them, and it's working perfectly, but that's not even the intended purpose of that program. If anybody has a better suggestion for a simple host blocker I'd like to hear it.