These are great questions!

[Answer 1] Yes, I will document the steps you need to set up an Acrylic DNS proxy as either a portable or installed service. I will do that in a fresh thread and not hijack this one.

[Answer 2] I've done some tests on two systems with minimal privacy improvement changes and using the Acrylic DNS proxy server with a wildcard hosts file (the Acrylic Approach). The Acrylic Approach has successfully blocked the known MS telemetry domains (MS-TD). The Acrylic Approach also flagged two 'new' or 'new to me' MS-TD, one of which was automatically blocked by the use of a wildcard domain name in the Acrylic hosts file! The second one I added to the hosts file as a wildcard.

[Answer 3] The Acrylic portable version runs as a console that sits on your toolbar and looks like a command prompt terminal window. The Acrylic console window displays a stream of real-time network domain requests from good and bad "client" applications on your PC. Clients include: browsers, Adobe software, MS updates, MS OneDrive, MS Metro and MS snooping applications (MS-SA). Basically any application that is calling out to give or receive content. Browser applications are requesting to talk to external servers to get content to display. MS-SA want to make contact with an external server to give them content it's gathered from you. The Acrylic console window shows your PC's response to all "client" application requests. If your PC (or really the Acrylic DNS Proxy) responds to a client application with "from hosts cache" then basically the client application gets told "0.0.0.0" or "0". That means if the client application making a request to talk to an external server is an MS-SA, it gets blocked. So the MS-SA waits a bit and makes a second request and then a third and so on.
So you see a lot of chatter coming from MS-SAs not because they are sending out heaps of your personal information, but because the MS-SA is desperately trying to change the "0" response it keeps getting from your network to a "1", which means it's finally made contact with the 'mothership!' I will include in the "Acrylic How To Thread" easy-to-do tests to show that the Acrylic hosts file is truly blocking access to external domains. Will this categorically 'prove' that it's blocking MS-SA? Not completely. If you look around on the web you'll see that MS has 'hard-coded' some domain access capability into a specific DLL. However, you can open the DLL in a special text editor and see the actual domains listed. The domain names are essentially related to maintaining your connection with Windows Update or getting assistance from Microsoft. Which, of course, makes complete sense for MS to do! You could go crazy and wildcard "*microsoft.com" in the Acrylic hosts file and then complain when you get exploited because you didn't get the latest security update!! I'll put the name of the DLL and the program you can easily open it with in the How To Acrylic Thread. You can see for yourself all MS hard-coded domains and be somewhat assured that they aren't trying to 'get away' with some underhanded privacy abuse. Microsoft's corporate customers are not total sheep.

[Answer 4] My test set-up was an Insider account running on hardware and a local account running on a virtual machine. They were both basically 'wide-open' with three bloat-reducing/privacy changes:

- Windows Search Service disabled
- Defender disabled in Group Policies
- Cortana slider slid to "off" (which AFAIK doesn't do much)

All other services and Metro applications are active.

My goal: to run Windows 10 with my Insider account as my main day-to-day device! And not share anything with MS that I don't want to share. I'm probably living in a fantasy world! I'm happy to give MS feedback.
In fact, I don't even mind being prompted to give MS feedback... I just want to control the content I send them and not have them drink up all my activities because their vaguely worded EULA says they can! So the short answer to [Question 4] is that it seems like you can exclusively apply the "Acrylic Approach" to maintain your privacy and not be forced to change anything. The wildcard hosts file I posted above even blocks the spying part of Defender. So you could probably leave that running as well, if you wanted to. I don't want to go into all the benefits/pitfalls of a hosts approach vs. the firewall approach, but I suspect I'll have to at least talk a little about it in the How To Set Up an Acrylic DNS Server thread. So stay tuned!
At first I thought there might be a conflict, but I went to the dnscrypt.org website and right there on the main page is a section titled "DNSCrypt developers recommend using DNSCrypt with a DNS cache for optimal performance". Acrylic is a DNS cache! In fact, the developer of the free application "Acrylic DNS Proxy" promotes it as a very fast DNS cache. As far as he's concerned, Acrylic's claim to fame is its ability to super efficiently store and serve up a local DNS cache! I'm more interested in Acrylic's ability to read your OS's hosts file as well as its own internal Acrylic hosts file. The Acrylic hosts file allows you to use wildcards in the domain names you want to block as well as use domain names written as Regular Expressions, which I imagine would be really cool! Wildcards allow it to handle some degree of protection from MS playing around with the actual names it uses for its privacy-stealing domain servers. So to directly answer your question: you're way ahead of the game and in total luck! Using Acrylic DNS cache with DNSCrypt is exactly what you're meant to be doing! How to specifically do it, I can't answer at this moment. However, if you've already figured out DNSCrypt then Acrylic DNS cache is a piece of cake! Looking at the DNSCrypt set-up page I can already see it's more complicated than Acrylic to set up. Acrylic is bloody easy, but there are enough little tricks that I think I'd better post the "how to" in a new thread.
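The behaviour described in Answers 2 and 3 and in the post above (a wildcard or regex entry in the hosts file answering a request "from hosts cache" with 0.0.0.0, so a domain that did not exist when the rule was written is still caught, while everything else is forwarded upstream), as an added Python example that is not code from this thread or from Acrylic itself. The simplified rule syntax (`ip pattern`, `*` as a wildcard, `/.../` for a regex), the helper names and the `example-vendor.com` domains are assumptions and placeholders, not Acrylic's exact format or real telemetry hosts.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample rules in an assumed, simplified Acrylic-style hosts syntax:
# "<ip> <pattern>", where "*" matches any run of characters and a pattern wrapped
# in "/.../" is a regular expression. Domain names are placeholders.
SAMPLE_HOSTS = r"""
# block a telemetry zone, including subdomains that did not exist when the rule was written
0.0.0.0 *.telemetry.example-vendor.com
# regex rule: any host whose label starts with "vortex" under data.example-vendor.com
0.0.0.0 /^vortex[a-z0-9-]*\.data\.example-vendor\.com$/
# an ordinary pinned entry
127.0.0.1 localhost
"""

def parse_hosts(text):
    """Return a list of (ip, matcher) pairs; matcher(name) -> bool. Comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, pattern = line.split(None, 1)
        if len(pattern) > 2 and pattern.startswith("/") and pattern.endswith("/"):
            rx = re.compile(pattern[1:-1], re.IGNORECASE)
            rules.append((ip, lambda n, rx=rx: rx.search(n) is not None))
        else:
            pat = pattern.lower()
            rules.append((ip, lambda n, pat=pat: fnmatchcase(n.lower(), pat)))
    return rules

def resolve(name, rules):
    """Mimic the proxy's decision: first hosts-file hit answers locally, else forward upstream."""
    name = name.rstrip(".").lower()
    for ip, match in rules:
        if match(name):
            return ip, "from hosts cache"
    return None, "forwarded to upstream DNS"

def console_lines(names, rules):
    """Render decisions like the real-time console stream the post describes."""
    return [f"{n} -> {resolve(n, rules)[0] or 'upstream'} ({resolve(n, rules)[1]})" for n in names]

if __name__ == "__main__":
    for line in console_lines(["new.telemetry.example-vendor.com", "update.example-vendor.com"],
                              parse_hosts(SAMPLE_HOSTS)):
        print(line)
```

Feeding the over-broad rule `0.0.0.0 *example-vendor.com` into `parse_hosts` makes `update.example-vendor.com` resolve "from hosts cache" too, which is exactly the update-blocking pitfall the earlier answer warns about.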
What do people think? Do you think it might get all confusing here with a hosts/DNS server discussion intermingled with the very interesting and maybe somewhat related firewall discussion? What do you guys think? I've started a new thread about Acrylic DNS with a Wildcard Hosts File.
Sorry! I'm NOT trying to be a big tease. But my day has just begun and I wanted to answer the earlier questions before diving into the how-to! While you were waiting, I was sleeping!
Yo! New thread. You got it! Before I leave this thread I'll hang out here a bit longer and add some thoughts I have about port-blocking firewalls and domain-blocking hosts files.
Compare Port-based (Firewall) & Domain-based (Custom Hosts file) blocklists

If you are interested... open the TinyWall Frequently Asked Questions page (tinywall.pados.hu/faq) and search for "What is the difference between port-based and domain-based blocklists?" It's a very neutral explanation comparing the firewall approach to the custom hosts file approach.
Port-based (Firewall) vs Domain-based (Custom Hosts file) blocklist solutions

I really appreciate CODYQX4's complete honesty in declaring why he's chosen to use a firewall to meet his Windows 10 needs. If I were in his shoes and was only using a couple of coding programs and maybe Office on a Windows VirtualBox, then a port-based firewall is really a great solution! Man, his daily driver is an Apple! Lucky him! And I say that with complete honesty. I'm not just trying to suck up to CODYQX4! Well, maybe a little. Unfortunately, I'm the unofficial IT guy for a small home office made up of all Windows machines. There is one re-purposed Linux Mint laptop which I occasionally fire up to run a KMS server. I need a different solution. That is why I'm interested in the custom hosts file blocklist approach. Lucky for me, Acrylic DNS server lets you create the mac-daddy, kick-ass, custom hosts file blocklist!
@lomticksoftoast, hi mate, what about the Acrylic DNS Proxy tutorial you were about to post for blocking MS spyware habits? Is that still cooking, or do you still have issues with permissions to post the new thread?