How to disable Windows 10 tracking using ipset + Entware

Long post coming.
Someone alerted me some hostnames were missing and hardcoded IPs.

I amended the script as follows.

Add this below the DNSMASQ-CFG line.

Code:
WIN10IPS=/tmp/mnt/OPTWARE/hosts.win10ips

Add this above # Apply iptables rule

Code:
# Add hardcoded IPs to the ipset
for ip in $(cat "$WIN10IPS"); do
  # Only add addresses that are not already members of the set
  if ipset -T Win10tracking "$ip" | grep -q 'is NOT in set Win10tracking'; then
    ipset -A Win10tracking "$ip"
  fi
done

And in the WIN10IPS file, add this.

Code:
2.22.61.43
2.22.61.66
65.39.117.230
65.55.108.23
23.218.212.69
134.170.30.202
137.116.81.24
157.56.106.189
204.79.197.200
65.52.108.33

Then rerunning the firewall-start script should add the IPs. Remember also to add the extra hostnames.

I did try to post the full info but this forum has a forum post limit, so instead will link to the other site.

It is here: http://forum.kitz.co.uk/index.php?topic=16125

By the way, I think there is an issue with the firewall preserving existing rules. From what I can observe running diff, the QOS rules get lost when this script is executed.

I lost the following iptables rules.

-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A PREROUTING -i eth0 -j CONNMARK --restore-mark --nfmask 0x7 --ctmask 0x7
-A FORWARD -o eth0 -j QOSO
@@ -110,12 +110,12 @@
-A QOSO -j CONNMARK --set-return 0x2/0xffffffff
-A QOSO -j RETURN
 
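One way to check the rule loss reported in the post above, as an added example that is not part of the thread: it compares two `iptables-save` snapshots and lists the rules that disappeared. The function names and the sample snapshots are constructed; the sample rules are modeled on the ones quoted in the post.

```shell
#!/bin/sh
# Added example: compare two iptables-save snapshots and list the rules that
# disappeared. normalize, lost_rules and the sample data are constructed here.

# Reduce iptables-save output to "table: rule" lines. Chain headers carry
# packet counters that always differ, so only "-A" rule lines are kept.
normalize() {
  awk '/^\*/  { table = substr($0, 2); next }
       /^-A / { print table ": " $0 }' "$1"
}

# lost_rules BEFORE AFTER: print rules found in BEFORE but not in AFTER.
lost_rules() {
  after_rules=$(mktemp) || return 1
  normalize "$2" > "$after_rules"
  # -F fixed strings, -x whole line, -v invert; grep exits 1 if nothing is lost
  normalize "$1" | grep -Fxv -f "$after_rules" || :
  rm -f "$after_rules"
}

demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/before" <<'EOF'
*mangle
:PREROUTING ACCEPT [10:600]
-A PREROUTING -i eth0 -j CONNMARK --restore-mark --nfmask 0x7 --ctmask 0x7
-A FORWARD -o eth0 -j QOSO
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A logdrop -j DROP
COMMIT
EOF
  cat > "$dir/after" <<'EOF'
*mangle
:PREROUTING ACCEPT [25:1500]
COMMIT
*filter
:FORWARD DROP [3:180]
-A FORWARD -m set --match-set Win10tracking src,dst -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
  lost_rules "$dir/before" "$dir/after"
  rm -rf "$dir"
}
demo
```

On the router, save the output of `iptables-save` to a file before and after running the firewall-start script and pass both files to `lost_rules`.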
I added the other hardcoded IPs you list here into win10tracking and reran the script but they weren't blocked. Why?

I then did it exactly as you've written here (except in entware folder, not optware) and they were blocked. Does that mean the original setup didn't block any of the hardcoded IPs which I did have in win10tracking? (My win10tracking file has more hosts and IPs to block than the original post.)
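For a mixed list of hosts and IPs like the one described in the post above, this added example (not code from the thread) splits the entries by type. It assumes hostnames are handed to dnsmasq through its `ipset=` directive, which fills the set only from DNS answers, so literal addresses need their own `ipset -A` calls; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: split one mixed block list into hostnames and literal IPv4
# addresses. Function names and the sample entries are constructed.

# classify_list FILE: print "host NAME" or "ip ADDR" for each usable entry;
# anything else is reported on stderr with its line number.
classify_list() {
  awk '
    { sub(/\r$/, ""); sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    $0 == "" || seen[$0]++ { next }          # blank, comment-only or duplicate
    /^[0-9.]+$/ {                            # digits and dots only: an address
      n = split($0, o, "."); ok = (n == 4)
      for (i = 1; i <= n; i++)
        if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) ok = 0
      if (ok) print "ip " $0
      else print "line " NR ": bad address " $0 > "/dev/stderr"
      next
    }
    /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/ && !/\.\./ { print "host " $0; next }
    { print "line " NR ": skipped " $0 > "/dev/stderr" }
  ' "$1"
}

# Literal addresses: commands in the form used by the loop in the first post.
ipset_cmds() {
  classify_list "$1" | awk -v s="$2" '$1 == "ip" { print "ipset -A " s " " $2 }'
}

# Hostnames: dnsmasq "ipset=" lines; dnsmasq adds each resolved address itself.
dnsmasq_lines() {
  classify_list "$1" | awk -v s="$2" '$1 == "host" { print "ipset=/" $2 "/" s }'
}

# Constructed sample: CRLF endings, a comment, a duplicate and a bad address.
make_sample() {
  printf '%s\r\n' '# constructed list' 'telemetry.example.com' '192.0.2.10' \
    '198.51.100.7  # hardcoded' '192.0.2.10' '300.1.1.1' 'ads.example.net'
}

sample=$(mktemp) && make_sample > "$sample"
ipset_cmds "$sample" Win10tracking
dnsmasq_lines "$sample" Win10tracking
rm -f "$sample"
```

The CRLF handling matters when the list was edited on Windows and copied to the router, since a trailing carriage return otherwise becomes part of the address or hostname.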
 
I come to the conclusion this

Can possibly be done via URL block in the router too, and it actually blocks and terminates those connections; at least it seems to terminate connections on the few I actually tested. The problem is that there is a limit to how long these URLs can be when inputting them manually in the router settings.

Is there a way I can edit the UrlBlock via PuTTY and put them all in that way? Not sure if there is a perf hit to block that many sites that way either. Not that I expect an answer about this either.
 
Sorry for being a noob, but how do I copy both files, the list and the script to the jffs? Tried with putty/pscp but I get the following error:

sh: /opt/libexec/sftp-server: not found
Fatal: Received unexpected end-of-file from server
 
Use the SCP protocol instead of SFTP.
 
Thanks. I copied the files and set the script as executable, rebooted and tried to check with:
ipset --list Win10tracking
ipset v4.5: Unknown set

And I am stuck again :-/
 
Did you install Entware?
 
Al Ryzhov and RMerlin, good job with the win10tracking scripts. Results of the ipset --list Win10tracking as of 10-19-2015. I must say wow, the Win10 builds want to call home! Crazy Microsoft.

RT-ac68u with 378.56.beta2
 

Al Ryzhov and RMerlin, good job with the win10tracking scripts.

It's all his work, I wasn't involved at all in them (beside adding ipset to the firmware a few years ago).
 
Is this win10tracking configured inside the router, or do we have to configure it over scripts?
 
It is configured inside the router. You need a usb thumb drive or a small hard drive for entware. The scripts are on the /jffs partition. Do a search for rmerlin and entware using the search tool above.
 
Is it normal for Microsoft to have 600 plus ip addresses as shown in Win10tracking??? Check the attached text file.
 

Given Microsoft is serving an Earth of users and perhaps soon another Mars, a few hundred servers are still not many. I'm surprised though a single user like yourself can harvest so many..

Your anecdotal evidence confirms that the approach of this thread is probably not as efficient (and simple) as blocking in dnsmasq.
 
Did you install Entware?
Took some time to get back to this...
I followed these instructions - https://github.com/RMerl/asuswrt-merlin/wiki/Disable-Windows-10-tracking
I copied the Win10tracking.txt to /jffs and the script to jffs/script (created a txt file, copy&paste, rename to correct filename and scp to the router), used the chmod command to make it executable.
After that and according to your advice I installed Entware (didn't see it as a requirement per above instruction??), no error messages during install.
Reboot and test... no difference:
ipset --list Win10tracking
ipset v4.5: Unknown set

Help please :-/
 
@strumf666, what router are you using?

I see somebody "fixed" my how-to on the wiki. There is a difference in syntax between ARM and MIPS based routers:
  • ARM: iptables -I INPUT -m set --match-set ...
  • MIPS: iptables -I INPUT -m set --set ...
 
Yours is an ARM router, so you must change "--set" to "--match-set" in the script.

Here's an auto-detect logic to pick the correct one. I have not tested it.
Code:
# Apply iptables rule, unless one for the set is already loaded
if ! /usr/sbin/iptables-save | /bin/grep -q Win10tracking; then
  # The help text of the set match names the option this build understands
  if /usr/sbin/iptables -m set -h 2>&1 | /bin/grep -q -e "--match-set"; then
    /usr/sbin/iptables -I FORWARD -m set --match-set Win10tracking src,dst -j DROP
  else
    /usr/sbin/iptables -I FORWARD -m set --set Win10tracking src,dst -j DROP
  fi
fi
 
