Full Disclosure mailing list archives
Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
From: Joachim Schipper <j.schipper () math uu nl>
Date: Fri, 14 Apr 2006 02:13:21 +0200
On Thu, Apr 13, 2006 at 06:29:15PM +0100, Dave Korn wrote:
Hey, guess what I just found out: Microsoft have deliberately sabotaged their DNS client's hosts table lookup functionality.
(...) I'd try to block (Windows Media Player) it in my hosts file.
Microsoft DNS client special-cases 'go.microsoft.com' and refuses to look it up in the hosts file.
I'm running fully up-to-date Windows XP SP2. I don't have any pfw software that could conceivably be interfering, and the windows firewall is running with more-or-less the default settings (I've only added a couple of exceptions, no other changes). I don't think this is a false positive. On reading through %WINDIR%\system32\dnsapi.dll with 'strings', I find the following hostnames listed. I assume they are all also singled out for special treatment:- www.msdn.com msdn.com www.msn.com msn.com go.microsoft.com msdn.microsoft.com office.microsoft.com microsoftupdate.microsoft.com wustats.microsoft.com support.microsoft.com www.microsoft.com microsoft.com update.microsoft.com download.microsoft.com microsoftupdate.com windowsupdate.com windowsupdate.microsoft.com [ I've verified that the same behaviour occurs for office.microsoft.com, exactly as for go.microsoft.com, but haven't tried any of the others yet. I'd bet real money on it, though. ]
What's your point? It's not like it's the first piece of software ever to bypass the hosts file, is it? And if you're a software giant, that's easy to do at a lower level. Blacklisting IP addresses by /etc/hosts or equivalent is an extremely broken way of blocking, anyway; and vague hacks like that need not be supported. Use a real, non-host-based firewall. Of course, you might wish to stop certain software from phoning home. Fine, but use something that works - MS is evil in many ways, but not because this particular hack happens not to work. Switching to OSS quite nicely solves all these problems, though. Joachim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Dave Korn (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Brandon S. Allbery KF8NH (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Stan Bubrouski (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotagedhosts-file lookup Dave Korn (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup J.A. Terranson (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup A . L . M . Buxey (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup John Doe (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Nick FitzGerald (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup dumdidumdideldey (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup John Doe (Apr 13)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Joachim Schipper (Apr 13)
- RE: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Mario Contestabile (Apr 19)
- RE: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Nick FitzGerald (Apr 20)
- RE: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Mario Contestabile (Apr 19)
- <Possible follow-ups>
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup imipak (Apr 14)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Vidar Løkken (Apr 14)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Jurjen Oskam (Apr 14)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Vidar Løkken (Apr 14)
- Re: Microsoft DNS resolver: deliberately sabotaged hosts-file lookup Brandon S. Allbery KF8NH (Apr 13)