Microsoft DNS resolver not looking at hosts file

Discussion in 'Windows Desktop Systems' started by fitz, Mar 7, 2007.

  1. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    Hmm.. not sure how I missed this last year (well, the thread probably got lost in the flood of other mail I get from mailing lists..) but I found this extremely interesting: MS is basically breaking the RFC standard for DNS and hosts file lookups.

    While their reasons may be "pure" (in the sense that it does prevent a malware utility from adding items into the hosts file and preventing updates to sites like windowsupdate.microsoft.com), it is a fairly egregious breach of standard, and it is never documented anywhere.

    It also gives Microsoft anti-malware/update utilities an advantage over competitors who won't have this "feature".

    The full thread/article can be found here

    edit:
    I have verified that the same "functionality" exists in Vista Business (x86) as well and can only assume that it is also a part of other Vista suites (and Longhorn in the future).

     
  2. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    The DNS resolver shouldn't look at hosts. It's the job of the OS to do that. The DNS resolver should only ever query DNS servers.
     
  3. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    I'm not talking about the nslookup utility, I'm talking about Windows' built-in resolver in the TCP/IP stack.

    I am fully aware that if I specifically look up via DNS (i.e. nslookup or another 3rd-party DNS resolver) it will not look at the hosts file. But, if I have a hosts file that points, say, "windowsupdate.microsoft.com" to 127.0.0.1 and then open my browser to http://windowsupdate.microsoft.com, I would expect the browser to connect to the server on the localhost (or error out if there is no web server on the local machine). However, on an XP/SP2 or Vista machine, if I add that hosts entry and point the browser, it will still connect to Microsoft's site.
     
  4. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Then your install is broken :)

    Worked for me when I was using XP; not checked since installing Vista, so can't confirm either way.
     
  5. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    Really? I have a brand new XP SP2 install with all updates and nothing else and just ran the following tests:

    ping www.google.com
    result: pings one of google's addresses, in this case, 64.233.167.147

    ping windowsupdate.microsoft.com
    result: pings 207.46.18.94

    ping wwindowsupdate.microsoft.com
    result: does not resolve (could not find host)

    I then update my c:\windows\system32\drivers\etc\hosts file with the following entries:
    127.0.0.1 www.google.com
    127.0.0.1 windowsupdate.microsoft.com
    127.0.0.1 wwindowsupdate.microsoft.com

    Try the same tests:

    ping www.google.com
    result: pings the localhost address (127.0.0.1)

    ping windowsupdate.microsoft.com
    result: pings 207.46.18.94

    ping wwindowsupdate.microsoft.com
    result: pings and replies from localhost (127.0.0.1)

    Same results in Vista Business (x86). I don't have any other copies of Vista to compare with.
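    The before/after ping test above can be turned into a repeatable check. The script below is an added example (mine, not code from this thread): it parses a hosts file in the standard "address name [name ...] # comment" format, asks the system resolver (socket.gethostbyname, which goes through the same stack resolver that ping uses) for each listed name, and reports entries whose answer does not match the file. The embedded SAMPLE_HOSTS is constructed to mirror the three entries added in the test; the Windows path is the one quoted above, and /etc/hosts is assumed as the equivalent elsewhere.

```python
"""Audit which hosts-file entries the local resolver actually honours.

Added example; not code from the thread. It parses a hosts file in the
standard "address name [name ...] # comment" format, asks the OS resolver
(socket.gethostbyname) for each name, and lists the entries whose answer
disagrees with the file, which is the symptom described in the thread
(www.google.com honoured, windowsupdate.microsoft.com not).
"""
import os
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample reproducing the entries added in the ping test above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.google.com
127.0.0.1 windowsupdate.microsoft.com    # entry under test
127.0.0.1 wwindowsupdate.microsoft.com
"""

# Path quoted in the thread; /etc/hosts is assumed as the equivalent elsewhere.
HOSTS_PATH = (r"c:\windows\system32\drivers\etc\hosts" if os.name == "nt"
              else "/etc/hosts")

Resolver = Callable[[str], str]
Finding = Tuple[str, str, Optional[str], bool]


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address on its first line.

    A '#' starts a comment, blank lines are skipped, and a malformed line
    (address with no names) is ignored. The resolver takes the first match
    for a name, so later duplicates are dropped here as well.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def audit(mapping: Dict[str, str], resolve: Resolver) -> List[Finding]:
    """Return (name, expected, actual, honoured) for every hosts entry.

    actual is None when the resolver returns no address at all; honoured is
    True only when the resolver's answer equals the hosts-file address.
    """
    findings: List[Finding] = []
    for name, expected in sorted(mapping.items()):
        try:
            actual: Optional[str] = resolve(name)
        except OSError:          # socket.gaierror is a subclass of OSError
            actual = None
        findings.append((name, expected, actual, actual == expected))
    return findings


def bypassed(findings: List[Finding]) -> List[str]:
    """Names whose hosts entry the resolver did not honour."""
    return [name for name, _exp, _act, honoured in findings if not honoured]


if __name__ == "__main__":
    # Live run against this machine's own hosts file and resolver.
    with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
        live = parse_hosts(fh.read())
    for name, expected, actual, honoured in audit(live, socket.gethostbyname):
        flag = "ok     " if honoured else "BYPASS "
        print(f"{flag} {name:40s} hosts={expected:16s} resolver={actual}")
```

Run it after flushing the resolver cache (ipconfig /flushdns on Windows) so a cached answer from before the hosts edit is not mistaken for a bypass. The resolver is passed in as a callable so the logic can be exercised against a stub that reproduces the thread's observation without touching the network.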
     
  6. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    I don't think your install is broken, fitz. I just added "127.0.0.1 windowsupdate.microsoft.com" to my hosts file, flushed the DNS cache, and opened the URL in a browser, and it went right to WU instead of localhost. This is on Vista Ultimate.

    Lord, can you check to see what happens on your box?
     
  7. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    I don't have a Vista box around here anymore; can you check the values in this registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider

    That is where you can adjust the lookup order in XP; I am not sure if that value is even read any longer in Vista, as they have changed numerous parameters in their TCP stack.
     
  8. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Contents of the key in Vista:

    Code:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
    "Class"=dword:00000008
    "DnsPriority"=dword:000007d0
    "HostsPriority"=dword:000001f4
    "LocalPriority"=dword:000001f3
    "Name"="TCP/IP"
    "NetbtPriority"=dword:000007d1
    "ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
      00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
      77,00,73,00,6f,00,63,00,6b,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
     
  9. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    OK, that is correct: cached is first, then hosts file, DNS lookup, and NetBT transports. That is the same order as XP by default.
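    To make that reading of the export reproducible, here is an added example (mine, not code from the thread) that parses the .reg text posted above: dword values, the quoted string, and the hex(2) (REG_EXPAND_SZ) ProviderPath, whose comma-separated bytes are UTF-16LE and continue onto the next line after a trailing backslash. The *Priority values are then sorted ascending, since a lower number means that transport is consulted earlier, which yields the Local, Hosts, DNS, NetBT order stated above. Note that these values only describe the default ordering; the per-name bypass discussed in this thread does not show up in this key, so checking it alone will not reveal it.

```python
"""Derive the Windows name-resolution order from a ServiceProvider export.

Added example; not code from the thread. It parses the .reg text posted
above: dword values, a quoted string, and a hex(2) (REG_EXPAND_SZ) value
whose bytes are UTF-16LE and continue across lines after a trailing
backslash. The *Priority values are then sorted ascending, since a lower
number means that transport is consulted earlier.
"""
import re
from typing import Dict, List, Union

# The export from the thread, embedded so the script runs offline.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"Name"="TCP/IP"
"NetbtPriority"=dword:000007d1
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,6f,00,63,00,6b,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
RegValue = Union[int, str]


def _join_continuations(text: str) -> str:
    """Glue a line that ends in a backslash to the following indented line."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)


def parse_reg_values(text: str) -> Dict[str, RegValue]:
    """Parse the "name"=data lines of one .reg key into Python values."""
    values: Dict[str, RegValue] = {}
    for line in _join_continuations(text).splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue                      # key header, blank line, comment
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            values[name] = int(data[len("dword:"):], 16)
        elif data.startswith("hex(2):"):
            octets = [b for b in data[len("hex(2):"):].split(",") if b]
            raw = bytes(int(b, 16) for b in octets)
            values[name] = raw.decode("utf-16-le").rstrip("\x00")
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            values[name] = data[1:-1]
        else:
            values[name] = data           # unhandled type: keep the raw text
    return values


def lookup_order(values: Dict[str, RegValue]) -> List[str]:
    """Transports in the order the stack consults them (lowest priority first)."""
    suffix = "Priority"
    ranked = [(int(v), k[: -len(suffix)])
              for k, v in values.items() if k.endswith(suffix)]
    return [name for _prio, name in sorted(ranked)]


if __name__ == "__main__":
    vals = parse_reg_values(REG_EXPORT)
    print("ProviderPath:", vals["ProviderPath"])
    print("Lookup order:", " -> ".join(lookup_order(vals)))
```

The same parser works on a fresh `reg export` of the key saved as text, which is a quick way to diff a machine's current ordering against this default when auditing a box.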
     
  10. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    My point is that it is looking at the hosts file for all other requests (note my tests above - if I add www.google.com, it will pick up the hosts file entry instead of going through DNS). But for certain domains in the Microsoft address space, it bypasses the hosts file altogether.

    Please look at the link I posted in my first post in the thread for more info and more specifics as to what addresses are bypassing the hosts file.

    I don't view this as a problem since it is more or less confirmed that it is a "feature" in windows XP SP2 and Vista. I'm not trying to "fix" it since it can't really be fixed (short of installing a non-MS OS).

    The point of this thread was more a conversation starter as to the validity of such a "feature" in windows.
     
  11. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    I see your point, fitz.
    Do you see any legitimate reasons for needing to override these hard-coded defaults though?
     
  12. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    No.. in some ways I don't mind it, under the theory that it will always ensure that sites like windowsupdate are always reachable. In the argument of "malware" protection, a piece of malware will not be able to redirect users through the use of the hosts file (a la MyDoom).

    I think it is a little underhanded in that it was never published.. and if they do publish it, it gives them an unfair "advantage" in the anti-malware market (tag line: "malware will have a harder time preventing updates because our product will always connect to the right place!"). I don't see any non-Microsoft sites that bypass the hosts file..

    *shrug* It's more an issue of purity and doing things the "right way" (right meaning the way things are supposed to work, or the way they have always been done - dang, I must be getting old!). But it can set a dangerous precedent.