March 7th, 2007 | #1
fitz

Microsoft DNS resolver not looking at hosts file

Hmm.. not sure how I missed this last year (well, the thread probably got lost in the flood of other mail I get from mailing lists..) but I found this extremely interesting that MS is basically breaking the RFC standard for DNS and host file lookups.

While their reasons may be "pure" (in the sense that it does prevent a malware utility from adding items into the hosts file and preventing updates to sites like windowsupdate.microsoft.com), it is a fairly egregious breach of standard and the fact that it is never documented anywhere.

It also gives Microsoft anti-malware/update utilities an advantage over competitors who won't have this "feature".

The full thread/article can be found here

edit:
I have verified that the same "functionality" exists in Vista Business (x86) as well and can only assume that it is also a part of other Vista suites (and Longhorn in the future)

Microsoft have deliberately sabotaged their DNS client's hosts table
lookup functionality.

Normally you can override DNS lookup by specifying a hostname and IP
directly in the hosts file, which is searched before any query is issued
to your dns server; this technique is often used to block ads, spyware
and phone-homes by aliasing the host to be blocked to 127.0.0.1 in your
hosts file.

--- snip ----

but then I found the staggering truth:
Microsoft DNS client special-cases 'go.microsoft.com' and refuses to
look it up in the hosts file.

March 8th, 2007 | #2
LordOfLA

The DNS resolver shouldn't look at hosts. It's the job of the OS to do that. The DNS resolver should only ever query DNS servers.



March 8th, 2007 | #3
fitz

I'm not talking about the nslookup utility, I'm talking about Windows' built-in resolver in the TCP/IP stack.

I am fully aware that if I specifically lookup via DNS (ie: Nslookup or other 3rd party DNS resolver) it will not look at the hosts file. But, if I have a hosts file that points say, "windowsupdate.microsoft.com" to 127.0.0.1 and then open my browser to http://windowsupdate.microsoft.com, I would expect the browser to connect to the server on the localhost (or error out if there is no web server on the local machine). However, on an XP/SP2 or Vista machine, if I add that hosts entry and point the browser, it will still connect to Microsoft's site.

March 8th, 2007 | #4
LordOfLA

Then your install is broken

Worked for me when I was using XP; not checked since installing Vista, so can't confirm either way.



March 8th, 2007 | #5
fitz

Originally Posted by LordOfLA:
> Then your install is broken
>
> Worked for me when I was using XP; not checked since installing Vista, so can't confirm either way.

Really? I have a brand new XP SP2 install with all updates and nothing else and just ran the following tests:

ping www.google.com
result: pings one of google's addresses, in this case, 64.233.167.147

ping windowsupdate.microsoft.com
result: pings 207.46.18.94

ping wwindowsupdate.microsoft.com
result: does not resolve (could not find host)

I then update my c:\windows\system32\drivers\etc\hosts file with the following entries:
127.0.0.1 www.google.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 wwindowsupdate.microsoft.com

Try the same tests:

ping www.google.com
result: pings the localhost address (127.0.0.1)

ping windowsupdate.microsoft.com
result: pings 207.46.18.94

ping wwindowsupdate.microsoft.com
result: pings and replies from localhost (127.0.0.1)

Same results in Vista Business (x86). I don't have any other copies of Vista to compare with.
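
The before/after ping comparison in the post above can be automated. This is an added example, not part of the thread: it parses a hosts file, asks the operating system's resolver for each name, and reports entries the resolver ignored. The function names are illustrative, and the embedded sample is constructed from the three entries used in the test.

```python
# Added example, not from the thread; function names are illustrative.
import os
import socket

# Constructed sample: the three hosts entries fitz added in the test above.
SAMPLE_HOSTS = """\
127.0.0.1 www.google.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 wwindowsupdate.microsoft.com   # did not resolve before the edit
"""

def parse_hosts(text):
    """Return {hostname: ip} for IPv4 entries, skipping comments and blanks."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or ":" in fields[0]:  # too short, or IPv6 entry
            continue
        for name in fields[1:]:
            entries.setdefault(name.lower(), fields[0])  # first entry wins
    return entries

def system_resolve(name):
    """Ask the OS resolver (the API applications call) for IPv4 addresses."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()  # name does not resolve at all
    return {info[4][0] for info in infos}

def find_bypassed(hosts_text, resolve=system_resolve):
    """Return (name, hosts_ip, resolved_ips) where the hosts entry was ignored."""
    bypassed = []
    for name, ip in sorted(parse_hosts(hosts_text).items()):
        answers = resolve(name)
        if answers and ip not in answers:
            bypassed.append((name, ip, sorted(answers)))
    return bypassed

if __name__ == "__main__":
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        for name, ip, got in find_bypassed(fh.read()):
            print(f"{name}: hosts file says {ip}, resolver returned {got}")
```

An empty result means every hosts entry that resolves is being honoured; any line printed is a name whose hosts mapping the resolver did not use.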

March 8th, 2007 | #6
NetRyder

I don't think your install is broken, fitz. I just added "127.0.0.1 windowsupdate.microsoft.com" to my hosts file, flushed the DNS cache, and opened the URL in a browser, and it went right to WU instead of localhost. This is on Vista Ultimate.

Lord, can you check to see what happens on your box?

March 8th, 2007 | #7
j79zlr

I don't have a Vista box around here anymore, can you check the values in this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider



That is where you can adjust the lookup order in XP, I am not sure if that value is even read any longer in Vista as they have changed numerous parameters in their TCP stack.

March 9th, 2007 | #8
NetRyder

Originally Posted by j79zlr:
> I don't have a Vista box around here anymore, can you check the values in this registry key:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider
>
> That is where you can adjust the lookup order in XP, I am not sure if that value is even read any longer in Vista as they have changed numerous parameters in their TCP stack.

Contents of the key in Vista:

Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"Name"="TCP/IP"
"NetbtPriority"=dword:000007d1
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,6f,00,63,00,6b,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

March 9th, 2007 | #9
j79zlr

OK, that is correct: cached is first, then hosts file, DNS lookup, and NetBT transports. That is the same order as XP by default.
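
The reading of the ServiceProvider key in the two posts above can be reproduced from the export itself. This is an added example, not part of the thread: it parses the posted .reg text, converts the dword priorities to integers, and sorts them on the assumption (consistent with j79zlr's reading) that a lower value is tried earlier. It also decodes the ProviderPath bytes. Function names are illustrative.

```python
# Added example, not from the thread; function names are illustrative.
import re

# The registry export posted above, embedded so the example runs offline.
REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"Name"="TCP/IP"
"NetbtPriority"=dword:000007d1
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,6f,00,63,00,6b,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
'''

def parse_reg_values(text):
    """Parse the "name"=value lines of a .reg export into ints and strings."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    values = {}
    for m in re.finditer(r'^"([^"]+)"=(.*)$', text, re.M):
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif raw.startswith("hex(2):"):  # REG_EXPAND_SZ stored as UTF-16LE
            data = bytes(int(b, 16) for b in raw[7:].split(","))
            values[name] = data.decode("utf-16-le").rstrip("\x00")
        else:
            values[name] = raw.strip('"')
    return values

def lookup_order(values):
    """Providers sorted by priority; assumes a lower number is tried earlier."""
    prios = {k[:-len("Priority")]: v for k, v in values.items()
             if k.endswith("Priority")}
    return sorted(prios, key=prios.get)

if __name__ == "__main__":
    vals = parse_reg_values(REG_EXPORT)
    for provider in lookup_order(vals):
        print(f"{provider:6} {vals[provider + 'Priority']}")
    print("ProviderPath:", vals["ProviderPath"])
```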

March 9th, 2007 | #10
fitz

My point is that it is looking at the hosts file for all other requests (note my tests above - if I add www.google.com, it will pick up the host file entry instead of going through DNS). But for certain domains in the Microsoft address space, it bypasses the hosts file altogether.

Please look at the link I posted in my first post in the thread for more info and more specifics as to what addresses are bypassing the hosts file.

I don't view this as a problem since it is more or less confirmed that it is a "feature" in Windows XP SP2 and Vista. I'm not trying to "fix" it since it can't really be fixed (short of installing a non-MS OS).

The point of this thread was more a conversation starter as to the validity of such a "feature" in Windows.

March 9th, 2007 | #11
NetRyder

Originally Posted by fitz:
> The point of this thread was more a conversation starter as to the validity of such a "feature" in Windows.

I see your point, fitz.
Do you see any legitimate reasons for needing to override these hard-coded defaults though?

March 9th, 2007 | #12
fitz

Originally Posted by NetRyder:
> I see your point, fitz.
> Do you see any legitimate reasons for needing to override these hard-coded defaults though?

No.. in some ways I don't mind it under the theory that it will always ensure that sites like windowsupdate are always reachable. In the argument of "malware" protection, a piece of malware will not be able to redirect users through the use of the hosts file (ala MyDoom).

I think it is a little underhanded in that it was never published.. and if they do publish it, gives them an unfair "advantage" in the anti-malware market (tag line: "malware will have a harder time preventing updates because our product will always connect to the right place!"). I don't see any non-Microsoft sites that bypass the hosts file..

*shrug* It's more an issue of purity and doing things the "right way" (right meaning, the way things are supposed to work, or the way they have always been done - dang, I must be getting old!) But it can set a dangerous precedent.