Microsoft DNS resolver not looking at hosts file

fitz

Woah.. I'm still here?
Staff member
Political User
#1
Hmm.. not sure how I missed this last year (well, the thread probably got lost in the flood of other mail I get from mailing lists..) but I found this extremely interesting that MS is basically breaking the RFC standard for DNS and hosts file lookups.

While their reasons may be "pure" (in the sense that it does prevent a malware utility from adding items into the hosts file and preventing updates to sites like windowsupdate.microsoft.com), it is a fairly egregious breach of standard, and the fact that it is never documented anywhere makes it worse.

It also gives Microsoft anti-malware/update utilities an advantage over competitors who won't have this "feature".

The full thread/article can be found here

edit:
I have verified that the same "functionality" exists in Vista Business (x86) as well and can only assume that it is also a part of the other Vista suites (and Longhorn in the future)

Microsoft have deliberately sabotaged their DNS client's hosts table lookup functionality.

Normally you can override DNS lookup by specifying a hostname and IP
directly in the hosts file, which is searched before any query is issued
to your dns server; this technique is often used to block ads, spyware
and phone-homes by aliasing the host to be blocked to 127.0.0.1 in your
hosts file.

--- snip ----

but then I found the staggering truth:
Microsoft DNS client special-cases 'go.microsoft.com' and refuses to
look it up in the hosts file.
 
#2
The DNS resolver shouldn't look at hosts. It's the job of the OS to do that. The DNS resolver should only ever query DNS servers.
 

fitz

Woah.. I'm still here?
Staff member
Political User
#3
I'm not talking about the nslookup utility, I'm talking about Windows' built-in resolver in the TCP/IP stack.

I am fully aware that if I specifically look up via DNS (i.e. nslookup or another 3rd party DNS resolver) it will not look at the hosts file. But, if I have a hosts file that points, say, "windowsupdate.microsoft.com" to 127.0.0.1 and then open my browser to http://windowsupdate.microsoft.com, I would expect the browser to connect to the server on the localhost (or error out if there is no web server on the local machine). However, on an XP/SP2 or Vista machine, if I add that hosts entry and point the browser, it will still connect to Microsoft's site.
 
#4
Then your install is broken :)

Worked for me when I was using XP; not checked since installing Vista so can't confirm either way.
 

fitz

Woah.. I'm still here?
Staff member
Political User
#5
Then your install is broken :)

Worked for me when I was using XP; not checked since installing Vista so can't confirm either way.
Really? I have a brand new XP SP2 install with all updates and nothing else and just ran the following tests:

ping www.google.com
result: pings one of google's addresses, in this case, 64.233.167.147

ping windowsupdate.microsoft.com
result: pings 207.46.18.94

ping wwindowsupdate.microsoft.com
result: does not resolve (could not find host)

I then update my c:\windows\system32\drivers\etc\hosts file with the following entries:
127.0.0.1 www.google.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 wwindowsupdate.microsoft.com

Try the same tests:

ping www.google.com
result: pings the localhost address (127.0.0.1)

ping windowsupdate.microsoft.com
result: pings 207.46.18.94

ping wwindowsupdate.microsoft.com
result: pings and replies from localhost (127.0.0.1)

Same results in Vista Business (x86). I don't have any other copies of Vista to compare with.
 
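The ping tests above can be automated: parse the hosts file, ask the OS resolver for each name, and report every entry whose address does not come back. This is an added example, not code from the thread; the sample hosts content is constructed, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import os
import socket
from typing import Callable, Dict, List, Set
# Constructed sample; the hostnames mirror the ones tested in the post above.
SAMPLE_HOSTS = """\
127.0.0.1 www.google.com
127.0.0.1 windowsupdate.microsoft.com   # trailing comment
127.0.0.1 wwindowsupdate.microsoft.com
::1 ip6-localhost ip6-loopback
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the first address listed for it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # rejects malformed lines
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)  # first match wins, like the OS
    return mapping

def system_resolve(name: str) -> Set[str]:
    """Every address the OS resolver returns for a name (hosts file included)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def find_bypassed(hosts: Dict[str, str],
                  resolve: Callable[[str], Set[str]] = system_resolve) -> List[str]:
    """Names whose hosts-file address is missing from the answer; a failed lookup counts too."""
    bypassed = []
    for name, expected in hosts.items():
        try:
            answers = resolve(name)
        except OSError:
            answers = set()
        if expected not in answers:
            bypassed.append(name)
    return sorted(bypassed)

if __name__ == "__main__":  # run against the live machine's hosts file
    path = "/etc/hosts" if os.name != "nt" else os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"), r"System32\drivers\etc\hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        print("hosts entries not honoured:", find_bypassed(parse_hosts(fh.read())))
```

On a stack that special-cases certain names, the printed list is exactly the set of overrides the resolver ignored; on a compliant stack it is empty.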
#6
I don't think your install is broken, fitz. I just added "127.0.0.1 windowsupdate.microsoft.com" to my hosts file, flushed the DNS cache, and opened the URL in a browser, and it went right to WU instead of localhost. This is on Vista Ultimate.

Lord, can you check to see what happens on your box?
 

j79zlr

Glaanies script monkey
Political User
#7
I don't have a Vista box around here anymore, can you check the values in this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider

That is where you can adjust the lookup order in XP, I am not sure if that value is even read any longer in Vista as they have changed numerous parameters in their TCP stack.
 
#8
I don't have a Vista box around here anymore, can you check the values in this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider

That is where you can adjust the lookup order in XP, I am not sure if that value is even read any longer in Vista as they have changed numerous parameters in their TCP stack.
Contents of the key in Vista:

Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"Name"="TCP/IP"
"NetbtPriority"=dword:000007d1
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,6f,00,63,00,6b,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
 

j79zlr

Glaanies script monkey
Political User
#9
Ok, that is correct: cache is first, then hosts file, DNS lookup, and NetBT transports. That is the same order as XP by default.
 

fitz

Woah.. I'm still here?
Staff member
Political User
#10
My point is that it is looking at the hosts file for all other requests (note my tests above - if I add www.google.com, it will pick up the hosts file entry instead of going through DNS). But for certain domains in the Microsoft address space, it bypasses the hosts file altogether.

Please look at the link I posted in my first post in the thread for more info and more specifics as to what addresses are bypassing the hosts file.

I don't view this as a problem since it is more or less confirmed that it is a "feature" in windows XP SP2 and Vista. I'm not trying to "fix" it since it can't really be fixed (short of installing a non-MS OS).

The point of this thread was more a conversation starter as to the validity of such a "feature" in windows.
 

fitz

Woah.. I'm still here?
Staff member
Political User
#12
I see your point, fitz.
Do you see any legitimate reasons for needing to override these hard-coded defaults though?
No.. in some ways I don't mind it, under the theory that it will always ensure that sites like windowsupdate are always reachable. In the argument of "malware" protection, a piece of malware will not be able to redirect users through the use of the hosts file (a la MyDoom).

I think it is a little underhanded in that it was never published.. and if they do publish it, it gives them an unfair "advantage" in the anti-malware market (tag line: "malware will have a harder time preventing updates because our product will always connect to the right place!"). I don't see any non-Microsoft sites that bypass the hosts file..

*shrug* It's more an issue of purity and doing things the "right way" (right meaning the way things are supposed to work, or the way they have always been done - dang, I must be getting old!) But it can set a dangerous precedent.