Microsoft DNS resolver not looking at hosts file

fitz (joined 26 Apr 2004, 4,086 messages)
Hmm.. not sure how I missed this last year (well, the thread probably got lost in the flood of other mail I get from mailing lists..) but I found this extremely interesting that MS is basically breaking the RFC standard for DNS and host file lookups.

While their reasons may be "pure" (in the sense that it does prevent a malware utility from adding items into the hosts file and preventing updates to sites like windowsupdate.microsoft.com), it is a fairly egregious breach of standard, and it is never documented anywhere.

It also gives Microsoft anti-malware/update utilities an advantage over competitors who won't have this "feature".

The full thread/article can be found here

edit:
I have verified that the same "functionality" exists in Vista Business (x86) as well and can only assume that it is also a part of other Vista suites (and Longhorn in the future).

Microsoft have deliberately sabotaged their DNS client's hosts table lookup functionality.

Normally you can override DNS lookup by specifying a hostname and IP directly in the hosts file, which is searched before any query is issued to your dns server; this technique is often used to block ads, spyware and phone-homes by aliasing the host to be blocked to 127.0.0.1 in your hosts file.

--- snip ----

but then I found the staggering truth:
Microsoft DNS client special-cases 'go.microsoft.com' and refuses to look it up in the hosts file.
 
The dns resolver shouldn't look at hosts. It's the job of the OS to do that. The DNS resolver should only ever query dns servers.
 
I'm not talking about the nslookup utility, I'm talking about Windows' built-in resolver in the TCP/IP stack.

I am fully aware that if I specifically lookup via DNS (ie: Nslookup or other 3rd party DNS resolver) it will not look at the hosts file. But, if I have a hosts file that points say, "windowsupdate.microsoft.com" to 127.0.0.1 and then open my browser to http://windowsupdate.microsoft.com, I would expect the browser to connect to the server on the localhost (or error out if there is no web server on the local machine). However, on an XP/SP2 or Vista machine, if I add that hosts entry and point the browser, it will still connect to Microsoft's site.
 
Then your install is broken :)

Worked for me when I was using XP not checked since installing vista so can't confirm either way.
 

Really? I have a brand new XP SP2 install with all updates and nothing else and just ran the following tests:

ping www.google.com
result: pings one of google's addresses, in this case, 64.233.167.147

ping windowsupdate.microsoft.com
result: pings 207.46.18.94

ping wwindowsupdate.microsoft.com
result: does not resolve (could not find host)

I then update my c:\windows\system32\drivers\etc\hosts file with the following entries:
127.0.0.1 www.google.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 wwindowsupdate.microsoft.com

Try the same tests:

ping www.google.com
result: pings the localhost address (127.0.0.1)

ping windowsupdate.microsoft.com
result: pings 207.46.18.94

ping wwindowsupdate.microsoft.com
result: pings and replies from localhost (127.0.0.1)

Same results in Vista Business (x86). I don't have any other copies of Vista to compare with.
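The before/after ping comparison above can be automated: parse the hosts file, ask the OS resolver for each name, and flag any entry whose answer does not match the hosts alias. This is an added example, not code from the thread; the sample hosts contents and the `fake_resolver` stand-in (which reproduces the behaviour fitz reported) are constructed so the check runs offline, and `socket.gethostbyname` can be passed instead for a live check.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed hosts file contents, mirroring the entries added in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.google.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 wwindowsupdate.microsoft.com
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in a hosts file to the address it is aliased to.
    Comments (#) and blank lines are ignored; one line may list several names."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            entries[name.lower()] = addr
    return entries

def find_bypassed(entries: Dict[str, str],
                  resolve: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, expected, actual) for every hosts entry the resolver
    did not honour. `resolve` is injectable so the check can run offline."""
    bypassed = []
    for name, expected in sorted(entries.items()):
        try:
            actual = resolve(name)
        except OSError as exc:
            actual = f"unresolved ({exc})"
        if actual != expected:
            bypassed.append((name, expected, actual))
    return bypassed

def fake_resolver(name: str) -> str:
    """Constructed stand-in reproducing the resolver behaviour reported above."""
    if name == "windowsupdate.microsoft.com":
        return "207.46.18.94"   # hosts entry ignored
    return "127.0.0.1"          # hosts entry honoured

if __name__ == "__main__":
    # Live check against the real OS resolver on the machine running this script.
    for name, expected, actual in find_bypassed(parse_hosts(SAMPLE_HOSTS), socket.gethostbyname):
        print(f"hosts entry bypassed: {name} expected {expected}, resolver returned {actual}")
```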
 
I don't think your install is broken, fitz. I just added "127.0.0.1 windowsupdate.microsoft.com" to my hosts file, flushed the DNS cache, and opened the URL in a browser, and it went right to WU instead of localhost. This is on Vista Ultimate.

Lord, can you check to see what happens on your box?
 
I don't have a Vista box around here anymore, can you check the values in this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider

That is where you can adjust the lookup order in XP, I am not sure if that value is even read any longer in Vista as they have changed numerous parameters in their TCP stack.
 
Contents of the key in Vista:

Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"Name"="TCP/IP"
"NetbtPriority"=dword:000007d1
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,6f,00,63,00,6b,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
 
Ok, that is correct, cached is first, then host file, dns lookup, and netbt transports. That is the same order as XP by default.
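To make the order visible from the raw export rather than reading the dwords by eye, the following added example (not code from the thread) parses the posted .reg text, decodes the `hex(2)` value as UTF-16LE REG_EXPAND_SZ, and sorts the *Priority values; a smaller number is consulted first, which is what gives local/cache, hosts, DNS, NetBT.

```python
import re
from typing import Dict, List, Tuple

# The ServiceProvider export posted in the thread, embedded here as input.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"Name"="TCP/IP"
"NetbtPriority"=dword:000007d1
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,6f,00,63,00,6b,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"""

def parse_reg(text: str) -> Dict[str, object]:
    """Parse the values of a single-key .reg export: dword -> int, quoted -> str,
    hex(2) (REG_EXPAND_SZ, UTF-16LE) -> decoded str. Stitches '\\' continuations."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    values: Dict[str, object] = {}
    for m in re.finditer(r'^"([^"]+)"=(.+)$', joined, re.M):
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
            values[name] = data.decode("utf-16-le").rstrip("\x00")
        elif raw.startswith('"') and raw.endswith('"'):
            values[name] = raw[1:-1]
    return values

def lookup_order(values: Dict[str, object]) -> List[Tuple[str, int]]:
    """Providers sorted by priority value; the smallest number is consulted first."""
    prios = [(k[:-len("Priority")], int(v)) for k, v in values.items() if k.endswith("Priority")]
    return sorted(prios, key=lambda kv: kv[1])

if __name__ == "__main__":
    vals = parse_reg(REG_EXPORT)
    print("provider:", vals["ProviderPath"])
    for provider, prio in lookup_order(vals):
        print(f"{prio:5d}  {provider}")
```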
 
My point is that it is looking at the hosts file for all other requests (note my tests above - if I add www.google.com, it will pick up the host file entry instead of going through DNS). But for certain domains in the Microsoft address space, it bypasses the hosts file altogether.

Please look at the link I posted in my first post in the thread for more info and more specifics as to what addresses are bypassing the hosts file.

I don't view this as a problem since it is more or less confirmed that it is a "feature" in windows XP SP2 and Vista. I'm not trying to "fix" it since it can't really be fixed (short of installing a non-MS OS).

The point of this thread was more a conversation starter as to the validity of such a "feature" in windows.
 
I see your point, fitz.
Do you see any legitimate reasons for needing to override these hard-coded defaults though?
 

no.. in some ways I don't mind it under the theory that it will always ensure that sites like windowsupdate are always reachable. In the argument of "malware" protection, a piece of malware will not be able to redirect users through the use of the hosts file (a la MyDoom).

I think it is a little underhanded in that it was never published.. and if they do publish it, it gives them an unfair "advantage" in the anti-malware market (tag line: "malware will have a harder time preventing updates because our product will always connect to the right place!"). I don't see any non-Microsoft sites that bypass the hosts file..

*shrug* It's more an issue of purity and doing things the "right way" (right meaning, the way things are supposed to work, or the way they have always been done - dang, I must be getting old!) But it can set a dangerous precedent.
 
