This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Does WireShark/Windows ignore the hosts file?


Hi, I'm using Wireshark (Windows 10 Pro x64 1607) to track my internet traffic, and after 10 hours I got 30 outgoing hostnames (after some filtering) which I want to block, so I added them to my hosts file:

0.0.0.0 localhost
0.0.0.0 gateway.skyprod.akadns.net
0.0.0.0 db5wns1b.wns.windows.com
0.0.0.0 tsfe.tsws.mp.microsoft.com.nsatc.net
0.0.0.0 DB5SCH101100127.wns.windows.com
0.0.0.0 msnbot-191-232-139-174.search.msn.com
0.0.0.0 time.microsoft.akadns.net
0.0.0.0 login.live.com.nsatc.net
0.0.0.0 fe2.update.microsoft.com.nsatc.net
0.0.0.0 sls.update.microsoft.com.nsatc.net
0.0.0.0 fe3.delivery.dsp.mp.microsoft.com.nsatc.net
0.0.0.0 a1856.dspw65.akamai.net
0.0.0.0 a767.dscd.akamai.net
0.0.0.0 a1683.dspw65.akamai.net
0.0.0.0 e10198.b.akamaiedge.net
0.0.0.0 db5.settings.data.microsoft.com.akadns.net
0.0.0.0 fg.download.windowsupdate.com.c.footprint.net
0.0.0.0 e9659.dspg.akamaiedge.net
0.0.0.0 c-0001.c-msedge.net
0.0.0.0 4-c-0003.c-msedge.net
0.0.0.0 a1621.g.akamai.net
0.0.0.0 g.msn.com.nsatc.net
0.0.0.0 msnbot-191-232-139-174.search.msn.com
0.0.0.0 a23-60-200-231.deploy.static.akamaitechnologies.com

At least I disabled the DNS Client service. After that I restarted the tracking with Wireshark over 10 hours, and after filtering again I got the same hostnames. I think that the hosts file works, because when I ping the hostnames ("ping a1621.g.akamai.net") they are unreachable. Now I am confused. Can someone explain what's wrong here... why does Wireshark track the same hostnames which I already blocked?

Thanks in advance :)

asked 25 Oct '16, 15:35


Trolleule

Is that the Windows hosts file (%SystemRoot%\System32\drivers\etc\hosts, on all NT versions - so including Windows 10 - if the Wikipedia article is to be believed)?

(25 Oct '16, 23:19) Guy Harris ♦♦

Yes, it is. The path is %SystemRoot%\System32\drivers\etc\hosts

(26 Oct '16, 09:44) Trolleule

Is the entry 0.0.0.0 localhost going to be helpful?

(26 Oct '16, 10:20) grahamb ♦

@grahamb, my understanding of the question is the following: to prevent connections to some server (fqdn) from establishing, instead of using an external firewall, we use a record in the hosts file, believing it will prevent the machine from resolving the fqdn using an external DNS. Therefore, 0.0.0.0 may be a good value if the whole model works.

Wireshark is used here as a tool to verify whether it works or not.

@Trolleule, I am afraid some caching in the browser may interfere with the idea, as you say that pinging the f.q.d.n indicates that the idea works, while the browser still manages to establish the sessions.

(26 Oct '16, 10:48) sindy

@sindy, I understand the intent, playing whack-a-mole with MS "phone-home" connections, but still don't think that null routing localhost is going to be a good idea.

(26 Oct '16, 11:18) grahamb ♦

@sindy, I think I am lacking basic Windows/network knowledge, because I don't understand why the browser relates to these connections that I try to block :/ Like @grahamb said, the intent is to stop that W10 spying, and the only way I know to prove that is currently Wireshark -> "Wireshark is used here as a tool to verify whether it works or not."

So that's the reason why I don't understand the role the browser has in this case. -> I don't want to block internet sites, I want to block the hidden traffic of Windows.

@grahamb, I will delete the "0.0.0.0 localhost" entry... that was only a hopeless try :D

(26 Oct '16, 13:53) Trolleule

One Answer:

1

The answer to your question is "yes". Wireshark does address -> host name resolution by itself, rather than by relying on the OS's resolution routines, and does it using its own hosts file (if you've provided one - Wireshark doesn't ship with one), your own personal hosts file (if you've provided one), and the C-ARES DNS resolution library. It does not use the system's hosts file.

And this isn't just on Windows - it's the same on UN*Xes.

answered 26 Oct '16, 11:25


Guy Harris ♦♦

Thank you. Please consider that I am not interested in resolving IPs. I use the Windows hosts file to block hostnames. But if we mean the same thing: does this mean that my hosts file solution blocks the traffic, but Wireshark still tracks these connections because it ignores the file? So how can I check if the hidden traffic is really blocked?

(26 Oct '16, 14:00) Trolleule

does this mean that my hosts file solution blocks the traffic, but Wireshark still tracks these connections because it ignores the file?

Probably not. If Wireshark is showing packets going to those host names, it probably means that, for whatever reason, your machine is still trying to contact those hosts. Perhaps some software has their IP addresses saved somewhere. Perhaps there are incoming connections or other incoming packets from those hosts, so that your machine gets the IP address from there.

(26 Oct '16, 14:19) Guy Harris ♦♦

Hmm, I am helpless now :/ Meanwhile I did some further tweaks and tests:
1. I have the hosts file, which seems to work because pings are unreachable
2. The router I am using is a Fritzbox 4790, and I added these hostnames to a blacklist that I can assign to the standard user profile
3. I unchecked IPv6 in the LAN adapter properties
4. I played around with the Windows firewall, blocked Internet Explorer and Edge

I took some screenshots, I think they are helpful:
http://imageshack.com/a/img922/3200/lgoF6N.png
http://imageshack.com/a/img922/4277/Yc3O2R.png
http://imageshack.com/a/img922/2189/fQnWTZ.png
http://imageshack.com/a/img923/2483/MbLJIh.png
http://imageshack.com/a/img922/2471/8m5QPU.png
http://imageshack.com/a/img921/7680/PmWG8U.png
http://imageshack.com/a/img923/8880/DdJtca.png
http://imageshack.com/a/img924/3395/BdbT3R.png

When I start capturing with Wireshark over 5 hours, I am still getting these hostnames :/ Does someone have an idea what I can try now?

(27 Oct '16, 14:37) Trolleule

What exactly does "getting those hostnames" mean? To me, it should mean that the IP addresses to which these hostnames resolve occur in your captures, and Wireshark reverse-translates them to hostnames (or, more precisely, fqdns).

Now can you see from the capture whether the information exchanges with these IPs are initiated by your PC or by that IP?

I missed that you were attempting to handle the "Windows 10 calling home" issue, so I mentioned the browser cache, but Windows may also cache DNS responses (and, unlike in the browser, it won't be easy to empty that cache).

Blocking Internet Explorer and Edge doesn't prevent the Microsoft Update or some other background process from establishing connections - the browsers are just applications like any other one, not the sole channels to internet which all other applications would have to use to get there.

(27 Oct '16, 14:45) sindy

"To me, it should mean that the IP addresses to which these hostnames resolve occur in your captures, and Wireshark reverse-translates them to hostnames (or, more precisely, fqdns)." -> Yes, that's what I mean. One of the screenshots shows the query I did with phpMyAdmin (all outgoing IPs with ports and hostnames that I captured within the 5 hours).

"Now can you see from the capture whether the information exchanges with these IPs are initiated by your PC or by that IP?" I don't really understand the question, sorry... English is not my mother language :/ Maybe it helps if you have a look at the screenshot with the phpMyAdmin query.

Btw, I disabled the Windows service DNS Client.

(27 Oct '16, 15:28) Trolleule

Btw, I disabled the Windows service DNS Client.

That won't affect Wireshark, which uses its own DNS client.

(27 Oct '16, 16:11) Guy Harris ♦♦

None of the screenshots help, as none of them are Wireshark screenshots.

You said

After that i restarted the tracking with wireshark over 10 hours and after filtering again i got the same hostnames.

Could you show a screenshot from that, where Wireshark is displaying those host names?

(27 Oct '16, 16:14) Guy Harris ♦♦
(27 Oct '16, 17:24) Trolleule

Yes, it indicates that editing the hosts file does not prevent some piece of software on 192.168.178.51 from sending traffic to 157.55.240.89. Trying to look up that IP address on my machine fails, and attempting to resolve the host name "sls.update.microsoft.com" gets 134.170.51.188, but perhaps Microsoft resolves sls.update.microsoft.com to different addresses at different times or in different locations.

(27 Oct '16, 17:38) Guy Harris ♦♦

I think if I blocked some of these IPs, Windows would take another route, and we don't know how often one blocked IP will be replaced with another one :/ So that's the reason why I try to block the hostname instead of the IP -> correct me if I am wrong... a host like sls.update.microsoft.com.nsatc.net can be resolved to several IPs, or?

As you can see here... same hostname:
http://imageshack.com/a/img924/5884/mLEuVX.png

191.234.72.183 fe2.update.microsoft.com.nsatc.net
134.170.58.125 fe2.update.microsoft.com.nsatc.net

What would you suggest now?

(27 Oct '16, 19:56) Trolleule
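The thread's two points (a hosts-file entry only affects the OS resolver's name-to-IP step, so software that already holds an IP still connects, and one name such as fe2.update.microsoft.com.nsatc.net can map to several IPs) can be checked mechanically. The following is an added example, not code from the thread or from Wireshark: it parses a constructed hosts file and a constructed capture summary (the kind of src/dst/resolved-name triples you would export from Wireshark's Conversations view) and reports which sinkholed names still appear in outbound traffic and under which IPs.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a Windows hosts file (%SystemRoot%\System32\drivers\etc\hosts);
# a few illustrative entries, not the poster's full file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 sls.update.microsoft.com.nsatc.net   # sinkholed
0.0.0.0 fe2.update.microsoft.com.nsatc.net
"""

# Constructed capture summary: (src, dst, name as Wireshark resolved dst).
# Wireshark resolves with its own resolver (own hosts files + c-ares), so the
# names still appear even though the system hosts file sinkholes them.
SAMPLE_FLOWS = [
    ("192.168.178.51", "191.234.72.183", "fe2.update.microsoft.com.nsatc.net"),
    ("192.168.178.51", "134.170.58.125", "fe2.update.microsoft.com.nsatc.net"),
    ("192.168.178.51", "157.55.240.89", "sls.update.microsoft.com.nsatc.net"),
    ("192.168.178.51", "93.184.216.34", "example.com"),
]

SINKHOLES = {"0.0.0.0"}  # the null address used in the thread


def parse_hosts(text):
    """Return {hostname: ip}, honouring '#' comments, blank lines and
    several names per line, as the hosts file syntax allows."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line; the OS resolver skips it as well
        for name in parts[1:]:
            mapping[name.lower()] = ip
    return mapping


def sinkholed_names(hosts_map):
    """Names the hosts file points at a sinkhole address."""
    return {n for n, ip in hosts_map.items() if ip in SINKHOLES}


def leaked_flows(hosts_map, flows, local_ip):
    """Sinkholed names still reached by outbound flows from local_ip,
    with every destination IP seen for each name (sorted)."""
    blocked = sinkholed_names(hosts_map)
    seen = defaultdict(set)
    for src, dst, name in flows:
        if src == local_ip and name.lower() in blocked:
            seen[name.lower()].add(dst)
    return {n: sorted(ips) for n, ips in seen.items()}
```

A name that shows up with more than one IP is the case raised in the last comment: blocking individual addresses would have to chase every one of them.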