How to redirect msftconnecttest to a certain domain

How could I redirect the following domains to a domain I host on a website, www.example.com?

www.msftconnecttest.com
www.msftncsi.com
ipv6.msftncsi.com
www.msftconnecttest.com
ipv6.msftconnecttest.com

and dns.msftncsi.com to my router

The goal is that Windows desktops do not ask Microsoft whether the device has internet access, but my website instead.

Overriding names to some addresses is relatively easy. Multiple ways are described on: Knot resolver (i.e. kresd) - DNS advanced settings for Omnia and MOX [Turris wiki]

Overriding to another name: I’m not aware of a usable way currently.

You might want to look at adblock. By default it will use various adblock sources, but you can do none and use the blacklist to add your own.

Normally, it will create CNAMEs for all the entities you want to block and point them at “nobody.invalid.”, but you might be able to set that to a different domain if you want. I think it’s just scripts that generate the entries.

If you’re just interested in blocking the DNS lookup, you wouldn’t need to do anything different. Just be prepared that the device might try to bypass your DNS and use its own method to make contact, but I’m not sure what can be done about that in this day of DoH and DoT.

@vcunat + @jklaas
Currently, I already run adblock. But I do not know enough about networking to modify things on my own. The link to Knot resolver was not helpful for me.

Since you already run adblock, and it doesn’t seem like you need the DNS to redirect to a specific domain, then you should be able to add those domains to the Blacklist for Adblock in LuCI.

If you’re not familiar how to do that, log in to LuCI or (Advanced Administration) from the reForis interface.

Adblock is under Services and you should see “Overview”, “Edit Blacklist”, “Edit Whitelist” and some others depending on options you’ve checked.

All those domain names can be added to the “Edit Blacklist” page.

They may also be included in one of the many “Blocklist Sources” which can be found in “Overview”, but for items like this, I’ll just add them to the Blacklist.

Blacklisting is not a good idea. If you blacklist these Microsoft domains, several Microsoft and other apps and services do not work, and WLAN sometimes gets auto-disconnected.
I have to redirect it. For that I will use my website.

So I need to redirect these domains to a domain under my control.

In that case, you will need to create your own redirect file and reference it in kresd custom.conf. I’m not sure exactly how to do that, but you could probably add your own RPZ (response policy zone).

You can read up on that here. Since adblock already uses an RPZ entry, I’m not sure if you can add more.

If I was testing this, I’d copy from the way adblock does things. Looking at /var/kresd.config (which is everything for kresd), I found

policy.add(policy.rpz(policy.DENY, '/etc/kresd/adb_list.overall'))

You could change the file to your redirection file, and make the file look something like:

$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
www.msftconnecttest.com CNAME www.example.com.

I have no idea if this would work, but that’s where I would start.

You can also set kresd to be more verbose and watch the logs to get clues if something isn’t working as you expect.

Like that?

policy.add(policy.rpz(policy.DENY, '/etc/kresd/ms.block'))

I’m not sure about the DENY.

The goal is that MS devices get a page with some text back.
If I do not find a permanent solution without modifying registry keys, I have to solve that on the devices.

Some background info:
https://www.trishtech.com/2015/07/disable-active-internet-probing-ncsi-in-windows/

I found a discussion about that on the Pi-hole forum.
They use dnsmasq there:

The problem is that kresd won’t follow CNAMEs from RPZ.

EDIT: which is why I suggested “redirecting” to address(es) instead of name.
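The address-based override the replies above point to (overriding the names to addresses in kresd, since CNAMEs from an RPZ are not followed), written out as an added example. It is not code from this thread, from Turris or from the Knot Resolver project. It assumes the Knot Resolver 5.x policy API as exposed on Turris, that 192.0.2.10 and 2001:db8::10 stand in for the addresses of the web server that should answer, and that 192.168.1.1 is the router. Whether the web server then serves the intended page depends on the HTTP side, not on DNS:

```lua
-- /etc/kresd/custom.conf (added example; not from the thread or from Turris)
-- Assumptions: Knot Resolver 5.x policy API; 192.0.2.10 / 2001:db8::10 are the
-- web server's addresses; 192.168.1.1 is the router. Adjust to your network.

-- Names the Windows connectivity probes use. policy.suffix() matches each
-- name and everything under it, so no subdomain leaks to the upstream resolver.
local ncsi_names = policy.todnames({
  'www.msftconnecttest.com',
  'ipv6.msftconnecttest.com',
  'www.msftncsi.com',
  'ipv6.msftncsi.com',
})

-- Synthesize A and AAAA answers locally instead of resolving them at Microsoft.
-- This is the "override to address" route: an address answer is returned as-is,
-- whereas an RPZ CNAME to www.example.com would not be chased by kresd.
policy.add(policy.suffix(policy.ANSWER({
  [kres.type.A]    = { rdata = kres.str2ip('192.0.2.10'),  ttl = 300 },
  [kres.type.AAAA] = { rdata = kres.str2ip('2001:db8::10'), ttl = 300 },
}), ncsi_names))

-- dns.msftncsi.com pointed at the router, as the original question asks.
-- Caveat: the NCSI DNS probe compares the answer for this name with a fixed
-- expected address, so answering with the router's address makes that probe
-- report "no internet" rather than succeed. Use the hints module for a single
-- exact name; it returns the address for the name only, not for subdomains.
modules.load('hints')
hints['dns.msftncsi.com'] = '192.168.1.1'
```

After restarting kresd, query the router directly (for example with kdig from knot-dnsutils: kdig @192.168.1.1 www.msftconnecttest.com A) and confirm the answer carries 192.0.2.10 with the 300-second TTL rather than a Microsoft address; the adblock RPZ line already in /var/kresd.config can stay as it is, since the policies are evaluated in order and this one only touches the listed names.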

If you mean an IP address, that seems not possible. My website does not have a specific IP that belongs to my website only.

Well then you’re doomed. CNAME or anything DNS won’t change the HTTP origin – that will remain Microsoft’s. EDIT: and if the devices are doing HTTPS, it’s even worse.


I think the easiest way to do it is with iptables.

As far as I know, iptables only handles IP. Any suggestion how you would solve this issue?

Man. I need to step in. There is no such thing as no specific IP. This is not how the internet works. You have a DNS name that points to an IP, or to another canonical name with a CNAME that still points to an IP. Always. It might change when you use a DynDNS service. And point to that IP. Geez.

I mean if you know the IP addresses of those servers, do outgoing forwarding to your server’s IP.

AFAIK the original poster would need to change the SNI in the HTTP(S) stream. I can’t see how to do that without an HTTP proxy (which is possible to run on Turris, but perhaps re-evaluate the aims instead…)