How to edit DNSAPI.dll in Windows 10 to remove hard-coded telemetry domains?

E

EnthusiastXYZ

Limp Gawd
Joined
Jun 26, 2020
Messages
221
Microsoft hard-coded several domains (such as windowsupdate.com) into DNSAPI.dll file to make sure blocking those domains via hosts file is impossible. IP's for those domains change all the time, preventing IP-blocking firewalls from acting as a solution to block such telemetry. Stopping and/or disabling Windows DNS Cache Service (and/or Windows Update Service) does not prevent DNSAPI.dll from bypassing hosts file.

There are functional ways to block those domains, such as using Pi-Hole for local DNS server, but Pi-Hole does not work for VPN tunnels. VPN tunnels encrypt traffic and spoof IP's, but they don't prevent Microsoft from identifying your PC via mentioned domains. Blocking those telemetry domains is the only solution. There are 3rd party programs, such as YogaDNS, which function within VPN tunnels by acting as DNS drivers and blocking domains in hosts file, including domains hard-coded into DNSAPI.dll. The problem with YogaDNS is that it cannot be started up until after VPN tunnel is established, allowing Windows to send telemetry between the time VPN tunnel is established and time YogaDNS is started.

That leaves editing DNSAPI.dll as the only true solution to block domains hard-coded into it, but any attempt to HEX-edit DNSAPI.dll results in errors when programs, such as CCleaner, are launched. Disabling driver signature and integrity checks via BCDedit commands does not make a difference. How can I properly edit DNSAPI.dll to remove hard-coded domains and not get DNSAPI.dll-related errors?
 
I just downloaded a program called DotPeek (https://www.jetbrains.com/decompiler/)

I dont actually know how the .dll was compiled, but it does appear like I can at least open it, not much going on that I can see though, it shows some text strings clearly related to DNS sources and destinations, but I dont think the de-compiler is opening it properly, maybe another one could work better?

EDIT - Visual Studio lets me open it up seemingly fine, is there a pattern to the IP ranges or host names the telemetry servers use? I dont know how your VPN is setup, but assuming the portal is on some firewall that you have control over, would it be possible to use regex block the VPN interface itself from reaching the WAN addresses of the M$ servers? I suppose it would be too easy if telemetry used its own special set of ports, but is it possible to block this "service" at the port level?
 
Last edited:
Smoblikat said:
I just downloaded a program called DotPeek (https://www.jetbrains.com/decompiler/)

I dont actually know how the .dll was compiled, but it does appear like I can at least open it, not much going on that I can see though, it shows some text strings clearly related to DNS sources and destinations, but I dont think the de-compiler is opening it properly, maybe another one could work better?

EDIT - Visual Studio lets me open it up seemingly fine, is there a pattern to the IP ranges or host names the telemetry servers use? I dont know how your VPN is setup, but assuming the portal is on some firewall that you have control over, would it be possible to use regex block the VPN interface itself from reaching the WAN addresses of the M$ servers? I suppose it would be too easy if telemetry used its own special set of ports, but is it possible to block this "service" at the port level?
Click to expand...

IP's change for those domains all the time as witnessed by using "nslookup windowsupdate.com" command in CMD (command prompt). Therefore there is no way to block those domains with IP and/or port firewall rules. You can also notice that one of CNAME domains for "windowsupdate.com" is a "footprint" domain. Perhaps a better firewall can work because Windows-based TinyWall and SimpleWall cannot block .DLL files, only .EXE files. If a .DLL hijacks an .EXE file with internet access, the hijacking .DLL can connect to any domain not blocked by hosts file. For example, ReShade .DLL files access GitHub to check for ReShade updates every time a game with ReShade filter is started. Anti-virus/anti-malware programs can detect hijacks, but none of such programs see DNSAPI.DLL as malicious...
 
Last edited:
If they aren't obfuscated in the binary, you could just edit it with a hex editor. Windows might detect the change, but if not then you're good to go.

Edit: you may have to do this in safe mode with networking disabled, or from another os/livecd. Windows doesn't like you editing system files, or files currently loaded by other programs.
 
Editing that file doesn't create problems with Windows OS itself, but other programs that use DNSAPI.DLL, such as CCleaner, spit out errors regarding DNSAPI.DLL. I don't know if its CRC Checksum or something else, but edited DNSAPI.DLL fails some kind of verification, even in Safe Mode, even with driver signature disabled.
 
Stick the original dll in the CC directory, it should use it instead (then at least you've partially blocked it?)
Edit: Is there a list of these domains somewhere, I don't see a windowsupdate.com in mine?
 
Last edited:
www.msdn.com
msdn.com
www.msn.com
msn.com
go.microsoft.com
msdn.microsoft.com
office.microsoft.com
microsoftupdate.microsoft.com
wustats.microsoft.com
support.microsoft.com
www.microsoft.com
microsoft.com
update.microsoft.com
download.microsoft.com
microsoftupdate.com
windowsupdate.com
windowsupdate.microsoft.com

Taken from https://www.petri.com/windows-10-ignoring-hosts-file-specific-name-resolution . It's an old article from 2016, but my DNSAPI.dll from Windows 10 build 19043 definitely lists mentioned domains in plain-text.
 
I got it working by simply replacing all letters of the white-listed domains in DNSAPI.dll with ".". No problems now, but I wish nslookup honored hosts file. It doesn't do that at all...
 
  • Like
Reactions: Nobu
like this
The far easyest way to get rid of the telemetry is to switch to using linux. Keep your Windows for games (which it's only good for) and live your daily life on linux.
 
B00nie said:
The far easyest way to get rid of the telemetry is to switch to using linux. Keep your Windows for games (which it's only good for) and live your daily life on linux.
Click to expand...

*PUTTY enters the chat*

:p

windows LTSC might be another option. im not sure how much of the telemetry is stripped out, but thats what I use for my normal OS.
 
Smoblikat said:
*PUTTY enters the chat*

:p

windows LTSC might be another option. im not sure how much of the telemetry is stripped out, but thats what I use for my normal OS.
Click to expand...
Heh, you only need PuTTY if you use Windows ;) Macs, linuxes and BSD:s have a proper terminal installed out-of-the-box.
 
BattleEye doesn't like edited DNSAPI.dll, but BattleEye games won't connect if BattleEye discards DNSAPI.dll during game load... Does LTSC DNSAPI.dll version of Windows 10 contain entries for domains I list above?
 
Smoblikat said:
I opened it up in a hex editor, the only domains I see are for microsoft.com/PKI/.....

I uploaded the .dll from my LTSC install, feel free to check it out yourself.

https://file.io/0sK3QQbGlk6g
Click to expand...
1626731769785.png


Hmmm
 
It says file deleted... Can you re-upload (PM me if needed) ?

I love LTSC, but it doesn't support the latest graphics technology, like RTX HW-Accelerated GPU Scheduling...

I'd rather know how BattleEye verifies DLL file authenticity. It's got to be a checksum of some kind...

Edit: BattlEye simply verifies certificate signature and edited DLL files won't pass. Maybe I can self-sign it and see BattlEye eats it.
 
Last edited:
Algrim said:
Pedant: OS X is a fork of mostly BSD. I was working with Jordan Hubbard on a project related to BSD when he was hired by Apple.
Click to expand...

isnt it specifically called Darwin, or is that just the open source implementation?
 
Smoblikat said:
Weird, I reuploaded as a zip this time.

https://www110.zippyshare.com/v/pWrolAYV/file.html
Click to expand...

Nope, all the telemetry domains are whitelisted in LTSC DNSAPI.dll also:
DNSAPI-Telemetry.png


You can replace all symbols after "system32" (top line) with "." using editor and use the new file to prevent Windows from white-listing those domains, but make sure to also block those domains in hosts file and/or local DNS server (Pi-Hole/AdGuard-Home). You are going to need "TrustedInstaller" level of privileges to replace DNSAPI.dll . Don't forget to edit the the other DNSAPI.dll file in SysWOW64 folder.
 
EnthusiastXYZ said:
Nope, all the telemetry domains are whitelisted in LTSC DNSAPI.dll also:
View attachment 376803

You can replace all symbols after "system32" (top line) with "." using editor and use the new file to prevent Windows from white-listing those domains, but make sure to also block those domains in hosts file and/or local DNS server (Pi-Hole/AdGuard-Home). You are going to need "TrustedInstaller" level of privileges to replace DNSAPI.dll . Don't forget to edit the the other DNSAPI.dll file in SysWOW64 folder.
Click to expand...
If whitelisting is so trivial and Windows doesn't check the file integrity, it means that any malware can whitelist themselves using this dll very easily :)
 
I thought there were some programs that block the telemetry without having to have to endlessly edit files?
 
B00nie said:
If whitelisting is so trivial and Windows doesn't check the file integrity, it means that any malware can whitelist themselves using this dll very easily :)
Click to expand...

That is why non-malware software using DNSAPI.dll tends to verify whether DNSAPI.dll is signed. Editing that file breaks the certification of the file. You can't play Rainbow Six: Siege and Tom Clancy's The Division 2 if you edit that file. I finally found a proper workaround with YogaDNS that doesn't require editing that file and and seamlessly blocks telemetry before and after VPN tunnel is established.
techie81 said:
I thought there were some programs that block the telemetry without having to have to endlessly edit files?
Click to expand...

Not completely. Hard-coded telemetry domains is just one workaround MS uses to fingerprint your machine. Third-party programs, like Ubisoft Connect (Uplay) can force you to allow connections to ctldl.windowsupdate.com to make sure your Windows Root Certificate Store is updated. Its a war and war... war never ends.
 
You must log in or register to reply here.
Back
Top