Does dnsapi.dll bypass DNSCrypt's blacklist?

[WilliamShawnCollins]

Hello,

in Windows' dnsapi.dll some addresses (e.g. for Windows updates and telemetry) are coded, which bypass corresponding redirections entered in the hosts file. For example, if you were to enter "0.0.0.0 very-evil-microsoft-telemetry.com" in the hosts file and this address was coded in dnsapi.dll, then the redirection to 0.0.0.0 would not take place.

My question: Does the dnsapi.dll also bypass entries in DNSCrypts blacklist or is only the hosts file affected?

Thanks!

[lifenjoiner]

very-evil-microsoft-telemetry.com

You should list an existing example. But this one does not exist. A list I got:

00005788   5FD86388      0   windowsupdate.microsoft.com
000057C0   5FD863C0      0   windowsupdate.com
000057E4   5FD863E4      0   microsoftupdate.com
0000580C   5FD8640C      0   download.microsoft.com
0000583C   5FD8643C      0   update.microsoft.com
00005868   5FD86468      0   microsoft.com
00005884   5FD86484      0   www.microsoft.com
000058A8   5FD864A8      0   support.microsoft.com
000058D4   5FD864D4      0   wustats.microsoft.com
00005900   5FD86500      0   microsoftupdate.microsoft.com
0000593C   5FD8653C      0   office.microsoft.com
00005968   5FD86568      0   msdn.microsoft.com
00005990   5FD86590      0   go.microsoft.com
000059B4   5FD865B4      0   msn.com
000059C4   5FD865C4      0   www.msn.com
000059DC   5FD865DC      0   msdn.com
000059F0   5FD865F0      0   www.msdn.com
00005A0C   5FD8660C      0   technet.microsoft.com
00005A38   5FD86638      0   technet.com
00005A50   5FD86650      0   www.technet.com
00005A70   5FD86670      0   activation-v2.sls.microsoft.com
00005AB0   5FD866B0      0   validation-v2.sls.microsoft.com

My question: Does the dnsapi.dll also bypass entries in DNSCrypts blacklist or is only the hosts file affected?

AFAIK, only the hosts file affected.

dnscrypt-proxy does NOT use the system host file, but uses its own rule files instead. You'd better read the whole Configuration chapter.

Further more:
Microsoft TCP/IP Host Name Resolution Order

[WilliamShawnCollins]

I opened my dnsapi.dll with a hex editor and indeed only the addresses you listed are entered. So the information I had read that it would make sense for privacy reasons to edit the dnsapi.dll because of telemetry was not correct, at least for my personal requirements.

Out of a technical interest, I was still interested if the dnsapi.dll can bypass the blacklist of DNSCrypt. Yes it can (made a test with msn.com).

dnscrypt-proxy does NOT use the system host file, but uses its own rule files instead.

Yes, I know that, but the information on the page you linked (thanks) is relevant to my question: At what point does the dnsapi.dll intervene in the execution sequence and in what way? The linked page states that the execution order is

own name? > hosts file > DNS server > NetBIOS

and that the execution of these steps ends as soon as a match between host name and IP is found.

As a DNS proxy, DNSCrypt should be in the third place (DNS Server), so a redirect in the hosts file would not reach the DNSCrypt proxy and its blacklist at all, because Windows sends the request out before and the execution sequence stops, or do I have a fundamentally wrong understanding of the technical process (I am not an expert)? What I am wondering now is where the dnsapi.dll intervenes in the sequence and in what way. Does it bypass the hosts file simply by being upstream?

own name? > dnsapi.dll > hosts file > DNS server > NetBIOS

I have not found any information on this in my research.

The question has nothing directly to do with DNSCrypt, so this is not really the right place to ask about it and the thread can be closed for all I care. But if anyone can/wants to answer the question, that would be interesting.

[lifenjoiner]

I think the workflow is:

Apps	OS API	Protocol
telemetry -->	DnsQuery -->	dnscrypt-proxy -->
	dnsapi.dll	blocked_names_file
	hosts (config file)	other-rule-files

If you have any domain name that is bypassed, list it, and then it can be tested by others ...
If you have more interests in the internal mechanism of dnsapi.dll, maybe you can ask Microsoft, in their forum or issue list.

[WilliamShawnCollins]

If you have any domain name that is bypassed, list it, and then it can be tested by others ...

Like I said, I have tested it with msn.com and it was not blocked.

Now I made a second test and it is blocked. My first thought was "I made a mistake the first or the second time", but now I have added three entries of dnsapi.dll (msn.com, technet.com, microsoft.com) to the blacklist at the same time to open them in the browser (Firefox). The strange result: msn.com and technet.com are blocked by the blacklist, but microsoft.com is not blocked. I'm confused ...

[scubasunny]

Hi
By default in the Domain allowed file Microsoft.com is listed.
This overwrites then your blacklist entry.
So you need even to remove this entry in the Domain allowed file

[lifenjoiner]

Now I made a second test and it is blocked. My first thought was "I made a mistake the first or the second time", but now I have added three entries of dnsapi.dll (msn.com, technet.com, microsoft.com) to the blacklist at the same time to open them in the browser (Firefox). The strange result: msn.com and technet.com are blocked by the blacklist, but microsoft.com is not blocked. I'm confused ...

I think you can make it clear by spliting the mixed test conditions into tests:

1. Use a direct query to dnscrypt-proxy to confirm whether the blocked names are bypassed.
   Tools: dig, dnscrypt-proxy -resolve or nslookup (does not use DnsQuery nor DnsQueryEx).
2. If step 1 shows dnscrypt-proxy doesn't work well, it is a bug of dnscrypt-proxy.
3. If step 1 works well, make sure whether your previous tests reached dnscrypt-proxy. And list all the factors during a system domain name resolving process before reaching dnscrypt-proxy, then dig out what really happens ... Things I can list:
   • OS DNS resolver cache (ipconfig /displaydns)
   • NCSI or maybe something like it