Some services connect to Akamai and Phicdn

Discussion in 'privacy problems' started by bopbop, Oct 5, 2016.

  1. bopbop

    bopbop Registered Member

    Joined:
    Sep 27, 2016
    Posts:
    22
    Location:
    italy
    1-) I'm wondering what these two connections in the screenshot (other than broadcasthost) do and which Windows services start them:
    https://s14.postimg.org/ar99kex35/host_process.jpg

    Edit: 2-) Spotify and Steam (and probably some other programs) make an HTTP connection to clients.I.google.com. Low amount of data goes through: 5-10 kb

    I tried blocking clients.I.google.com, it still popped up as a connection.
    Maybe I need other domain names to block those, any ideas?
     
    Last edited: Oct 5, 2016
  2. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    bopbop, interesting you mentioning clients.I.google.com - it was just yesterday I was wondering about this and why it appeared on a particular website I go to and on which I don't want anything to do with Google showing itself. In fact I'm on a mission to stomp on anything Google everywhere except when I go to YouTube and even then only allow minimal stuff to see what I want to see. Compartmentalization helps in this cause. Anyway I saw the same Google thing in SmartSniff. I blocked the IP address (range) in my FW and the site no longer showed the Google entry BUT some time later when I went back it does what Google loves to do - come at you from another IP address range. I decided to block google.com in uMatrix and it hasn't shown up since.
     
  3. bopbop

    bopbop Registered Member

    Joined:
    Sep 27, 2016
    Posts:
    22
    Location:
    italy
    Let's be friends.

    As for uMatrix, it's only gonna help you when browsing.
    Need a way to block Google for desktop applications.
    We probably need the right domain names for the hosts file.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Yes, for the hosts file you need a domain that will resolve to the IP you want to block. Sometimes you can use IPlookup to check if there is any domain on a specific IP address.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,086
    Code:
    1) clients.I.google.com
    2) clients.l.google.com
    
    First does not appear to exist.  Second one is well known.  Example:
    
    POST http://clients1.google.com/ocsp
    
    clients1.google.com CNAME clients.l.google.com
    
    while visiting https://www.google.com.  Look at its certificate.
    
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes, I noticed that svchost.exe often wants to connect to Akamai which is a service related to internet speed optimization. I try to block this as much as possible, and my Internet connection keeps working at the same speed. So I wonder what's up with this.
     
  7. bopbop

    bopbop Registered Member

    Joined:
    Sep 27, 2016
    Posts:
    22
    Location:
    italy
    What should be put in hosts file to get rid of clients.l.google.com?
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    0.0.0.0 clients.l.google.com
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,086
    Again, I think you can run into issues if you hosts file block the CNAME (canonical name) of a server rather than the server itself. By way of an analogy:

    You want to telephone Bob Jones. You grab your personal address book and look up Bob Jones. No number listed. So you call directory assistance. The agent tells you that Bob Jones' proper name is Robert Jones and his phone number is X. What do you do now? Do you call X? Do you go to your personal address book again, look up Robert Jones this time, to see if you have him in there under a different number Y?

    Here is an example that appears to be easier/safer for testing purposes. Although IP Address appears to vary by region the CNAMEs appear consistent. Feel free to double check, but here goes: www.msnbc.com
    1. www.msnbc.com has a CNAME of msnbc.com.edgekey.net
    2. msnbc.com.edgekey.net has a CNAME of e8169.dscb.akamaiedge.net
    3. e8169.dscb.akamaiedge.net has an A of 104.107.109.65
    So www.msnbc.com = 104.107.109.65 in this case. If you block e8169.dscb.akamaiedge.net and/or msnbc.com.edgekey.net in your hosts file (rather than www.msnbc.com) does that prevent you from reaching www.msnbc.com? It doesn't for me on Windows 7, and I took steps to avoid caching issues.
     
  10. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Correct. Putting only msnbc.com.edgekey.net & e8169.dscb.akamaiedge.net in hosts file allows connection
    to msnbc.com. Putting only msnbc.com (2 entry lines) in hosts file blocks that server.

    NOTE: Putting IP Address 104.107.109.65 in my firewall IP blocking rules doesn't stop me from
    connecting to msnbc.com.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,086
    BTW, if you want to block hosts/domains at the system level you could look into DNS proxies, which can support wildcards/pattern-matching and some other useful features. One example is Acrylic: http://mayakron.altervista.org/wikibase/show.php?id=AcrylicFAQ.

    If you decide to use a local proxy I would suggest some testing to determine if it interferes with your software firewall's ability to recognize/block DNS on an originating process basis (all DNS requests might appear to come from the proxy itself). I don't know if any software firewalls have similar functionality built-in but that might be something to look for and/or request.

    Edit: Given that certificate related checks (CRL, OCSP) are of special importance (most would choose to allow them) here are a few lists I found:

    http://uptime.netcraft.com/perf/reports/performance/OCSP
    https://www.pkicloud.com/ocsp-stats.html
    https://github.com/pyllyukko/user.js/issues/73
     
    Last edited: Oct 13, 2016
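
The hosts-file result reported in posts 9 and 10, and the wildcard DNS proxy idea from post 11, modelled offline in Python. This is an added example, not code from any poster or from Acrylic; the record table is constructed from the chain quoted in post 9, and the proxy's check of every name in the chain is an assumption of the example.

```python
from fnmatch import fnmatchcase

# Constructed records: the CNAME chain quoted in post 9 of this thread.
RECORDS = {
    "www.msnbc.com": ("CNAME", "msnbc.com.edgekey.net"),
    "msnbc.com.edgekey.net": ("CNAME", "e8169.dscb.akamaiedge.net"),
    "e8169.dscb.akamaiedge.net": ("A", "104.107.109.65"),
}

def parse_hosts(text):
    """Parse hosts-file text into {name: ip}; comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

def upstream_chain(name, max_hops=8):
    """Follow CNAMEs as the upstream DNS does; return (names_seen, ip_or_None)."""
    names = [name]
    for _ in range(max_hops):  # hop limit guards against CNAME loops
        rtype, value = RECORDS.get(names[-1], (None, None))
        if rtype != "CNAME":
            return names, value
        names.append(value)
    return names, None

def resolve_with_hosts(name, hosts):
    """Model of the behaviour reported in posts 9 and 10: the hosts table is
    consulted for the queried name only, never for names later in the chain."""
    name = name.lower()
    return hosts.get(name) or upstream_chain(name)[1]

def resolve_with_proxy(name, patterns):
    """Hypothetical filtering DNS proxy: wildcard patterns are tested against
    every name in the chain (an assumption of this example)."""
    names, ip = upstream_chain(name.lower())
    blocked = any(fnmatchcase(n, p) for n in names for p in patterns)
    return "0.0.0.0" if blocked else ip

if __name__ == "__main__":
    cname_only = parse_hosts("0.0.0.0 msnbc.com.edgekey.net\n"
                             "0.0.0.0 e8169.dscb.akamaiedge.net")
    print(resolve_with_hosts("www.msnbc.com", cname_only))
    print(resolve_with_hosts("www.msnbc.com", parse_hosts("0.0.0.0 www.msnbc.com")))
    print(resolve_with_proxy("www.msnbc.com", ["*.akamaiedge.net"]))
```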