How to block Windows 10 telemetry with your local resolver

CCTV camerasThere’s been a lot of talk about the data sent by a Windows 10 machine back to Microsoft. Some researchers have even found evidence of data being sent even when all available privacy settings are enabled. There is an emerging market for tools that will nobble Windows 10’s data collection, but who knows whether they work, or even if they’re malicious. Thankfully there is another way: if you run a local resolver, you can configure it such that DNS queries for domains linked to telemetry will always fail. Here’s how it’s done.

This technique takes advantage of the relatively new Response Policy Zones (RPZ) feature, so you’ll need suitably recent software. BIND 9.8 or later will do just fine, and that’s what I’ve used to prepare this post.

First, you’ll need to prepare a zone file which will contain your RPZ. This follows the same format as a normal zone file, except that it will contain a list of domains you want to block. Here’s an RPZ I just knocked up:

$TTL    3600
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

@       IN      NS      localhost.

*               CNAME .
*     CNAME .
*                    CNAME .
*          CNAME .                CNAME .                            CNAME .

Note that every domain you want to block should end CNAME .. This tells the RPZ code to return NXDOMAIN for that domain. Remember that DNS wildcards (unlike SSL certificate wildcards) cover any number of subdomains, so in this example a query for will return NXDOMAIN.

Don’t just copy this example!—you’ll certainly need to change the SOA and NS records to match your local setup. The list of domains here is almost certainly wrong too: I just grabbed it from the first list I could find, but you’ll want to watch your logs carefully in case there’s something missing.

Next, you’ll need to tell BIND to load your new zone file (just like any other zone):

zone "rpz.your.domain" {
        type master;
        file "/etc/bind/db.rpz.your.domain";
        ... replication options etc ...

Finally, add the magic directive that tells BIND to treat your new zone as an RPZ:

options {
        response-policy {
                zone "rpz.your.domain";
                ...add other RPZs here (commercial ones are available)...

Reload BIND, check the logs for errors, and then test your new config by trying to resolve a domain blocked by the RPZ:

$ sudo service bind9 reload
Reloading domain name service...: bind9.
$ dig +noall +comments +answer @
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48788
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0


$ dig +noall +comments +answer @localhost
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30579
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

Hurrah! Google’s resolver shows us that should resolve, but our local resolver returns NXDOMAIN which is what we want. In BIND’s logs we can see what happened:

31-Aug-2015 11:24:36.820 rpz: client rpz QNAME NXDOMAIN rewrite via

rpz indicates that the response-policy directive is doing its job, and we can see that the domain has been rewritten and NXDOMAIN was returned as we’d hoped.

If you want to try using your DNS resolver to subdue Windows 10’s chatty nature, give this a try. Do add a comment if you find a mistake (more than likely!) or have a suggestion for improvement.


Filed under security

2 Responses to How to block Windows 10 telemetry with your local resolver

  1. Mark

    Can’t you just add the domain to hosts file with the localhost ip?

    • Ian Chard

      You could, but then you’re trusting (a) that Windows won’t bypass the hosts file for telemetry purposes and (b) that future updates won’t wipe out your changes. Although the resolver is clearly more work if you don’t already have one, it has the advantages that Windows can’t revert the change and that all Windows machines on the network are protected.

      Of course Windows could use hard-coded IP addresses or its own resolvers… but scope has to end somewhere 🙂

Leave a Reply