
Host file not being applied #2388

Open
steel101 opened this issue Oct 9, 2024 · 52 comments

Comments

@steel101

steel101 commented Oct 9, 2024

Bug Report

What's the issue you encountered?

I installed Atmosphere on two different Switches with all the newest stuff, and when I apply the host file to block Nintendo servers, Nintendo's eShop is blocked but it's still able to download the system update files from nintendo.net, so it's not truly blocking it. But if I add the same host file to my private NextDNS and hotspot from my phone to the Switch, it can't get a data connection to Nintendo servers at all, so I know the host file is not being applied correctly.

How can the issue be reproduced?

Install atmosphere like normal and apply the host file to block Nintendo servers

Crash Report

N/a

System Firmware Version

18.0.1

Environment?

  • What bootloader (fusèe, hekate, etc) was Atmosphère launched by: modded OLED
  • Official release or unofficial build:
    • latest release
      This github
  • Do you have additional kips or sysmodules you're loading: no
  • Homebrew software installed: [ * ]
    SysNAND:

Additional context?

  • Additional info about your environment:
  • n/a
@masagrator

Maybe upload this host file? :)

@steel101
Author

steel101 commented Oct 9, 2024

90DNS-equivalent

127.0.0.1 *nintendo.com
127.0.0.1 *nintendo.net
127.0.0.1 *nintendo.jp
127.0.0.1 *nintendo.co.jp
127.0.0.1 *nintendo.co.uk
127.0.0.1 *nintendo-europe.com
127.0.0.1 *nintendowifi.net
127.0.0.1 *nintendo.es
127.0.0.1 *nintendo.co.kr
127.0.0.1 *nintendo.tw
127.0.0.1 *nintendo.com.hk
127.0.0.1 *nintendo.com.au
127.0.0.1 *nintendo.co.nz
127.0.0.1 *nintendo.at
127.0.0.1 *nintendo.be
127.0.0.1 *nintendods.cz
127.0.0.1 *nintendo.dk
127.0.0.1 *nintendo.de
127.0.0.1 *nintendo.fi
127.0.0.1 *nintendo.fr
127.0.0.1 *nintendo.gr
127.0.0.1 *nintendo.hu
127.0.0.1 *nintendo.it
127.0.0.1 *nintendo.nl
127.0.0.1 *nintendo.no
127.0.0.1 *nintendo.pt
127.0.0.1 *nintendo.ru
127.0.0.1 *nintendo.co.za
127.0.0.1 *nintendo.se
127.0.0.1 *nintendo.ch
127.0.0.1 *nintendo.pl
127.0.0.1 *nintendoswitch.com
127.0.0.1 *nintendoswitch.com.cn
127.0.0.1 *nintendoswitch.cn
95.216.149.205 *conntest.nintendowifi.net
95.216.149.205 *ctest.cdn.nintendo.net

@steel101
Author

steel101 commented Oct 9, 2024

Direct copy of the host file

@masagrator

I explicitly said "file", not its contents.

@masagrator

masagrator commented Oct 9, 2024

The file you have on your sdcard right now, so no copying the contents you posted into new file.

@steel101
Author

steel101 commented Oct 9, 2024

emummc.txt

@ghost

ghost commented Oct 9, 2024

By any chance are you booted into syscfw and not emummc? If for some reason you want to block Nintendo on syscfw too, you have to rename the file to default.txt.

@steel101
Author

steel101 commented Oct 9, 2024

I have the same file named default.txt, emummc.txt, and sysmmc.txt in the host folder and it does not block it on syscfw. Hoping for a fix soon.

@steel101
Author

steel101 commented Oct 9, 2024

@steel101
Author

steel101 commented Oct 9, 2024

If you try to use the web browser, Nintendo is blocked, and using 9dnstester shows it is blocked, but using TCP monitoring shows it is downloading data from nintendo.net for the firmware update. I would like that to be blocked, so I added the direct link for the update server to the host file, and it is still not blocked.

@steel101
Author

steel101 commented Oct 9, 2024

Screenshot_20241009-102836_PCAPdroid

@steel101
Author

steel101 commented Oct 9, 2024

Using netcat to watch network traffic, Nintendo's servers are still connected vs going to localhost.

@steel101
Author

steel101 commented Oct 9, 2024

The V1 Switch is emummc and the OLED Switch is sysmmc, so I have all the same files on both Switches, and they both are able to connect to Nintendo servers, so it does not matter if it is sysmmc or emummc.

@Atmosphere-NX Atmosphere-NX deleted a comment from steel101 Oct 9, 2024
@SciresM
Collaborator

SciresM commented Oct 9, 2024

set atmosphere!enable_dns_mitm_debug_log = u8!0x1 in settings, then run ams and post the atmosphere/logs/dns_mitm_debug.log that's created.

@steel101
Author

steel101 commented Oct 9, 2024

How do I set that? Where is it located? In a file, I'm guessing.

@steel101
Author

steel101 commented Oct 9, 2024

What is ams?

@SciresM
Collaborator

SciresM commented Oct 9, 2024

Copy system_settings.ini from /atmosphere/config_templates to /atmosphere/config, uncomment the relevant line by removing the semicolon at start of line here: https://github.com/Atmosphere-NX/Atmosphere/blob/master/config_templates/system_settings.ini#L62 and change the value at the end of the line to u8!0x1

@SciresM
Collaborator

SciresM commented Oct 9, 2024

ams is atmosphere, the software you're commenting on the issue tracker for.

@steel101
Author

steel101 commented Oct 9, 2024

Ok, give me 30 mins or so and I will be home to change settings and try again.

@steel101
Author

steel101 commented Oct 9, 2024

The debug file is 0b every time but the other log is there

@SciresM
Collaborator

SciresM commented Oct 9, 2024

Post the logs?

@steel101
Author

steel101 commented Oct 9, 2024

dns_mitm_startup.log

@steel101
Author

steel101 commented Oct 9, 2024

The debug one I can't copy because it is 0b

@steel101
Author

steel101 commented Oct 9, 2024

Screenshot_20241009-123501_PCAPdroid

@steel101
Author

steel101 commented Oct 9, 2024

This was after I enabled the debug log that you asked for; it is still connected to Nintendo.

@SciresM
Collaborator

SciresM commented Oct 9, 2024

"atumn.hac.lp1.d4c.nintendo.ne" <-- typo, missing t.

but your dns redirection does say it's redirecting *nintendo.net.

Maybe dns for this stuff is using the new "dns:priv" service from 18.0.0, but I would have expected...anyone else...to report that in the last six months.

I can't prioritize this because 19.0.0 needs to be supported much more urgently than this, but I will investigate.

@steel101
Author

steel101 commented Oct 9, 2024

I fully understand 19 is more important. Like I said, it blocks all eShop and game updates but allows firmware updates to go through.

@steel101
Author

steel101 commented Oct 9, 2024

If I blank my serial number out, then Nintendo servers can't connect.

@steel101
Author

steel101 commented Oct 9, 2024

The reason I guess most people don't notice is, unless there was a firmware update, then you would be blocking Nintendo for them; but as you see in the screenshot there are lots of connections to Nintendo servers.

@cucholix

cucholix commented Oct 12, 2024

I'm on 18.1.0 too; the default.txt file is effectively blocking Nintendo updates on my end. Note that I only blocked system updates.

My default.txt:

# Nintendo telemetry servers
127.0.0.1 receive-%.dg.srv.nintendo.net receive-%.er.srv.nintendo.net
sun.hac.%.d4c.nintendo.net
atumn.hac.%.d4c.nintendo.net
127.0.0.1 sun.hac.lp1.d4c.nintendo.net 
127.0.0.1 atumn.hac.lp1.d4c.nintendo.net

My dns_mitm_startup.log report:

DNS Mitm:
Adding defaults to redirection list.
Selecting hosts file...
Skipping /hosts/sysmmc.txt because it does not exist...
Selected /hosts/default.txt
Redirections:
    atumn.hac.lp1.d4c.nintendo.net -> 127.0.0.1
    sun.hac.lp1.d4c.nintendo.net -> 127.0.0.1
    receive-lp1.er.srv.nintendo.net -> 127.0.0.1
    receive-lp1.dg.srv.nintendo.net -> 127.0.0.1

It successfully blocked Nintendo system updates (I no longer receive the system update notification upon opening a game/app). I can enter the eShop, play online, and even download games. I don't have game updates pending, but I guess they should work too.

These are the settings in system_settings.ini:

enable_dns_mitm = u8!0x1
enable_dns_mitm_debug_log = u8!0x1

@harvestry-of-ghosts

harvestry-of-ghosts commented Oct 21, 2024

127.0.0.1 *nintendo.com
127.0.0.1 *nintendo.net
127.0.0.1 *nintendo.jp
127.0.0.1 *nintendo.co.jp
127.0.0.1 *nintendo.co.uk
127.0.0.1 *nintendo-europe.com
127.0.0.1 *nintendowifi.net
127.0.0.1 *nintendo.es
127.0.0.1 *nintendo.co.kr
127.0.0.1 *nintendo.tw
127.0.0.1 *nintendo.com.hk
127.0.0.1 *nintendo.com.au
127.0.0.1 *nintendo.co.nz
127.0.0.1 *nintendo.at
127.0.0.1 *nintendo.be
127.0.0.1 *nintendods.cz
127.0.0.1 *nintendo.dk
127.0.0.1 *nintendo.de
127.0.0.1 *nintendo.fi
127.0.0.1 *nintendo.fr
127.0.0.1 *nintendo.gr
127.0.0.1 *nintendo.hu
127.0.0.1 *nintendo.it
127.0.0.1 *nintendo.nl
127.0.0.1 *nintendo.no
127.0.0.1 *nintendo.pt
127.0.0.1 *nintendo.ru
127.0.0.1 *nintendo.co.za
127.0.0.1 *nintendo.se
127.0.0.1 *nintendo.ch
127.0.0.1 *nintendo.pl
127.0.0.1 *nintendoswitch.com
127.0.0.1 *nintendoswitch.com.cn
127.0.0.1 *nintendoswitch.cn
95.216.149.205 *conntest.nintendowifi.net
95.216.149.205 *ctest.cdn.nintendo.net

This list is so long. Can I replace most of it with a wildcard like this?

127.0.0.1 *nintendo.*
127.0.0.1 *nintendods.*
127.0.0.1 *nintendoswitch.*
95.216.149.205 *nintendowifi.*
95.216.149.205 *ctest.cdn.nintendo.*

Except the last one:
95.216.149.205 *ctest.cdn.nintendo.*

Would that not already be covered by:
127.0.0.1 *nintendo.* ???

If so, does it then redirect to 127.0.0.1 or 95.216.149.205?

@Nephiel

Nephiel commented Oct 21, 2024

This list is so long. Can I replace most of it with a wildcard like this?

You can, but then those wildcards might also match part of a subdomain.
E.g. somethingaboutnintendo.in-some-site-you-actually-want-to-visit.whatever

If so, does it then redirect to 127.0.0.1 or 95.216.149.205?

If multiple entries in a host file match a domain, the last-defined match is used.

@steel101
Author

The problem is it effectively looks like it's blocking all the connections on the device, but if you use a netcat monitor or a TCP/IP packet inspector on a different device over your Wi-Fi, you'll still see a ton of connections that are connecting successfully to the Nintendo servers using the DNS private part, not the DNS. We can only block DNS right now; AMS needs to update to include the dns priv.

@steel101
Author

I have to block them on my DNS server for the device to not connect.

@SciresM
Collaborator

SciresM commented Oct 21, 2024

That isn't actually the problem, fyi. dns:priv is completely unused; nothing has access to it @steel101

I strongly suspect at this point that this is some issue with how you're testing, not with the software.

@SciresM
Collaborator

SciresM commented Oct 21, 2024

@steel101 When you use something like PCAPdroid to test, are you setting it as a proxy on your console?

because this will make your phone do dns resolution, not the console, which would bypass dns mitm.

@steel101
Author

I use a TCP/IP monitor so I can see all connections that are active, and there are lots that get by the DNS rules in the host file.

@SciresM
Collaborator

SciresM commented Oct 21, 2024

"use a TCP IP monitor" what monitor and how? You posted screenshots of pcapdroid and didn't respond to my question just now.

@steel101
Author

I have Pi-hole set up too and all the same connections are there, and no, I am not doing a proxy on the console. I'm just sniffing the Wi-Fi packets at that point with that app; no proxy needed.

@steel101
Author

"use a TCP IP monitor" what monitor and how? You posted screenshots of pcapdroid and didn't respond to my question just now.

I use Pi-hole, I've used netcat and the app; all show the same thing.

@SciresM
Collaborator

SciresM commented Oct 21, 2024

This is kind of a big shrug for me. I can't replicate this locally, and I don't understand networking well enough to do anything more. It certainly seems to me like blocking works on my device...

@steel101
Author

You can use netcat or just your router's DHCP list and look through there and see all the active Nintendo connections once you connect a Nintendo Switch to your Wi-Fi. So I'm just being honest and truthful: I work in the IT industry and I can tell you the host file is not blocking everything that it should.

@steel101
Author

This is kind of a big shrug for me. I can't replicate this locally, and I don't understand networking well enough to do anything more. It certainly seems to me like blocking works on my device...

Yes, you would be correct. It seems like it's being blocked on the device, and all the actual main servers like the eShop and updates are, but there's a ton of telemetry data about what game is being played, how long, and all the other things that happen on the console that is sent back to Nintendo every 3 minutes, so that's not being blocked. But it's no big deal really; I mean, if they have sort of banning thousands of consoles by now, I don't think they will.

@steel101
Author

And the way that you can replicate it is: use your Android or iPhone to create a hotspot, install the app that you saw (or netcat) and monitor it, connect the Switch to your Wi-Fi hotspot through your phone, and watch all the active connections. Very easy to replicate.

@harvestry-of-ghosts

harvestry-of-ghosts commented Oct 21, 2024

This list is so long. Can I replace most of it with a wildcard like this?

You can, but then those wildcards might also match part of a subdomain. E.g. somethingaboutnintendo.in-some-site-you-actually-want-to-visit.whatever

If so, does it then redirect to 127.0.0.1 or 95.216.149.205?

If multiple entries in a host file match a domain, the last-defined match is used.

I'll keep my short list then, as I don't want or need my emuMMC to connect to anything "Nintendo" whatsoever and it is set up only on my Switch. Thanks for the explanation/link on the domains. That brings up another question:

127.0.0.1 *nintendo.*
vs
95.216.149.205 *nintendo.*

What would be the advantages/disadvantages of one over the other? Why not use localhost for all entries in the hosts file?

Edit: Correct me if wrong, but I believe localhost can be used for the 95.216.149.205 entries as long as ctest is patched either via sigpatches or sys-patch.

@steel101
Author

Nintendo has not done nothing about it at this point; they will not. I have checked this over 8 times on different Switches and everything is the same: on the console it is blocked, but behind the apps the user sees, it is connected to Nintendo. But like I said, they have not done anything at this point, for this long; they can't tell it apart from a real Switch is my guess.

@steel101
Author

Been messing with it all day trying different things. What I found to block it with no connection to Nintendo's servers is to take out
95.216.149.205 *conntest.nintendowifi.net
95.216.149.205 *ctest.cdn.nintendo.net
And if the host file is not named default.txt, or you deleted your default.txt file, it will not block all connections. So what I did is replace default.txt with the updated one.

@harvestry-of-ghosts

harvestry-of-ghosts commented Oct 21, 2024

@steel101

My default.txt is unchanged. My emummc.txt is as follows and should cover all entries in the long list. Maybe you can even remove the "." at the end of each line before the wildcard.

127.0.0.1 *nintendo.*
127.0.0.1 *nintendo-europe.*
127.0.0.1 *nintendowifi.*
127.0.0.1 *nintendods.*
127.0.0.1 *nintendoswitch.*

I believe the 95.216.149.205 entries are not necessary if a person has ctest patched to skip the connection tests. It is also recommended to keep the default.txt as is and also have emummc.txt and/or sysmmc.txt. https://github.com/Atmosphere-NX/Atmosphere/blob/master/docs/features/dns_mitm.md#atmosph%C3%A8re-defaults

Edit: Wouldn't this also work for a person using the hosts file strictly on their Switch? Just a single line in emummc.txt?

127.0.0.1 *nintendo*

Wouldn't that include everything on the long list with a single line?
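
As an added example (not Atmosphère's own code and not from anyone in this thread), here is a small Python model of the hosts-file matching semantics Nephiel describes above and that the single-line `*nintendo*` question asks about: a `*` that spans label boundaries, the last-defined match winning when several entries match, and the over-matching that broad wildcards cause. Assumptions not confirmed on the page: `*` matches any run of characters including dots (consistent with `*nintendo.net` matching `atumn.hac.lp1.d4c.nintendo.net` earlier in the thread), `%` is expanded to the environment identifier `lp1` when the file is loaded (consistent with cucholix's startup log), and the sample hosts files and third-party hostnames are constructed for the demonstration.

```python
import re

# Assumed retail environment identifier; cucholix's startup log shows
# "receive-%.dg.srv.nintendo.net" becoming "receive-lp1.dg.srv.nintendo.net".
ENVIRONMENT_ID = "lp1"


def parse_hosts(text, env=ENVIRONMENT_ID):
    """Parse a hosts file into an ordered list of (ip, hostname_pattern).

    Each non-comment line is '<ip> <host> [<host> ...]'; '#' starts a comment.
    '%' is expanded to the environment identifier (assumption, see above).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            entries.append((ip, host.replace("%", env)))
    return entries


def pattern_to_regex(pattern):
    """'*' matches any run of characters, dots included (assumption)."""
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def matching_entries(entries, hostname):
    """All entries whose pattern matches hostname, in file order; handy when
    working out why a name is (or is not) redirected."""
    return [(ip, p) for ip, p in entries if pattern_to_regex(p).match(hostname)]


def resolve(entries, hostname):
    """Redirect target for hostname, or None. Last-defined match wins."""
    matches = matching_entries(entries, hostname)
    return matches[-1][0] if matches else None


def collateral(entries, hostnames):
    """Names you want to keep reachable that a hosts file nonetheless
    redirects: the over-matching risk of broad wildcards."""
    return [h for h in hostnames if resolve(entries, h) is not None]


# Constructed sample files in the styles discussed in the thread.
SHORT_WILDCARDS = """\
127.0.0.1 *nintendo.*
127.0.0.1 *nintendods.*
127.0.0.1 *nintendoswitch.*
95.216.149.205 *nintendowifi.*
95.216.149.205 *ctest.cdn.nintendo.*
"""

ONE_LINE = "127.0.0.1 *nintendo*\n"

TELEMETRY_ONLY = """\
# Nintendo telemetry servers
127.0.0.1 receive-%.dg.srv.nintendo.net receive-%.er.srv.nintendo.net
127.0.0.1 sun.hac.%.d4c.nintendo.net atumn.hac.%.d4c.nintendo.net
"""

# Constructed third-party names a user would want to keep reachable.
WANT_REACHABLE = [
    "somethingaboutnintendo.in-some-site-you-actually-want-to-visit.whatever",
    "nintendo-fan-wiki.example",
    "news.example.org",
]


if __name__ == "__main__":
    probes = ["atumn.hac.lp1.d4c.nintendo.net", "ctest.cdn.nintendo.net"]
    for label, text in [("short wildcards", SHORT_WILDCARDS),
                        ("one line", ONE_LINE),
                        ("telemetry only", TELEMETRY_ONLY)]:
        entries = parse_hosts(text)
        print(f"[{label}]")
        for name in probes + WANT_REACHABLE:
            print(f"  {name} -> {resolve(entries, name)}")
        print("  collateral:", collateral(entries, WANT_REACHABLE))
```

Under these assumptions the short list sends `ctest.cdn.nintendo.net` to 95.216.149.205 because that entry is defined last, while the reversed order would send it to 127.0.0.1; `*nintendo.*` already catches the `somethingaboutnintendo.` example, and `*nintendo*` additionally catches any third-party name containing the string, so the shorter the pattern, the more collateral names you should check with `collateral()` before deploying it.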

@impeeza

impeeza commented Oct 21, 2024

@SciresM There is a rumor on forums about Nintendo using telemetry to IPs instead of names, rendering DNS blocking moot. Have you seen something like that in the new firmware code?

Regards.

@steel101
Author

@steel101

My default.txt is unchanged. My emummc.txt is as follows and should cover all entries in the long list. Maybe you can even remove the "." at the end of each line before the wildcard.

127.0.0.1 *nintendo.*
127.0.0.1 *nintendo-europe.*
127.0.0.1 *nintendowifi.*
127.0.0.1 *nintendods.*
127.0.0.1 *nintendoswitch.*

I believe the 95.216.149.205 entries are not necessary if a person has ctest patched to skip the connection tests. It is also recommended to keep the default.txt as is and also have emummc.txt and/or sysmmc.txt. https://github.com/Atmosphere-NX/Atmosphere/blob/master/docs/features/dns_mitm.md#atmosph%C3%A8re-defaults

Edit: Wouldn't this also work for a person using the hosts file strictly on their Switch? Just a single line in emummc.txt?

127.0.0.1 *nintendo*

Wouldn't that include everything on the long list with a single line?

You are correct about the last 2 lines in the file, no need for them, and about the 1-line method, I think that might work. I will try it later.

@steel101
Author

@SciresM There is a rumor on forums about Nintendo using telemetry to IPs instead of names, rendering DNS blocking moot. Have you seen something like that in the new firmware code?

Regards.

As long as the DNS is blocking Nintendo you are fine; it is a rumor for a reason. Can you send telemetry data without sending it to Nintendo? So we can always block that data flow.

@Jacksoft

Jacksoft commented Jan 4, 2025

Have you configured exosphere.ini and copied it into the sdcard root?

8 participants