Windows NCSI
This page configures Windows so that the machine reports an Internet connection immediately after boot, instead of the interruptions and long delays of the stock «Network Connectivity Status Indicator» (NCSI) behaviour. The settings also improve privacy: with the stock configuration, every time the machine joins a network (and periodically afterwards) Windows sends an unencrypted probe to Microsoft servers, so each time you come online is visible to Microsoft and to anyone on the path.
Once the items below have been set up, the network icon in the tray and going online become practically instant.
«Network Connectivity Status Indicator» (NCSI) can be completely reconfigured in two steps: by modifying Group Policy and by modifying registry parameters. These are two different locations to control:
Group Policy (GPO) settings are used for the Internet connectivity probes and the behaviour of the NCSI indicator.
GPO Editor: Run → gpedit.msc
Registry path (written by the policy engine, shown for information only): [HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator]
The «Network Location Awareness» (NlaSvc) service will be disabled. The stock Microsoft probe targets used by this service are first rewritten in the registry (sanitized so they no longer point at Microsoft) and are then ignored once the service is off.
Registry editor: Run → regedit
Registry path: [HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet]
Always follow the basic rule: never edit Group Policy settings directly in the registry; use the Group Policy Editor instead. This is a very common mistake. Values written by hand under the Policies keys are not recorded in the local policy store (Registry.pol), so the editor no longer shows the real state, a later policy refresh can silently overwrite them, and nothing in the event log tells you where the resulting Windows bugs come from. You have been warned. The registry entries in the GPO parts below are shown for information only.
Disables the active checks performed by the Network Connectivity Status Indicator (NCSI) to determine whether the computer is connected to the Internet or to a limited network. With the policy enabled, NCSI performs neither of the two stages of the active check: it does not fetch the probe page from the specified web server and does not issue the DNS query for the specified host.
1.1) Group Policies (GPO):
Computer configuration → Administrative Templates → System → Internet Communication Management →
→ Internet Communication settings
Turn off Windows Network Connectivity Status Indicator active tests [Enabled]
iNFO : GPO in the Registry
[HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator]
NoActiveProbe = 1 (REG_DWORD)
1.2) Disable NCSI check for Internet completely
The network indicator will continue to work normally. The Internet connection will not be checked.
[HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet]
EnableActiveProbing = 0 (REG_DWORD)
Optional settings:
MinimumInternetHopCount = 1 (REG_DWORD) - Minimum number of router hops a route must have before NCSI counts it as an Internet route
The value "1" is the lowest allowed for this parameter
PassivePollPeriod = 30 (REG_DWORD) - The passive polling period
1.3) DO NOT DISABLE PASSIVE POLLING!
Leave the «Disable passive polling» checkbox in this policy unchecked (or leave the policy Not configured). Otherwise the network icon will show a yellow triangle: with active probing turned off, passive polling is the only mechanism left that can confirm connectivity.
This policy specifies passive probe behaviour. NCSI polls various measurements throughout the network stack at a frequent interval to determine whether network connectivity has been lost.
Group Policies (GPO):
Computer configuration -> Administrative Templates -> Network -> Network Connectivity Status Indicator
Specify passive polling [Not configured] [ ] Disable passive polling
where [ ] Disable passive polling - disables the passive polling mechanism in NCSI.
That option exists to reduce CPU load on servers and other computers with a static network connection; it is not wanted here.
iNFO : GPO in the Registry
[HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator]
DisablePassivePolling (REG_DWORD) - NOT PRESENT while the policy is Not configured
You can change the web server address, the name and content of the file requested by NCSI, and the name and IP address of the host used for DNS validation, using the corresponding parameters in the same registry key.
Normally these parameters are pointed at your own web server and DNS host to check Internet access. Here we enter loopback values instead, just to get rid of the Microsoft values without deleting the keys:
• loopback for the DNS probe - harmless as long as the link is reliable anyway
• loopback for ActiveWebProbeHost - no more probe traffic to Microsoft
2.1) Check the hosts file (%SystemRoot%\System32\drivers\etc\hosts) and make sure the following records are present. Windows ships the localhost lines commented out because the resolver handles localhost itself; localhost.localdomain is not known to the resolver and must be added:
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
127.0.0.1 local
If IPv6 is not used (disabled at system level), the corresponding IPv6 lines should also be commented out:
# ::1 localhost
# ::1 localhost.localdomain
2.2) Edit the registry settings:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet]
ActiveDnsProbeContent = 127.0.0.1 - Expected answer (IP address) of the DNS probe
ActiveDnsProbeContentV6 = ::1 - Expected answer of the DNS probe (IPv6)
ActiveDnsProbeHost = localhost - Hostname queried by the DNS probe
ActiveDnsProbeHostV6 = localhost - Hostname queried by the DNS probe (IPv6)
ActiveWebProbeContent = - String expected in the probe file (ncsi.txt; connecttest.txt on Windows 10 1607 and later)
ActiveWebProbeContentV6 = - String expected in the probe file (IPv6)
ActiveWebProbeHost = localhost.localdomain - Web server the probe file is fetched from
ActiveWebProbeHostV6 = localhost.localdomain - Web server the probe file is fetched from (IPv6)
ActiveWebProbePath = - Path of the probe file on that web server
ActiveWebProbePathV6 = - Path of the probe file on that web server (IPv6)
(The rest of the parameters control the server polling intervals).
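The registry part of steps 1.2 and 2.2 as one PowerShell script, added here as an example; it is not the wiki's own .cmd script. It assumes an elevated PowerShell 5.1 or later prompt, leaves the GPO step (1.1) to gpedit.msc as the rule above demands, and writes a .reg backup to %TEMP% first so the change can be rolled back by double-clicking that file.

```powershell
# Added example (not the wiki's script): apply steps 1.2 and 2.2 with a backup and a read-back.
# Run from an elevated PowerShell prompt. The GPO step (1.1) is deliberately left to gpedit.msc.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

# Backup first: reg.exe export writes a .reg file you can merge again to roll back.
$backup = Join-Path $env:TEMP ("NlaSvc-Internet-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export $regKey $backup /y | Out-Null
Write-Host "Backup written to $backup"

# DWORD values from step 1.2 (plus the optional ones). Passive polling stays on.
$dword = @{
    EnableActiveProbing     = 0    # no HTTP/DNS probe to Microsoft any more
    MinimumInternetHopCount = 1    # optional; 1 is the lowest allowed value
    PassivePollPeriod       = 30   # optional passive polling period
}
# String values from step 2.2: loopback placeholders, keys stay present but point nowhere.
$string = @{
    ActiveDnsProbeContent   = '127.0.0.1'
    ActiveDnsProbeContentV6 = '::1'
    ActiveDnsProbeHost      = 'localhost'
    ActiveDnsProbeHostV6    = 'localhost'
    ActiveWebProbeContent   = ''
    ActiveWebProbeContentV6 = ''
    ActiveWebProbeHost      = 'localhost.localdomain'
    ActiveWebProbeHostV6    = 'localhost.localdomain'
    ActiveWebProbePath      = ''
    ActiveWebProbePathV6    = ''
}

foreach ($name in $dword.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $dword[$name] -Type DWord
}
foreach ($name in $string.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $string[$name] -Type String
}

# Read back what NCSI will see after NlaSvc restarts (or after a reboot).
Get-ItemProperty -Path $key |
    Select-Object EnableActiveProbing, PassivePollPeriod, ActiveWebProbeHost,
                  ActiveWebProbePath, ActiveDnsProbeHost, ActiveDnsProbeContent |
    Format-List
```

The script only touches the NlaSvc key; the policy key under HKLM\SOFTWARE\Policies is never written here, for the reason given above.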
Technically, the address of any server with a stable Internet connection that answers requests is suitable for the following policies. It may be your own server or a fast, trustworthy public resource with a permanent address and hostname.
Computer configuration → Administrative Templates → Network → Network Connectivity Status Indicator
The simplest reasonable choice is a free, fast and reliable external DNS provider that does not keep user logs. The same server can also serve as the fallback resolver in the dnscrypt-proxy config and/or as the NCSI probe host.
For example, DNS.WATCH (Germany): "No Censorship. No Bullshit. Just DNS."
A server that offers regular (unencrypted) DNS for any device and OS; also usable as a dnscrypt-proxy fallback resolver and/or NCSI probe host.
- IPv4 [1]: 84.200.69.80:53 (resolver1.dns.watch)
- IPv4 [2]: 84.200.70.40:53 (resolver2.dns.watch)
- website: https://dns.watch/
Group Policies (GPO)
Specify corporate DNS probe host address [Enabled] : 84.200.69.80
Specify corporate DNS probe host name [Enabled] : resolver1.dns.watch
iNFO : GPO in the Registry
[HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity]
DnsProbeContent = 84.200.69.80 (REG_SZ)
DnsProbeHost = resolver1.dns.watch (REG_SZ)
When DNSCrypt is used, it is better to enter the IP address and hostname (FQDN) of the physical server that hosts the resolver you use.
NOTE:
Enter the IP and hostname of the SERVER (look them up yourself), NOT the dnscrypt-proxy resolver entry used for DNS encryption: the provider name from a DNSCrypt certificate (the 2.dnscrypt-cert.<name> form) is a TXT-record name, not a host, and NCSI needs a name that resolves to the address you enter. Use the hostname the server's PTR record returns. This information is usually published on the DNSCrypt provider's home page.
Use ping (cmd command) to find the IP for a domain: ping dc1.soltysiak.com
For example, dc1.soltysiak.com:
host address: 178.216.201.222
host name: dc1.soltysiak.com
Group Policies (GPO)
Specify corporate DNS probe host address [Enabled] : 178.216.201.222
Specify corporate DNS probe host name [Enabled] : dc1.soltysiak.com
iNFO : GPO in the Registry
[HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity]
DnsProbeContent = 178.216.201.222 (REG_SZ)
DnsProbeHost = dc1.soltysiak.com (REG_SZ)
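An added check, not from the wiki, for the host/address pair before it goes into the policy. NCSI counts the corporate DNS probe as passed only when DnsProbeHost resolves to DnsProbeContent, so a pair that does not match produces a permanent "no Internet" state. The function name and its output fields are this example's own; the DNS.WATCH values in the usage line are the wiki's.

```powershell
# Added example (not the wiki's code): validate a DnsProbeHost / DnsProbeContent pair.
function Test-NcsiDnsProbePair {
    param(
        [Parameter(Mandatory)][string]$ProbeHost,     # e.g. resolver1.dns.watch
        [Parameter(Mandatory)][string]$ProbeAddress   # e.g. 84.200.69.80
    )
    $result = [ordered]@{ Host = $ProbeHost; Address = $ProbeAddress }

    # Forward lookup through the system resolver (dnscrypt-proxy, if that is what sits on 127.0.0.1:53).
    # -DnsOnly skips the hosts file and NetBIOS, i.e. the same kind of answer NCSI would compare.
    $a = Resolve-DnsName -Name $ProbeHost -Type A -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    $result.ForwardAnswers = @($a | ForEach-Object IPAddress)
    $result.ForwardMatches = $result.ForwardAnswers -contains $ProbeAddress

    # Reverse lookup: the wiki recommends the name the PTR record carries, not a
    # DNSCrypt provider name (those are TXT-record names and never resolve to an address).
    $ptr = Resolve-DnsName -Name $ProbeAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'PTR' }
    $result.ReverseNames = @($ptr | ForEach-Object NameHost)

    # Reachability of the host itself; ICMP is often filtered, so treat a failure as informational only.
    $result.Reachable = Test-Connection -ComputerName $ProbeAddress -Count 1 -Quiet -ErrorAction SilentlyContinue

    $result.Verdict = if ($result.ForwardMatches) { 'OK: safe to enter in the policy' }
                      else { 'MISMATCH: NCSI would report no Internet with this pair' }
    [pscustomobject]$result
}

# Usage with the wiki's DNS.WATCH example:
Test-NcsiDnsProbePair -ProbeHost 'resolver1.dns.watch' -ProbeAddress '84.200.69.80'
```

Run it once through the resolver you actually use (dnscrypt-proxy) rather than through a temporary public resolver: a name that resolves differently through your own resolver, for example because of a blocklist, fails the probe just the same.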
- WARNING: DISABLING IS ONLY ACCEPTABLE FOR LOCAL USER ACCOUNTS (NOT FOR DOMAIN-JOINED MACHINES)!
Hostnames used by the stock probes:
www.msftconnecttest.com
www.msftncsi.com
This configuration can be recommended if the following conditions are met:
- dnscrypt-proxy is used as the replacement for the system DNS
- no remote access and no access to remote machines over corporate VPNs is required *
- no access to a LAN over a modem (dial-up) connection is required
(*) - browser proxy authentication via a "pac.js" config file should not be affected
NOTE:
- dnscrypt-proxy has its own caching mechanism
- disabling the stock service removes a network-facing service from the running system (attack-surface reduction), the same argument as for disabling remote access
The next services depend on this one:
6.1) «Remote Access Connection Manager» (RasMan) service = [Disabled]
------ The next service depends on this one:
------ 6.1.1) «Routing and Remote Access» (RemoteAccess) service = [Disabled]
6.2) «Network Connectivity Assistant» (NcaSvc) service = [Disabled]
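The service changes from 6.1, 6.1.1 and 6.2 plus NlaSvc itself as a PowerShell function, added as an example and not part of the wiki's script. It refuses to run on a domain-joined machine (domain-joined Windows uses NlaSvc to recognise the domain network and apply Group Policy, which is why the warning above limits this to local accounts), stops dependents before the service they depend on, and includes an undo. The stock start types in the undo function are an assumption to verify on your own build.

```powershell
# Added example (not the wiki's script): disable NlaSvc and the services that depend on it,
# with a guard against domain-joined machines. Run elevated.
function Disable-NcsiRelatedServices {
    param([switch]$Force)   # -Force skips the domain check; you accept the consequences

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain -and -not $Force) {
        throw "Refusing: $($cs.Name) is joined to domain $($cs.Domain). This is only for local accounts."
    }

    # Dependents first (RemoteAccess needs RasMan), NlaSvc last.
    $order = 'RemoteAccess', 'RasMan', 'NcaSvc', 'NlaSvc'
    foreach ($name in $order) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name not present, skipping"; continue }
        if ($svc.Status -ne 'Stopped') {
            # -Force also stops anything still depending on this service (e.g. netprofm on NlaSvc)
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
        Set-Service -Name $name -StartupType Disabled
        $after = Get-Service -Name $name
        Write-Host ("{0,-14} start={1,-10} status={2}" -f $name, $after.StartType, $after.Status)
    }
}

# Undo. Start types are the usual defaults (assumption: check them on your build before relying on this).
function Enable-NcsiRelatedServices {
    Set-Service -Name NlaSvc       -StartupType Automatic
    Set-Service -Name NcaSvc       -StartupType Manual
    Set-Service -Name RasMan       -StartupType Manual
    Set-Service -Name RemoteAccess -StartupType Disabled
    Start-Service -Name NlaSvc
}

Disable-NcsiRelatedServices
```

If you need dial-up or VPN later, comment out RemoteAccess and RasMan in `$order`, exactly as the wiki suggests for its .cmd script.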
NCSI runs its checks on every connection to a new network; it is also the mechanism that detects Wi-Fi hotspots that require browser sign-in (captive portals). The probe to Microsoft's servers is unencrypted: each time the machine comes online it requests the file ncsi.txt from www.msftncsi.com over plain HTTP, so the event (and your public IP) is visible to Microsoft's server and to anyone on the path.
The «Network Location Awareness» (NlaSvc) service hosts NCSI and runs the checks when a connection comes up. After a connection is established, the OS tries to fetch http://www.msftncsi.com/ncsi.txt, a plain-text file containing the string "Microsoft NCSI". The expected response is 200 OK with exactly that line. The second step checks that DNS works: NCSI tries to resolve the host dns.msftncsi.com and expects the address 131.107.255.255.
The outcome is as follows: if both steps succeed, the system reports an Internet connection; if ncsi.txt is unavailable and dns.msftncsi.com resolves to a different address or cannot be resolved at all, the system reports that the Internet is unavailable; if ncsi.txt is unavailable but dns.msftncsi.com resolves correctly, the system notifies the user that browser authentication may be required (captive portal). NCSI uses HTTP on port 80.
NOTE:
Starting with Windows 10 (1607), www.msftconnecttest.com with the file connecttest.txt (expected content "Microsoft Connect Test") replaces the obsolete www.msftncsi.com / ncsi.txt pair. The DNS probe host dns.msftncsi.com is unchanged.
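To make the three outcomes concrete, here is an added PowerShell reproduction of the two active checks. It is not the wiki's code and not how Windows implements NCSI internally, only the observable behaviour described above. Defaults are the stock Windows 10 probe values; the second call reads whatever is currently configured in the NlaSvc key, so you can see what NCSI would conclude from your loopback values if active probing were still on (which is why step 1.2 turns it off).

```powershell
# Added example (not the wiki's code): NCSI's two active checks, done by hand.
function Test-NcsiActiveProbe {
    param(
        [string]$WebHost    = 'www.msftconnecttest.com',
        [string]$WebPath    = 'connecttest.txt',
        [string]$WebContent = 'Microsoft Connect Test',
        [string]$DnsHost    = 'dns.msftncsi.com',
        [string]$DnsContent = '131.107.255.255'
    )
    # Step 1: plain HTTP GET on port 80, no TLS, exactly like NCSI. A captive portal usually
    # answers with a redirect or its own page, so the body is checked, not only the status code.
    $webOk = $false
    try {
        $r = Invoke-WebRequest -Uri "http://$WebHost/$WebPath" -UseBasicParsing `
                               -MaximumRedirection 0 -TimeoutSec 5 -ErrorAction Stop
        $webOk = ($r.StatusCode -eq 200) -and ($r.Content.Trim() -eq $WebContent)
    } catch { $webOk = $false }

    # Step 2: A record lookup; the answer must contain exactly the expected address.
    $dnsOk = $false
    try {
        $ans   = Resolve-DnsName -Name $DnsHost -Type A -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' }
        $dnsOk = @($ans | ForEach-Object IPAddress) -contains $DnsContent
    } catch { $dnsOk = $false }

    # Map to the states described in the text.
    $state = if ($webOk -and $dnsOk) { 'Internet' }
             elseif ($dnsOk)         { 'CaptivePortal' }   # DNS fine, probe file not reachable
             else                    { 'NoInternet' }
    [pscustomobject]@{ WebProbe = $webOk; DnsProbe = $dnsOk; State = $state }
}

# Stock probe (what an unmodified Windows 10 asks Microsoft):
Test-NcsiActiveProbe

# The values this machine is configured with, read from the NlaSvc key:
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
Test-NcsiActiveProbe -WebHost $p.ActiveWebProbeHost -WebPath $p.ActiveWebProbePath `
                     -WebContent $p.ActiveWebProbeContent `
                     -DnsHost $p.ActiveDnsProbeHost -DnsContent $p.ActiveDnsProbeContent
```

The first call is itself a plain-HTTP request to Microsoft; run it from a network where that is acceptable, or only run the second call to see how the loopback configuration behaves.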
If the «DNS Client» service (dnscache) is disabled, some services (the «Microsoft Account Sign-in Assistant» (wlidsvc), which slows things down, and «Windows Update» (wuauserv)) may try to resolve the IP of the domains they need themselves, over UDP port 53. If port 53 is not allowed globally in the firewall but only for svchost processes, they will not succeed (like anything else that is restricted, unless it has its own allow rule). Note that these services are themselves hosted in svchost.exe, so a rule keyed only on the svchost.exe path also lets them through; to really limit port 53 to the resolver, bind the rule to the Dnscache service (Windows Firewall rules can be scoped to a service, not just to an executable).
The «Network Location Awareness» (NlaSvc) service itself runs inside svchost and resolves dns.msftncsi.com through the DNS Client, which is also hosted in svchost. So this service does not need a global port 53 rule: the standard svchost rule (UDP port 53 allowed for DNS access) is entirely sufficient.
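An added PowerShell example of the svchost DNS rule discussed above; it is not from the wiki. It assumes outbound traffic is blocked by default (an allow rule changes nothing otherwise; the switch below flips that), that dnscrypt-proxy listens on 127.0.0.1:53 and has its own outbound rule for its upstream port, and it binds the rule to the Dnscache service rather than to svchost.exe as a whole, so that other svchost-hosted services are not covered by it. The rule names and function names are this example's own.

```powershell
# Added example (not the wiki's code): allow DNS only for the DNS Client service (hosted in svchost.exe).
# Assumes dnscrypt-proxy listens on 127.0.0.1:53 and has its own outbound rule for its upstream port.
$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Set-DnsClientFirewallRule {
    param([switch]$BlockOutboundByDefault)   # opt-in: default-deny outbound on all profiles
    if ($BlockOutboundByDefault) {
        Set-NetFirewallProfile -All -DefaultOutboundAction Block
    }
    foreach ($proto in 'UDP', 'TCP') {       # TCP 53 is needed when a UDP answer is truncated
        $name = "Allow DNS ($proto 53) for DNS Client only"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            # -Service binds the rule to the service SID: other services hosted in svchost.exe
            # (wuauserv, wlidsvc, ...) are NOT matched by this rule.
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
                -Program $svchost -Service Dnscache -Protocol $proto -RemotePort 53 `
                -Profile Any | Out-Null
        }
    }
}

# Check: which enabled outbound allow rules open port 53, and what program/service they are bound to.
function Get-Port53AllowRules {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '53' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Program = ($_ | Get-NetFirewallApplicationFilter).Program
                Service = ($_ | Get-NetFirewallServiceFilter).Service
            }
        }
}

Set-DnsClientFirewallRule
Get-Port53AllowRules | Format-Table -AutoSize
```

Anything in the check output with Program "Any" or Service "Any" is a rule that lets every process resolve names on its own, which is exactly the hole the text describes.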
1) The cmd script and its HELP in one bundle (have a look at the code inside)
2) Setting the GPO (manually) and the registry tweaks (automatically)
3) Disabling unnecessary services. WARNING: ONLY FOR LOCAL USER ACCOUNTS!
- Feel free to comment out the corresponding part of the cmd script if you need those services.
- Disabling additional services is not included (see the instructions above).
Download: Network - Status Indicator (NCSI).cmd
Linux note: in some cases, if you want to run dnscrypt-proxy as a non-root user, you will get the error "[FATAL] listen udp 0.0.0.0:53: bind: permission denied".
To solve this, grant the binary the capability to bind privileged (low-numbered) ports:
sudo setcap cap_net_bind_service=+ep $(which dnscrypt-proxy)