DNS to block the updates of the switch!

Discussion in 'Switch - Hacking & Homebrew' started by fokouethan, Mar 28, 2017.

  1. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    1,112
    425
    Mar 20, 2015
    Canada
    10th Dimension
    This is not guaranteed, especially if someone reports it to Nintendo for the reward and then Nintendo silently patches it.

    I imagine we can't stay on 2.0 forever though, but I'm going to wait until it's absolutely necessary to update.

    If you are really paranoid the best thing to do is get a second console and keep it on 2.0.

    If an exploit is found on 2.0 in a year or so watch the mad rush of people going to buy another console in the hopes they are still sold with the 1.0 firmware haha! Then selling their updated one.

    But then 1.0 doesn't have a browser lolz.

    I'm guessing the first exploit will be a hard mod.
     


  2. Miller

    Miller Newbie

    Newcomer
    2
    0
    Mar 30, 2017
    United States
    this is from the ReSwitched Discord

    [​IMG]

    anyone willing to make a DNS that only blocks the update and not the eshop/game updates?
     
    Last edited by Miller, Mar 31, 2017
  3. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    1,112
    425
    Mar 20, 2015
    Canada
    10th Dimension
    Just block it yourself. Also I have never seen that server. I have seen atum.hac.lp1.d4c.nintendo.net though. Did that person misspell it? The one you posted is spelled differently. Maybe it's a different region than NA?

    I can confirm in NA that the sun.hac.lp1.d4c.nintendo.net server is the one you want to block for system updates. Which makes sense since everything revolves around the sun. :D Although the meaning of Atum is equally powerful. I wonder what it's for.

    UPDATE: I can confirm atum.hac.lp1.d4c.nintendo.net is the game download server. I deleted snake pass and tried to redownload it with atum blocked and got an error.
     
    Last edited by Mr. Wizard, Apr 1, 2017
  4. Switchssb

    Switchssb Newbie

    Newcomer
    8
    1
    Apr 1, 2017

    So I have an Asus DSL55U C1 and have access to URL filtering, keyword, and network services.

    URL filtering has a max of 27 characters, so I can't block it there.

    So instead I got my own IP for it, which for Australia is http://23.7.30.191/
    and have blocked that using the network services filter. The only problem is, that blocks everything including the eshop, which is not what I wanted. I just want the system update nag to go away, but still be able to access the eshop/friends, online if possible (which I think you mentioned is). Halp pls


    http://puu.sh/v5cZA/3b0a207079.png
     
  5. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    1,112
    425
    Mar 20, 2015
    Canada
    10th Dimension
    So for all you that don't know how to use ping and want an equally easy, non-destructive way of testing to see if your router is blocking the update server, you can just enter this URL into any browser behind your router:

    https://sun.hac.lp1.d4c.nintendo.net/

    If it is being blocked you will get this:

    [​IMG]


    If it is NOT being blocked you will get this:

    [​IMG]


    If you get this it means you are accessing the http page, the Switch uses https. Some routers do not block https.

    [​IMG]

    — Posts automatically merged - Please don't double post! —

    Have you tried updating your router's firmware?
    Unfortunately it seems your router does not support blocking https sites. New firmware might change this.

    [​IMG]

    You can try entering sun.hac.lp1.d4c.nintendo.net into the KEYWORD filter, but it may not work.


    You can use:

    Fiddler proxy - http://www.telerik.com/fiddler
    SimpleDNS - http://simpledns.com/
    MaraDNS - http://maradns.samiam.org/

    These need to be run on a computer anytime you want internet access for the switch. (This is the method I use, way more advanced control than my routers.)


    Also, your router is the one with the cable modem built in. It doesn't support custom firmware such as Tomato or DD-WRT which have more advanced options than the consumer version of Asus-WRT.

    You can also bridge your router to basically turn it into just a modem, then buy a more advanced router.

    The problem with just blocking an IP address is that it can change at any time.
     
    Last edited by Mr. Wizard, Apr 1, 2017
    DocAmes1980 likes this.
  6. Cava

    Cava GBAtemp Advanced Fan

    Member
    601
    200
    Jan 26, 2016
    Hungary
    Can you please write a how-to guide to set up Fiddler, SimpleDNS or MaraDNS on Windows?
     
  7. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    1,112
    425
    Mar 20, 2015
    Canada
    10th Dimension
    Cava likes this.
  8. Cava

    Cava GBAtemp Advanced Fan

    Member
    601
    200
    Jan 26, 2016
    Hungary
  9. Switchssb

    Switchssb Newbie

    Newcomer
    8
    1
    Apr 1, 2017

    So when entering that address I get http://puu.sh/v6dWl/f59304673f.png
    and yeah, I'll check and see if the modem has any firmware. Also yeah, it was a previous ADSL2+ modem router. Unfortunately not compatible with Tomato :'C
     
  10. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    1,112
    425
    Mar 20, 2015
    Canada
    10th Dimension
    Looks like it's being blocked.
     
    Last edited by Mr. Wizard, Apr 2, 2017
  11. rooshoes

    rooshoes Newbie

    Newcomer
    7
    0
    Oct 14, 2013
    United States
    My Asus RT-AC68U says this too but it still blocks connections to the server when added to the URL filter list.

    I honestly think this is a typo in the router's help text, because it doesn't make any sense: regardless of whether delivered compressed or HTTPS, a website's domain name is still communicated in plaintext. You wouldn't be able to filter a specific request to that domain if HTTPS is present, but in this case we want to block ALL requests to the server so that's not a concern. I'm glad it seems to work regardless of this warning.
     
    Last edited by rooshoes, Apr 2, 2017
  12. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    1,112
    425
    Mar 20, 2015
    Canada
    10th Dimension
    I have that one too, awesome router. Ever thought of putting AdvancedTomato on it?

    https://advancedtomato.com/

    Tomato Firmware 1.28.0000 -3.4-138 K26ARM USB AIO-64K
    USB support integration and GUI, IPv6 support, Linux kernel 2.6.36.4brcmarm and Broadcom Wireless Driver 6.37.14.86 (r456083)
    Copyright (C) 2013-2014 Tomato-ARM Team

    Tomato-ARM Team:
    - Michał Rupental (Shibby)
    - Ofer Chen (roadkill)
    - Vicente Soriano (Victek)

    AdvancedTomato
    - Complete interface re-design
    - GUI related improvements, optimizations and changes
    - Various themes and color schemes
    - AdvancedTomato logo by Jacky, re-vectored by WaLLy3K
    - Based on Tomato by Shibby

    Copyright (C) 2014 Jacky Prahec
    OpenVPN integration and GUI
    Copyright (C) 2010 Keith Moyer,
    tomatovpn@keithmoyer.com
    "Shibby" features
    - Transmission 2.92 integration
    - GUI for Transmission
    - NFS utils integration and GUI
    - Custom log file path
    - SD-idle tool integration for kernel 2.6
    - 3G Modem support (big thanks for @LDevil)
    - MutliWAN feature (written by @Arctic, modified by @Shibby)
    - SNMP integration and GUI
    - APCUPSD integration and GUI (implemented by @arrmo)
    - DNScrypt-proxy 1.4.0 integration and GUI
    - TOR Project integration and GUI
    - OpenVPN: Routing Policy
    - TomatoAnon project integration and GUI
    - TomatoThemeBase project integration and GUI
    - Ethernet Ports State
    - Extended MOTD (written by @Monter, modified by @Shibby)
    - Webmon Backup Script

    Copyright (C) 2011-2013 Michał Rupental
    http://openlinksys.info
    "JYAvenard" features
    - OpenVPN enhancements & username/password only authentication
    - PPTP VPN Client integration and GUI

    Copyright (C) 2010-2012 Jean-Yves Avenard
    jean-yves@avenard.org
    "Victek" features
    - Extended Sysinfo
    - Captive Portal. (Based in NocatSplash)
    - Web Server. (NGinX)

    Copyright (C) 2007-2011 Ofer Chen & Vicente Soriano
    http://victek.is-a-geek.com
    "Teaman" features
    - QOS-detailed & ctrate filters
    - Realtime bandwidth monitoring of LAN clients
    - Static ARP binding
    - VLAN administration GUI
    - Multiple LAN support integration and GUI
    - Multiple/virtual SSID support (experimental)
    - UDPxy integration and GUI
    - PPTP Server integration and GUI

    Copyright (C) 2011 Augusto Bott
    Tomato-sdhc-vlan Homepage
    "Lancethepants" features
    - DNSSEC integration and GUI
    - DNSCrypt-Proxy selectable/manual resolver
    - Comcast DSCP Fix GUI - Tinc Daemon integration and GUI

    Copyright (C) 2014 Lance Fredrickson
    lancethepants@gmail.com
    "Toastman" features
    - Configurable QOS class names
    - Comprehensive QOS rule examples set by default
    - TC-ATM overhead calculation - patch by tvlz
    - GPT support for HDD by Yaniv Hamo
    - Tools-System refresh timer

    Copyright (C) 2011 Toastman
    Using QoS - Tutorial and discussion
    "Tiomo" features
    - IMQ based QOS Ingress
    - Incoming Class Bandwidth pie chart

    Copyright (C) 2012 Tiomo
    "Victek/PrinceAMD/Phykris/Shibby" feature
    - Revised IP/MAC Bandwidth Limiter
    Tomato-hyzoom feature
    - MySQL Server integration and GUI
    Copyright (C) 2014 Bao Weiquan, Hyzoom, bwq518@gmail.com
     
    Last edited by Mr. Wizard, Apr 2, 2017
  13. RemixDeluxe

    RemixDeluxe GBAtemp Psycho!

    Member
    4,584
    1,357
    Nov 23, 2010
    United States
    @Mr. Wizard

    I blocked out sun.hac.lp1.d4c.nintendo.net on my Switch and my PC. I tested it on my PC and the URL is definitely blocked, but on the Switch the console says up to date, but sometimes when I check I get error code: 2137-8007 rather than all the time. I'll use Wireshark later, but I believe just maybe there is another URL that's being pulled for updates. I'll post back if I come across anything new.
     
  14. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    1,112
    425
    Mar 20, 2015
    Canada
    10th Dimension
    Interestingly enough I get a completely different error when going to "System Update". And I consistently get it every single time. Are you sure your blocking is functioning properly? How else have you tested it?

    [​IMG]
     
  15. RemixDeluxe

    RemixDeluxe GBAtemp Psycho!

    Member
    4,584
    1,357
    Nov 23, 2010
    United States
    I've been blocking the same way I did it for my Wii U.

    I am also blocking these URLs for the Switch

    receive-lp1.dg.srv.nintendo.net
    receive-lp1.er.srv.nintendo.net
    google-analytics.com
    googletagmanager.com
     
  16. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    1,112
    425
    Mar 20, 2015
    Canada
    10th Dimension
    Yup, I am blocking the exact same URLs, I don't know what else to say. My friend's switch gets the same error as me when going to system update. And neither of us has gotten another nag screen yet since the update came out. Your experience seems different for some reason, I can only suspect it has something to do with the way you are trying to block them. How are you blocking them?

    Also, I had a weird eshop error one time; I had to unblock google for a minute in order to get the eshop to display. After turning google blocking back on I have not received that error again for some reason.
     
  17. yahoo

    yahoo GBAtemp Regular

    Member
    341
    236
    Aug 4, 2014
    United States
  18. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    18,093
    8,590
    Oct 27, 2002
    France
    Engine room, learning
    Mr. Wizard, thanks for keeping your first post updated with the purpose of each URL.
    I added a note in the first post of the thread to look at your post for URL lists.

    edit:
    3DS has that URL cbvc.cdn.nintendo.net used to check the latest browser version, and prevent using it if a new version was available.
    I guess there's no real browser on switch, so they don't have similar check?
     
    Last edited by Cyan, Apr 2, 2017
  19. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    1,112
    425
    Mar 20, 2015
    Canada
    10th Dimension
    Cool.

    I haven't noticed the Switch call to any Nintendo servers when breaking into the captive portal browser. Maybe once they patch in a full browser? Then again, they seem to be doing things differently: the nag screen and update are not persistent on the Switch, auto-updates can be turned off, and you can block the firmware server without breaking the eshop.

    Hopefully they are being a little too confident in their security.
     
  20. RemixDeluxe

    RemixDeluxe GBAtemp Psycho!

    Member
    4,584
    1,357
    Nov 23, 2010
    United States
    @Mr. Wizard My router is unable to block encrypted URLs. I called Linksys technical support and they told me my specific router model is unable to do it. I put in a ticket and they said to call back in a couple of months while they look into it.

    For everyone else, if you aren't getting Error Code: 2137-8056 then you aren't blocking the updates.
     
    Last edited by RemixDeluxe, Apr 2, 2017
    Mr. Wizard likes this.