On the topic of blocking host names using the hosts file:
> The nslookup command returned valid IP addresses for both sub-domains, rather than the dummy IP addresses I put into the hosts file. Beats me why. DNS logging showed that nslookup queried my router for the IP addresses.
The reason for this, as I understand it, is that nslookup queries the configured nameserver directly instead of using the getaddrinfo (or similar) function. (This is why the tool is named as it is - "nslookup" stands for "name server lookup". It was never a general purpose resolver tool.)
Yes, this means that programs can simply bypass the hosts file if they want. However, it's worth noting that, even if you do use a pihole as the article suggests, programs can also bypass that by simply querying against a public DNS server like Google's 8.8.8.8. And if you block DNS to those, programs can use DNS-over-HTTPS.
Of course, a large company like Microsoft probably has a lot of static IP addresses at their disposal, so they could just hardcode those instead and just bypass DNS altogether, at which point, basically your only recourse is to add a firewall rule to block that IP address.
It's very difficult to ensure no connectivity short of denying Internet access entirely.
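The resolver split described in the comment above, shown as an added example that is not the commenter's code: `socket.getaddrinfo` goes through the system resolver and so honours the hosts file, while a program that speaks DNS itself (as nslookup does) gets whatever the nameserver answers. The script parses a constructed hosts-file snippet, builds a raw DNS A query, parses the A records out of a response, and reports names that are sunk only in the hosts file so the real upstream addresses can be fed to a firewall rule instead. The hosts content, the upstream response and the nameserver address `192.0.2.1` (documentation range) are all constructed placeholders, not values from the original post.

```python
import ipaddress
import socket
import struct

# Constructed hosts-file content for the demo (not a real machine's file).
SAMPLE_HOSTS = """\
# dummy sinks for two sub-domains
127.0.0.1   localhost
0.0.0.0     telemetry.example.com  metrics.example.com   # blocked
::1         localhost
"""


def parse_hosts(text):
    """Map each hostname to the addresses the hosts file lists for it."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve_via_libc(name):
    """What a normal program sees: libc consults the hosts file first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def build_query(name, qid=0x1234):
    """Raw DNS A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, offset):
    """Advance past a wire-format name, handling the 2-byte compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_a_records(data):
    """Extract IPv4 answers from a DNS response; empty list on error RCODE."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F:
        return []
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4        # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return ips


def query_nameserver(name, server="192.0.2.1", timeout=2.0):
    """Bypass the hosts file the way nslookup does: ask the nameserver directly."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return parse_a_records(response)


def constructed_upstream_response(query, ip="203.0.113.10"):
    """Constructed answer a nameserver might send for `query` (offline stand-in)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:] + answer


def audit(name, hosts_text, upstream_ips):
    """Flag names that are sunk in the hosts file yet still resolve upstream."""
    pinned = parse_hosts(hosts_text).get(name.lower(), [])
    return {
        "name": name,
        "hosts_file": pinned,
        "upstream": upstream_ips,
        # True means a direct-DNS client gets real addresses; block those at the firewall.
        "hosts_only": bool(pinned) and bool(upstream_ips) and set(pinned) != set(upstream_ips),
    }


if __name__ == "__main__":
    q = build_query("telemetry.example.com")
    print(audit("telemetry.example.com", SAMPLE_HOSTS,
                parse_a_records(constructed_upstream_response(q))))
```

Running it offline uses the constructed response; swapping in `query_nameserver(name, server=<your router>)` gives the same report against a live resolver, and the `upstream` list is what a firewall rule would need to cover.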