Windows 10 shows Limited internet access but it's connected

Expected Behaviour:

Windows NCSI correctly working, showing "Internet access"

Actual Behaviour:

While having PiHole as DNS resolver, Windows thinks that it doesn't have internet access, but it works just fine. I've tried to see if the PiHole has in the blacklist some Microsoft server related to the connectivity check, but that's not the case as I can correctly reach all the sites that do the checks.
Opening regedit at
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
shows all the different settings related to NCSI.
The problem is that all the Metro apps (and also Spotify) won't work as they think that they're not connected to the Internet. As I run my PiHole on EC2, I solved it by moving the test to my server, so that Windows can correctly pass the test. What I did was modify different keys:
ActiveWebProbeHost to my actual domain
ActiveDnsProbeHost to my actual domain
ActiveDnsProbeContent to my EC2 IP
On your machine you have to create a file named "connecttest.txt" inside /var/www/html which contains the following: Microsoft Connect Test
Et voilà, Windows no longer thinks it is disconnected.

This is a known issue with Windows 10, and is not a Pi-hole issue.

Oops, I'm sorry to have created a duplicate topic. Thanks for your answer, I just wanted to help someone by giving some advice on how to solve the problem.

Hi Guys,

I also had this issue after updating Windows (2004)
I use default blocklist, so nothing crazy...

First I disabled PIHole and did these recommended steps from Microsoft:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
NETSH winsock reset catalog
NETSH int ipv4 reset reset.log
NETSH int ipv6 reset reset.log

But after a while the issue returned.

I also use a tool called ShutUp10 from O&O to control data privacy on W10 a bit more, and I remembered that there is one setting relating to NCSI. So I went into that tool, and at the very bottom there is a setting for NCSI and it was disabled.
Make sure that the button is not (green). It has to be red for NCSI to work properly.

After that this issue was solved.

After a couple of days my solution stopped working, so I had to reset all the previous settings, and now it works. Thanks for your help, when I have some time I'll try ShutUp10 and see if it works.

How I am solving this (works on both win7 and win10) :

All I change on the windows machine are the settings:

  • ActiveDnsProbeContent -> IPv4 address of pihole
  • ActiveDnsProbeContentV6 -> IPv6 address of pihole

Then, on pihole, create a dnsmasq file (I use /etc/dnsmasq.d/09-msftncsi.conf), content:

host-record=ncsi.localdomain,192.168.2.57,2a02:1810:xxxx:6902:4bec:yyyy:a97b:zzzz
cname=www.msftncsi.com,ncsi.localdomain
cname=dns.msftncsi.com,ncsi.localdomain
cname=ipv6.msftncsi.com,ncsi.localdomain
cname=www.msftconnecttest.com,ncsi.localdomain
cname=ipv6.msftconnecttest.com,ncsi.localdomain

edit
modified the dnsmasq file to overcome an earlier mentioned problem (unknown status in the query log)
/edit

Create the web server files:
file /var/www/html/connecttest.txt, content:

Microsoft Connect Test

file /var/www/html/ncsi.txt, content:

Microsoft NCSI

now restart pihole-FTL to activate the new dnsmasq config file.

verify everything checks out, by entering

the content of the web server file should be displayed.

The connection test icon in windows is now OK

edit
don't do this if the machine leaves your (home) environment, the IP address changes on the windows machine will cause a problem.
I had to do this on my old windows 7 desktop, since I disconnected it from the internet, but allow access to the (home) environment
/edit

In my opinion it is not necessary to hack the registry for the ActiveDnsProbeContent
With your redirect of f.i. cname=www.msftncsi.com,pi.hole to the PiHole, it's obsolete.

What is forgotten in the description is to add www.msftncsi.com etc. to the whitelist. In some blocklists these msft URLs are mentioned.

dns.msftncsi.com doesn't expect the text 'Microsoft NCSI' but the IP address 131.107.255.255.

An informative article: Disable or customize Windows' Internet Connection test to improve privacy - gHacks Tech News

I have done the same as written above but instead of creating a dnsmasq config file, I create in /etc/dnsmasq the file 04-customRedirect.conf with the content:
addn-hosts=/etc/customRedirect.list

And a customRedirect.list file in /etc with the contents:

192.168.2.210 www.msftncsi.com
192.168.2.210 ipv6.msftncsi.com
192.168.2.210 www.msftconnecttest.com
192.168.2.210 ipv6.msftconnecttest.com

An entry in customRedirect.list like
pi.hole www.msftncsi.com
doesn't work in my case. There is no redirection to PiHole.

And create the 2 web server files you have mentioned.

In this situation I don't have the 'Unknown (0)' message in the PiHole webinterface but an 'OK (cached)'.
If I configure my PiHole like you, I also have the unknown message.
Maybe a reason is that PiHole doesn't support dnsmasq files with CNAME like you use since V5.

What I read in the article you mentioned, it says:

The test tries to connect to a Microsoft website -- http://www.msftncsi.com/ -- to download the ncsi.txt text file from the server the website is hosted on.
and a little bit further:
The text file itself does not contain lots of information, just the text Microsoft NCSI to be precise

It also says:
It will also make a request for the DNS name resolution of dns.msftncsi.com and expects the result to be 131.107.255.255

I assume the expected response for the DNS query is the value in the two keys I changed on windows. So if the value is unchanged, a DNS query will need the answer 131.107.255.255, however, if you change the value, the reply must be equal to that value. Changing the values to the pihole addresses (IPv4 and IPv6) combined with the CNAME entries I proposed will eliminate external lookups.

I was looking into the unknown query result and found a solution for that, I changed my proposed dnsmasq configuration file, see here, to overcome that problem (you need to change the domain name localdomain into your domain name)

Everything appears to be working with this configuration, the unknown entry in the query log is gone.
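
A way to check the result the posts above describe, as an added example that is not part of any post in this thread: it resolves the DNS probe name, fetches the two text files, and compares them with the expected values quoted in the thread. The function names are hypothetical, the URLs are built from the hostnames and file names given above, and ignoring a trailing newline in the files is an assumption.

```python
import socket
import sys
import urllib.request

# Probe hosts, file names and bodies as quoted in the thread.
WEB_PROBES = {
    "http://www.msftconnecttest.com/connecttest.txt": "Microsoft Connect Test",
    "http://www.msftncsi.com/ncsi.txt": "Microsoft NCSI",
}
DNS_PROBE_HOST = "dns.msftncsi.com"
DEFAULT_DNS_CONTENT = "131.107.255.255"  # answer expected when ActiveDnsProbeContent is unchanged


def resolve_v4(host):
    """Return the set of IPv4 addresses the system resolver gives for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def fetch(url):
    """Fetch a probe URL over plain HTTP and return the body as text."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("ascii", "replace")


def check_ncsi(expected_dns=DEFAULT_DNS_CONTENT, resolver=resolve_v4, fetcher=fetch):
    """Run the DNS probe and both web probes; return {probe: (ok, detail)}."""
    results = {}
    try:
        answers = resolver(DNS_PROBE_HOST)
        # The answer must equal the ActiveDnsProbeContent value set on the client.
        results[DNS_PROBE_HOST] = (expected_dns in answers, sorted(answers))
    except OSError as exc:  # socket.gaierror is an OSError
        results[DNS_PROBE_HOST] = (False, str(exc))
    for url, body in WEB_PROBES.items():
        try:
            got = fetcher(url)
            # Assumption: a trailing newline added by an editor is ignored here.
            results[url] = (got.rstrip("\r\n") == body, got[:40])
        except OSError as exc:  # urllib.error.URLError is an OSError
            results[url] = (False, str(exc))
    return results


if __name__ == "__main__":
    # Optional argument: the IPv4 address stored in ActiveDnsProbeContent.
    expected = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DNS_CONTENT
    for probe, (ok, detail) in check_ncsi(expected).items():
        print("PASS" if ok else "FAIL", probe, detail)
```

Run it from a client that uses the Pi-hole as its resolver, passing the Pi-hole's IPv4 address when ActiveDnsProbeContent was changed to it.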

That's ok for strictly home based computers.

Be careful with roaming devices, though:
If you want to keep in good spirits with your company's network admins, don't do that on your company laptop (even if you would be able to). Nor any other device with nomadic usage outside of your home network: Other networks do not know the IP address of your Pi-hole.
