1. 20
  1.  

  2. 20

    I thought this was going to be about CPU activity but it’s regarding the network activity from each system. Unsurprisingly Windows is more “chatty”, but to be honest, less so than I expected and there aren’t really any surprises. A few notes from skimming the article as to some connections the author seems unsure about:

    home.lan
    This is presumably the default DNS domain for Windows when not connected to a corporate domain. The Windows DNS client appends the primary DNS domain of the system to unqualified queries (see DNS devolution for the grotty details).

    As for the queries, wpad will be Web Proxy Auto-Discovery (which is a security disaster-zone, but that’s another story), the ldap one is presumably some sort of probe for an AD domain controller, and the rest I’m guessing are captive portal or DNS hijacking detection, which could be either Windows or Chrome that’s responsible.

    Intel
    No chance this is Windows itself. Pretty much guaranteed to be the Intel graphics driver, specifically the Intel Graphics Command Center which was probably automatically installed.

    Microsoft
    The 4team.biz domains are definitely not Microsoft but some 3rd-party vendor of software within that ecosystem. So it turns out there’s at least one legitimate company out there that actually uses a .biz domain!

    The rest are largely telemetry, error reporting, Windows updates, PKI updates (CAs, CRLs, etc.), and various miscellaneous gunk probably from the interactive tiles on the Start Menu. Microsoft actually does a half-decent job these days of documenting these endpoints. A few potentially helpful links:

    1. 2

      There was another thing that surprised me, namely that Windows appears to connect to a Spotify-owned domain. I asked the author if he had installed Spotify, which he hadn’t.

      1. 4

        Isn’t there a tile for Spotify in W10 by default?

      2. 2

        I thought that a bunch of these are moving to DNS-over-HTTPS with some built-in resolution servers which would then completely bypass his private DNS server?
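
An added example, not part of the thread or the article: a triage pass over a private DNS server's query names that sorts them into the categories the first comment describes for `home.lan` (WPAD, the AD domain-controller probe, and likely hijack-detection probes). The sample names, the `KNOWN_HOSTS` allowlist, the `_ldap._tcp.` prefix match and the 7 to 15 letter shape for random probes are assumptions made for illustration.

```python
import re
from collections import Counter

LOCAL_SUFFIX = "home.lan"         # suffix named in the comment above
KNOWN_HOSTS = {"printer", "nas"}  # hypothetical: hosts that really exist locally

# Constructed sample of queried names (not taken from the article).
SAMPLE_QUERIES = [
    "WPAD.home.lan.",
    "_ldap._tcp.dc._msdcs.home.lan",
    "qzkvbtrmwe.home.lan",
    "qzkvbtrmwe",
    "printer.home.lan",
    "example.com",
]

# Assumed shape of a random NXDOMAIN/hijack-detection probe label.
RANDOM_LABEL = re.compile(r"[a-z]{7,15}")


def classify(qname, suffix=LOCAL_SUFFIX, known=KNOWN_HOSTS):
    """Return a category for one queried name."""
    name = qname.rstrip(".").lower()
    tail = "." + suffix.lower()
    if not name.endswith(tail):
        # Not under the local suffix: bare label or an ordinary outside name.
        return "single-label" if "." not in name else "external"
    host = name[: -len(tail)]  # the part the client had before the suffix
    if host in known:
        return "known-host"
    if host == "wpad":
        return "wpad"
    if host.startswith("_ldap._tcp."):
        return "ad-dc-locator"
    if RANDOM_LABEL.fullmatch(host):
        return "probe-candidate"
    return "devolved-other"


def summarize(queries):
    """Count how many queries fall into each category."""
    return Counter(classify(q) for q in queries)


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{classify(q):16} {q}")
```

A steady count of `wpad` or `ad-dc-locator` names on a network with no proxy or domain controller shows which clients would accept an answer for those names if one ever appeared in the local zone.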