Related
Hi guys,
since my Hermes is gone, I couldn't but stay in touch with technology and so...in the meantime...I couldn't resist and I'm trying to set my Windows Server 2k8 domain with DNS, IIS7, Exchange etc, the latter is in trial right now, can you give a little advice to set everything up?
The actual problem is I don't think I understood how to set DNS properly.
I mean, I saw some of you offer Exchange services using DDNS (mine is @ath.cx), so I guess you have a dynamic ip and if I'm not wrong, you don't have problems sending email to gmail, as I was having instead.
How have you solved this?
I found some pages saying I have to set the TXT spf field in DNS and to set a Reverse DNS zone and I've done the first with Microsoft site builder(don't know if in the right manner) but I can't do the latter...some sites say only my ISP can do it...but have to say I'm quite confused AT ALL...
how have you done?advices of any kind (noob simple guides instead of my entire book with 430+)?
Currently, I did -again- a good format and installed Win Server 2k8 std with only DNS Server Role, IIS7 and Exchange prerequisites (found on MS WebSite).
Let's see if there's something wrong in my conf, before going to Exchange again and find it not working:
Code:
*let's call my pc first name "pc"
*dyndns to my IP (under a NAT, router, then a bridge-switch, with DMZ on and working) @ mydns.ath.cx, switched on wildcards for *.mydns.ath.cx;
*domain mydomain.co.cc with a nameserver pc.mydns.ath.cx;
*dns for primary zone mydomain.co.cc with:
MX mail.mydomain.co.cc. ;
NS pc.mydns.ath.cx. ;
TXT (v=spf1 mx ptr ptr:vser.ilmeglio.co.cc mx:mail.ilmeglio.co.cc a:vser.ilmeglio.co.cc include:vser.ilmeglio.co.cc mx:vser.ilmeglio.co.cc -all) [Microsoft did this, I'm quite unsure of what I inserted there though] ;
mail CNAME pc.mydns.ath.cx. ;
www CNAME pc.mydns.ath.cx. ;
[just added] pc PTR pc.mydns.ath.cx. .
Is all this allright?
[more questions coming...]
When I install AD (dcpromo), do I have to use my mydomain.co.cc OR can I use AD only in my home network (let's say myname.mylocalnetwork) and so separate the two things: Exchange & AD?
If I can, are there -hard- additional modifications to make Exchange accept mails from my real web domain and not my local one?
And what about the "pc" name, does it need the network domain or can I leave it the local one? Will Exchange need changes for this too?
P.S. I'm messing with windows server, domains, dns, dcpromo, AD, exchange, ALL this stuff, from 3 days on only, I've learned just a miiinimal part of it all I think, so treat me as a noob
Infinite thanks.
Way off topic to be sure, but DNS is a confusing beast to set up at times.
Check this page out:
http://rscott.org/dns/
You can set up a rdns table yourself, but unless the lookups are set to go your DNS machines, it won't do any good.
Reverse lookups are usually delegated to whoever the IP is assigned to, normally your ISP. Some ISP's will forward the reverse lookups to your name server of choice, some will change their records to what you request, and others will either give you a blank look or refuse to do anything.
Also keep in mind that any kind of server is against the acceptable use policy of many ISP's, check with yours before opening anything up to the world.
As for the records you listed, I don't know how microsoft does theirs (I run bind on UNIX machines and always found the microsoft way of dealing with domains and 'NT domains' to be severely fscked up and confusing), but the basics are the same, and I already see some problems:
You only have a single NS
Your MX points to a CNAME, not an A
PTR records are used only for reverse lookup tables, not forward tables
(Mods, I would imagine that this should go in the general -> Off-Topic forum)
jdc said:
[...] but the basics are the same, and I already see some problems:
You only have a single NS
Your MX points to a CNAME, not an A
PTR records are used only for reverse lookup tables, not forward tables
(Mods, I would imagine that this should go in the general -> Off-Topic forum)
Click to expand...
Click to collapse
Thanks for your answer!
Actually I'm again starting from 0 after having understood it's better to maintain my home domain off the internet
Don't think my ISP policy is good for me, but perhaps I can obtain something about rDNS...not sure though
About NS, how can I have two if this is the unique pc doing the dns server?Is this a problem of RFC rules?
If I set both mydns.ath.cx and pc.mydns.ath.cx (which both point here) at the registrar would it do the trick?
About MX, mmh how can it point to an A if I have a dynamic IP? I mean ok, when it's all working perhaps my ip will stay one, but what if my router disconnects, or simply power goes down...my ip would change and I can't change it manually everytime, that's because I was pointing to an address hopped again from the other CNAME to my DDNS servers...is this, again, a problem of RFC roules or is simply wrong?Don't know how to solve though
Still have to learn much about forwarding, do you mean I should add it into a primary reverse zone?
Thanks again,
sorry, that's OT of course
These apps allow you to remotely access your phone from a web browser. However, they all run a web server on the phone, and I cannot connect to any of the over 3g (Verizon).
LazyDroid Web Desktop
Remote Desktop
Remote Web Desktop
I want to move the web server off phone, and (hopefully) onto private sites.google.com site. App Engine might be necessary, but I'm hoping this could be done solely in JS.
The hosting site would provide the UI, and interact with the phone using C2DM (the magic that powers Chrome2Phone, GMail, and installing apps from the web Market).
The UI is pretty obvious. It just needs a whiz to create HTML, Javascript, etc.
The C2DM backend is a still a bit mystifying to me... and searching for c2dm and javascript does not yield any obvious working implementations. But it seems plausible. Push a command to the phone, phone returns/uploads data to website, and UI updates.
Then there is the Android end. Well, there are the 3 projects above, Tasker for a quasi-hackish approach, and RPC (promising, but it seems like a WIP).
Thoughts? Volunteers? Geniuses?
Ooo... 2 birds with one stone!
This would also kill 2 birds with one stone.
No more typing in dynamic IP addresses! You get to use DNS to handle the connections. Bookmark your site in your desktop browser (it is always the same!). And set a preference in the Android app.
On lazydroid i've in planning some kind of trick that will let you connect behind firewall ... similar to a vpn...
CloudsITA said:
On lazydroid i've in planning some kind of trick that will let you connect behind firewall ... similar to a vpn...
Click to expand...
Click to collapse
I tried it again last week, and it is still unsuccessful. Webkey is currently the only application that I can successfully use to reach my phone.
Now, I could be wrong, but I believe all of these apps run a web server on the phone. I get a lovely, private 10.x.x.x IP address, which I can't reverse the route to. I have tried and failed to get DynDNS to work.
I have been looking into a solution since my original post. I have not had any time to do code squat, but I have loosely figured out all of the parts.
The big architectural difference I have been seeking is removing the server from the phone. I am not an Android expert, but I don't believe it even requires a running service. (Thank you, C2DM.)
With the app-webservice separation, you can work a "protocol" that reduces the overall bandwidth used... and thus improve battery life. Put all the "hard work" on a webserver, and (things get fuzzy here) possibly push it off onto the client browser (JS).
C2DM Browser Links
I could probably make something like WebKey but with C2DM and some more features. If you want you can give suggestions and I'll start making on saturday (after my exams). It would probably be possible in javascript for the actual sending from server and php just for logging in to your google account. The phone would just be registered on the server and no services (just as you wanted )
nebkat said:
I could probably make something like WebKey but with C2DM and some more features. If you want you can give suggestions and I'll start making on saturday (after my exams). It would probably be possible in javascript for the actual sending from server and php just for logging in to your google account. The phone would just be registered on the server and no services (just as you wanted )
Click to expand...
Click to collapse
I am not sure "more features" is necessarily the direction I'm headed. I am focused on making a "seamless" experience (i.e. less separation of phone and computer).
I was headed to App Engine (Python bias + easy Google integration). I have a project created. I haven't pulled together the various examples to make the core, but it seems <naive>simple</naive>. Stir in some templates, CSS, a sprinkling of JS, and voila!
The big "tricky" part that I can't convert from f***ing magic to a clear approach is the data link in the server. I want to avoid any storage to a Google disk, or otherwise, even temporarily. No stored data = easy privacy policy.
nebkat, if you're really chomping at the bit to code, here's my Android client concept.
- C2DM is a wake-up call. (cheat an borrow ChromeToPhone's ID to begin with)
- Connect to web server, send "I'm here," and wait for further instructions (Channels API/Comet/AJAX/.........)
- make the command set extensible
- each command is blockable in the client. (Permission control is set on the phone, not remotely.)
- After N minutes of no activity, send a "good bye," disconnect from the server, and fade into the background.
Don't worry, I'm very experienced with the server side stuff and I know exactly what you want. The only information stored on the sever side would be google account, the device c2dm registration id and some logging features just for statistics. A password could be set on the phone that would be sha512 hashed on the ajax request and would be sent to the phone. Even if a hacker found the hash, it would be useless without being logged in to the persons google account or knowing the server side auth token.
For now i'll just make the reciever, processor and command output and later on the extra security and ui stuff. It will work exactly the same way as Chrome2Phone except it will have server side php and the different commands. The connection from pc to phone will be something like this.
user command -> ajax request -> php c2dm request -> phone
phone -> php server http request -> controller page status
BTW I'm saving up for a Nexus S, how much would people pay for this type of app? There would definitely be a free version, but I just need to get the Nexus S because I have a Galaxy Spica now and it isn't the best for app development. I'm new to how stuff at xda works, would a donate version get me enoguh for the Nexus?
nebkat said:
Don't worry, ... <snip> ... auth token.
Click to expand...
Click to collapse
Alrighty then. I'm feeling like I can stop contemplating implementing this.
BTW I'm saving up for a Nexus S, how much would people pay for this type of app? There would definitely be a free version, but I just need to get the Nexus S because I have a Galaxy Spica now and it isn't the best for app development. I'm new to how stuff at xda works, would a donate version get me enoguh for the Nexus?
Click to expand...
Click to collapse
Since I was learning the ins and outs of App Engine, I read their quota rules and realized if this were popular it would require funding. I don't know where you are going to your web server, but I assume you'll have to pay someone to keep it running. But I had thought about $$$ already.
"Give away the razor, and sell them the blades."
Make the app free, no feature restrictions.
You get your money through various "membership" levels on the server. (See the account levels at fastmail.fm for an example.) So, you can use the app for free, but you only get, say, 2-3 MB of traffic per day, and only X sessions per day. Need more? See the pricing chart.
user command -> ajax request -> php c2dm request -> phone
phone -> php server http request -> controller page status
Click to expand...
Click to collapse
user command -> php server http request -> phone
phone -> php server http request -> controller page status
user command -> php server http request -> phone
lather, rinse, repeat.
C2DM is not deterministic, and acts up in low signal conditions. So, I made a decision to only use C2DM to initiate a session. Once both ends are connected to the server, everything goes over HTTP.
Oh.... and not that we need another Lookout/Phone Finder, but a shared-secret SMS code for the case where "they" have shut down the data connection.
I have my own server nebkat.com and there is nothing on it anyway.
The only other way to make "push" requests to the phone is with WebSockets. It would probably be better than c2dm because we have full control over what gets sent (google limits some requests). The advantage of WebSockets is that they send no header information which means that we could send our messages in 20 to 30 bytes.
I'll look into more detail on friday.
With web sockets won't you need to ensure the phone has a routable, external IP address? I know, for one, t-mobile does not expose an external IP address for their phones. Unless, of course, if the phone is connected over WiFi. C2DM works great for me (I have used a couple of apps with it and it is really useful).
MrGibbage said:
With web sockets won't you need to ensure the phone has a routable, external IP address? I know, for one, t-mobile does not expose an external IP address for their phones. Unless, of course, if the phone is connected over WiFi. C2DM works great for me (I have used a couple of apps with it and it is really useful).
Click to expand...
Click to collapse
No, WS is server initiated and the ip address' shouldn't make a difference.
MrGibbage said:
With web sockets won't you need to ensure the phone has a routable, external IP address? I know, for one, t-mobile does not expose an external IP address for their phones. Unless, of course, if the phone is connected over WiFi. C2DM works great for me (I have used a couple of apps with it and it is really useful).
Click to expand...
Click to collapse
You need an valid external IP address if you are attempting to initiate contact with your phone, which is why the 4-5 apps I've mentioned do not work on carriers like t-mo and verizon.
But the phone can establish a connection, and the carrier NATs (or whatever) will handle the routing for outgoing and incoming data.
I think the right questions are: Will Verizon/T-Mo allow the ports and protocol for WebSockets? Do Android and desktop browsers implement the draft API correctly and consistently?
I like C2DM. I works well when you have a good connection. But there are 3 issues with it.
1) The message size limit is 1024 bytes. Not ideal for file transfers.
2) In a poor signal areas, since the service retries sending messages, you will get delayed and/or duplicate messages. I work in a large "concrete" building, so I get this behavior often enough that I don't want to rely on it.
3) I believe there is a limit on the number of messages you can send. So, hunting around the filesystem could hit this limit (but unlikely in reality... I hope.)
It would be interesting to see exactly how those apps handle all of the data. Do they only use C2DM, or do they hand over to another protocol?
Ok my exams are over and I am starting with it. I'll give updates on this thread
The training center I work for is piloting a bunch of mobile devices to distribute to users . The devices need to be able to access only a select number of websites and a few in house apps (a sad use for these wonderful devices). I have rooted one of our Nexus 7s and disabled most of the default apps. I then just password protected all of the apps that I must keep like Titanium backup, settings, etc. What I can't figure out is how to lock chrome so that it can only go to certain websites. Does anyone know how i could do this?
marcymtz said:
The training center I work for is piloting a bunch of mobile devices to distribute to users . The devices need to be able to access only a select number of websites and a few in house apps (a sad use for these wonderful devices). I have rooted one of our Nexus 7s and disabled most of the default apps. I then just password protected all of the apps that I must keep like Titanium backup, settings, etc. What I can't figure out is how to lock chrome so that it can only go to certain websites. Does anyone know how i could do this?
Click to expand...
Click to collapse
Android doesn't have parental settings like a computer with security software like kaspersky or McAfee. It also doesn't have such a software that prevents you from accessing sites you don't want it to be accessed. You can tell the IT department to set the privacy settings so when the sites are typed, it'll be blocked.
Sent from my Nexus 4 using Tapatalk 2
I'd address this by having them contact a specific access point that accessed a specific proxy (that they were configured to use) with the list of sites.
Squid isn't bad to configure.
drop the default route (ip route del default), add the desired DNS hostname translations to /etc/hosts -> /system/etc/hosts, and then add back in individual routes (ip route add) to the ip blocks named in /etc/hosts.
This would need to be repeated every time the DHCP lease renewed, as the renewal process will certainly re-insert the default gateway route, and the current IP might change.
A better solution would also compromise or replace DNS lookups with the same domain name whitelist, and every DNS lookup not in the whitelist would blackhole to the loopback (127.0.0.1) device.
You didn't say whether or not these devices are "in the wild" (either 3G or random WiFi hotspots). If the devices are captive (getting DHCP leases from a corporate/business access point) there are plenty of other tricks that can be played at the default gateway.
Note also that it is pretty typical for "web sites" to pull content from all over creation, or use load-balancing services (e.g. akamai) where the name-to-IP translation can't be readily predicted in advance,
Both of those factors might condemn you to be perpetually editing your hostname whitelist and routing table instructions.
good luck
I've been doing some short investigating around the X2 Pro.
It seems like the device connects to some Chinese servers throughout the day. During my tests, these happened at random times: 18:53, 19:37, 18:47.
The IP it connected to was 223.202.200.150 and the connection was encrypted with TLS so I couldn't see the contents of the packets but I know it was connecting via HTTP.
That IP seems to be an Alibaba Cloud Computing server run by Oppo (ColorOS).
It's around 430 bytes sent each time over different ports. Initially it's 443 (as expected for TLS) but then changes to ports 40634, 40712, 41798, or 42036. It seems to be random.
The server it was connecting to was https://classify.apps.coloros.com/. It seems to fire whenever you install a new app. It's likely fetching an app category and storing it somewhere. This would be how it makes those auto-named app folders in the launcher, I assume.
------------------------------------------------------------------------------------------------------------------------
Following on from this, I adjusted my Wireshark filter to include any server with "oppo", "realme", "coloros", or any IPs in China and found some more servers:
Server Name: guif-eu.coloros.com
Server Name: languagef-eu.coloros.com
Server Name: ifota-eu.coloros.com (OTAs i assume)
Server Name: ifota-eu.realmemobile.com (more OTAs...?)
Server Name: ifsau-eu.coloros.com
Server Name: i6-eu.weather.oppomobile.com (I think we can guess this one...)
Server Name: state.dc.oppomobile.com
Server Name: confe.dc.oppomobile.com
There's even more than this which I've included in my full list in the 2nd post.
Some of these refuse to connect in the browser, and others return 401 unauthorised headers. It would be interesting at least to know exactly what data is being sent to each of these servers. Each of the servers are AWS Cloud Compute servers based in France. I'm not sure if the location is whichever is closest to the user, but I'd assume so.
The issue is that the Chinese gvmt can request the data on any server that is hosted in China. For all we know, the AWS servers could just be a non-suspicious front end which forwards all the data to their actual servers in China, trying to hide that from us. We just don't know.
(Thanks to Gamr13 on the Realme Discord for giving me the idea )
classify.apps.coloros.com
Request sent when an app is installed. Likely to check what 'category' it is for auto-naming folders on the stock launcher.
********
guif-eu.coloros.com
Unknown.
********
languagef-eu.coloros.com
Unknown.
********
ifota-eu.coloros.com
Request sent when checking for new system updates. Unknown why there's two servers -- maybe a remnant from ColorOS?
********
ifota-eu.realmemobile.com
Request sent when checking for new system updates. Unknown why there's two servers -- maybe a remnant from ColorOS?
********
ifsau-eu.coloros.com
Unknown.
********
i6-eu.weather.oppomobile.com
Weather service.
********
i6.weather.oppomobile.com
Weather service.
********
file-eu.weather.oppomobile.com
Weather-related. I hope this isn't what it sounds like it could be... (file?)
********
state.dc.oppomobile.com
Unknown.
********
confe.dc.oppomobile.com
Unknown.
********
smartcardf-eu.apps.coloros.com
Unknown.
********
proxyeu.apps.coloros.com
Unknown. Sounds like it could be an EU-based proxy for forwarding connections to China.
********
clonephonefs.coloros.com
Unknown. Seems to correspond with the Clone Phone notification when you first set up your phone.
********
guifsf-coloros-com.oss-ap-southeast-1.aliyuncs.com
Unknown. Alibaba Cloud Computing service.
********
wow ! that is nice to discover .. i noticed my phone keep uploading something specially at night !
Yes, they 100% collect, forward (between jurisdictions) and store information located on their servers in the People's Republic of China.
Information includes, and is not limited to, usage behaviour, face/fingerprint ID, voice, financial info (when you buy products), location, sleep patterns etc. Pretty much everything you can think of.
All of this is explained in their Privacy Policy and they state everything they are allowed to take.
Go to About Phone>Legal information.
When you use this Colour or Realme UI Operating System, you agree to these terms.
And according to the User Agreement, one is technically not even allowed to analyze the software (i.e. O.P.'s post information) or have pornography on the phone.
You can (probably?) negate this by switching to another OS, but unless you do it straight out of the box, it might already be too late: For entering your information even once, like during 1st day startup, will have your information stored in the PRC servers for an undisclosed amount of time (probably forever).
Anyody know how to stop this from happening?
onnoêzeler said:
Anyody know how to stop this from happening?
Click to expand...
Click to collapse
no, you can't prevent it, privacy no longer exists, profiling is the market of the new century, big brother Google knows it well
Somebody pointed out on telegram their image thumbnails are getting stored in logs Folder and getting uploaded as well.
Might be for their face matching and sorting algorithm in stock gallery, because this is the first phone or app which i see does on device machine learning by sorting pics According to their faces (in the case if it doesn't upload images for)
Be it google photos, Xiaomi gallery ,etc, all identify faces after you upload the pics on their cloud.
I wish I had seen this thread before I ordered the phone…
If the phone is rooted, you could probably use AdAway to block those domains and IP address, but will fingerprint and face unlock still work? Or even without root you could use DNS66 or DNSfilter, both available on F-Droid, to block those domains and IP address. When my phone arrives, I will test this solution.
Can I use adb to remove certain offending apps without unlocking the bootloader? (Thinking about Widevine L1 vs L3)
nuserame said:
I wish I had seen this thread before I ordered the phone…
If the phone is rooted, you could probably use AdAway to block those domains and IP address, but will fingerprint and face unlock still work? Or even without root you could use DNS66 or DNSfilter, both available on F-Droid, to block those domains and IP address. When my phone arrives, I will test this solution.
Can I use adb to remove certain offending apps without unlocking the bootloader? (Thinking about Widevine L1 vs L3)
Click to expand...
Click to collapse
If you care this much about privacy, you could unlock and use N no of custom roms available for this device.
Everything will work, except L3.
As for files which are uploaded, all from the ColorOS folder(don't know how it is in rui as I was using it for few hours while it was in beta stage) that's in internal storage are being uploaded. Some of files there are encrypted which leads my thoughts to be very sensitive data.
FireTV OTA firmware updates previously came from:
https://d1s31zyz7dcc2d.cloudfront.net
This has now changed to:
https://prod.ota-cloudfront.net
Another variation:
https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/
For anyone that is blocking updates through their router or via DNS, add the new address to your block list
EDIT: After a day of getting OTA updates from prod.ota-cloudfront.net, OTAs are now coming from d1s31zyz7dcc2d.cloudfront.net again.
prod.ota-cloudfront.net may be a backup address or Amazon is testing out the transition to the new address. Either way, better to keep both blocked
BLOCK THESE:
FireTV contacts this address to request updates:
https://softwareupdates.amazon.com
Then OTA updates are sent to the FireTV from these addresses:
https://d1s31zyz7dcc2d.cloudfront.net
https://prod.ota-cloudfront.net
https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/
Another OTA url variation to add to your blocklist
https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/
Finnzz said:
Another OTA url variation to add to your blocklist
https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/
Click to expand...
Click to collapse
Can you please post your full blacklist of urls? I want to block them.
ForbEx said:
Can you please post your full blacklist of urls? I want to block them.
Click to expand...
Click to collapse
Updated the op, you want to block those 4 addresses.
There are a lot of old block lists that copy each other. They include OTA URL's for FireHD tablets, Kindle and maybe even Echo updates.
It's important that you block the https:// form of the URL. Most routers can only block http:// URLs. DNS blocking can be used for https://
After you block the addresses, go to FireOS settings and check for updates. You should get an error. If not, the block isn't working.
Finnzz said:
Updated the op, you want to block those 4 addresses.
There are a lot of old block lists that copy each other. They include OTA URL's for FireHD tablets, Kindle and maybe even Echo updates.
It's important that you block the https:// form of the URL. Most routers can only block http:// URLs. DNS blocking can be used for https://
After you block the addresses, go to FireOS settings and check for updates. You should get an error. If not, the block isn't working.
Click to expand...
Click to collapse
Ok friend, I Successfully blocked it.
Think this is true on my router. The https is not being blocked.
ktjensen said:
Think this is true on my router. The https is not being blocked.
Click to expand...
Click to collapse
It's pretty rare for a consumer grade routers to be able to block specific https addresses directly. I think it's much more likely you find consumer routers that support DNS based https blocking.
If that's not an option you can use Ighor's DNS to block updates or an app like DNS Rethink that will let you block any app from the internet on your FireTV. You would block the OTA app.
Works like a charm in Pi-hole:
Code:
firetvcaptiveportal.com
d1s31zyz7dcc2d.cloudfront.net
amzdigital-a.akamaihd.net
amzdigitaldownloads.edgesuite.net
softwareupdates.amazon.com
updates.amazon.com
prod.ota-cloudfront.net
d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net
I would like to add, after installing all these URL's into my router, my FS max started the crappy launcher, but only gave three options, and said something like "Home service unavailable". In the Network config, it reported no internet access. The (play/pause) button was inactive, but might be due to some NoBloat setting I had been playing with. At first I was unable to get past it, but I pressed 'home' and the Wolf launcher appeared. All the apps worked too. After I restarted it, the manager launched Wolf after a few seconds. So I guess this blocks a lot more than just the updates, but I'm good with that.
Life is good.
(My first post, please be kind)
@Finnzz Was doing some network checks while clicking the "Check-For-Updates" in settings and got the direct IP addresses for some of the domains that are queried when you do a check for updates using my 2nd gen. Cube.
18.164.160.156 = d1s31zyz7dcc2d.cloudfront.ota-cloudfront.net
18.160.2.68 = server-18-160-2-68.iad12.r.cloudfront.net
52.46.155.120 = softwareupdates.amazon.com
176.32.101.122 ~ my best guess is proxy to softwareupdates.amazon.com
176.32.99.246 ~ my best guess is proxy to softwareupdates.amazon.com
If looking at logs the system app <com.amazon.device.software.ota> will query an AWS domain (arcus-uswest.amazon.com) 4x then error out with domains blocked, or query AWS 4x then query one of the softwareupdates.amazon.com IP's 3x in succession then an additional 4x back to AWS when it can't connect to download updates.
In none of my tests did my device ever try connecting to
https://prod.ota-cloudfront.net
-- but maybe that is only due to there being no full firmware update available at that time of my tests.