Block unwanted servers and websites using hosts files on any system

I strongly discourage you guys from solely using the host file to block websites, especially when you are doing this on your computer.

This has several reasons:

  1. It’s not mandatory for browsers to use the system’s host file. In case you have a misconfiguration, a file with a false extension or the program simply bypasses the OS resolver, the host file will be ignored. If you do not notice that, you will be fully exposed to tracking.

  2. Following scenario: You visit the site ‘test.com’ by typing the address in your browser’s search bar. The webserver internally redirects you to ‘www.test.com’ as this is the common hostname used by the website. If you now block the site ‘test.com’ by adding an entry to your host file, you can’t be sure that it is actually blocked as your browser eventually has already cached the redirect to ‘www.test.com’ and will now connect you directly. Therefore connections are still possible although you allegedly blocked the hostname (but not the www. one).

  3. Things may change with future updates. Who knows, maybe browser manufacturers will start to ignore the host file by default, especially when DoH is introduced more and more?

  4. The host file has no use if you are using DoT/DoH in your browser as the local OS resolving is bypassed (which is the whole point of DoH). This is especially dangerous for Firefox users as Mozilla started to enable DoH by default this year (not yet for all users as far as I know). If you are not aware of this, then suddenly also all your ad-blocking will be gone and all counter measures taken (Pi hole, etc.) are worthless as all DNS queries are encrypted (which generally is a good thing for privacy outside your network but not security). Android 9 also introduced DoT, so apps that connect to tracking services over DoT won’t be stopped by your host file.

As you should notice at this point, there are many things that can possibly go wrong and it’s so easy to have your data leaked here. I would always recommend you to block tracking websites as soon as possible which is in the browser directly (for example with uBlock, etc.). This is probably the safest variant with the least potential for data leaks.

A good solution for Android is the app NetGuard. It also relies on the system’s host file but acts like a local VPN. Therefore, all requests made have to be routed through the VPN interface which allows the app to gain full device-wide control over all connections and decide on its own again whether the request should be allowed or forbidden.
Edit: I’m not sure though how NetGuard handles DoT connections on Android 9 and upwards. I don’t think that it can block those requests. So I would assume that you actually have to locally resolve those queries again. I haven’t made any research here as I’m still on Android 8, would be nice to know if somebody knows :slight_smile:

If you are still looking for an OS-wide solution while maintaining privacy through DoH, I’d recommend you to use a local proxy like Stubby (https://github.com/getdnsapi/stubby) or dnscrypt-proxy (https://github.com/DNSCrypt/dnscrypt-proxy). Stubby is simply a local DNS resolver which accepts unencrypted DNS requests, encrypts them and then connects to a DoH server to read the IP address. So you have to do some adblocking before, either with firewall rules or another proxy.
Dnscrypt-proxy already features ad blocking so that’s maybe easier to set up. You could just feed the proxy your hostfile which will then block all malicious/ad-related domains before encrypting to DoH.
So with dnscrypt-proxy your data flow would look something like this:

Another tip for hostfiles: I’d recommend you to create your hostfiles depending on ASNs. If you visit this site here, you will get all IPs for the ASN 15169 which is Google LLC. That’s a good way to quickly block whole providers.

7 Likes
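An added example (not code from the post above or from the dnscrypt-proxy project) of the "feed the proxy your hostfile" step: dnscrypt-proxy's blocklist is a plain list of names and patterns, so the addresses and loopback aliases of a hosts-format list have to be stripped off first. The sample hosts lines are constructed, and the option names in the usage comment are the ones from dnscrypt-proxy's example configuration.

```shell
#!/bin/sh
# Added example: turn a hosts-format blocklist ("0.0.0.0 ads.example.com") into the
# one-name-per-line file that dnscrypt-proxy's blocked_names_file option reads.
# Reads hosts lines on stdin; prints lowercase, de-duplicated names, one per line.
hosts_to_blocklist() {
  awk '
    { sub(/\r$/, ""); sub(/#.*/, "") }      # drop CRLF and comments; fields are re-split
    NF < 2 { next }                          # need an address plus at least one name
    $1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::1" { next }   # keep sinkhole entries only
    {
      for (i = 2; i <= NF; i++) {
        name = tolower($i)
        # skip the loopback aliases every hosts file carries; blocking them breaks local services
        if (name ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-localhost|ip6-loopback)$/) continue
        print name
      }
    }
  ' | sort -u
}

# Constructed sample input (not a real blocklist) so the script runs stand-alone.
sample_hosts() {
  printf '%s\n' \
    '# comment line' \
    '127.0.0.1 localhost' \
    '::1 localhost ip6-localhost ip6-loopback' \
    '0.0.0.0 Ads.Example.com   # inline comment' \
    '0.0.0.0 ads.example.com www.ads.example.com' \
    '10.0.0.5 intranet.example.test'   # a real mapping, not a block entry: left out
}

# Usage: sample_hosts | hosts_to_blocklist > /etc/dnscrypt-proxy/blocked-names.txt
# and in dnscrypt-proxy.toml:  [blocked_names]  blocked_names_file = 'blocked-names.txt'
# (option names as in the project's example config; check them against your version).
sample_hosts | hosts_to_blocklist
```

The list is used exactly as written: the `test.com` vs `www.test.com` case from point 2 above is only covered if both names are in the hosts file.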

Hello @exyna!

Yes, I understand your point of view, actually my first idea was to use the hosts file to block native trackers on stock Android ROMs.
It was more an example of the usage of hosts file. :blush:
The best idea is of course to rely on an external router or a proxy with DOH/DOT.
I have never heard about stubby, it looks interesting for a linux computer.

Can you tell more about this idea of ASN?
How can we implement IP with netmasks in host files?
I checked but I was thinking that it was only for DNS requests…
Are you using a firewall instead to block lists of IPs?

Check this wikipedia article for an in-depth explanation about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet)
To summarize this a bit, an AS basically includes a range of IP nets that can be tied to the network of a specific organization (like Google, Facebook, etc.).
Each of these autonomous systems has a unique number which clearly identifies each AS. Therefore we can use the ASN to fetch all registered IP addresses allocated to an organization to block specific companies at once. A company can have multiple ASNs, have a look at https://www.ultratools.com/tools/asnInfo

You should keep in mind that AS blocking is a very harsh way to protect against tracking and it may lead to a lot of websites not working anymore. That’s why you should carefully decide which companies you block and which not.

Blocking IP addresses in the host file will not work as the hostfile is only there for associating IP addresses to hostnames. As we already have the IP addresses, you need to block them directly in your firewall. If you are running Linux, then you can do that by adding specific iptables rules:
iptables -A INPUT -s XX.XX.XX.XX/XX -j DROP
It’s probably a good idea to also look into ipset when you are blocking large amounts of IPs to prevent performance issues.

Of course it doesn’t make any sense to add these rules by hand as you then would be busy over the next years. You definitely have to automate that, also to keep your blocking lists updated as IP addresses may be added/removed from an AS. A quick search showed up the following script: https://github.com/CHEF-KOCH/ASN-blocking
I haven’t tried this script yet, so I can’t assure you that it will work. But you should get the idea with that - you can build iptables rules for specific ASNs. If you further automate that with a cron job, then you will always have up-to-date lists whilst having to spend no time on building lists.

4 Likes
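As an added example (not the CHEF-KOCH script and not code from the post), a POSIX shell generator that turns a prefix list for one ASN into an ipset that is swapped in atomically plus the matching iptables rules, validating every prefix before it can reach a root-run command, which matters because the ASN list is downloaded input. The prefixes are constructed RFC 5737 documentation ranges, not real allocations of AS 15169, and the set name and chain choices are assumptions.

```shell
#!/bin/sh
# Added example: build an atomic ipset/iptables blocklist for one ASN from a prefix list.
# Prefixes are validated first, because a downloaded list is untrusted input that ends up
# in root-run firewall commands. Nothing is applied: the script only prints the commands.

# Accept only dotted-quad/len with octets 0-255 and len 0-32; reject everything else.
valid_cidr4() (
  printf '%s\n' "$1" | grep -Eq '^((0|[1-9][0-9]{0,2})\.){3}(0|[1-9][0-9]{0,2})/(0|[1-9][0-9]?)$' || exit 1
  IFS='./'; set -- $1                       # split into the four octets and the length
  for n in "$1" "$2" "$3" "$4"; do [ "$n" -le 255 ] || exit 1; done
  [ "$5" -le 32 ]
)

# asn_block_rules ASN < prefixes  ->  shell script on stdout (apply with: ... | sh, as root).
# The set is filled in a temporary copy and swapped in, so a refresh from cron never
# leaves a half-empty set in the firewall.
asn_block_rules() {
  case $1 in ''|*[!0-9]*) echo "usage: asn_block_rules <asn-number>" >&2; return 2;; esac
  asn=$1; name="asn${asn}-v4"; tmp="${name}-new"
  echo "ipset -exist restore <<'EOF'"
  echo "create ${name} hash:net family inet"
  echo "create ${tmp} hash:net family inet"
  while IFS= read -r line; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')   # drop comments and whitespace
    [ -n "$line" ] || continue
    if valid_cidr4 "$line"; then echo "add ${tmp} ${line}"
    else echo "asn_block_rules: skipping invalid prefix '${line}'" >&2; fi
  done
  echo "swap ${tmp} ${name}"
  echo "destroy ${tmp}"
  echo "EOF"
  # INPUT mirrors the post's "-s ... -j DROP"; OUTPUT is what keeps the device from
  # opening connections to those prefixes. "-C" tests first so re-runs do not stack rules.
  for spec in "INPUT src DROP" "OUTPUT dst REJECT"; do
    set -- $spec
    echo "iptables -C $1 -m set --match-set ${name} $2 -j $3 2>/dev/null || iptables -I $1 -m set --match-set ${name} $2 -j $3"
  done
}

# Constructed sample (RFC 5737 documentation prefixes, not a real allocation of any ASN),
# with three malformed lines that must be rejected.
sample_prefixes() {
  printf '%s\n' '192.0.2.0/24' '198.51.100.0/24 # comment' '203.0.113.0/24' \
    '999.1.1.1/24' '198.51.100.0/33' 'not-a-prefix'
}

sample_prefixes | asn_block_rules 15169
```

Replace `sample_prefixes` with whatever fetches the ASN's prefix list, and run the generated script from the cron job so the set is refreshed in place.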

Thank you @exyna for your explanation!

Maybe that will make more sense in a corporation router, I will not block any ASN, but if I am under DDoS attack or something else :smile:

Also, the best way is still to choose our software in a smart way, so we do not have to block everything :slight_smile:

I will definitely set up a dnscrypt server at home, this looks mandatory anyway.

The annoying part is that we have to set up a server running constantly at home.

1 Like

Could the /e/ Foundation help, providing a DNSCrypt server?
There is a Docker image available: https://www.dnscrypt.org/#dnscrypt-server

2 Likes
