Discussion on:

Quick Tip: Block unwanted sites using the Windows hosts file

Have you used the Windows hosts file in this manner? How effective is it?

I first started playing with this years ago when I was teaching A+/Net+ to demonstrate how the loopback address works. Simply blocking some ads was the goal then. Fast forward a few years to supporting users at a large law firm. We were having serious problems with malware/spyware. Part of our solution was to modify Hosts to block all known malware sites and add it to our login script to push it to all users. This has several advantages over adding the entries to DNS. Hosts is read before DNS is queried, and mobile users are protected even when they are using outside DNS servers. It does need updated periodically since the badware sites are always adding new sites, but we have found it to be a very effective piece of our total defense.

If you have a network where all the desktops are resolving stuff against your ISP's DNS server, I guess this is OK. Not terribly scalable. But as soon as you have a DNS server locally, DON'T DO THIS. Just override the entries on your DNS server.

Honestly though, this is really a jury rigged way of doing things. Do you REALLY want to manually maintain a list of malware/banned lists? Any firewall worth its salt can subscribe to such a list automatically, or buy the software for the clients, or buy a dedicated device or software like WebSense.

In fact, for the home users or small business user, I wouldn't do this anyways! maintaining the list is a hassle. Is your time SO WORTHLESS that maintaining the list is "cheaper" than spending a few bucks on software that does this? Especially since many browsers automatically do this kind of thing automatically anyways...

This is a solution looking for a problem.

J.Ja

I view the hosts file as a thing, you use it to add/augment a service. For one thing it'll speed up finding a remote host, faster and less overhead than finding it over netBIOS.

Only on rare occasions, though, as folks have mentioned you'd do this when using the ISPs DNS, or a third party like OpenDNS that you haven't gotten around to configuring yet.

If there were some way to sync a current, fluid listing of the bad boys the last thing you'd want to do is have it writing to everyone's hosts file. That's a job for your AV or firewall.

So being an incomplete and ever changing target I'd save myself the labor and look elsewhere.

As Jack says this is a quick and dirty method and it does work, as well as you keep up with the listings anyway. I've seen a lot of home user-types do this. They stumble across the concept on the internet, or hear about it from their geek nephew or similar.

I just prefer to keep system files on client machines out of the mix, to the greatest degree possible.

This is a perfectly servicable way of blocking some unnecessary/inappropriate traffic. However, there are few problems.

For this to work, all but the sysadmins have to be locked out of the hosts file. This is of course feasible, but there are legitimate uses of the hosts file that it might not be good to take away from users.

It doesn't seem scalable. For a couple of machines, sure, no problem, but when you're having to update this file on dozens or even hundred of boxes, and still preserve the permissions lock-down, and make sure all the boxes have the same file ... well this starts to sound like the kind of complexity you *want* a third-party app to manage.

One drawback that probably doesn't matter in a whole lot of cases is that this won't stop any request that uses an explicit IP address. So it would have less effect against, say, a chat application.

I use http://www.mvps.org/winhelp2002/hosts.htm on all my system builds to block known malicious sites and most unwanted ads. Works very well for those annoying side-bar advertisements, which saves time and bandwidth .

You need two parts to scale this, a GPO and a batch file on a network share.
GPO: Computer Configuration - Polices - Windows Settings - Scripts - Startup - Enter file path \\ServerName\ShareName\HostCopy.cmd for example.
Batch File: (HostCopy.cmd) xcopy /D /y "\\ServerName\ShareName\HostCopy.cmd" "%SystemRoot%\system32\drivers\etc\"

Upon bootup (or reboot) the Hosts files will get updated. You have to do this at boot so that the batch file has the permissions to write to the system folder.

If I have GPO, I have a DNS server... and I can just do it at the DNS server and be done with it.

J.Ja

Actually we use this configuration for another reason alltogether however it is an easy way to update the hosts file on computers in the enterprise.

Why not just create a www record in the DNS and point it to the loopback address? Quick and easy way to block sites without having to go to each machine and edit a buried file.

My Hosts file is just like the example - empty.
What is the best way to populate this with relevant sites? I was thinking maybe copying the DNS to a notepad, weeding through it and then adding sites to Hosts.

Is there an easier way?
How do I access the DNS to copy data from there?
Does this only work for internet or email too (using Outlook)

thanks.

A couple of tips: go to http://www.mvps.org/winhelp2002/hosts.htm and download their hosts.zip; that will contain most unwanted sites. You can then add your own.

As well, it is useful to add allowed addresses for named PCs on your LAN, e.g..
192.168.1.10 Sarah
That will redirect any call to the PC named Sarah to that IP. This gets around thorny name issues like WINS, DNS, DHCP, Netbios, Neteui, etc. that supposedly provide name-to-IP mappings but often do not work properly.

Where's the pre-set hosts file you mention in the article?

This has dangers if it is done without a good understanding by all concerned parties - I worked with a company where someone had set up their computers with a host file directory many years ago. Problem was, no one there was aware of this, and as computers were added, moved, and changed, the files became outdated and broke communications between certain machines. I found the culprit fairly quickly, but it cost the company a great deal of downtime, frustration, and eventually, of course, my own fees - to resolve this.

I think he is talking about the zip file mentioned at the end of the article but there is no link to it. I downloaded the one mentioned by Basil http://www.mvps.org/winhelp2002/hosts.htm and it looks like it has most of them.

One more question, can we get rid of a whole domain or must we specify dubdomains? for instance:
adsmax.com instead of allchix.adsmax.com and www2.adsmax.com

Don't Spybot S&D ("Immunize") and SpywareBlaster do this? Or does this article add something? Thanks.

Spybot S&D does put these entries into this file

this mornings immunizations brought the total of "Bad Sites" up to 14,877

that's a heavy load on the hosts file

a heavy hosts file always seemed to crash the DNSClient Service on any system that I've ever immunized (especially win2K / XP)

immunization is handy for home user / SOHO / setup in a work group config.
but there should really be no need in a properly configured Domain environment

I have used the pre-set file from the link mentioned for years, first while deployed to speed up my personal laptop and then later to help guard against malware on Army machines. I have no proof but I don't remember getting any malware on the machines that had that hosts file on it and most users seemed to think the 'net was faster. As mentioned earlier, it is also great for using at the house to speed up connections between systems on your network.

I agree with the DNS server issue but is still another layer of defense against not only malware but crapware and all those annoying ads out there.

Good old school tip that most people don't remember anymore.

S&D automatically adds websites to the hosts file.

Hostman is listed on the MVPS site, I've been using it for over a year now. It has my host file at just under 3 meg and can be turned off easily to get to a site that is banned or needs one of the banned sites as a jumping point. You can find it at abelhadigital.com

I've been using http://www.mvps.org/winhelp2002/hosts.htm for many years now. It saves a lot of bandwith too(less commercial spam). I even use it on my linux machines. They use a hostfile too. Thumps up for mvps.org!

to block many of the bad addresses - using Immunize function - it adds them to hosts file. Then install and use Microsoft Fiddler to find all addresses with annoying adds - to add them also to hosts file. Fiddler shows all the Internet communication and you can easely get known which of them is the bad address (you can also try it and delete from hosts file).

When users (don't) see all the blocked ads on otherwise reputable sites, they'll be calling for support.

It has most of the features a user may ask for, abel to download from own prefered sources beyond these that already is defined within the software like MVPS, hpHosts etc. Perhaps the editors could be even more improved & developed in support more sources and fix som bugs. Otherwise the koncept are really easy to use and has the features a user will need. Automatic download, merge the hostsnames, searching for duplicates, optimization and a resonable simple to use texteditor...

Only one problem that might happen after a while for some users like for many of these tools that people "Set & forget"

Four months later...Why does Google block me out from this site?
Aha, a new censorship with blocked content once again.
Google IS Bad

Check out http://hostsfile.org/pac.html will give you all the info you need. Also has a massive hosts file so you don't Need to make your own.

-----------------
Posted from my Notion Ink Adam

This is a trick I used 20 years ago to block ad sites, and I still do. I get irratated when using my wifes PC as she do not want me to modify the host file. Viewing ads is a complete waste of time.
Stan

But not on a domain with DNS... never. Too hard to maintain on 500+ PC's across 8 sites in our forest as well.

I use clearcloud to filter all websites I browse to. It will prevent you from opening any harmful sites. http://clearclouddns.com/

The hosts file is probably as old as TCP/IP. Yes it is built into Windows 7, it is also built into Windows XP, and earlier versions as well as every OS I have ever worked with that uses TCP/IP.

Whether using it to block sites you don't want people visiting is a good idea or not, this might work as long as you don't have a moderately savvy user.

maj

OK. first, I'm not sure if mentioned but it is still good to back up the host file.

Host files can only go so far.

Other ways is to add sites to the restricted zone in your browser.
Use the route command to block some sites. I have blockred the "Russian Business Network" but nothing else with this method.
Some premium home routers have the option to block sites as well.

A business should be blocking from their firewall. Rediculous to update host files manually.

Some free DNS services automatically block known bad sites and you can add to it. It comparison, your typical ISP will do didly squat with their DNS.