
Tips & Tricks Built-In Security: How to Leverage the Hosts File to Block Ads and More

Spycrawler Nightfire


The hosts file in servers and workstations will readily and dutifully block a, well, host of potentially dangerous content.
Here's some info and advice on how to use the hosts file to block ads, malware, trackers and other unwanted content.

It takes a village of technology to identify and block malware, adware and the like, but organizations have one tool right at their fingertips: the hosts file in servers and workstations.
Organizations can use the hosts file to block ads based on its map of known malware, analytics, cryptocoiners, trackers and/or adware sites.
The file can also prevent mistyped website addresses from being logged by browser default engines, and is easily edited prior to distribution to then-protected hosts, so as not to destabilize platforms.
Better still, the same data can also be readily adapted to fuel .htaccess files, which are the initial visitor access file used by web server engines like Apache and NGINX.

All major operating systems (but not their smartphone versions) support the use of the hosts file to block ads and, in general, access to unwanted content and sites.
The hosts file is an ancient (by today's standards) Unix mechanism that was used before DNS came to be an accepted standard, and was sometimes aided by a tool called YP, or Yellow Pages.

Even though the hosts file has been around for a long time, it is still respected across a surprising number of platforms.
Where it doesn’t work very well is on smartphones, where users are usually blocked from placing system files (for reasons only an ad revenue-loving telco/carrier could love).
Only rooted phones allow a hosts file to be placed where it will block errant keystrokes, embedded malware or virus outbound requests.
The blocking provided by this file can also be added to routers, firewalls, and other devices and appliances that accept the file format.

The best amalgamated, updated source file I’ve found comes from GitHub. The file is updated frequently, usually once a week, and a table of sources provides information on how the file was built.
Placed in the proper directory or folder, almost any computer system will dutifully look in the hosts file first, prior to ever looking onto its network interfaces.
This allows the file to trap errant excursions to the sites listed in the file.

Should there be an entry in the hosts file matching a user request (desired or not), the request--say, from a browser--will follow the actions listed in the hosts file.
If there’s a match in the hosts file, the operating system will do the bidding of the hosts file's directive, routing the request to a "null route" address pointer.
Then, nothing happens, meaning no undesired excursion to the site listed in the file.
There are methods of getting around the hosts file, but it takes quite a bit of skill to do so.


Understanding Hosts File Contents

The hosts file contents are simple to understand. There are two columns.
On the left side are IP addresses that direct where packets should be routed, with most modern operating systems supporting IPv4 or IPv6. To block the packets, use the null route addresses IPv4 0.0.0.0 or 127.0.0.1.


Therefore:

0.0.0.0 google.com

will simply forbid your system from getting to Google. However, goog.gl, gmail.com and other variations will each require a unique entry.
It’s for this reason (among others) that the hosts file we use contains nearly 1.5MB of "bad guys."

The IPv4 address 0.0.0.0 is a blackhole address, while IPv4 127.0.0.1 is the localhost address or “loopback” address (meaning the machine’s internal networking address).

The IPv6 blackhole address is just as easy: 0.0.0.0.0.0.0.0 or simply ::1. Entered as the left tuple, this will blackhole an errant address request.
Use IPv4 syntax or IPv6 syntax where appropriate when you add your own listings.


Of course, the hosts file is not without its limitations.

Should you use the downloaded hosts file as is, several problems can easily crop up.
For one thing, some sites will misbehave: Videos might not load or pages will look strange because they were built to accommodate ads and certain script behavior.
Sites that are financed by ads may also face issues if they can't communicate with systems that monitor page views, and the cited hosts file contains many ad-serving websites that users probably didn't realize were embedded in their web pages.
Indeed, organizations with diverse support bases may not benefit from using a hosts file.

Organizations will also have to consider the impact the size of the hosts file will have on performance.
The hosts file we use is now more than a megabyte and a half; in practice, this means that the lookup table for bad sites has to be scanned 60 times in a single complex web page load, slowing things down.

With that said, a hosts-file-protected machine blocks an incredible number of malware sources, adware, and tracking tools, which is why some admins use the hosts file as a block at the firewall or router level.

And, although IP addresses with zero-day difficulties may or may not be covered by such blacklistings, many sites that are potential troublemakers are covered.
We do recommend that admins who want to deploy the file and/or its subsequent weekly updates take a moment to scan through the file listings to ensure that certain resources won’t clobber certain websites (for example, MSN’s ad trackers) in a way that would cause application misbehavior. For most users and admins, a little editing of the hosts file is necessary, but the system security benefits are worth it.

Text guide:
1. Go to Start, Run, then type this location C:\windows\system32\drivers\etc
2. Double click on the file 'hosts' and open it with Notepad
3. Leaving Notepad up, go to Start, Run, and type in CMD
4. In Command Prompt, type in "ping #######.com". Replace ####### with the website you want to redirect to.
5. It should now bring up the IP address. Go back into notepad and then type in the IP address, add a space, then type in the website you want to redirect from.
6. Next make a new line and copy the exact same thing but add a "www." before the website.
This is what it should look like for you so far: 0.0.0.0 example.com 0.0.0.0
If you want to block websites, change the IP address to 127.0.0.1. Now save and you're done.


What is your experience with hosts files as a security tool? Do you have any advice or context to add? Let us know in the comments section.
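
The post recommends scanning a downloaded hosts file before deploying it. The sketch below is an added example, not part of the original post: it parses hosts-file text, reports lines whose address is not a valid null-route or loopback address (including anything that would redirect a name to a real IP), and flags entries that would block a domain on a hypothetical allowlist. `REQUIRED`, `audit_hosts` and the sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample of a downloaded blocklist (not taken from any real list).
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.com www.ads.example.com   # two names, one line
127.0.0.1 tracker.example.net
::1 v6ads.example.org
203.0.113.7 login.example-bank.test
0.0.0.0.0.0.0.0 typo.example.org
0.0.0.0 cdn.intranet.example
"""

# Hypothetical allowlist: domains this organization must keep resolving.
REQUIRED = {"intranet.example"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def audit_hosts(text, required=REQUIRED):
    """Return (blocked_names, findings) for the text of a hosts file."""
    blocked, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if not fields:
            continue
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "invalid-address", addr))
            continue
        if not (ip.is_unspecified or ip.is_loopback):
            # A blocklist should only sink names; anything else is a redirect.
            findings.append((lineno, "redirect", f"{' '.join(names)} -> {addr}"))
            continue
        for name in names:
            if name in LOCAL_NAMES:
                continue  # normal loopback mapping, not a block entry
            if any(name == d or name.endswith("." + d) for d in required):
                findings.append((lineno, "blocks-required", name))
            else:
                blocked.append(name)
    return blocked, findings

if __name__ == "__main__":
    names, problems = audit_hosts(SAMPLE)
    print(len(names), "names blocked")
    for finding in problems:
        print(finding)
```

Any `redirect` or `invalid-address` finding in a list pulled from a third party is worth resolving before the file is pushed to other machines.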


 

WhiteLocks

I would like to share my host file; this host blocks a lot of bad unwanted sites, advertising, malware and ransomware websites. :)

(Just rename the file from .txt to nothing and then it will change to a file extension. Now put the file in C:\Windows\System32\drivers\etc and remember to back up your original host file just to be safe.)
 

Spycrawler Nightfire

Thanks for the host file, and here is my other thread, as this thread was meant to have people get an understanding of how the host files work rather than what's in it. This fits better on my other thread, therefore
 

SiteWizard

@Spycrawler Nightfire thank you. A nice tip / trick :)
 

Cyler

Host files can be both a blessing and a curse, so before you start editing/adding websites in the host file there are some things you should know, especially for less powerful PCs and/or older Windows.

  • Having a long etc file, due to the nature of how Windows processes the DNS cache, might slow down (or even crash in some cases) your browser every time you connect/reconnect to a network (including Wi-Fi) because that's when the host file is being parsed. The same can happen to some apps that do frequent DNS lookups. Just keep in mind that you are caching a 1 MB (or more) "database" of names that your computer compares on every DNS resolve. Please keep in mind it's different for each PC/CPU type. Some might have issues, some might not.

  • There are cases of high CPU usage (mostly the localhost process) when parsing very long host files. In most cases disabling the DNS Client service might speed things up.

  • Use 0.0.0.0 and not 127.0.0.1. It might be a small difference, but Windows knows that 0.0.0.0 is an "invalid" IP (also called blackhole) and doesn't try to resolve it, while if you use 127.0.0.1 it will always try to resolve to your local hostname, and that leads to a small waste of CPU cycles, but waste nevertheless, especially on low-power PCs/laptops. Use 127.0.0.1 ONLY for such cases/apps like private web servers and/or testing.

  • You will often see 2 different names for a host file: Long and Huge. At first look, it might seem like there is no difference, but it's not true.
    a. The long version looks like this
    0.0.0.0 site1
    0.0.0.0 site2
    0.0.0.0 site3
    ...
    0.0.0.0 site(n)
    The huge looks like this
    0.0.0.0 site1 site2 site3 site(n)

    The difference is that the huge type gets parsed up to 15x faster than the long type, so a bit of organizing might make things faster. It's easy to make a small program that can do the conversion (I've done one a few years ago) or do it manually but keep in mind each line should be about 256 chars long (about 9 names per line).

  • For people that think you can blacklist MS websites (like Windows Update) using host file entries.... think again. The following domain names are hardcoded in Windows, specifically in the file %WINDIR%\system32\dnsapi.dll, and ignore changes in host files.
    msdn.com, msn.com, go.microsoft.com, msdn.microsoft.com, office.microsoft.com,
    microsoftupdate.microsoft.com, wustats.microsoft.com, support.microsoft.com, microsoft.com, update.microsoft.com,
    download.microsoft.com, microsoftupdate.com, windowsupdate.com, windowsupdate.microsoft.com
Now I assume that most will want to edit the host file so they can block malicious sites from ever accessing your PC. You can, of course, go through that or... simply use 9.9.9.9 as DNS. For more info google Quad9. Here is the short version:
"The Global Cyber Alliance (GCA) has partnered with IBM to launch a free public Domain Name Service system. That system is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts. Called Quad9 (after the 9.9.9.9 Internet Protocol address the service has obtained), the service works like any other public DNS server (such as Google's), except that it won't return name resolutions for sites that are identified via threat feeds the service aggregates daily. "

I hope the above information was helpful.
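
The long-to-huge conversion described in the post above, as an added example that is not the poster's own program: it merges block entries into lines of at most 9 names and 256 characters, rewrites 127.0.0.1 block entries to 0.0.0.0, and leaves other mappings such as localhost untouched. The function name, constants and sample names are constructed for illustration.

```python
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
SINKS = {"0.0.0.0", "127.0.0.1"}  # addresses treated as "block this name"

# Constructed input in the "long" layout: one name per line, mixed sinks.
NAMES = [f"ads{i}.example.com" for i in range(1, 12)]
SAMPLE = "127.0.0.1 localhost\n" + "\n".join(
    f"{'0.0.0.0' if i % 2 else '127.0.0.1'} {name}" for i, name in enumerate(NAMES)
) + "\n0.0.0.0 ads1.example.com  # duplicate entry\n"


def compact_hosts(text, per_line=9, max_len=256, sink="0.0.0.0"):
    """Rewrite block entries as 'sink name1 ... nameN' lines; return the lines."""
    kept, names, seen = [], [], set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # comments are dropped
        if not fields:
            continue
        addr, hosts = fields[0], [h.lower() for h in fields[1:]]
        if addr not in SINKS or any(h in LOCAL_NAMES for h in hosts):
            kept.append(" ".join(fields))  # real mapping: pass through as is
            continue
        for host in hosts:
            if host not in seen:  # de-duplicate while keeping first-seen order
                seen.add(host)
                names.append(host)
    lines, current, count = [], sink, 0
    for host in names:
        too_long = len(current) + 1 + len(host) > max_len
        if count == per_line or (count and too_long):
            lines.append(current)
            current, count = sink, 0
        current += " " + host
        count += 1
    if count:
        lines.append(current)
    return kept + lines


if __name__ == "__main__":
    print("\n".join(compact_hosts(SAMPLE)))
```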
 

Uncle Mac

more than useful ...thanks @Cyler
 

Wichestery2k

@Spycrawler Nightfire @Cyler and @WhiteLocks great tricks and useful info...
 

babulal39

Great idea
 

MajorEncore

Thanks @Spycrawler Nightfire!

Link's dead, any chance of a re-up?
 

Chuck

@WhiteLocks

Your link in this post is dead.

You have been requested to upload it again. If you have trouble editing the post then ask the staff for help.
 