Is it unsafe to use /etc/hosts file as a website blocker in the following manner?
Short Answer
Is it safe to use the /etc/hosts file as a website blocking "null" address?
I would argue the answer should be: No.
If for no other reason than the requests are not actually "nulled". They are still active requests. And as the OP indicates, since the requests are for legitimate Internet hosts, this sort of short cut method of redirecting requests to localhost may interfere with testing networking code in a development environment.
Perhaps a better method of blocking traffic to and from certain Internet hosts is to utilize iptables, which is the interface to the Linux kernel's firewall. iptables is the default networking rule table for most GNU/Linux systems. Some distros use ufw as a front-end to iptables.
If you want to use iptables, here's a simple script which will DROP all incoming and outgoing packets for a list of IP addresses or hostnames (one address or hostname per line) contained in a plain text file called ~/blocking.txt:
## Block every IP address in ~/blocking.txt
## DROP incoming packets to avoid information leak about your hosts firewall
## (HT to Conor Mancone) REJECT outgoing packets to avoid browser wait
## Read the file line by line (no word splitting), skip blank lines and "#" comments,
## and quote "$i" so an entry is passed to iptables exactly as written.
while IFS= read -r i; do
    case "$i" in ''|'#'*) continue ;; esac
    echo "Blocking all traffic to and from $i"
    /sbin/iptables -I INPUT -s "$i" -j DROP
    /sbin/iptables -I OUTPUT -d "$i" -j REJECT
done < ~/blocking.txt
Sample ~/blocking.txt:
websiteiwanttoblock.com
anotherone.com
ip.add.of.net/mask
Do not place your localhost IP addresses in this file.
Longer Answer
While reassigning Internet hosts to localhost in the /etc/hosts file is a common short cut technique to block unwanted Internet hosts, this method has some serious security drawbacks.
Incoming requests
Incoming requests which were not purposefully initiated via a specific user request. The most common example is ads on webpages. Let's follow the incoming packets...
First, I start up wireshark. Then I place the biggest Internet ad company in my /etc/hosts file with this line:
127.0.0.1 google.com
Then I disable all ad blockers in my browser, navigate to youtube and play any random video.
If I filter my packets, broadly including Google's IP address space:
ip.addr==172.217.0.0/16
I am still receiving packets from Google.
What does this mean?
It means that there is a possibility of a malicious server inserting malware which may be able to attack my computing platform via packets that are still arriving and sent to localhost. The use of /etc/hosts, rather than dropping or rejecting the packets via the firewall rules, is a poor security measure. It does not block incoming packets from possible malicious hosts, nor does it provide effective feedback for troubleshooting purposes.
Outgoing requests
Outgoing requests which are sent to localhost rather than being rejected or dropped by the firewall rules are still being processed by the kernel. There are a few undesirable actions that occur when /etc/hosts is used rather than the firewall:
Extra processing is occurring when the outgoing packet hits localhost. For example, if a webserver is running on the host, the packet sent to localhost may be processed by the webserver.
The feedback from outgoing requests may become confusing if the /etc/hosts file is populated with certain domains.
iptables can handle lots of rules
According to some:
ServerFault: How many rules can iptables support
A possible theoretical limit on a 32-bit machine is 38 million rules. However, as noted in the referenced post, as the iptables rule list expands so does the needed kernel memory.
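As an added example, not code from any of the answers on this page: a Python helper that turns a blocking.txt style list into the same two iptables rules per entry that the script above uses, but only prints them, so the result can be reviewed before it is applied with root privileges. It also enforces the answer's warning about loopback addresses and refuses entries that are neither an IP address, a CIDR range nor a plausible hostname (such as the placeholder line in the sample file). The sample file contents, the hostname pattern and the TEST-NET-2 range are constructed for this example.

```python
import ipaddress
import re

# A plausible hostname: labels of letters, digits and hyphens joined by dots.
# Constructed for this example; strict enough to reject paths, slashes and spaces.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)

# Constructed sample, modelled on the answer's ~/blocking.txt.
SAMPLE_BLOCKING_TXT = """\
# constructed sample modelled on the answer's ~/blocking.txt
websiteiwanttoblock.com
anotherone.com
198.51.100.0/24     # TEST-NET-2, a documentation range
127.0.0.1           # must be refused: the answer says never list localhost
ip.add.of.net/mask  # the answer's placeholder, not a usable entry
"""


def parse_block_list(text):
    """Yield the entries of a blocking.txt, dropping blank lines and # comments."""
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            yield entry


def classify(entry):
    """Return 'loopback', 'network', 'hostname' or 'invalid' for one entry."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an address or CIDR. Note that iptables resolves a hostname once,
        # when the rule is inserted; later address changes are not tracked.
        return "hostname" if HOSTNAME_RE.match(entry) else "invalid"
    return "loopback" if net.is_loopback else "network"


def build_iptables_rules(text):
    """Return (commands, skipped): rules to apply, and refused entries with reasons."""
    commands, skipped = [], []
    for entry in parse_block_list(text):
        kind = classify(entry)
        if kind == "loopback":
            skipped.append((entry, "loopback address would cut the host off from itself"))
            continue
        if kind == "invalid":
            skipped.append((entry, "not an IP address, CIDR range or hostname"))
            continue
        # Same policy as the answer's script: DROP inbound, REJECT outbound.
        # Entries have been validated, so interpolating them into a command is safe.
        commands.append(f"/sbin/iptables -I INPUT -s {entry} -j DROP")
        commands.append(f"/sbin/iptables -I OUTPUT -d {entry} -j REJECT")
    return commands, skipped


if __name__ == "__main__":
    rules, refused = build_iptables_rules(SAMPLE_BLOCKING_TXT)
    print("\n".join(rules))  # review first; pipe into `sudo sh` only if it looks right
    for entry, why in refused:
        print(f"# skipped {entry}: {why}")
```

Running the script prints six iptables commands for the three usable entries and two "skipped" comments for the loopback address and the placeholder; the loopback check is what stops the mistake the answer warns about before any rule touches the kernel.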
[...] while looking for a simple OS-level website blocking technique, I came upon the solution of using the linux hosts file [...]
To clarify, /etc/hosts just maps hostnames to IP addresses. An entry with 127.0.0.1 doesn't block your access to the server, it just makes your computer locally resolve that particular name to 127.0.0.1. You and the server could still be exchanging packets without restrictions.
If I often use 127.0.0.1 for web development purposes, is this dangerous? It seems that, at the very least, it could mess up the web dev project I'm currently working on?
No, resolving to 127.0.0.1 doesn't put you in additional danger. That's because a website can have its name resolved to any IP anyway, including 127.0.0.1 (unless the DNS server blocks that). So if evilpage.example wanted to resolve to 127.0.0.1, they could just specify a respective DNS A record and wouldn't have to rely on your /etc/hosts. (Also see: Is it safe to have a DNS record pointing to 127.0.0.1?)
Note that running something on 127.0.0.1 may make you vulnerable to DNS rebinding attacks.
Unless your webserver is running on port 80 or 443 on your local machine (127.0.0.1), that shouldn't affect your web project. If it is though, then it could be an annoyance. If you sent a request to http://example.com/api/, then it would end up sending a request to http://127.0.0.1/api/. If you have a resource called /api/, then it would end up receiving the request and thus interfering with your app.
But the biggest point that I would like to stress, which @Arminus mentioned, is that the /etc/hosts file is for mapping IP addresses to hostnames.
If you want to block a particular host, I would suggest installing a firewall such as UFW or using the default Linux firewall, iptables.
Here are some links to help you get started:
UFW: https://www.linux.com/learn/introduction-uncomplicated-firewall-ufw
iptables: https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
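As an added example, not part of any answer above: a self-contained Python script that reproduces the /api/ collision described in the previous answer. The hosts-file mapping is simulated by patching socket.getaddrinfo inside the process, the "dev server" listens on an ephemeral loopback port instead of port 80, and the domain, path and response body are constructed for this example; no traffic leaves the machine.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for this example: the domain "blocked" via the hosts file, and the
# hosts-file content that would do it, expressed as a dict.
BLOCKED_DOMAIN = "example.com"
FAKE_HOSTS = {BLOCKED_DOMAIN: "127.0.0.1"}

_real_getaddrinfo = socket.getaddrinfo


def hosts_aware_getaddrinfo(host, port, *args, **kwargs):
    """Stand-in for the resolver consulting /etc/hosts before asking DNS."""
    return _real_getaddrinfo(FAKE_HOSTS.get(host, host), port, *args, **kwargs)


class DevApiHandler(BaseHTTPRequestHandler):
    """Minimal local 'web dev project' that exposes /api/."""
    received = []  # (Host header, path) for every request the server saw

    def do_GET(self):
        DevApiHandler.received.append((self.headers.get("Host"), self.path))
        body = b'{"served_by": "local dev server"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep stderr quiet


def run_demo():
    """Start the dev server, request /api/ from the blocked domain, report what happened."""
    DevApiHandler.received = []
    # Port 0 picks a free ephemeral port; a real dev server would sit on 80 or 443.
    server = HTTPServer(("127.0.0.1", 0), DevApiHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    socket.getaddrinfo = hosts_aware_getaddrinfo  # "install" the hosts entry
    try:
        # The client believes it is talking to example.com; the resolver sends it home.
        conn = http.client.HTTPConnection(BLOCKED_DOMAIN, port, timeout=5)
        conn.request("GET", "/api/")
        resp = conn.getresponse()
        result = {"status": resp.status, "body": resp.read()}
        conn.close()
    finally:
        socket.getaddrinfo = _real_getaddrinfo
        server.shutdown()
        server.server_close()
    result["seen_by_server"] = list(DevApiHandler.received)
    return result


if __name__ == "__main__":
    outcome = run_demo()
    print(f"HTTP {outcome['status']} {outcome['body'].decode()}")
    for host, path in outcome["seen_by_server"]:
        print(f"local server received: Host={host} path={path}")
```

The local server answers the request and records a Host header beginning with example.com, which is exactly the interference the answer describes: the "blocked" site's traffic is not dropped, it is delivered to whatever happens to be listening locally. A firewall REJECT on the outbound side, as in the first answer, would have failed the connection instead.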