3

I'm trying to figure out why my hosts file isn't being honored correctly. And by correctly I mean, when I visit the website I'm trying to block it takes about 12 hours for it to take effect.

And yes, I know this question is similar to [this one](https://serverfault.com/questions/50934/hosts-file-being-ignored) and no, nothing proposed there solved the problem.

Background: I'm trying to block YouTube from my son's computer during school hours. My router allows for blocking on a schedule, but it affects my whole network. Now, I know, I can just get a good, configurable firewall appliance (e.g. Firewalla, pfSense, Untangle, etc.) or add a second wireless access point, have his laptop connect to that, and create a block rule on that second AP. But I'm an idiot, and I chose the hard route.

So what I was thinking was to create two alternate hosts files, one with this line to block YouTube:

127.0.0.1 youtube.com

and another without. I then created two batch scripts to replace the hosts file according to a schedule using the Windows scheduler. Here's the batch script:

@ECHO OFF
REM Overwrite the live hosts file with the "YouTube blocked" copy (COPYCMD=/Y and /Y suppress the overwrite prompt)
SET COPYCMD=/Y
xcopy /V /Y C:\Windows\System32\drivers\etc\hosts_YT_OFF.txt C:\Windows\System32\drivers\etc\hosts
REM Drop cached DNS answers so the new hosts entries are consulted on the next lookup
IPCONFIG /flushdns

So, when I execute the script (haven't even got to the scheduler step yet) it works as it's supposed to, sorta (and by "sorta" I mean that yes, technically, it has worked, but it took over 12 hours to take effect).

Check the hosts file: yes, it's been replaced correctly.

Ping "youtube.com":

C:\WINDOWS\system32>ping youtube.com

Pinging youtube.com [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

As you can see, the hosts file is being honored. Check the dns cache:

C:\WINDOWS\system32>ipconfig /displaydns

Windows IP Configuration

youtube.com
    ----------------------------------------
    No records of type AAAA


    youtube.com
    ----------------------------------------
    Record Name . . . . . : youtube.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 0
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1

Tried this:

C:\WINDOWS\system32>nbtstat -R

No change.

Did this:

C:\WINDOWS\system32>ipconfig /release
C:\WINDOWS\system32>ipconfig /renew

Again, no change. I mean, it does disable the adapter and renew it, but I can still access YouTube on Chrome, Firefox, Edge. And yes, I've restarted the browser, and cleared the caches. Nothing.

I have not restarted the computer though, and I don't intend to. For one, it will eventually disable YouTube. And two, when I ping youtube.com it comes back localhost, so, why should I? Something is mucking this up and I'm too damned stubborn to let it go and take the aforementioned, easy solutions. :P

The hosts file is being replaced correctly, as is with the second script which just replaces the blocked youtube hosts file with the default one when I want to re-enable youtube access. And I've confirmed that with pinging and being able to access YouTube after it was successfully disabled (which only happened like 12 hours later).

I hope all of this makes sense. There has to be some very simple Windows network explanation for this that I'm missing. Any help would be greatly appreciated.

Update 9/11/2020. I got it to work. The problem was I needed to add this additional address to the hosts file:

127.0.0.1 www.youtube.com

That's it. Nothing complicated at all, just a "www". I'm not sure why, as I thought the domain name would cover it. Nope. Sigh. So now it reads:

127.0.0.1 youtube.com
127.0.0.1 www.youtube.com
6
  • I remember facing the same issue and thinking to myself it must be chrome ignoring the hosts file. I didn’t expect that FF ignores that too. Will test again on my pc. Commented Sep 7, 2020 at 0:30
  • 2
    I found that if DNS over HTTPS is enabled in Firefox, the hosts file would not have any effect. If DNS over HTTPS is turned off, the hosts file would work perfectly. According to bugzilla.mozilla.org/show_bug.cgi?id=1453207 it is intended behavior. Commented Sep 7, 2020 at 0:35
  • Thanks for the suggestion SparedWhisle, but I had already disabled that in FF (Options -> General -> Network Settings -> uncheck box "Enable DNS over HTTPS"). Still can access YouTube. I disabled the proxy access too in case that made a difference (it didn't). Commented Sep 7, 2020 at 1:33
  • I'm afraid there are too many ways of bypassing your setup. You've blocked just two hostnames but your son could try an alternate domain name like youtube.fr (the name must be registered in dozens of extensions). I'm confident your son will easily find out.
    – Kate
    Commented Sep 12, 2020 at 11:28
  • He's only 7 y.o., so I'm pretty confident I have several years before he's that savvy ;) Hopefully by then he'll understand getting homework done first, removing the need for the block in the first place :P Commented Sep 13, 2020 at 20:46

3 Answers 3

1

Since MS Windows ignores some specific hosts rules, and even considers some such attempts a security risk, you might try making a Firewall Rule to block specific sites. One rule can block multiple URLs. You can make a batch script to activate the rule:

netsh advfirewall firewall set rule name="TestRule" new enable=yes

Or use ... enable=no to inactivate it.

  • Press Windows, type firew, and select Windows Defender Firewall with Advanced Security.
  • Select Inbound Rules.
  • Select New Rule... under Actions.
  • Select Custom rule.
  • Under Scope, add the many remote IP addresses for YouTube.com, e.g., 172.217.6.238 (see below)
  • Under Action, Block the connection.
  • Repeat, if needed, for Outbound Rules.

N.B. Blocking a single IP address is useless, because YouTube owns many IP addresses, e.g.,

  • Individual addresses:
    • 208.65.153.238
    • 208.65.153.251
    • ad nauseam
  • Ranges of IP addresses:
    • 199.223.232.0 - 199.223.239.255
    • 207.223.160.0 - 207.223.175.255
    • and many others that haven't been discovered, as T. Lehrer put it.

Caveat: These Firewall rules can be bypassed, and also will need to be updated as YouTube adds more IP addresses.

6
  • While this is a very helpful answer, it doesn't explain why OP's web browser seems to bypass a correctly configured hosts file. Commented Sep 7, 2020 at 14:29
  • Because there are many IP's and because MS ignores the hosts file, on occasion? Commented Sep 7, 2020 at 19:52
  • Thanks for the suggestion DrMoishe Pippik, I appreciate the input. I'm not presuming you're an MS engineer and know all the answers but, any idea why MS ignores the hosts file? Is this a superfluous component of Windows that is destined to be scrapped? Also, any reason why you can't just block a domain as you can an IP or range of IPs? Commented Sep 8, 2020 at 6:37
  • 1
    More information here: serverfault.com/questions/452268/… Commented Sep 8, 2020 at 7:31
  • Funny thing is, hedgie, I saw that thread too. I musta looked at the headings of the first answer and just "yeah yeah'ed" them away. But after having tried basically everything else I went back to see if I missed anything, and it turned out the one thing - the only thing I missed - worked: "Did you take care of all variants (www.example.com and example.com - safest to just add both)?" No, I hadn't done that. I only had "youtube.com" in the hosts file. I added "www.youtube.com" and voilà, it works as it's supposed to. 100%. Set up a schedule and it works perfectly. Ugh. Commented Sep 12, 2020 at 6:27
0

Some programs maintain their own cache of DNS lookups.

Therefore, for such programs, you'll also need to tell the program to clear its cache, if it offers a way to do this.

0

The problem here is that the hosts file (as the name implies) contains host name entries, not domain name entries.

youtube.com happens to be a host name, which is the reason why you can navigate to it with a browser, and why that entry in the hosts file affects anything at all.

As you already have figured out, www.youtube.com is another host name where the same contents can be reached. Thinking this through further, you will run into problems with this method, because you can't know how many other host names YouTube uses.

For example, m. instead of www. is still often used (especially by big sites) for the mobile version of a site. Therefore, I just tried m.youtube.com, and it worked. I haven't investigated thoroughly, but this seemed to just cause a redirect. However, depending on how old (i.e. how smart) your son is, it will be sufficient to find out the needed IP address (e.g. open cmd and issue ping m.youtube.com). I assume that there is a bunch of other host names which lead to the YouTube contents.

To summarize, it is not domains, but host names which you enter in your browser's navigation bar and which you put into the hosts file, and unfortunately, in the first place, you don't know how many and which host names resolve to the same host, which is one of the reasons why protection systems like the one you described cannot be bullet-proof.

[There are methods to investigate what host names are used in a domain, but I believe that those details would be off-topic here, and there are other caveats with your protection system. Plus, YouTube could add and remove additional host names at any time, so you would have to check that regularly.]

4
  • Thanks for the information. So, will this also make it difficult to block access at a firewall level? I'm looking into changing my home network security. Something like a Protectli box running pfsense or Untangle for router and firewall? My kid is 7 y.o., so no real chance of him outsmarting me just yet ;) For the time being I'll just add other hosts to the file (e.g. m.youtube.com). Commented Sep 13, 2020 at 0:49
  • @captainentropy At the firewall level of "normal" firewalls, you are facing a problem of the same structure: Here, you usually block IP addresses, but you cannot know what IP addresses e.g. YouTube uses (probably several dozen). But there are also enterprise-grade firewalls which operate at another level: They inspect the payload of all traffic (not just the metadata like protocol, addresses and ports) and filter it according to user-defined rules. [...]
    – Binarus
    Commented Sep 13, 2020 at 6:10
  • [...] Some SOHO routers can do some parts of this as well. If your router provides DNS service for your network, you might be able to let it block traffic to certain hosts or domains according to custom filter lists whose entries can be expressed in regular expression syntax (or other wildcard syntax). That way, you could even block traffic to e.g. *porn*, but your users could still use IP addresses to reach these sites. As a final general remark, if you want to improve security, most problems arise from others intruding into your network, not from your users reaching "forbidden" sites.
    – Binarus
    Commented Sep 13, 2020 at 6:19
  • I've seen these firewall limitations in the current router I have (Nighthawk). I'm still looking into pfSense and Untangle. I'm not sure if these are considered "normal" firewalls. Considering how much Untangle charges for non-home users, I'd consider this "commercial grade". By "security" I am definitely referring to outside attacks. I've had a number of events that have me considering an upgrade. I back up all of my servers, devices, etc. to external drives and offsite storage in case of a ransom-type attack. Commented Sep 13, 2020 at 20:40
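The point made in the question's update and in the answer above (a hosts entry matches one exact host name, not a domain and everything under it) is easy to check with a small model of how a resolver reads the hosts file. The following Python is an added example, not code from this thread or from Windows: the sample hosts content, the helper names and the short list of common host-name prefixes are constructed for the illustration, and the trailing-dot handling is an assumption about resolver behaviour, not something the thread states.

```python
"""Model of hosts-file lookup semantics (added example, not from the thread).

Shows why "127.0.0.1 youtube.com" leaves www.youtube.com and m.youtube.com
unaffected, and reports which common variants a block list still misses.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the default Windows hosts header plus the one entry from
# the question. Note the commented-out localhost line, which the resolver ignores.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
127.0.0.1 youtube.com
"""

COMMON_PREFIXES: Tuple[str, ...] = ("", "www.", "m.")  # constructed, not exhaustive


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name (lower-cased) to the first address listed for it.

    hosts-file rules: one address followed by one or more names per line,
    '#' starts a comment, names are case-insensitive, and the first matching
    line wins, so a later duplicate of the same name is ignored.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names is skipped
        try:
            ipaddress.ip_address(parts[0])  # accept IPv4 or IPv6 literals only
        except ValueError:
            continue  # malformed address: the resolver skips the line
        for name in parts[1:]:
            table.setdefault(name.lower(), parts[0])  # first entry wins
    return table


def resolve(table: Dict[str, str], name: str) -> Optional[str]:
    """Exact host-name match only: no wildcards and no suffix matching.

    A trailing dot (fully-qualified form) is stripped first; that is an
    assumption of this model.
    """
    return table.get(name.lower().rstrip("."))


def is_blocked(table: Dict[str, str], name: str) -> bool:
    """True when the name is pinned to a loopback address, as the question does."""
    addr = resolve(table, name)
    return addr is not None and ipaddress.ip_address(addr).is_loopback


def uncovered_variants(table: Dict[str, str], domain: str,
                       prefixes: Tuple[str, ...] = COMMON_PREFIXES) -> List[str]:
    """List the common host-name variants of `domain` that have no blocking entry."""
    return [p + domain for p in prefixes if not is_blocked(table, p + domain)]


def blocking_entries(domain: str, prefixes: Tuple[str, ...] = COMMON_PREFIXES,
                     addr: str = "127.0.0.1") -> str:
    """Render one hosts line per variant, ready to append to the hosts file."""
    return "\n".join(f"{addr} {p}{domain}" for p in prefixes)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("youtube.com", "www.youtube.com", "m.youtube.com", "localhost"):
        print(f"{host:20s} -> {resolve(table, host)}")
    print("still reachable:", uncovered_variants(table, "youtube.com"))
    print("lines to add:\n" + blocking_entries("youtube.com"))
```

Running it prints that only youtube.com resolves to 127.0.0.1, that www.youtube.com and m.youtube.com are still uncovered, and the three lines that would cover the listed variants. The same exact-match rule is why the commented-out localhost line has no effect, and why, as the answer says, a hosts-based block is only as complete as the list of host names you know about.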
