16

I was going through this Net Nanny article that mentioned the various ways its web filter could be bypassed by kids.

Among other methods, I saw this:

One way that teens can get around the filter entirely is to install a program that runs a virtual machine on the computer, essentially a computer within the computer. So, for example, if your computer’s operating system is Windows, the crafty teen can download a program that runs a virtual Windows operating system that won’t have Net Nanny installed, and then surf the web with no filter.

Now I was wondering if this might still be possible if the hosts file on the host OS has blocked access to all unwanted websites (let's assume for the moment, that such a huge, regularly updated hosts file does exist) including sites with adult content, web proxies, P2P file-sharing sites, etc.

Now would it be possible to visit those blocked sites from within a web browser running in the VM? Let's also assume that no VPN is used, and neither is Tor or Google's "cached" view of the webpage.

3
  • I've tried running Ubuntu on my Windows 7 installation with K9 installed but the hack didn't get past K9's defences :( Commented Jul 29, 2014 at 10:26
  • 1
    You must be doing something wrong because I could easily bypass it.
    – Vinayak
    Commented Aug 2, 2014 at 6:47
  • UPDATE: You probably set the VM's network connection mode as NAT. Change that to "Bridged" and K9 won't help anymore.
    – Vinayak
    Commented Aug 2, 2014 at 6:56

2 Answers

26

Yes. The hosts file does not block anything, it just tells the computer where it can find named websites. When you try to go to google.com, the system will check its hosts file for that name, and if it exists, it'll use the IP there instead of looking up the IP from a DNS server.

A virtual machine has its own hosts file, and performs its own name resolution (i.e., checking its own hosts file and contacting its own DNS server), independent from the host computer.

Even if you redirected google.com to 127.0.0.1 (a common way of "blocking" a website), you can still get to Google simply by typing in 173.227.93.99 in your web browser instead.

Additionally, IP-based filters on the host OS may be useless depending on how the VM network is configured. Usually, the VM is "bridged" with the host networking, meaning that all the incoming traffic is duplicated and sent to the VM so that it can see all of the network traffic that the host does. Even if the host is configured to block or filter certain IPs (such as with a firewall), the VM will still get to see its "copy" of the data, which will allow the VM to browse the internet and ignore a filter installed on the host computer.


Remember the cardinal rule of computers and security: If I can physically touch a computer system, then given time I can have full control over it; kids have lots of free time, and by no means are they an exception to this rule. It's trivial to reboot a system into safe mode and remove NetNanny or any other piece of software installed upon it.

If you wish to filter/restrict/monitor what your kids do on the internet, you need to do so at the network level, not the system level. Look into what features your router supports (such as NetNanny Integration like @Keltari suggests), and if it will support alternate router firmwares such as DD-WRT which can do a scheduled disconnect of the child's computer (Say, from 10pm to 6am each day).

Even then, network filtering is often a game of Whack-A-Mole, and often easily thwarted by proxies like Tor; it is next to impossible to stop someone from accessing the internet that really wants to (just ask China or other countries that have massive firewalls which ultimately don't work perfectly).

With kids, you either have to talk with them and explain to them the perils of the Internet and have enough trust that they won't intentionally go seeking the bad sites (and then use NetNanny merely as a backup to stop accidental navigations), or you have to not let them use a connected computer unsupervised.

17
  • 2
    +1. Check if your router supports netnanny integration, some do. If not, you can always purchase one that does.
    – Keltari
    Commented Jul 28, 2014 at 14:54
  • Thanks! I was just wondering about the same thing (i.e. if it'd work if the VM's network adapter was "bridged" with the host or if it was configured as NAT)
    – Vinayak
    Commented Jul 28, 2014 at 15:00
  • 1
    @Vinayak See my edits to my post; A "blacklist" proxy (where you add sites to be blocked) can help if you want to stop accidental navigation to bad sites, but ultimately someone can get around it if they want to. A "whitelist" proxy (where you add sites to be allowed, and everything else is blocked) can stop people from going to unwanted sites, but requires much, much more work to maintain because you have to add each domain or IP to the whitelist. A site like SuperUser probably has 5-10 different domains that have to be whitelisted, if not more. Commented Jul 28, 2014 at 15:16
  • 1
    @DarthAndroid If the question is "Could I access a blocked website via a virtual machine..." shouldn't the first word of your answer be "yes", not "no"? Commented Jul 28, 2014 at 15:27
  • 14
    +1 for "talk with your kids"... often the best answer.
    – Brad
    Commented Jul 28, 2014 at 16:56
0

The hosts file DOES block images, ads and websites if you precede the URL with the address of either 0.0.0.0 or 127.0.0.1. The system checks the hosts file for addresses and if you give it the "home" or "null" address as a place to look for a resource, then that item is effectively blocked.

People use it all the time to block malicious sites, advertising URLs and many other things. OpenDNS does the same thing for you by blocking access to categories of websites, etc. that you don't want to see.

The correct answer is YES you CAN get around the hosts file's blocking of content by using a virtual machine, because the virtual machine uses its own hosts file.

But to say the hosts file doesn't block anything is just a load of manure.
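
Both answers turn on where a hosts entry is consulted. As an added example (not code from either answer), the sketch below models the lookup order on the host OS and inside a guest VM so you can audit which targets a hosts blocklist actually covers. The `.example` names, the 203.0.113.x addresses and the `UPSTREAM_DNS` dict are constructed stand-ins, and real resolver order can differ with OS configuration.

```python
import ipaddress

# Constructed sample data: the filtered host's hosts file and a fresh guest VM's.
HOST_OS_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     blocked.example www.blocked.example   # sinkholed
127.0.0.1   proxy.example
"""
GUEST_VM_HOSTS = "127.0.0.1 localhost\n"
# Stand-in for the upstream DNS server (documentation-range addresses).
UPSTREAM_DNS = {"blocked.example": "203.0.113.10", "proxy.example": "203.0.113.20",
                "www.blocked.example": "203.0.113.10", "allowed.example": "203.0.113.30"}

def parse_hosts(text):
    """Return {lowercased name: address}, keeping the first entry per name."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip malformed lines
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def resolve(target, hosts_table, dns=UPSTREAM_DNS):
    """Return (address, source) in the order a stub resolver decides it."""
    try:
        return str(ipaddress.ip_address(target)), "literal"  # no lookup happens
    except ValueError:
        pass
    name = target.lower().rstrip(".")
    if name in hosts_table:
        return hosts_table[name], "hosts"  # local file consulted before DNS
    if name in dns:
        return dns[name], "dns"
    return None, "nxdomain"

def coverage(targets, hosts_text):
    """Map each target to True if this machine's hosts file sinkholes it."""
    table, result = parse_hosts(hosts_text), {}
    for target in targets:
        addr, source = resolve(target, table)
        ip = ipaddress.ip_address(addr) if source == "hosts" else None
        result[target] = ip is not None and (ip.is_loopback or ip.is_unspecified)
    return result
```

Running `coverage` over the same target list with `HOST_OS_HOSTS` and then `GUEST_VM_HOSTS` shows the gap a network-level filter has to close: only names listed in the host's own file are sinkholed, and only on that machine.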
