Hosts file not workening

Rizak · April 15, 2017, 1:14pm

I’m trying to restrict a computer to one website and nothing is working.
I’ve taken a look at some plugins for Firefox that don’t work with the current version.
Now, I’m down to editing the hosts file to exclude every goddam thing except for the website I want to run.

The problem is that no matter what changes I make to the file, it makes no difference in any browser.

127.0.0.1 www.facebook.com

Save.
Open browser.
Get to facebook, no problem.
Reboot.
Check the hosts file. No file extension. ANSI format.
Open browser.
Get to facebook, no problem.

I don’t know what the issue is.

I’m usening Windows10. Yeah, I know. That’s the problem. Ha ha.
I need a fix for this by next weekend.

Now I’m looking at child-proofing solutions.

Lee_Ars · April 15, 2017, 3:36pm

I’m trying to restrict a computer to one website and nothing is working.

You mean you’re trying to prevent that computer from visiting anything except that one web site, or you’re trying to block that one web site?

Based on the rest of your post I’m gonna proceed as if it’s the latter.

Host file restrictions aren’t reliable because not every application pays attention to the host file. The correct way to do what you’re trying to do is to go off-box, either with a socks proxy configured to deny access to that site, or a dns blackhole.

I use the dns method to keep facebook out, but it might be more work than you want to to because the way I’ve got it implemented is by running my own caching DNS server. Here’s an initial setup howto (you can ignore the DHCP server part).

Once bind9 is set up, modify your /etc/bind/named.conf.local file to include a new zone for facebook.com:

zone "facebook.com" {
	type master;
	file "/var/lib/bind/dummy-block-facebook";
};

…and then create a zone named dummy-block-facebook in the /var/lib/bind/ directory, and build it out like this:

$ORIGIN .
$TTL 24h

facebook.com	IN SOA your.dns.server.name. webmaster.your.dns.server.name. (
	2003052800  86400  300  604800  3600 )

@	IN	NS	your.dns.server.name.
@	IN	A	127.0.0.1
*	IN	A	127.0.0.1

The config file modification tells your DNS server that it should behave as if it’s authoritative for facebook.com (in other words, it should act like it’s the main DNS server for that zone and it should answer forward DNS lookup requests for facebook.com from its own local files, instead of querying another server upstream). The zone file ensures that lookups for facebook.com specifically or any subdomains of facebook.com (in other words, *.facebook.com) get a forward lookup response of 127.0.0.1.

Then restart bind9 and flush both your local PC’s DNS cache (for win10 you can just type ipconfig /flushdns ) and your browser’s DNS cache, and you should be good to go.

Well, okay, I left out the step where you have to configure your PC to actually use the DNS server, so you gotta do that too.

If fucking around with bind9 sounds too complicated—and in this case it’s kinda sorta like killing a fly by building a 50-story skyscraper on top of the fly—you could look at doing the same thing with dnsmasq instead. Or you could look at a Windows-based solution but you’ll be on your own with that.

The other option is to use a socks proxy, which will be another server running squid or some other proxy application. You can configure it such that all your hosts are required to use it (doing so is called running a transparent proxy because the proxy works “transparently”—that is, you don’t have to configure anything on the host side to use it and all traffic goes through it no matter what the hosts do), and then target your facebook blocking to one particular host—or the whole network, if you want.

tl;dr: Doing this on-box is probably unworkable. Doing this off-box with another server—either with a transparent proxy or with DNS trickery—is the right way to go. And it’ll make for a fun project!

Rizak · April 15, 2017, 4:00pm

Actually, what I’m trying to do is set up a kiosk computer that has access to only one website.

It will be a standalone machine on a site that I don’t control, with access to the internet via wifi.
I think that just paying $20/year to OpenDNS so I can set it to run in whitelist-only mode is probably worth it if I’m going to be renting this thing out.

Also, when I said ‘nothing is working’, I meant that everything is working as usual and that the changes I made had no effect.

Lee_Ars · April 15, 2017, 4:20pm

Ohhhhhhhhhhh. Well, in that case—and apologies if you’ve already tried this—it sounds like you want to put Windows into kiosk mode, which should include exactly that kind of functionality.

edit - much better, more comprehensive TechNet link

Rizak · April 15, 2017, 4:36pm

Yes, I thought of that as well, but I need to shell out another couple of hundred dollars for the upgrade to pro version first. It doesn’t work on home.

Lee_Ars · April 15, 2017, 4:38pm

Well…damn. You could maybe try setting up a local proxy server on that same box with a whitelist, then set that local proxy as your web browsing proxy in the browser config, then lock down the user so they can’t change the browser config. You’d still need to figure out a free and easy proxy to install and how to do the whitelisting, but that sounds like a possible way forward…

Topic		Replies	Views
PFSense help useful info	5	996	June 11, 2017
Network/web filtering device/software useful info	8	865	October 7, 2018
Has Facebook gone total-fail for anyone else recently? useful info	8	537	July 14, 2019
More than one IT house on a site? george	9	1876	June 21, 2016
Norton ConnectSafe useful info	1	1392	November 22, 2016

Hosts file not workening

Related topics