4 Replies Latest reply: Aug 25, 2012 5:07 PM by michael_w_2
michael_w_2 Level 1 (0 points)

Hi,

I am trying to block a handful of different websites that I do not want my daughter to use right now.  I would like to use the hosts file to do this.  Although I have basic familiarity with the hosts file and editing it, I am not completely certain as to how it works and how DNS works.  If I want to, for example, block "yahoo.com" and all of its subdomains, would the following be an acceptable/valid entry?

127.0.0.1 *.yahoo.com

By not listing the subdomains of "yahoo.com", would that make it any likelier for those webpages to get through?  If I were to also list out all of the "yahoo.com" subdomains that I have knowledge of along with the previous entry, would that cause any problems?

 

And the second part of my question is: Is the hosts file ever not top priority in lookup (on OS X 10.6.8, if it matters); and if so, is there a good way to make it always first?

Any help would be appreciated!

Thank you,

Michael


iMac, Mac OS X (10.6.8)
  • 1. Re: About the hosts file (syntax/usage question)
    etresoft Level 7 (24,270 points)

    Please don't use the hosts file for this. That is not what it is for. Use Parental Controls instead.

  • 2. Re: About the hosts file (syntax/usage question)
    Camelot Level 8 (45,790 points)

    You can't use wildcards in /etc/hosts. It only supports fully qualified domain names, but as etresoft points out, this isn't the best way of doing this anyway.
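
Added example, not part of any post in this thread: a small Python linter for hosts-file text that illustrates the point in reply 2, that entries match exact host names only, so a wildcard line or a parent-domain line does not cover subdomains. The sample text and the names `parse_hosts` and `covered` are constructed for illustration, and "first entry for a name wins" is an assumption.

```python
import ipaddress

# Constructed sample input, not taken from the poster's machine.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   *.yahoo.com          # wildcard: never matches a real lookup
127.0.0.1   yahoo.com www.yahoo.com
not-an-ip   mail.yahoo.com
"""

def parse_hosts(text):
    """Return (table, warnings); table maps exact lowercase names to an address."""
    table, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            warnings.append((lineno, f"invalid address {addr!r}"))
            continue
        if not names:
            warnings.append((lineno, "address with no host name"))
        for name in names:
            if "*" in name or "?" in name:
                # The file has no pattern syntax: this is just a literal string.
                warnings.append((lineno, f"wildcard {name!r} will not match"))
                continue
            # Assumption: the first entry for a name wins.
            table.setdefault(name.lower().rstrip("."), addr)
    return table, warnings

def covered(table, hostname):
    """Exact-match lookup: a parent-domain entry does not cover subdomains."""
    return hostname.lower().rstrip(".") in table

if __name__ == "__main__":
    table, warnings = parse_hosts(SAMPLE_HOSTS)
    for lineno, msg in warnings:
        print(f"line {lineno}: {msg}")
    for host in ("yahoo.com", "www.yahoo.com", "mail.yahoo.com"):
        print(host, "->", "overridden" if covered(table, host) else "not covered")
```
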

  • 3. Re: About the hosts file (syntax/usage question)
    MrHoffman Level 6 (12,455 points)

    Use parental controls, maybe Dnsmasq, or a nanny-capable firewall-gateway-router box that's been configured on the edge of your network.

    The /etc/hosts file also has a specific sequence to get it reloaded; that file is read once and subsequently cached.  IIRC, you need to either /sudo dscacheutil -flushcache/ or /sudo killall -HUP mDNSResponder/ the DNS resolver.

    If your child is technically inclined, or knows how to do basic internet research, or has discussions with the more nerd-ish among her peers, your child can learn how to bypass /etc/hosts and Dnsmasq using her own DNS translations, or with her own DNS services.  That possibility would point toward either parental controls (easy), or the firewall-gateway-router box (added cost, but can block some or all systems on your local network).

    Here's how easy it is to bypass the /etc/hosts block; launch Terminal.app and issue the equivalent of:

    dig +short @8.8.8.8 host.example.com

    for the host.example.com host that you're (she's) interested in.  (There are other commands that can be used; more than just dig can be used here, and there are web sites that can perform this translation for you.)  Then connect to the IP address that this command emits.  Your /etc/hosts block will not prevent this, and will not block this.

    If your daughter is somewhat more technically savvy, a VPN will bypass the /etc/hosts blocks.  She'll need access to a VPN server, and those are available from various free and very low-cost sources...

  • 4. Re: About the hosts file (syntax/usage question)
    michael_w_2 Level 1 (0 points)

    Thank you for your detailed response MrHoffman.  (And thanks to Camelot and etresoft for adding, too.)

    I've decided to forgo the restrictions that I was going to put in place and instead just monitor her computer's log files to see if she is observing the rules we agreed upon.  It involves more trust upfront, but for the time being I think it is best.  She is somewhat technically savvy, although I'm not sure she would've figured out how to bypass the hosts file anyway.