
Thread: Anyone Here Know About Maintaining a Hosts File?

  1. #1
    Drew Wilson


    I've been digging deep in some research, but hit a few road blocks. Does anyone here know some of the technicalities of maintaining a hosts file? I ask because I have a few questions about it. You'll get credit for the up and coming guide I have been planning on writing for any help you provide. Don't worry, these are probably semi-n00b questions anyway since I haven't done this before really.

  2. #2
    Aaron_Walkhouse

    It's a text file which serves as a local IP address cache for DNS lookups.

    Put an IP address, a space or tab and then a domain name on each line. Spaces and
    tabs can be used interchangeably but it is best to pick one and stick with it throughout
    the file. If you use software to manage this file it may require one or the other but not
    be able to use both. After the domain name you can place an optional alias and, for
    notes or to disable a line without erasing it, a "#" causes the cache parser to disregard
    the rest of the line.

    For places you go to often it cuts down the usual delay by a fraction of a second or,
    when the DNS service is down or censored, maintains access to a listed site. The
    time savings only affects the first time you access a certain site within the usual DNS
    cache timeout or after a reboot but that can add up quickly if you use the internet a lot
    or have applications that access many sites regularly.

    For blocking domains, which is a popular defence against known bad sites, use
    127.0.0.1 or 0.0.0.0 for the IP address. 127.0.0.1 loops back to your own computer
    so if you have servers running on the ports being accessed you can capture and
    analyze any traffic which was intended for sites you blocked. 0.0.0.0 also refers to
    your own computer but once your computer obtains an IP address from a DHCP
    service it effectively becomes a null point and traffic "sent" to that address is dropped
    without delay, saving a lot of time when an address is blocked. Though it may seem
    more efficient to block IP addresses in a firewall or an IP filter such as PeerBlock or
    Peer Guardian 2 some of the most malicious sites change IP addresses both frequently
    and rapidly with a technique called fast-flux addressing to evade such protection.
    Placing such domains in a HOSTS cache renders such tactics ineffective
    because online lookups of domains never occur once found locally.

    Later versions of Windows were deliberately crippled in this respect by Microsoft from
    Windows XP service pack 2 onwards after it realized many people were blocking its new
    "WGA" remote shutdown spyware. A couple of notorious malfunctions threatened to disable
    the computers of thousands of people and permanently lose the data of those who used
    NTFS encryption because their original keys would be disabled or erased even after they
    restored access by registering Windows again. Part of the cripple was to ignore 127.0.0.1
    entries in HOSTS and only use the ones beginning with 0.0.0.0 (instantly disabling most
    existing lists at the time) and the other part was having specific, WGA-related sites hard-
    coded in the DNS lookup DLL so that it would ignore all lines in a local HOSTS cache with
    those names. Both tactics failed, however, because it was easy to search and replace
    127.0.0.1 with 0.0.0.0 in a cache and the few sites Microsoft attempted to exempt from
    blocking could easily be blocked by their IP addresses instead.

    Some experts also rejected the mass update in service pack 2 and avoided the Vista and
    later versions of Windows. They opted to support their own operating systems because they
    were able to do so and did not accept the risk of being accidentally or deliberately attacked
    by remote disabling of operating systems, drivers or hardware by means of automatic updates.
    This Windows feature had been proven on several occasions to be untrustworthy and carried
    hidden features which bypassed user settings to force unwanted updates on users without
    their permission or knowledge. Once this was revealed by errors on Microsoft's part, trust in
    the company was broken and from then on patches and updates were inspected and applied
    individually, if at all.

    If you use a large HOSTS cache in any version of Windows XP or later you must disable the
    "DNS Client" service because it causes a long delay on lookups. This service is not needed
    on most home computers and is intended for gateways and domain controllers on larger local
    area networks such as those in large office environments. It is left turned on by default in new
    Windows installations because it usually does no harm when not needed or used.

    Precompiled lists of blocked sites are available from many sources such as Bluetack
    and some defence software takes advantage of HOSTS to protect you from many sites
    known to host malware or exploits designed to infect computers remotely or are merely
    advertisers who annoy users with popups and excessive ads.

    Software which manages HOSTS files can download and merge blacklist entries and
    some also recheck existing unblocked hosts and update them if IP addresses change.

    Here is an example of a large HOSTS cache with blocked and cached addresses: HOSTS.zip
    Blocked lines use the alias "zzzzzBLOCKEDzzzzz" so that the list can be sorted to place
    all unblocked entries at the top. Notes with a date are automatically generated by my own
    HOSTS cache manager so I can keep track and for easy diagnosis when a site fails to connect.
    Some entries are labelled with instructions to update them manually because DNS lookups
    either fail or the sites listed have been illegally censored so that normal lookups would fail.

  3. #3
    Drew Wilson

    Very nice. I suppose I have one last question then. Is it possible to link a domain to multiple possible server IP addresses or is it best to simply link a domain to one IP address and add the other IP addresses in a commented line?

    Edit: OK, one other question. Does the HOSTS file affect just general web browsing or all traffic originating from that machine? (i.e. Torrent data)

  4. #4
    Aaron_Walkhouse

    You can put all the addresses in but only the first it parses will apply, so
    commenting out some lines is a good way to control which one is active.
    You can also put the preferred one above the others to make it take over.
    All changes take effect when you write HOSTS and make any connection.

    All traffic that references a domain by name triggers a lookup by the OS.
    Since the default settings have it search the local cache first, it does that.

    In fact, if your PC is the gateway between your LAN and the internet, all
    traffic from other computers in your LAN is served by your own cache.
    I always bridge nets with PCs instead of routers for highest performance.

    Numerical IP addresses need no translation so they bypass all lookups.
    This means HOSTS has no performance hit on normal P2P peer traffic.
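
Added example (not part of the thread and not either poster's code): a small Python audit of HOSTS-format text that applies the line format from post #2 (address, space or tab, name, optional alias, "#" comments) and the first-match rule from post #4, reporting blocked names, shadowed entries and malformed lines. The sample content, the example domains and the function names are constructed for illustration.

```python
import ipaddress

BLOCK_ADDRS = {"127.0.0.1", "0.0.0.0"}  # blocking addresses named in the thread

# Constructed sample input; names use reserved example domains.
SAMPLE = """\
# constructed sample HOSTS content
192.0.2.10\twww.example.com example-alias   # cached entry with alias
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org
198.51.100.7 www.example.com   # shadowed: earlier line wins
#203.0.113.5 old.example.com   disabled without erasing
not-an-ip broken.example.com
"""

def parse_hosts(text):
    """Return (active, shadowed, errors) for HOSTS-format text."""
    active, shadowed, errors = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # "#" ends the parsed part
        if not line:
            continue
        fields = line.split()                 # spaces and tabs both separate
        if len(fields) < 2:
            errors.append((lineno, "address without a name"))
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            errors.append((lineno, f"invalid address {addr!r}"))
            continue
        for name in names:
            key = name.lower()                # host names are case-insensitive
            if key in active:                 # first match applies (post #4)
                shadowed.append((lineno, key, addr, active[key][0]))
            else:
                active[key] = (addr, lineno)
    return active, shadowed, errors

def blocked_names(active):
    """Names whose active entry points at a blocking address."""
    return sorted(n for n, (addr, _) in active.items() if addr in BLOCK_ADDRS)

if __name__ == "__main__":
    active, shadowed, errors = parse_hosts(SAMPLE)
    print("blocked:", blocked_names(active))
    for lineno, name, addr, winner in shadowed:
        print(f"line {lineno}: {name} -> {addr} ignored, {winner} listed first")
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
```

Running it over a real file before and after merging a downloaded blocklist shows which names changed from cached to blocked and which new lines are silently shadowed by older ones.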

  5. #5
    Drew Wilson

    I really appreciate your help in this. The guide has finally been published on the front page.

    Click

    I know it's a little narrower in focus than what was covered here, but it does what it sets out to do. I've learned a fair bit in this thread alone actually.
