Let this run while you go about your normal work, then check back after you notice the change. Look through the Operation column for WriteFile or something similar, then see what Process Name did it. This'll let you figure out what's actually making the change and you can appropriately assign blame.
[1] https://technet.microsoft.com/en-us/sysinternals/processmoni...
Older versions worked fine without this service. It was silently added somewhere between win7 and win8 releases.
Also see: http://security.stackexchange.com/questions/6883/something-i...
Though I believe you should have seen something in Filemon.
To edit the hosts file, you need to have admin privileges. That means closing whatever editor you're using, reopening it with 'run as administrator', and then opening the hosts file. You need to do this even if you are an admin account.
Another way to do it is to open the hosts file under normal editing privileges, editing it, saving it somewhere else, and pasting it into the drivers folder. The system will ask you if you want to run as admin, and you need to say 'yes'.
Nothing could (or should, I guess) be changing the hosts file otherwise (AFAIK, my source being many, many SO posts and random forums) without it being given explicit admin privileges when it attempts to change the file.
```
A change was made to the Windows Firewall exception list. A rule was added.
Profile Changed: All
Added Rule:
Rule ID: {59F33BF3-EAFF-424C-BB26-C2DF4A709398}
Rule Name: Usermode Font Driver Host
```
Why would a simple Usermode Font Driver Host need internet access??!?!
binisoft.org Windows Firewall Control has an option to safeguard firewall rules and automagically deletes all unauthorized (by the only person that matters - ME) rules.
EDIT: Now I've read the discussion below regarding this matter. No need to answer, I guess. I asked before reading all the comments, sorry.
A situation we can all imagine ourselves in: You need to check the google analytics for your website/company site. You can't because it's blocked at Host level.
What solution would there be for this use case?
Aside from Google sponsored links and the odd ad sponsored link on pseudo-news sites not working (due to them being tracking URLs), I can't see it ever getting in my way.
However, to answer your question, these days I run dnsmasq on my home server and have my DHCP server assign that as my primary DNS. So every device (phone, laptop, smart TV, etc) gets its ads blocked as well - which is particularly good for my TV as it's bad enough having regular adverts on TV without LG pushing out sponsored content as well. So if there was a rare occasion that I needed to turn off my ad blocking, I'd just change the DNS to 8.8.8.8 (Google DNS) then switch back to my dnsmasq server once I was done (the only complication being that I sometimes need to close and reopen the browser due to that particular application caching the DNS lookup).
The nice thing about using dnsmasq is that you can import those hosts files verbatim. Which means your update script can be simple.
[1] strips domains to the top level that the public can register using https://publicsuffix.org/
It also can quickly "dnsgate disable/enable". (dnsmasq only, quick enable/disable for /etc/hosts is not supported yet, patches appreciated)
I've been using this simple script on OS X for quite some time now. It works like a charm and is using git for that exact reason, to be able to quickly disable/enable and also keep track of exceptions, changes, etc.
Ad-blocking via hosts files can often lead to a noticeable performance hit.
No measurable lag.
I'd used the various blockfiles used by uBlock Origin, as well as some additional entries of my own, de-duplicated. There are some overaggressive entries, I've commented those.
A nice plus: I found the dozen or so hosts/domains associated with autoplay video crap, added them, and have no more bother from that.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/200...
I would assume local IO would usually beat network IO.
Some ideas here, but it's pretty straightforward and functions just like their adult content blockers: http://iradar.blogspot.com/2011/07/useful-free-tool-use-open...
https://www.reddit.com/r/Windows10/comments/401h2o/hosts_fil...
In Windows 10, the DNS Client does something that is O(n^2).
On second thought, you shouldn't be using the hosts file for this at all.
I would much rather have a browser plugin for this.
Those servers could be anything from MySQL, redis to any web app.
I get that the hosts-method is meant to affect all apps but that's not a big problem for me running Mac OS and Fedora.
Last time I had to block ads this way was when Opera had them embedded and it was much less memory hungry than Phoenix on my 256M RAM laptop. Back then I blocked them in ipfw instead.
I suppose it would be possible to craft a url that attacks local web services sometimes found on developer machines. If someone can confirm this is indeed the case, I'll submit a pull request to their README.
Anyone experienced doing this?
1. http://jacobsalmela.com/block-millions-ads-network-wide-with...
Using 127.0.0.1, I have an httpd responding to every request with a 200. This avoids some anti-ad-block checks (such as "watch this ad before your video").
You can also configure your server to reply with a cat gif. But who would like to see such an Internet?
https://support.google.com/contributor/answer/6223848?hl=en&...
I'm not going to argue that localhost is better than 0, but that specific argument they've raised is incorrect. You don't have to wait for a timeout on localhost either. It will either fail instantly due to no listening processes on that IP and port, or it will connect to whatever process you have open on that address (eg a local instance of a http daemon).
Although if you use dnsmasq on OpenWRT with these hosts file beware that it can crash sometimes due to a bug that is now fixed in git: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/201...
Anyways, yeah, some ad companies are starting to do exactly this. They're serving ads up from the domain/website the ads are displayed on. Host files are completely ineffective here unless you've already previously spotted the ads and manually blocked them (and provided they haven't changed the file name of the ad/picture since your last visit).
But the ad companies doing this are tiny. It's quite likely you've never been on a website that has enacted this method. Most ads on the 'net are served up from Google's adchoice/adsense program. Once Google themselves start doing it, it's game over for adblockers and for host blocking. I heard through the grapevine that they're actually working on this very issue (the issue of ad blockers).
I'm always looking for ways to improve things so I'm open to all suggestions.
EDIT: A couple of clarifications.
1) This isn't just for adblock. Your hosts file is useful for thwarting all sorts of malware. If a bot or trojan phones home with a domain, a vigilant hosts file will block it. And if a bot or trojan phones home with an IP, then the hosts file can't help you but, then again, an IP can be physically located fairly quickly.
2) The key to a good hosts file is keeping it current. This hosts file amalgamates several well-curated sources. So your hosts file is only as good as your ability to keep it current. This repo helps with this.
Thank you for your contribution. What do you think about this setup?
I use two Digital Ocean servers in different datacenters on which I have run this script (https://github.com/jlund/streisand).
I modified the script (https://github.com/jlund/streisand/tree/master/playbooks/gro...) before I ran it and pointed the upstream DNS servers to my two personal DNS servers that are hosted on different datacenters.
The DNS servers are running a script (https://github.com/Kolyunya/afdns) that pulls the hosts file daily from (https://github.com/StevenBlack/hosts).
It has been working great for a few weeks, but I'm curious about any improvements I could provide.
Blocking via your hosts file has some great benefits; it works regardless of network and is relatively easy to update. Unfortunately, it doesn't scale easily to many systems or give you any insight into whether or not you are trying to connect to blocked domains.
Blocking via DNS is a good alternative and is suggested multiple times in this thread. You can easily protect a whole network by setting your recursive resolvers and it works across any system.
If you are interested in this and don't want to operate and maintain your own DNS (as well as pulling down various domain lists) check out https://strongarm.io. We manage DNS, aggregating lists of bad domains, and (most uniquely) will alert you if you try and talk to a blocked domain.
It's free for personal use. We are a growing startup and love feedback from HN. Feel free to contact me directly as well! stephen[at]strongarm.io
[0] https://github.com/jodrell/unbound-block-hosts
[1] https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unb...
And of course you shouldn't have to work with GA or Flurry or other analytics services, because they are blocked by pi-hole.net of course. But you can easily whitelist via ssh.
I've been using it for 2 months now and am pretty satisfied. The traffic saving effect is also nice, which makes websites load faster as well.
If you use BIND RPZs, you can convert from /etc/hosts format to BIND zonefile format, (or just pump the new entries to nsupdate) which should be pretty trivial. Some information and useful links are in this comment and subsequent commentary. [0]
IMO RPZs are substantially easier to manage than an ever-growing set of master blackhole zones, especially when you have slave DNS servers.
If it really has to be bind, check out this page for a tutorial on blocking using bind: http://www.malwaredomains.com/?page_id=6
Then just use awk to go from hosts file format to this: http://mirror2.malwaredomains.com/files/spywaredomains.zones
Hope that helps.
Although figuring out how to propagate RPZ changes to them isn't exactly straightforward (more on this below), if you're using BIND, you can set up views that match certain clients and provide one mix of RPZs to one set, and another to another set.
On updating RPZs in a view (warning: BIND 9-specific instructions follow) :
So, BIND has this nifty option for a zone called "in-view". This lets you say "The data for this particular zone lives in this other view, so when requests come in for this zone, in this view, use the data in this other view.". It might sound complicated, but it's really just a pointer to a pre-existing zone definition. This lets you define your master zones in one big "zone definition" view, and have client-specific views refer back to those definitions.
However, you can't use in-view with RPZs. Why? Who knows? [2] But, what you can do is this:
* Create one unique RNDC key per view
* Add an allow-notify and match-clients entry in each view with that view's key
* In the appropriate views, add a slave zone definition for each relevant RPZ, with localhost as the master, and whatever is your usual domain xfer key as the key [3]
* Back up in your "zone definition" view, add to your also-notify list for each master RPZ definition an entry for localhost and each view key. [4] Having an ACL just for these RPZ slaves cleans up the RPZ definitions.
Now you have dynamically updatable host blocking that can be deployed on a per-host basis, if you like. It's initially a bit more work than managing a local hosts file, but you can easily apply host blocking lists to any set of machines on your LAN, and you can programmatically update the RPZ lists with tools like nsupdate.
[0] http://jpmens.net/2011/04/26/how-to-configure-your-bind-reso...
[1] http://www.zytrax.com/books/dns/ch7/rpz.html
[2] RPZs are handled just like regular zones in every other way except for this one. It's a bit frustrating.
[3] This is actually less burdensome than it sounds, as you can write these slave zone definitions once and include the files containing the definitions in whatever view needs them.
[4] That is, if you had three views, your also-notify list would have something like the following new entries: 127.0.0.1 key "view1-key"; 127.0.0.1 key "view2-key"; 127.0.0.1 key "view3-key"; You can have entries for just the views that use a given RPZ, but it doesn't hurt to have one ACL that notifies all views when any RPZ data changes.
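A named.conf sketch of the four steps above, as an added illustration and not the commenter's own configuration; the key names, zone name, file paths and client ranges are assumed placeholders.

```conf
// Keys: one for zone transfers, one per client-facing view. Generate real
// secrets with tsig-keygen; the values below are placeholders.
key "xfer-key"  { algorithm hmac-sha256; secret "<placeholder-base64>"; };
key "view1-key" { algorithm hmac-sha256; secret "<placeholder-base64>"; };
key "view2-key" { algorithm hmac-sha256; secret "<placeholder-base64>"; };

// The "zone definition" view. Only requests signed with xfer-key land here,
// so it never answers ordinary clients.
view "zone-definitions" {
  match-clients { key "xfer-key"; };
  zone "rpz.local" {
    type master;
    file "master/rpz.local";
    update-policy local;           // lets `nsupdate -l` edit the RPZ
    allow-transfer { key "xfer-key"; };
    notify explicit;
    // One entry per view key; each NOTIFY is routed to the matching view.
    also-notify { 127.0.0.1 key "view1-key"; 127.0.0.1 key "view2-key"; };
  };
};

// Client-facing views. match-clients on the view key lets the NOTIFY reach
// this view; the slave zone then pulls the RPZ from localhost with xfer-key.
view "guests" {
  match-clients { key "view1-key"; 192.0.2.0/24; };
  allow-notify  { key "view1-key"; };
  recursion yes;
  zone "rpz.local" {
    type slave;
    masters { 127.0.0.1 key "xfer-key"; };
    file "slave/guests-rpz.local";
  };
  response-policy { zone "rpz.local"; };
};

view "staff" {
  match-clients { key "view2-key"; 198.51.100.0/24; };
  allow-notify  { key "view2-key"; };
  recursion yes;
  zone "rpz.local" {                     // the same slave definition can
    type slave;                          // live in an included file, per [3]
    masters { 127.0.0.1 key "xfer-key"; };
    file "slave/staff-rpz.local";
  };
  response-policy { zone "rpz.local"; };
};
```

View order matters: the transfer-key view is listed first so a signed AXFR from a local slave never falls through to a client view.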
Edit: https://github.com/paulchakravarti/dnslib looks interesting
Yeah, you can totally do that! Details are here [0][1], but in your RPZ zone file, you use a CNAME with a value of . to return NXDOMAIN, and a CNAME with a value of rpz-passthru. to process the query normally:
```
;allow www.sinfest.net, but deny all others, including sinfest.net
www.sinfest.net CNAME rpz-passthru.
sinfest.net CNAME .
*.sinfest.net CNAME .
```
And to demonstrate:
```
$ dig +short www.sinfest.net ; dig +short sinfest.net; \
dig +short www.sinfest.net @8.8.8.8 ; dig +short sinfest.net @8.8.8.8
64.29.145.9
64.29.145.9
64.29.145.9
$
```
If you're interested in a complete, but simple RPZ zone file I can provide one. If you have more questions, feel free to ask, and I'll try to answer.
[0] http://www.zytrax.com/books/dns/ch7/rpz.html
[1] http://www.zytrax.com/books/dns/ch7/rpz.html#rpz-examples
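The hosts-format-to-zone conversion suggested earlier (the awk step) and the passthru whitelist records shown above, combined into one added example; this is my own illustration, not code from any commenter or linked repository, and the function names, the zone header values and the sample hosts lines are assumed or constructed.

```python
"""Turn hosts-format blocklists into a BIND RPZ zone (added example)."""
import re
from typing import Iterable, List

# Entries every hosts file carries that must never be sinkholed by the RPZ.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
        "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
        "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}   # blocklist targets
LABEL = re.compile(r"^[a-z0-9_](?:[a-z0-9_-]*[a-z0-9_])?$")


def hosts_to_domains(lines: Iterable[str]) -> List[str]:
    """Return the unique, syntactically valid names a hosts blocklist blocks."""
    seen, out = set(), []
    for raw in lines:
        fields = raw.split("#", 1)[0].split()          # drop comments
        if len(fields) < 2 or fields[0] not in SINKHOLES:
            continue                                   # not a block entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in SKIP or name in seen:
                continue
            if not all(LABEL.match(lbl) for lbl in name.split(".")):
                continue                               # junk token, skip it
            seen.add(name)
            out.append(name)
    return out


def rpz_zone(blocked: List[str], passthru: Iterable[str] = (), serial: int = 1) -> str:
    """Render the RPZ: 'CNAME .' answers NXDOMAIN, 'CNAME rpz-passthru.' lets
    the query resolve normally. An exact-name passthru beats its parent's
    wildcard, which is how www.sinfest.net stays reachable in the dig above."""
    head = ["$TTL 60",
            f"@ IN SOA localhost. root.localhost. {serial} 3600 900 604800 60",
            "@ IN NS localhost."]
    body = [f"{name} CNAME rpz-passthru." for name in passthru]
    for name in blocked:
        body += [f"{name} CNAME .", f"*.{name} CNAME ."]
    return "\n".join(head + body) + "\n"


# Constructed sample input in the layout of the StevenBlack hosts file.
SAMPLE = """127.0.0.1 localhost
0.0.0.0 ads.example.com   # constructed tracker entry
0.0.0.0 Ads.Example.com static.ads.example.com
192.0.2.10 intranet.example.org
"""

if __name__ == "__main__":
    print(rpz_zone(hosts_to_domains(SAMPLE.splitlines()),
                   passthru=["www.ads.example.com"]))
```

Write the output to the RPZ master zone file, bump the serial on each run, and `rndc reload` the zone; BIND's RPZ precedence, not record order, decides between the passthru and wildcard rules.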
This is for people who cannot edit /etc/hosts, but can change DNS server.
e.g., "mobile" or "tablet" users who choose Apple iPhone, iPad, etc.
The idea of ARPA-networked devices that have no user-editable HOSTS file seems inferior to ones that do, i.e. the vast majority of ARPA-networked computers for three decades, but that's just my uninformed view.
The experts selling these things must know better.
DNS works very well for blocking ads. It allows for things that cannot be done with HOSTS alone.
But if you trust a third party for your DNS resolution needs (ad-supported search engine company "free" public DNS, ad-supported, corporate-sponsored browser, etc.), then all bets are off.
If and when advertisers complain and start to cut back on spending, then these third parties could remedy the situation, easily. In my opinion.
If the user is running her own DNS services, then it may be too much trouble for advertisers and the companies they prop up. It is a stretch to think that any ad-supported company could stop users from exchanging lists of names and numbers, whether through a HOSTS file, zone files, or some other mechanism.
Has Windows 10 got better with that?
http://www.abelhadigital.com/hostsman
Lets you choose which lists to use, and automatically update those lists. Also makes it easy to temporarily disable your rules if you need something that's blocked. Has a button for flushing the DNS cache.
The reasons:
* Block adverts in native mobile apps
* Block adverts in mobile web browsing
* Create a single connection for the mobile (reduce exposure to latency of new connections to different servers)
* VPN connection keep-alive means I seldom reconnect
* Side effect of mitigating risk of my telco screwing with my traffic or excessively logging metadata
It works really, really well.
I'm sure someone will say "battery!" but the cost of mobile adverts on batteries far outweighs the cost of connecting to a VPN.
This is effectively adblock for mobile that works for all apps and websites.
Edit: AdAway uses an /etc/hosts file.
https://github.com/jdoss/dockerhole
It was inspired by https://pi-hole.net/ and I am glad to see there are others making similar things to block Ads.
There's a bit of an impedance mismatch since filter lists support some fairly advanced pattern matching while hosts file entries are obviously limited to specific domains, but it gets most domains.
You can also block the BBC Breaking News banner this way by adding polling.bbc.co.uk. Or if you want to play a prank use 192.30.252.153 as the IP. GitHub pages don't check if you own the domain.
https://unop.uk/dev/breaking-the-news-blocking-the-bbc-news-...
A pi-hole clone notrack [2]
[1] https://gaenserich.github.io/hostsblock/ | [2] https://github.com/quidsup/notrack
Ads slow us down.
Would love to see some project like that.