Return to Level1Techs.com

Trusthworthy "hosts" based protection

security
#1

Hey @Heimdallr here with another tip that I use on my personal systems.

So adblock and ublock collect analytics for good purposes and though their behavior has been trustworthy in contrast to ghostery you still do not like something phoning home from your system. Well Look no further. Here is how to disable the DNS client service on windows 10. Its a one time approach that should fix your system when using a Large Host file for local blocking. Host can be far more useful than a even a firewall if using a singular or standalone system especially a laptop. This is the method I use that has been effective for a very long time.

The upside to using hosts as a method of blocking is that it is a totally local solution that you control. You should only use host files lists that you trust. I have provided a very trustworthy unified hosts file below. This solution is also rather lightweight. You do not need addons or anything of the sort to your already bloated browsers. That being said I do recommend Firefox. Chromium is the slightly more trustworthy cousin of this horrible browser that is google chrome. Need some objective reasons vs hear say? We have a good example on our forum. Head over to this users post.

Need more information on why I do not use browser extensions save privacy badger and noscript?

So lets get started choose your preferred FOSS browser or keep using the one you like. This largely wont matter I just like recommending software that puts you in control

Firefox:


Firefox ESR:

Iridium: (the only chromium you can trust)

Now on windows 10/8.1/8/7 (*Nix and BSD Users may skip this step) there is a pesky piece of software called the DNS client. Now before we disable the dns client, it is important you know what it does. Its purpose to DNS cache all the entries you have been using in order to speed up or provide guard against poor quality ISP DNS servers. Well we dont need to worry about this as we are also going to use a reliable DNS service (Ill propose options).

This is the process of name resolutions on Windows:

DNS name cache > Hosts File > DNS system > NetBIOS name cache > WINS service > Broadcast > LmHosts file

These caches are pointless however we will leave NetBIOS alone as it has some function with local windows machine shares etc. What we are concerned with is external threats.

Pop open an administrator command prompt and make the following registry change to disable the client:

REG add "HKLM\SYSTEM\CurrentControlSet\services\Dnscache" /v Start /t REG_DWORD /d 4 /f

Obtaining the hosts file I use on my machines: (SELECT THE APPROPRIATE VERSION FOR YOUR SYSTEM)

This guy maintains a very well curated file set and he is extremely open about how he does so and which sources he pulls from which does make him rather trust worthy. I update this weekly but its your choice if you want to update this in an automated fashion. For the purposes of this guide I will not be covering how to do this.

Cool so youve obtained the file. For the windows version rename the file from hosts.windows to hosts. Linux users do not need to do this. So depending on your OS this file is located in different places. You will need to place this hosts file in place of your hosts file or merge them.

For Linux based Operating systems place this file at:

/etc/hosts

For MAC OS: (use the linux/unix file) same location as linux. If you are running a *Nix based system and you do not know how to edit the hosts file. I am slightly concerned but thats fine. Open the terminal:
sudo cp (downloaded hosts file path) /etc/hosts

For Windows based systems this is placed at:

C:\windows\system32\drivers\etc\hosts or C:\Windows\System32\drivers\etc\hosts

This will require administrator privledges so do make sure you are doing so with such privledges.

Now onto a decent DNS provider. In order to use this effectively with the DNS Client disabled you have to ditch you crappy ISP provided DNS server especially on comcast (shudders).
Reason: They are usually slow and unrealiable.


But first a list before we get to configuration:

Quad 9 DNS: (I use them)
IPv4: 9.9.9.9 ; 149.112.112.112
IPv6: 2620:fe::fe ; 2620:fe::9
Cloudflare DNS: (Extremely good alternative)
IPv4: 1.1.1.1 ; 1.0.0.1
IPv6: 2606:4700:4700::1111 ; 2606:4700:4700::1001
The last alternative ill ever suggest: (varies)
https://www.opennic.org/

I am very anti other DNS servers like OpenDNS and Google DNS as I dont trust my queries in the hands of a cooperation. This is not a DNSSEC or DNSCRYPT tutorial BUT I do recommend you set that up for yourself and use it.


On Windows this is how you do so: (provided by Quad 9) (All credit is theres and I hope they continue with the wonderful service)

Though these guides use various adapters. This will work on any adapter

Step 1

Open Control Panel, select Network and Internet, and then select Network and Sharing Center. Click Change adapter settings on the left pane.

step-microsoft-1-0

Step 2

Right-click the network interface connected to the internet and select Properties. Select Internet Protocol Version 4 (TCP/IPv4) from the list and click Properties.

If you are using IPv6 select Internet Protocol Version 6 (TCP/IPv6)

step-microsoft-2-1

Step 3

Select “Use the following DNS server addresses” and enter 9.9.9.9 into the Preferred DNS server box. For the Alternative DNS server enter 149.112.112.112

If you are using IPv6 enter 2620:fe::fe into the Preferred DNS server box.

Optional: You can add 2620:fe::9 as the alternative in the list.

step-microsoft-3-0

Step 4

Click OK then Close to save your settings.

step-microsoft-4-0


On MAC OS: (provided by Quad 9) (All credit is theres and I hope they continue with the wonderful service)

Step 1

Go to System Preferences and select Network Settings.

step-apple-1-0

Step 2

Click Advanced and select DNS.

step-apple-2-0

Step 3

Click the ‘+’ sign and add 9.9.9.9 to the top of the list. Optional: You can add 149.112.112.112 as the second entry in the list.

If you are using IPv6 Click the ‘+’ sign and add 2620:fe::fe

Optional: You can add 2620:fe::9 as a secondary in the list.

step-apple-3-0

Step 4

Click Ok and then Apply.

step-apple-4-0


Linux: LOL lets do this in a distribution agnostic manner.
If you want to override the name servers suggested by the DHCP server, you can configure this in /etc/dhcp/dhclient.conf , eg for ethernet eth0:

interface "eth0" {
    prepend domain-name-servers x.x.x.x, y.y.y.y, ipv6:ipv6:ipv6::ipv6, ipv6:ipv6:ipv6::ipv6;

}

Replace eth0 with your adapter name.

You can also do this from the “Edit Connections” control in the network indicator in in your preferred desktop environment. Of course replace x and y with your favorite primary and secondary DNS string same for ipv6. Of course you can use ipv4 only if this gives you trouble.


Router level:
Tomato Firmware Guide:

A few tweaks to the firmware are mandatory to get this working.

Opening up to my overview page got to the DNS advanced setting area


image
Now mimic these settings and make sure your intercepting the DNS port for this to work. Make sure you hit save and wait for the yellow messages restarting services to disappear :slight_smile:

Now move onto the Adblock section in advanced settings:
Insert your lists in 0.0.0.0 hosts file format or URLs to such formats. Then enable and save. This should work:

Now that you have gone through all the trouble. Finally reboot and enjoy

A URL I like is blocked?

Open the hosts file and use the find/replace command in your favorite editor to remove it. Then if your feeling charitable go ahead and let the original provider know so that he may remove it from his list and mark it as good

Does this break stuff?

It has the potential to. So be aware of this when you are using it. The breakage is usually minimal and easy to undo. If it does do something serious. Post below and the forum will likely try to help.

Honorable mentions

@sgtawesomesauce (his name implies hes awesome): If you need a local method im sure you may already know about this but here you go :slight_smile: I hope your investigation into the plugins did not meet a dead end
@MisteryAngel : You live in the EU so your privacy is better protected there but you might find this to your liking. Far better than extensions. Though I still recommend Privacy Badger for Firefox and turning off all the extra studies and what not

7 Likes

#2

It’s worth noting that archive.is doesn’t work with 1.1.1.1 for some reason. They are aware of it and apparently it’s an odd out-of-spec DNS configuration that archive.is uses, so it’s an issue.

I frequently use that site, so it’s relevant to me, idk about others.


That said, good shit. Thanks for the thread!

1 Like

#3

The uBlock Origin addon does not phone home or collect analytics of any kind.

Hosts file based content blocking works OK, but can miss some ads. It’s also annoying to whitelist hosts or disable blocking for a couple minutes when you find page damage.

I suggest installing Pihole on your network instead. It’s also hosts-based blocking but whitelisting and temporarily disabling is easy via the web UI.

I use Pihole myself to block ads inside mobile apps and such alongside uBlock Origin in my browser for more advanced blocking, regexes, and sites like YouTube.

1 Like

#4

It’s worth noting that archive.is doesn’t work with 1.1.1.1 for some reason.

Archive.is (and related domains)'s root servers return invalid results when queried from CloudFlare. They expect EDNS subnet information, which CloudFlare doesn’t send for privacy reasons.

The last alternative ill ever suggest: (varies)
https://www.opennic.org/

Be aware that OpenNIC resolves non-standard TLDs. For most users, this won’t be an issue. For developers or hacky-enthusiasts, this might be a problem since non-standard TLDs (like .dev, .lan, et cetera) are often used by developers to get stuff running before it’s ready for production. Those apps might misbehave when non-standard TLDs start resolving.


Great write up, and shows lots of effort. Kudos!

PiHole might be worth mentioning, since it handles related things. For multipe devices, it might be more convenient than configuring setting manually for each device.

Also, PiHole solves the same problems for smart devices, some of which provide horrible network control.

1 Like

#5

I might do a guide on it, if there isn’t one already.

1 Like

#6

If you do… Link the posts. The guy has a pi hole list. I dont use Pi-Hole so I couldnt really apply it

1 Like

#7

Alright, lemme grab one of the Pis that are laying around. I wonder if I’ve got a spare usb charger laying around somewhere…

0 Likes

#8

There are tons of pihole guides on the internet already, it’s very popular.

I run it inside a linux container myself using cloudflared for DNS over HTTPS to quad9.

I do find it annoying that pihole doesn’t natively support DNS over HTTPS. Not annoying enough to switch to Adguard Home though, the only real Pihole competitor.

https://adguard.com/en/adguard-home/overview.html

2 Likes

#9

Yeah, it’s “deploy raspbian then run this curl | bash script”

0 Likes

#10

Yeah, it’s pretty well documented. And install is a Bash one-liner (after you vet the installer, of course!).

The one thing lacking from PiHole’s docs is screenshots though, and they go a long way for making a guide novices feel comfortable following.

0 Likes

#11

Also, for anyone who has a (relatively modern) Asus router running Merlins FW, you can use Diversion.

It does hosts based adblocking, as well as including Pixelserv-tls for HTTPS ads.

It’s basically an alternative to PiHole that can run locally on the router itself. No need for a Pi or other device.

0 Likes

#12

I did a PoC on manipulating bash one-liners in the LL a while back, basically proving how you could use a malicious PHP web server to detect if it’s curl, wget, curl | sh or curl | bash and send a different payload depending.

curl | bash is very dangerous.

1 Like

#13

It sounds cool to do it, but a lot of people get screwed over running stuff on raspberry pis because the MMCs can’t handle continuous writes and die after a couple months. If you do go with a Rpi, use a USB SSD or something.

1 Like

#14

Well, I’ve got another system that uses eMMC.

Could just use that.

0 Likes

#15

PiHole can be installed on any Debian-based system. I perfer running it in a small x86 VM rather than a Pi.

Pis are convenient, but not a requirement for PiHole, despite the name.

1 Like

#16

Yeah, there’s docker for it as well.

0 Likes

#17

Yes like I said, I run in a LXD container myself.

The eMMC will die too. Pihole writes a bunch of logs and they’re just a single NAND chip without wear leveling or anything. You can turn off the logging but then you lose the cool Pihole dashboard.

1 Like

#18

I’ll just pretend you didn’t mention Docker. I’d like to keep my opinion of you solidly in “positive” territory. :slight_smile:

0 Likes

#19

That sounds cool. I didn’t know.I use pfSense so I won’t deviate from it

0 Likes

#20

What’s that?

image

1 Like