using the HOSTS file to block website

Guest

I've read where you can edit your HOSTS file to block certain websites by
assigning the website a 127.0.0.1 address. I've tried this on a couple of
different computers on our domain and still the computers continue to get
access to these websites. I then edited a computer that is outside our
firewall and is not a part of our domain....it works like a champ! What am I
overlooking? Could there be a setting in AD that is causing the local
computer to not look at its local hosts file? I've checked permissions on
the hosts file and the user has full access to this file. If anyone can
help, I would really appreciate it.

Thanks,

Jim
 
Herb Martin

Jim in Cleveland said:
> I've read where you can edit your HOSTS file to block certain websites by
> assigning the website a 127.0.0.1 address. I've tried this on a couple of
> different computers on our domain and still the computers continue to get
> access to these websites.

If the names are "in your domain" there is a fairly
good chance that NetBIOS name resolution is
being used -- or you entered the names with an error
(see below.)

Well, it doesn't really "block" access but rather
makes links to those sites using Internet/DNS names
resolve to the local address (same machine) where
it isn't likely to be answered.

If you are not seeing a difference (when using DNS
names) then you likely have not created the Hosts
file correctly, or not in the correct directory, or
you have used the wrong record format for it.
> I then edited a computer that is outside our
> firewall and is not a part of our domain....it works like a champ! What am I
> overlooking?

That much internal access MAY be using NetBIOS
names?

What name did you add? How did you try to access it?

Do this:
Add a local machine's full name, e.g., machine.domain.com

127.0.0.1 machine.domain.com

Now try to ping: ping machine.domain.com

The file must be in %systemroot%\system32\drivers\etc

The file name must be "hosts" (no extension.)
The file format must be plain text (not Word or some such.)
> Could there be a setting in AD that is causing the local
> computer to not look at its local host file?

Highly unlikely.
(You can alter the registry through a GPO but it is highly
unlikely that you have done this for the settings that are
relevant.)
> I've checked permissions on
> the hosts file and the user has full access to this file. If anyone can
> help, I would really appreciate it.

It is also much easier to ping the name and see if it
resolves to the name you expect.

One other thing: Even with DNS, if the name is ALREADY
in the DNS name cache (which it would be by default if you
had accessed this name recently -- probably anytime within 24
hours) then it may be resolved from cache.

ipconfig /flushDNS
(will clear the cache for a fair test.)
 
Guest

Herb,

Thanks for the reply. I have the Hosts (no extension) file in the
Winnt\system32\drivers\etc directory (we're using W2K). I'm trying to block
chat sites and my host file looks something like this:

127.0.0.1 chat.yahoo.com
127.0.0.1 www.aim.com
127.0.0.1 aimexpress.aim.com
etc.

But still I can get to these sites. What am I missing here?

Jim
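Herb's checks, applied to entries like Jim's, as an added Python example that is not from the thread: it reads a constructed hosts-format text the way the file is read (IP, whitespace, names, `#` comments, case-insensitive exact match), flags malformed records, and reports which names the file actually covers. The sample entries are constructed here, and exact-match with first-record-wins is the model this example assumes.

```python
import ipaddress

# Constructed sample in hosts-file format, modelled on the entries in the thread.
SAMPLE_HOSTS = """\
# ad-hoc site blocking (constructed sample, not a real hosts file)
127.0.0.1       localhost
127.0.0.1   chat.yahoo.com
127.0.0.1\twww.aim.com            # tab-separated entry is valid
127.0.0.1   aimexpress.aim.com
127.0.0.1   WWW.AIM.COM           # duplicate differing only in case
127.0.0.1                         # malformed: no name
not-an-ip   messenger.yahoo.com   # malformed: not an IP address
"""

def parse_hosts(text):
    """Return ({name: ip}, [problems]) for hosts-format text.

    Each record is an IP, whitespace, then one or more names; '#' starts a
    comment.  Names are case-insensitive, so they are stored lowercased.
    Assumed model: the first record for a name wins.
    """
    table, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append(f"line {lineno}: needs an IP followed by a name")
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            problems.append(f"line {lineno}: {fields[0]!r} is not an IP address")
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table, problems

def resolve(name, table):
    """Exact-match lookup: a hosts entry covers one name, not its subdomains."""
    return table.get(name.lower())

def coverage(table, targets):
    """Which targets the file answers ('hosts') and which fall through to DNS ('dns')."""
    return {t: ("hosts" if resolve(t, table) else "dns") for t in targets}
```

Run `coverage` over the names users actually type: anything reported as `dns` (a bare domain, another subdomain, a direct IP) is not affected by the file at all, which is why Phillip's point about blocking at the proxy matters.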
 
Phillip Windell

Jim in Cleveland said:
> Thanks for the reply. I have the Hosts (no extension) file in the
> Winnt\system32\drivers\etc directory (we're using W2K). I'm trying to block
> chat sites and my host file looks something like this:
>
> 127.0.0.1 chat.yahoo.com
> 127.0.0.1 www.aim.com
> 127.0.0.1 aimexpress.aim.com
> etc.
>
> But still I can get to these sites. What am I missing here?

If you use a proxy server, then your machine isn't doing the resolving to
begin with. The Hosts file is never queried. The Proxy is doing the
resolving.
 
Herb Martin

Phillip Windell said:
> If you use a proxy server, then your machine isn't doing the resolving to
> begin with. The Hosts file is never queried. The Proxy is doing the
> resolving.

Which Proxy clients do that?
(The server really wouldn't have anything to do with the
client's name resolution behavior.)

And in that case it is much easier to do the blocking at
the Proxy-ISA server (usually.)

I wonder what happens when he types (something simple like):

ping chat.yahoo.com
 
Phillip Windell

> Which Proxy clients do that?
> (The server really wouldn't have anything to do with the
> client's name resolution behavior.)

The old MS Proxy2 did that.
ISA does it with the Web Proxy and the Firewall Service,...but if you use
ISA's SecureNAT Service then the Clients must resolve on their own. All the
NAT-based Firewalls don't (but they aren't proxies) and the Clients must
resolve on their own.
> And in that case it is much easier to do the blocking at
> the Proxy-ISA server (usually.)

That is what you do,..you just don't need to use Hosts files. Most proxies
have some form of "blacklists" that you enter the sites into. On ours it
redirects to a blank white page that simply says "Restricted Site" in the
upper left corner. It works great because it will often appear "inside"
banner ads because a lot of those banner ads are links to sites we restrict.
I get a kick out of those banner ads appearing in Websites that say
"Restricted Site" in them.
> I wonder what happens when he types (something simple like):
>
> ping chat.yahoo.com

Proxies like the old MS Proxy2 and ISA simply don't "proxy" ICMP at all (TCP
& UDP only),..so it fails. ISA will allow "ping" when using the SecureNAT
Service, so the blacklists must come into play to cover that.
 
Guest

Phil,

Thanks for the response. We are using ISA server 2000 as our firewall
solution. Where would I find/edit this "blacklist" in ISA?
 
Phillip Windell

Jim in Cleveland said:
> Phil,
>
> Thanks for the response. We are using ISA server 2000 as our firewall
> solution. Where would I find/edit this "blacklist" in ISA?

That was just my "term" for it. They are just simply part of the Rules in
ISA. You want to create a new Rule and make it a Deny rule,...include the
"evil sites" in the Destinations of the Rule. In the Action of the Rule it
is best to have it redirect to another Page. It can be just any HTML or ASP
page anywhere,...if it is HTML it doesn't even have to be on a webserver, it
can just be on the local hard drive anywhere you want it. Make the page nice
and "scary", tell them about all the things that will happen to their
family pet if they keep going to restricted sites,...just for fun.

If you don't have it redirect, the problem is that ISA will present them
with a prompt for credentials,..if they know someone's credentials who isn't
under the same restrictions they can use that to get around the
restrictions. If not that, then at least you would end up putting up with
all the calls about "Why is my machine asking for my login again?". It is
much better to just have a redirect page. Like I said, mine is just a blank
white static html page with "Restricted Site" in the upper left corner.
 
Phillip Windell

Be careful of how you mess with Deny rules. ISA2000 processes them in this
order and it cannot be changed:

1. Anonymous Deny
2. Anonymous Allow
3. Authenticated Deny
4. Authenticated Allow.

However,... ISA2004 processes all Rules in order from top-down like the ACLs
on a router do.
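The two evaluation orders Phillip describes, as an added Python model that is not from the thread: a small rule evaluator run in the fixed ISA 2000 class order and in the ISA 2004 top-down order against a constructed two-rule policy. That the first matching rule in each order decides, and the policy itself, are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    authenticated: bool  # True: rule applies only to authenticated users
    sites: frozenset     # destination names; "*" means any destination

def matches(rule, site, user_authenticated):
    """A rule scoped to authenticated users never matches an anonymous request."""
    if rule.authenticated and not user_authenticated:
        return False
    return "*" in rule.sites or site in rule.sites

# Class order Phillip gives for ISA 2000: (authenticated?, action).
# That the first match within this order decides is this example's assumption.
ISA2000_ORDER = [(False, "deny"), (False, "allow"), (True, "deny"), (True, "allow")]

def decide_isa2000(rules, site, user_authenticated):
    """Evaluate by rule class in the fixed order, ignoring how the admin listed them."""
    for auth, action in ISA2000_ORDER:
        for r in rules:
            if (r.authenticated, r.action) == (auth, action) \
                    and matches(r, site, user_authenticated):
                return r.action, r.name
    return "deny", "implicit"

def decide_isa2004(rules, site, user_authenticated):
    """Top-down, first match wins, as Phillip compares to router ACLs."""
    for r in rules:
        if matches(r, site, user_authenticated):
            return r.action, r.name
    return "deny", "implicit"

# Constructed policy: the admin lists a Deny for chat sites (authenticated
# users) above an Allow-everything rule that applies to any request.
POLICY = [
    Rule("block chat", "deny", True, frozenset({"chat.yahoo.com", "www.aim.com"})),
    Rule("browse", "allow", False, frozenset({"*"})),
]
```

With this policy an authenticated user reaches chat.yahoo.com under the ISA 2000 order, because the anonymous Allow is considered before the authenticated Deny, while the top-down order applies the Deny first.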
 
Herb Martin

He's probably going to need a script -- my list of
such blocked sites (in DNS) is something like
75,000 entries.

Even if his is smaller, it is likely it will exceed his
patience with the GUI.

Can you point him to a script?

You already suggested he try the ISA groups....
 
Phillip Windell

I don't know of a script although there may be one. With that many entries
I would never recommend using ISA's Rules,..they just aren't designed for
that heavy of use. I would recommend third party tools like maybe
SurfControl or some product like that.
 
Herb Martin

Phillip Windell said:
> I don't know of a script although there may be one. With that many entries
> I would never recommend using ISA's Rules,..they just aren't designed for
> that heavy of use. I would recommend third party tools like maybe
> SurfControl or some product like that.

I have tried to suggest (not argue) that to some ISA
experts who never seemed to accept that.

I was serious when I suggested the script (even if that
is too many to be practical). Perhaps he can check for
the script in the ISA group -- I know this (add by script)
had been suggested in the past even if for smaller filters.

> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
 
Phillip Windell

Herb Martin said:
> I have tried to suggest (not argue) that to some ISA
> experts who never seemed to accept that.

I'm a "realist", and also some things I just do by "gut feeling". I may not
always be right, but I'll accept that. :)
> I was serious when I suggested the script (even if that
> is too many to be practical). Perhaps he can check for
> the script in the ISA group -- I know this (add by script)
> had been suggested in the past even if for smaller filters.

If there is a script it may be hunted down on www.isaserver.org . It is a
pretty good site and is a primary source of ISA material.
 