Sunday Feature: Windows Security Checklist - Part 7: HOSTS File: Wholesale Blocking
by Larry Stevenson, aka Prince_Serendip, CastleCops Staff Writer January 09, 2005
No single application or technique can protect you 100%, but
you can still get pretty close to that. When Windows users follow
these guidelines, their chances of being infected by malware drop
almost to zero. Now we begin the next installment of the
Windows Security Checklist - Part 7: HOSTS File: Wholesale Blocking.
It is not as complicated as it may first appear, although there is
a lot of information to absorb. The Security Experts, 1st Responders,
Special Response Team members and Host Consultants at CastleCops can
help you if you have questions about any of these techniques.
HOSTS Files: Wholesale Blocking
To remove and block website ads, offensive content and malware,
you can purchase specific software or you can use free techniques
available for any browser. The HOSTS file built into Windows can be
used to block ads, banners, cookies, web bugs, and even most hijackers.
It does this by blocking, on your own computer, the servers and sites that provide them. For example, the entry
127.0.0.1 ads.badsoftware.com
blocks all files provided by the badsoftware server to the web pages you look at, while stopping it from tracking your movements.
The HOSTS file is the first place a browser looks for an IP address
(unless you are using a proxy server, more on that later) when you type
in a URL such as www.happycampers.com.
If it does not find the domain name in the HOSTS file, only then does
the browser ask the DNS server. It is this fact that makes the HOSTS
file an excellent means for blocking website ads.
HOSTS is a text file you can open in Notepad. At the top is an
explanation of the simple syntax. Each line is an IP address, a domain
name, and an optional comment placed after a # sign. A default entry in
every HOSTS file looks like this:
127.0.0.1 localhost # this is the universal IP address of all local computers
127.0.0.1 is an IP address called the "loopback" because it refers
to the local computer only. The loopback address gives developers a way
to test web software without being physically connected to a network.
This prevents errors in network hardware or software from obscuring
test results. The loopback address can be used to stop web ads from
displaying.
To use the HOSTS file to block web ads, you add a list of hosts
that serve offensive or malicious content, with each of these domains
mapped to the loopback address, that is, your own computer. When you go
to a site that contains ads, the browser looks on your own machine for
the ads and never visits the ad server. The ads are never displayed and
the ad server has no opportunity to put tracking cookies on your computer.
Many ad-blocking HOSTS files, for various purposes, are available for download on the Internet.
Regularly Updated AdServers Lists
http://pgl.yoyo.org/adservers/serverlis...rmat=hosts
http://www.dozleng.com/hpguru/
http://accs-net.com/hosts/get_hosts.html
You do not need to install anything or change any settings. Windows
automatically looks for a HOSTS file and, if one is found, checks it
first for entries matching the web pages you request.
127.0.0.1 is the location of your own computer, so when the entry
"ad.doubleclick.net" is requested, your computer thinks 127.0.0.1 is the
location of the file. When the file is not found there, the browser
skips on to the next file, and thus the ad server is blocked from
loading the banner, cookie, or malicious JavaScript file. Note that
Opera has a tendency to search longer than Internet Explorer does. This
can be mitigated by using a little freeware application called eDexter.
See below for more information.
This takes nanoseconds, which is much faster than trying to get a
file from the other side of the planet. Another nice feature of the
HOSTS file is that it is a two-way file, meaning if some malware does
get into your system it cannot get out (call home) as long as the
proper entries exist. For this reason it is essential to keep your
HOSTS file up to date.
In most cases a large HOSTS file tends to slow down the machine.
However, this only happens in Windows 2000 and XP. Windows 98/se and ME
are not affected.
To resolve this issue open the "Services Editor"
Start > Run (type) "services.msc" (no quotes)
Scroll down to "DNS Client", Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual, click Apply/Ok and restart.
HOSTS file lists need regular updates since new ad servers keep
popping up. If you see an ad while using an ad-blocking HOSTS file, it
means one of two things: either the ad is hosted on the site's own
server, or the ad server is new. To find out where the ad is coming from,
right-click on it and select "Copy Shortcut." If the ad is hosted on
the site, you cannot block it with a HOSTS file, as HOSTS files only
block whole sites. For a new ad server, paste the domain portion of
this URL into your HOSTS file with a redirect to 127.0.0.1.
Blocking More Than Ads
Traditionally, the HOSTS file was used to block ads and banners,
but it was determined by Microsoft MVPs (Most Valuable Professionals)
that many of the parasites and malware that get onto our machines by
surfing websites can also be blocked in a similar fashion.
It serves no purpose if you block the ad banner from displaying, as
most other HOSTS files do, but get hijacked by a parasite from a script
or download contained on the website. The object is to surf faster
while preserving your safety, security and privacy.
Direct Download of MVP Host List: Hosts.zip
You can also right-click the link and select "Save Target As." Unzip in
a "temp" folder and place in the appropriate installed location. The
below locations are for the default paths, edit as needed.
Windows 95/98/Me: c:\windows\hosts
Windows NT/2000/XP Pro: c:\winnt\system32\drivers\etc\hosts
Windows XP Home: c:\windows\system32\drivers\etc\hosts
Using HOSTS with Proxies
If you connect to the Internet using AOL, a custom dialer, through
a Local Area Network (LAN) or a remote proxy server, using a HOSTS file
may not work. A remote proxy server does the DNS requesting for you,
which prevents the HOSTS file from being used. Your
browser will route its request through your proxy server before your
machine looks up an entry in HOSTS.
If you are using a proxy server:
In IE, go to the Internet Options > Connections tab and choose your connection.
Make sure the box called "bypass proxy server for local addresses" is checked.
These types of changes should only be made on a "stand-alone"
machine. If you are "Networked" you should check your configuration
prior to making any changes.
Always check with your current ISP before making any changes, or you could lose your Internet connection.
HOSTS File Problems and Solutions
The HOSTS file technique is useful, but there can be some problems
with it. Ad-blocking HOSTS files can include sites that run ad servers
you do not want but that also provide content you may still want to
see. This occurs because some ad servers provide other types of content.
For example, the ad server akamai.com also provides streaming media for
many web sites, including Microsoft, for whom they handle Windows
Updates. If you block akamai.com, you will not be able to access
Windows Updates.
You would like to see something else in place of ads, but in actual
practice there are "Action Canceled" error messages repeated wherever
an ad would have been. This can be fixed, as you will soon see.
Problems with delays occur. HOSTS files redirect ad-server requests
to IP addresses that are not servers. Internet Explorer will fail
immediately if it cannot find a server, but other browsers can wait
much longer before quitting.
Both these problems can be solved by installing a small, single
purpose, local-only HTTP server that does nothing but serve images
(which you can determine) when requests are received on the loopback
address. This replaces unsightly error messages with the images you
prefer, and eliminates delays because the browser receives an immediate
response. A free utility for this purpose is eDexter. It also cures Opera's endless searching. For more info and downloads: http://www.accs-net.com/hosts/eDexter.html
It works in Windows 95/98/Me and Windows NT/2000. eDexterJavaDog is also
available for cross-platform use with Linux, Macintosh, etc.
Back Button Problems
You click the Back button to return to the previous page and it
appears that nothing happens. What usually occurs is that the HOSTS
file has blocked one or more ad pages that are embedded into the web
page you were viewing.
To verify this click the small drop-down arrow on the Back
button. Is an ad server listed? In some cases the web page can contain
a script to prevent the user from returning to a previous page. Simply
skip to a valid link.
Make a HOSTS Editor
To edit your HOSTS file you can create a custom Desktop/Quick Launch shortcut.
The below locations are for the default paths, edit as needed.
Windows XP
Target: C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS
Start In: C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows ME/98
Target: "C:\Program Files\Accessories\WORDPAD.EXE" C:\WINDOWS\HOSTS
Start In: "C:\Program Files\Accessories"
Note: the quotes are required in both of the above entries.
Copy and paste the above to avoid typing mistakes.
To Edit the HOSTS File
> You must maintain the proper format or else the entry will be invalid.
> Entries are invalid if they contain "http:" or an ending slash.
> IP addresses are invalid as HOSTS file entries.
> Remember that the HOSTS file should be in capital letters.
> If you wish to disable an entry place a "#" in front of the line.
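The format rules above can be checked mechanically before a list is put in place. The following is an added example, not code from the original article or from any HOSTS list maintainer; lint_hosts, is_ip and keep_reachable are names assumed here, and apart from the article's own ads.badsoftware.com entry the sample hosts are constructed placeholders. It goes slightly beyond the listed rules by also flagging entries that point somewhere other than the loopback address and entries that would block a domain you want to keep reachable, such as the akamai.com case mentioned earlier.

```python
import ipaddress

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def lint_hosts(text, keep_reachable=("akamai.com",)):
    """Return (blocked_hosts, problems); problems are (line_number, reason)."""
    blocked, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment or disables a line
        if not line:
            continue
        addr, *names = line.split()
        if not is_ip(addr) or not names:
            problems.append((n, "expected '<IP address> <host name>'"))
            continue
        for name in (h.lower() for h in names):
            if "http:" in name or "/" in name or "\\" in name:
                problems.append((n, f"{name}: URL or slash, only bare host names work"))
            elif is_ip(name):
                problems.append((n, f"{name}: an IP address cannot be blocked here"))
            elif name == "localhost":
                continue  # the default entry, not a block
            elif addr != "127.0.0.1":
                problems.append((n, f"{name}: maps to {addr}, not the loopback address"))
            elif any(name == d or name.endswith("." + d) for d in keep_reachable):
                problems.append((n, f"{name}: also blocks content you may want"))
            else:
                blocked.append(name)
    return blocked, problems

# Constructed sample; only ads.badsoftware.com comes from the article itself.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 ads.badsoftware.com   # valid block entry
127.0.0.1 http://ads.example.com/
127.0.0.1 192.0.2.10
#127.0.0.1 disabled.example.com
10.0.0.5 tracker.example.net
127.0.0.1 media.akamai.com
ads.example.org 127.0.0.1
"""

if __name__ == "__main__":
    print(lint_hosts(SAMPLE))
```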
Modifying the HOSTS file on your computer incorrectly can interfere
with name resolution. Be sure to make a backup copy of the HOSTS file
before modifying it. Please be sure you rename your hosts file from
hosts.txt to HOSTS (no extension).
Also, if your Intranet (LAN) uses Dynamic Host Configuration
Protocol (DHCP) to dynamically assign IP addresses to computers, keep
in mind that the IP addresses can change, and therefore the IP address
referred to in your HOSTS file may eventually belong to another
computer.
Related Utilities
> WinPatrol will allow you to lock your HOSTS file and will monitor changes.
> SpywareBlaster can encrypt and create backups of your HOSTS file.
> SpyBot - Search & Destroy has an option to "lock" the HOSTS file.
Article Resources
Best regards and always take care of your security.