
Currently I use a big /etc/hosts to block unwanted hostnames. But the file is getting bigger and bigger, closing in on 700000 entries. There are many similar entries, so I would like to use wildcards like *.co.kr because I don't speak any Korean. Also, hostnames that start with a digit or are longer than 64 characters are likely candidates I want to block.

AFAIK /etc/hosts does not provide that functionality. I think some kind of DNS daemon is required. Any ideas?

Edit: I chose the Korean TLD just as an example. My /etc/hosts is getting bigger and bigger and harder to maintain. Most of the hostnames in there could be reduced to a small set of rules instead.

aggsol
  • @Archemar I want to block all outgoing traffic system wide the same way `/etc/hosts` works. – aggsol Aug 08 '17 at 09:43
  • You can find details here: https://en.wikipedia.org/wiki/Hosts_(file) – aggsol Aug 08 '17 at 09:47
  • Look at https://serverfault.com/questions/118378/in-my-etc-hosts-file-on-linux-osx-how-do-i-do-a-wildcard-subdomain – stoney Aug 08 '17 at 09:57

2 Answers


Name resolution is a pretty poor way of blocking undesired web traffic. The list of things to block and not to block keeps changing, and sometimes you need to block per URL and not just per host. Browser extensions such as AdBlock* and uBlock* tend to do a much better job. If you want to write your own list, you can write a PAC file.

If you really want to block requests based on domain names, do it with a DNS proxy, not with /etc/hosts. /etc/hosts can only do individual hosts. Dnsmasq is a popular, lightweight DNS proxy. Some distributions set up dnsmasq by default; most distributions have it as a package. To make a whole domain appear as localhost with dnsmasq, you can use the following line in /etc/dnsmasq.conf:

address=/co.kr/127.0.0.2
Gilles 'SO- stop being evil'
  • Browser only is not an option as other programs might try to open malicious domains or advertising or do tracking. – aggsol Aug 09 '17 at 06:39
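The two ideas in the question and in this answer, turned into one runnable illustration (added here; it is not code from the question, the answer, or the dnsmasq project): parse a hosts-style blocklist, sort each entry under the asker's rules (a blocked domain suffix, a leading digit, a name longer than 64 characters), and emit the dnsmasq `address=/domain/ip` lines that express the suffix rule. The hostnames in `SAMPLE_HOSTS` are constructed; the sink address `127.0.0.2` is the one used in the answer above.

```python
"""Constructed example: collapse a hosts-file blocklist into rules and emit
dnsmasq address= lines.  Not code from the question, the answers or dnsmasq."""

# Constructed sample hosts-file content (made-up names, not real blocklist data).
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1   localhost",
    "0.0.0.0     ads.example.co.kr",
    "0.0.0.0     tracker.example.co.kr   cdn.example.co.kr",
    "0.0.0.0     123static.example.net",
    "0.0.0.0     static.example.com",
    "0.0.0.0     " + "x" * 40 + ".tracking.metrics.example.org",
])

# Loopback names that belong in every hosts file and must never count as blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

SINK = "127.0.0.2"   # sink address from the dnsmasq answer


def parse_hosts(text):
    """Return the blocked hostnames (lower-cased) from hosts-file text.

    Comments are stripped, blank lines skipped, and every alias on a line is
    taken, since one hosts line may carry several names after the address.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for name in line.split()[1:]:
            if name.lower() not in LOCAL_NAMES:
                names.append(name.lower())
    return names


def classify(name, suffixes, max_len=64):
    """Return the rule that covers NAME, or None if it needs an explicit entry.

    suffixes: domain suffixes to block wholesale (e.g. ["co.kr"]); a suffix
    matches the domain itself and everything below it.  The leading-digit
    and length rules are the asker's own heuristics.
    """
    for suffix in suffixes:
        if name == suffix or name.endswith("." + suffix):
            return "suffix:" + suffix
    if name[0].isdigit():
        return "leading-digit"
    if len(name) > max_len:
        return "too-long"
    return None


def consolidate(names, suffixes, max_len=64):
    """Group NAMES by the rule that covers them; return (covered, remaining)."""
    covered, remaining = {}, []
    for name in names:
        rule = classify(name, suffixes, max_len)
        if rule is None:
            remaining.append(name)
        else:
            covered.setdefault(rule, []).append(name)
    return covered, remaining


def dnsmasq_config(names, suffixes, sink=SINK, max_len=64):
    """Build dnsmasq 'address=/domain/ip' lines.

    One line per suffix replaces every hosts entry under that suffix.  dnsmasq
    has no regex or length trigger, so names caught only by the leading-digit
    or length heuristics still get one explicit line each, as do the leftovers.
    """
    covered, remaining = consolidate(names, suffixes, max_len)
    lines = [f"address=/{s}/{sink}" for s in suffixes]
    explicit = set(remaining)
    explicit.update(covered.get("leading-digit", []))
    explicit.update(covered.get("too-long", []))
    lines += [f"address=/{h}/{sink}" for h in sorted(explicit)]
    return lines


if __name__ == "__main__":
    names = parse_hosts(SAMPLE_HOSTS)
    covered, remaining = consolidate(names, ["co.kr"])
    for rule, hits in covered.items():
        print(f"{rule}: {len(hits)} entries")
    print(f"needs explicit entry: {remaining}")
    print("\n".join(dnsmasq_config(names, ["co.kr"])))
```

On the constructed sample the single `address=/co.kr/127.0.0.2` line replaces three hosts entries, which is the reduction the asker is after; the per-rule counts show how much of a real 700000-line file each suffix would absorb. Note that the suffix line also sinks every legitimate name under co.kr, and that the leading-digit and length rules cannot be written as dnsmasq configuration at all, so entries they catch remain explicit lines.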

DNS filtering is a wrong idea, see https://www.afnic.fr/medias/documents/conseilscientifique/SC-consequences-of-DNS-based-Internet-filtering.pdf

However, you could achieve part of your solution by using bind and its RPZ feature, see https://dnsrpz.info/

Patrick Mevzek
  • Thank you for the links. The paper however does only partly apply to my use case. I use the hosts list for my private desktops, mobiles, tablets and servers where overblocking is welcome and false positives easily fixed. – aggsol Aug 10 '17 at 07:25
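What the RPZ approach in this answer looks like in practice, as an added illustration that is not part of the answer and not taken from dnsrpz.info: a constructed BIND response-policy zone that expresses the same `co.kr` suffix rule as a QNAME trigger. The zone name `rpz.local`, the SOA values and every hostname are placeholders.

```zone
; Constructed BIND response-policy zone (placeholder name "rpz.local").
; Added illustration, not from the answer or from dnsrpz.info.
$TTL 300
@                    IN SOA  localhost. root.localhost. ( 1 3600 900 2592000 300 )
                     IN NS   localhost.

; QNAME triggers: the suffix itself plus a wildcard for every name below it.
; "CNAME ." is the NXDOMAIN action, so any lookup under co.kr is answered
; with "no such name" instead of being forwarded.
co.kr                CNAME   .
*.co.kr              CNAME   .

; A single host; "CNAME *." is the NODATA action (the name exists, but the
; query gets an empty answer), which is gentler on clients than NXDOMAIN.
tracker.example.net  CNAME   *.

; An exception: the exact name beats the wildcard, and "rpz-passthru." tells
; the resolver to answer it normally.
mail.example.co.kr   CNAME   rpz-passthru.
```

The zone is activated with a `response-policy { zone "rpz.local"; };` statement in the `options` block of named.conf and an ordinary `zone "rpz.local"` definition pointing at the file. Like dnsmasq, RPZ has only name, IP and nameserver triggers, so the suffix wildcard is the only one of the asker's three rules it can express; the leading-digit and length rules would still have to be pre-expanded into individual names when the zone is generated.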