Hosts file

From Wikipedia, the free encyclopedia

In computing, a hosts file, stored on the computer's filesystem, is used to look up the Internet Protocol address of a device connected to a computer network, such as your home computer connected to the Internet. The hosts file describes a many-to-one mapping of device names to IP addresses. When accessing a device by name, the networking system will attempt to locate the name within the hosts file if it exists. Typically, this is used as a first means of locating the address of a system, before accessing the Internet domain name system. The reason for this is that the hosts file is stored on the computer itself and does not require any network access to be used, whereas DNS requires access to an external system, which is typically slower.

Contents 1 History 2 Location 3 Syntax 4 Ad filtering 5 Hijacking 6 Windows quirks 7 Restoration of the hosts file (Windows and Linux) 8 External links 9 References

[edit] History

In the earliest days of the Internet's predecessor, ARPANET, there was no Domain Name System for resolving names into IP addresses. In order to simplify having to memorize IP addresses, a mechanism for translating memorable names to a valid IP address was developed. This mechanism was the HOSTS file method. The TCP/IP stack of an operating system would be modified so it would look up names from a file in order to try and translate them into IP addresses.

This method of performing name-to-IP lookups was in use for many years, as ARPANET was quite small and it was relatively easy to maintain a central HOSTS file that would be distributed to different sites. However, as ARPANET grew in size and complexity and more sites started expanding their own local TCP/IP networks (the beginning of Intranets), the HOSTS method on its own became insufficient. Thus the drive to develop a more scalable, dynamic system was started, which eventually resulted in the development of the widely-used DNS system.

However, TCP/IP-enabled operating systems from the ARPANET days (in other words, Unix and its progeny) retained the HOSTS mechanism up until the present day. Other non-Unix operating systems such as Microsoft Windows also adopted the mechanism. In small networks, it still provides a simple and very fast way to do name-to-IP-address translation.

Since the late 1990s, the HOSTS file mechanism has been adopted (primarily by Microsoft Windows) as a way to protect vulnerable computer systems from malware. At odds with the original intent of the HOSTS file, this adopted use actually takes host names that are perceived as malicious or unwanted and overlays them with "safe" IP addresses.

[edit] Location

The hosts file is generally named "hosts" and is located in the following directories for each operating system:

• Linux and other Unix-like operating systems: /etc
• Windows 95/98/Me: %windir%\
• Windows NT/2000/XP/Vista: %SystemRoot%\system32\drivers\etc\ is the default location, which may be changed. The actual directory is determined by the Registry key \HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath .
• Mac OS "Classic": System Folder:Preferences or System folder (format of the file may vary from Windows and Linux counterparts)
• Mac OS X: either /private/etc or /etc (the latter is a symbolic link to the former; uses BSD-style hosts file)
• OS/2 and eComStation: "bootdrive":\mptn\etc\
• Novell NetWare: SYS:\ETC
• OpenVMS, using HP TCP/IP: SYS$SYSTEM:TCPIP$HOST.DAT
• OpenVMS, using MultiNet: MULTINET_COMMON_ROOT:[MULTINET]HOSTS.LOCAL
• OpenVMS, using TCPware: TCPWARE_COMMON:[TCPWARE]HOSTS.

[edit] Syntax

The syntax of the hosts file is fairly straightforward. To assign a hostname to a target IP address, the target IP address is put at the beginning of a blank line, followed by one or more spaces and the hostname that should be resolved to that address. Any number of hostnames can be assigned to an IP address, however; a single hostname can only ever be assigned to one IP address at a time. Additionally, a hash (#) at the beginning of a line denotes a comment. Comment lines are ignored by the hosts file parser.

In the following example, we will assign the hostname, www.example.com and example.com the IP address 192.168.0.6 and add a comment explaining what we are doing...

192.168.0.6   www.example.com example.com
#The above line will cause www.example.com and example.com to resolve to 192.168.0.6

This also works...

192.168.0.6   www.example.com
192.168.0.6   example.com
#The above lines will cause www.example.com and example.com to resolve to 192.168.0.6

[edit] Ad filtering

One use of the hosts file is ad filtering. This is accomplished by adding a line to the file that maps an ad server's hostname to an address that will not satisfy the browser's request for the ad. Since no additional programs are necessary to do this, hosts file based ad-blocking has a near-zero memory and CPU footprint, as well as requiring no loading time. The hostname for an advertiser may be obtained by right-clicking on the banner or advertisement, then clicking properties from the context menu. This will indicate the full URL, of which the part between the double slash and first single slash represent the hostname. For instance, from the URL "http://img.example.com/example.jpg", the host name would be "img.example.com"

The two most common addresses used for this purpose are the 'null' address 0.0.0.0 (which may simply be written as a single '0') and the 'loopback' address 127.0.0.1. The distinction between the two is that 0.0.0.0 is an invalid destination address[1], so no connection can be established. If a name is mapped to the loopback address 127.0.0.1, any connections to the "blocked" domain will be mapped to the originating machine. If it is running a Web server, that Web server may attempt to handle the request. The ad-blocking technique may include a local web server that provides substitute images rather than 404 error messages, see [2] or [3], which would require the use of 127.0.0.1.

For example :

127.0.0.1 example.com 
127.0.0.1 ads.example.com 

[edit] Hijacking

The hosts file can also be used in malicious ways by the authors of spyware and viruses. It is similar to ad blocking with the hosts file, but instead of redirecting advertising servers to dummy ones, popular websites are redirected to an advertiser's server. This technique is known as hijacking. The Qhosts Trojan hijacked many search engines such as Google and AltaVista and redirected them to a site specified by the author.

Other malware such as Mydoom.B may just block the user from visiting sites about security and the removal of viruses. These sites included the makers of popular anti-virus software and Microsoft's Windows Update page to make the removal of the software more difficult for novice users.

Prevention of hosts file hijacking requires either routinely logging in with limited 'user' access (so malicious software has no privileges to change the hosts file, or other important things), or realtime monitoring software such as Windows Defender's "Hosts Monitor", which will warn if anything attempts to edit the hosts file. Changing the properties of the hosts file to read-only is mostly ineffective against modern hijacks as well-programmed malicious software can simply change the file's attribute value. Anti-spyware solutions like Spybot - Search & Destroy and ZoneAlarm's anti-spyware module have a feature to "lock" the hosts file. This does nothing more than set it to read-only. Another way to do this is set the permissions for the file so everyone can only read from it, although the owner and therefore malicious software running in the context of it can change the permissions in Windows and the root user can ignore the permissions in Unix.

[edit] Windows quirks

Windows XP has the "DNS Client" service running by default which caches previous DNS requests in memory. It also reads the entire hosts file into that cache as well, which can cause a slowdown at boot time if the file is large (most likely because it is being used for ad filtering). One solution is to disable this service. However, Microsoft claims that "The overall performance of the client computer decreases and the network traffic for DNS queries increases if the DNS resolver cache is deactivated."^[1]

To force changes made to the hosts file into the DNS cache run the following in a cmd prompt:

ipconfig /flushdns

[edit] Restoration of the hosts file (Windows and Linux)

When a program hijacks the hosts file, it may be necessary to restore it.

1. Identify the location of the hosts file for your operating system
2. Create a backup copy
3. Open it with a basic text editor such as Notepad or Nano
4. Remove all entries for the sites which are hijacked. Some may have been added for legitimate programs. Always be sure to back up your hosts file. MAKE SURE THESE LINES ARE IN THE HOSTS FILE:

127.0.0.1        localhost
::1              localhost

1. Save the file
2. Restart your computer (some versions of Windows only - not Windows XP)

[edit] External links

More Information

• Hosts File Info A hosts file resource directory
• Blocking ads on the Internet with a list of ad server hostnames and IP addresses.
• Eliminate Web Advertisements The author describes how to combine hosts files with multiple technologies to block advertisements.
• Eric L. Howes - Spyware Warrior contains many good links for security and hosts-file-related stuff.
• SSMedia hosts file and Utilities
• Why Should You Wait for Internet Propagation? - An Alternative Use to the Hosts File

Custom Hosts Files

• Andrew Short's Hosts file project comprehensive hosts file.
• MVPS hosts Information on blocking ads using a HOSTS file and a free, comprehensive, updated HOSTS file download (commercial use restricted!)
• BadHosts Henry Hertz Hobbit's superset of the MVPS hosts file (commercial use restricted!)
• HPHosts Good ad blocking hosts file.
• The Security Now! podcast page on the hosts file
• Dan Pollock's hosts file Pretty thorough website, lots of comments, lot of work went into this as shown in his credits.
• Mikes Ad-Blocking hosts file available as a direct download to merge in, or as an installer.
• Hosts-pider A public hosts file with over 100,000 hostnames in the blacklist and counting.
• SCoooBY's Hosts File A huge list of ad servers that he's gathered & acumulated over time.
• Ad Blocking Lists Peter Lowe's List - Ad blocking with ad server hostsnames and IP addresses - blocklist available in many different formats.
• (French) Airelle Lists Thematic recently updated Hosts (anti-malwares, anti-ads, anti-porn, anti-tracks) and big blacklist of 400,000 sites.

Applications to Manage Hosts Files

• Abelhadigital's HostsMan 3.0 beta 1 is a freeware application that lets you manage your hosts file (now with auto-updates).
• Bluetack, B.I.S.S Hosts Manager
• Funkytoad's Hoster 3.1 free application to arrange, and edit your hosts file.
• Mike Meyer's HostsToggle 2.1 an open source hosts file tweaker
• KH Blocker KH Blocker is a free app which downloads/updates/protects an AD Blocking HOSTS file (Windows XP/2000 only).

Alternatives to using Hosts Files

• Ad Muncher AdMuncher will work with all browsers on Microsoft Windows
• AdBlock Plus AdBlock Plus works with Firefox on all operating systems to block ads
• King Of The PAC PAC filter that blocks common spy domains and filters some porn. Will work on all operating systems with most modern browsers
• DNS Redirector an intermediary DNS server which replaces known ad server names with the IP of your own page, usually a blank page or message indicating content is blocked. As a DNS server this works for all computers on the LAN, without having to manage/distribute Hosts files to each machine.
• Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk.

[edit] References

1. ^ http://support.microsoft.com/kb/318803 - How to Disable Client-Side DNS Caching in Windows XP and Windows Server 2003