Question

In particular I'm looking for an IP address that I can put in my hosts file that will black-hole a given DNS name. Right now I'm using 127.0.0.1 but that would start acting odd if I installed any services.

How can I prevent a 3rd party program from contacting a given server?

Was it helpful?

Solution

Actually the loopback IP 127.0.0.1 is ideal for ad blocking. If you run Apache anyway, you setup a virtual server that returns 404 for requests on 127.0.0.1. That way your browser is not constantly waiting for the connect to an unknown host to timeout. All those ad requests return instantly, freeing up resources in your browser to get the actual page content.

OTHER TIPS

RFC-3330 seems to be the goldmine

The best option seems to be:

192.0.2.0/24 - This block is assigned as "TEST-NET" for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet.

I've used 0.0.0.0 in my hosts file to block ad web sites. Not sure if there are any side affects?!?!

I see that you've correctly found that 192.0.2.0/24 is reserved for testing, and won't appear on the Internet.

However if your local area network relies on a default route to get to the rest of the Internet then you'll still be sending this traffic out of your network towards your ISP.

Best case is that your ISP will send back ICMP_NET_UNREACHABLE errors and your applications will notice those and act accordingly. Worst case is that the traffic is completely blackholed, at which point your applications will sit around until the connections timeout.

The correct strategy for avoiding this depends on your OS and local network configuration. On a Linux system I'd just add a route for that /24 with "reject" as a target.

Addresses 127.0.0.0 to 127.255.255.255 can be used for loopback connections.

So have your httpd listening on 127.0.0.1 and use any of the others for the blacklist.

If you use any of the private IP address ranges (10.whatever, 192.168.whatever) that you aren't connected to that should work.

One advantage of using 127.0.0.1 is that an attempt to contact the server will return immediately with failure (as long as you're not running a local server, of course). If you use any other address that does not refer to a specific machine, such as 192.0.2.x, then attempts to connect to a server at that address will take some time to time out (at least a minute or more).

I use denyhosts for ssh. http://denyhosts.sourceforge.net/ It attempts to block known malicious sources. Is this what you're talking about?

0.0.0.0 ( as another poster put ) shouldn't be used - it has a distinct meaning that isn't "nothing" and it isn't reserved for what in most cases is a dead-end. As for BCS's comment to dulaneyb about DCHP and private ranges - a private range is a private range. If you're kicking to your private range, then you're routing to an empty slot. If you're kicking to one of the other private ranges, then an upstream device should drop it.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top