Block specific (sub)domains without editing hosts file

mikolajek

Hi all,

Can you please recommend an application that does a similar job to adding records to the hosts file? I'm looking for a tool capable of blocking connections for particular subdomains (not entire domains).

I don't really want to install another firewall (as I'm already using one) and I'm not sure if a firewall is able to block subdomains - I've always thought it's meant rather for working with IP addresses.

Your help is highly appreciated!
 

Use OpenDNS Parental controls. Otherwise you would have to use a router that allows you to set it at the router, in case someone figures out how to change the settings for the adapter DNS, to bypass the security.

A firewall is the first layer of protection. They are made to allow an admin to protect each computer from receiving info from possible intrusions. It also allows you to stop end users from getting to malware sites, or attempting to go to certain IPs or URLs.
 

Why not use hosts?????
 

@Ztruker - yes, I'm fully aware this is a simple and convenient way of disabling access to certain sites. However, it looks like it's not effective enough in my case, as even though I have set certain subdomains to 127.0.0.1, I'm still able to receive a response from those sites (meaning I'm not ending up at 127.0.0.1 as expected). I've double-checked the hosts file and it's set up correctly; moreover, it works correctly at my home. Just the work machine seems to ignore hosts settings...
 

What do you mean by sub-domains? Most web servers are actually Virtual Machines running on one Blade Server, or physical server.

As for work: most likely, if they are using a domain or the router is set to use a different set of rules through a proxy, your web browser will never even see the hosts file in the picture.
 

If you are still getting a response from a subdomain after setting it to 127.0.0.1 in the hosts file, then you have done something wrong. Some browsers cache DNS and do need a reboot - did you reboot after setup?
 

@bore23 - I'm looking to disable only a particular subdomain, like: video.site.com, while still being able to access www.site.com or audio.site.com

@z3r010 - sure I did reboot :)
 

You're going to need something a little more specialized.

DansGuardian running on a server that sits between your network and the internet would work very well if set up right.

That might be overkill though.

As far as ignoring the hosts file goes: does the work computer use IPv6? :)
 

With my Cisco RV320 gateway, I can trust or forbid certain domain access. That includes subdomains. You would still access the primary domain, as long as you have your rules set up properly.
 

@hydranix - no, I don't think our network uses IPv6, as I can disable it in the settings and everything keeps working.
 

If you point video.site.com to localhost or 127.0.0.1 in hosts, that should be all that's affected in that domain. Any other site.com should be okay. Is this not what you experience?
 

127.0.0.1 should only be used for localhost.

To block hostnames, use 0.0.0.0 instead.

Using 127.0.0.1 will cause requests on the loopback interface, which will need to time out.
If you run a web server or a special proxy locally, you could run into trouble and potential security problems.

0.0.0.0 has far better performance, and no chance of something hosted locally slipping into a browser or causing other unintended harm.

I also recommend setting a dummy hostname at the top of the hosts file for 0.0.0.0 to something like "everywhere".

Most tools that monitor network connections resolve through the hosts file, and when a process which is listening on all interfaces (most do) is listed in the tool, it will inaccurately report that the process is connected to the topmost entry for 0.0.0.0.
 

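The thread's two points about hosts entries (an entry matches one exact name, and loopback versus 0.0.0.0 as the sink address), as an added example that is not part of any post: a small hosts-file checker in Python. The sample file contents and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the thread); the site.com names
# follow the thread's own example.
SAMPLE_HOSTS = """\
# local names
127.0.0.1   localhost
::1         localhost
0.0.0.0     everywhere
127.0.0.1   video.site.com        # block that points at loopback
0.0.0.0     ads.site.com tracker.site.com
bad line without address
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Return (address, hostname) pairs in file order, skipping unusable lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        entries.extend((addr, name.lower()) for name in fields[1:])
    return entries

def lookup(entries, hostname):
    """Exact-name match: an entry for video.site.com says nothing about www.site.com.
    Assumption of this sketch: the first matching entry is the one returned."""
    for addr, name in entries:
        if name == hostname.lower():
            return addr
    return None  # not in hosts, so resolution would continue with DNS

def audit(entries):
    """Group blocked names by sink: loopback (can reach a local listener) or 0.0.0.0/::."""
    report = {"loopback": [], "unspecified": []}
    for addr, name in entries:
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback:
            report["loopback"].append(name)
        elif addr.is_unspecified:
            report["unspecified"].append(name)
    return report
```

The checker only reads the file; it cannot tell whether a proxy is resolving names on the browser's behalf, the case raised earlier in the thread.
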
@hydranix - the 0.0.0.0 trick worked! Thank you so much for that!

Now when I try to connect to e.g. video.site.com, it's no longer working, while with 127.0.0.1 it somehow worked. This might have been some setting within the corporate network / my machine config that was overwriting the typical behavior when such settings are recorded.
 
