Show HN: Hostsctl – Control /etc/hosts easily, block ads, social networks, etc (github.com)
45 points by 0xl3vi 12 months ago | 26 comments

I think (on Linux, at least) it's better to implement this as an NSS module (/etc/nsswitch.conf). You can do things like look up a hashtable, automatically update databases, etc. without having to rewrite system config files.

Also this does not protect you from programs that perform their own dns lookups, and ignore /etc/hosts and /etc/resolv.conf entirely!

What's the advantage of that? How does it protect you against programs that perform their own lookups?

Oh, NSS modules wouldn't either. Perhaps intercepting and rewriting every DNS request would be needed.

I would recommend PiHole [1] for something like this.

Not only is it more robust, it acts as a DNS/HTTP server that blocks this kind of stuff on a whole network.

1: https://github.com/pi-hole/pi-hole

This is pretty cool, I was not aware of this project, thanks for sharing.

I like this and could use something like it, but you should use POSIX sh (/bin/sh) and not rely on Bash in the shebang as well as non-portable functionality it introduces.

This wouldn't work out of the box on FreeBSD.

I recommend this tool: https://www.shellcheck.net/

Related discussion from several years ago: https://news.ycombinator.com/item?id=5264405

Interesting in the demo that pings to fail. Is that a common setup for some distribution to block icmp on the localhost if?

Why resolve blocked domains to anyway? Wouldn't work better?

My thought exactly. I send to instead of

Also, my go to site for hosts is: http://someonewhocares.org/hosts/

and I am more than happy to share that on Windows/Firefox I use a combo of AdBlock+ and NoScript so I only allow FB and the other "socials" to run their crap ONLY on their own websites and not on others (e.g. the -tracking- "like" buttons on CNN)

is not a valid host ip will actually make a TCP connection on the network whereas the loopback won't.

    $ ping
    connect: Invalid argument
    $ ncat 80
    Ncat: Invalid argument.

No, it's my firewall setup. I blocked ICMP for security reasons on my servers (:

Which actual security benefits do you get from blocking ICMP? Is that really worth it, considering that you break Path MTU Discovery, rendering your servers unusable for some people?

For example: https://github.com/inquisb/icmpsh.

"my servers" is my home servers, not some "web servers". Maybe it's just me (: (paranoid on security)


While it's good to be proactive about security, it is also helpful to understand why blocking icmp (particularly wholesale) is a bad idea.

I had a network guy tell me the other day that he is blocking traceroute for "security reasons". I can't even... =(

I made the mistake the other day of reminding my work colleagues of a certain instructional video relating to traceroute that did the rounds some years ago. Now they are joyfully calling it "Tracer T" all of the time. (-:

How about the performance? Big hosts files AFAIK perform rather badly.

With AWK? Did you test this? We are not using sed(1).

No, with the hosts file in general. I did this once (a while ago) and I did notice a difference in website loading speed when I put 1000 lines into that thing.

This was a problem solved in 1983. Read RFC 882 and RFC 883.

One caveat: all your custom enabled/disabled hosts disappear after "update" command.
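The hosts-file handling discussed in this thread (choice of sink address, large blocklists, and the caveat above that custom entries vanish on "update") can be made safe with a managed region in the file. The script below is an added example and is not hostsctl's code or any project's code; the `# managed-blocklist-begin` / `# managed-blocklist-end` markers, the default sink address and the sample hosts lines are this example's own assumptions. It rewrites only the marked region, keeps every other line intact across repeated updates, rejects wildcard entries (which /etc/hosts cannot express; dnsmasq can, as noted later in the thread), collapses duplicates, and reports names that end up with conflicting addresses in the same family instead of guessing which one a resolver will pick.

```python
"""Merge a blocklist into a hosts file without losing the user's own entries.

Added example; markers, sink default and sample data are assumptions, not
taken from hostsctl or any other project.
"""
import ipaddress
import re

BEGIN_MARK = "# managed-blocklist-begin"   # assumed marker names
END_MARK = "# managed-blocklist-end"

# RFC 1123-style hostname: labels of 1-63 chars, total length <= 253, no wildcards.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def parse_hosts(text):
    """Return [(ip, [names]), ...] for every non-comment line.

    Trailing '# comments' are stripped; a malformed line raises ValueError so a
    corrupted file is noticed rather than partially applied.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected '<ip> <name...>', got {raw!r}")
        ip = ipaddress.ip_address(fields[0])        # ValueError on garbage
        entries.append((str(ip), [n.lower() for n in fields[1:]]))
    return entries


def clean_blocklist(names):
    """Normalise and validate blocklist names; returns (accepted, rejected).

    Wildcards such as '*.example' fail the hostname check because /etc/hosts
    has no wildcard support; duplicates are dropped to keep the file small.
    """
    accepted, rejected, seen = [], [], set()
    for name in names:
        n = name.strip().lower().rstrip(".")
        if not n or n in seen:
            continue
        if HOSTNAME_RE.match(n):
            accepted.append(n)
            seen.add(n)
        else:
            rejected.append(name)
    return accepted, rejected


def merge_blocklist(hosts_text, names, sink="0.0.0.0"):
    """Rewrite only the managed region; every other line is preserved verbatim.

    The sink is validated as an IP address so a typo cannot produce a file the
    resolver chokes on. Missing or unbalanced markers abort the rewrite.
    """
    sink = str(ipaddress.ip_address(sink))
    accepted, _ = clean_blocklist(names)
    managed = [BEGIN_MARK] + [f"{sink} {n}" for n in accepted] + [END_MARK]
    lines = hosts_text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.strip() == BEGIN_MARK]
    ends = [i for i, l in enumerate(lines) if l.strip() == END_MARK]
    if len(starts) == 1 and len(ends) == 1 and starts[0] < ends[0]:
        lines = lines[:starts[0]] + managed + lines[ends[0] + 1:]
    elif not starts and not ends:
        if lines and lines[-1].strip():
            lines.append("")                     # blank line before the region
        lines += managed
    else:
        raise ValueError("managed-region markers missing or unbalanced; refusing to rewrite")
    return "\n".join(lines) + "\n"


def resolve(hosts_text, name):
    """First-match lookup over the file; None if the name is absent."""
    name = name.lower()
    for ip, names in parse_hosts(hosts_text):
        if name in names:
            return ip
    return None


def conflicts(hosts_text):
    """Names with more than one address of the same IP family.

    A custom entry earlier in the file shadows a blocklist entry for the same
    name, so surface the clash instead of silently resolving it.
    """
    seen = {}
    for ip, names in parse_hosts(hosts_text):
        fam = ipaddress.ip_address(ip).version
        for n in names:
            seen.setdefault((n, fam), set()).add(ip)
    return {n: sorted(ips) for (n, _), ips in seen.items() if len(ips) > 1}


# Constructed sample data (not from any real system).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  intranet.example   # the user's own entry
"""
SAMPLE_BLOCKLIST = ["Ads.Example.", "tracker.example", "ads.example",
                    "*.wild.example", "intranet.example"]


def demo():
    """Apply the blocklist, then a second 'update' with a shorter list."""
    first = merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST)
    second = merge_blocklist(first, ["tracker.example"])   # custom entry must survive
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print(second)
    print("conflicts after first update:", conflicts(first))
```

Running `demo()` shows the user's `intranet.example` line surviving the second update, the earlier custom entry winning the first-match lookup over the sink entry, and `conflicts()` flagging that clash for review. A real hosts file is not touched; the functions take and return text, so they can be wired to a write-to-temp-then-rename step.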


Use dnsmasq and then you can wildcard the subdomains

Hostctl => as sinkholectl

