Could I access a blocked website via a virtual machine if the host OS has the web address blocked in its hosts file?


Yes. The hosts file does not block anything; it just tells the computer where it can find named websites. When you try to go to google.com, the system will check its hosts file for that name, and if it exists, it'll use the IP there instead of looking up the IP from a DNS server.

A virtual machine has its own hosts file, and performs its own name resolution (i.e., checking its own hosts file and contacting its own DNS server), independent from the host computer.

Even if you redirected google.com to 127.0.0.1 (a common way of "blocking" a website), you can still get to Google simply by typing in 173.227.93.99 in your web browser instead.

Additionally, IP-based filters on the host OS may be useless depending on how the VM network is configured. Usually, the VM is "bridged" with the host networking, meaning that all the incoming traffic is duplicated and sent to the VM so that it can see all of the network traffic that the host does. Even if the host is configured to block or filter certain IPs (such as with a firewall), the VM will still get to see its "copy" of the data, which will allow the VM to browse the internet and ignore a filter installed on the host computer.


Remember the cardinal rule of computers and security: If I can physically touch a computer system, then given time I can have full control over it; kids have lots of free time, and by no means are they an exception to this rule. It's trivial to reboot a system into safe mode and remove NetNanny or any other piece of software installed upon it.

If you wish to filter/restrict/monitor what your kids do on the internet, you need to do so at the network level, not the system level. Look into what features your router supports (such as NetNanny integration like @Keltari suggests), and if it will support alternate router firmwares such as DD-WRT which can do a scheduled disconnect of the child's computer (say, from 10pm to 6am each day).

Even then, network filtering is often a game of Whack-A-Mole, and often easily thwarted by proxies like Tor; it is next to impossible to stop someone from accessing the internet that really wants to (just ask China or other countries that have massive firewalls which ultimately don't work perfectly).

With kids, you either have to talk with them and explain to them the perils of the Internet and have enough trust that they won't intentionally go seeking the bad sites (and then use NetNanny merely as a backup to stop accidental navigations), or you have to not let them use a connected computer unsupervised.
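
The resolution order described in this answer, as an added example that is not part of the original answer: a small Python parser for hosts-file text that audits which names a hosts-based filter actually sinkholes, and shows why a guest OS with its own hosts file resolves the same name differently. All names and addresses are constructed, and a dictionary stands in for the DNS server.

```python
import ipaddress

SINKHOLES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1", "::")}

def parse_hosts(text):
    """Parse hosts-file text into {name: address}; the first entry for a name is kept."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop the comment, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        for name in fields[1:]:                 # one address, one or more names
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def resolve(name, hosts_table, dns):
    """Hosts table first, then DNS; `dns` is a dict standing in for a DNS server."""
    key = name.lower().rstrip(".")
    if key in hosts_table:
        return str(hosts_table[key]), "hosts"
    return dns.get(key), "dns"

def audit(blocklist, hosts_table):
    """Report what the hosts file does for each name the filter is meant to cover."""
    report = {}
    for name in blocklist:
        addr = hosts_table.get(name.lower().rstrip("."))
        if addr is None:
            report[name] = "not covered"        # hosts files match exact names only
        else:
            report[name] = "sinkholed" if addr in SINKHOLES else "redirected"
    return report

# Constructed sample data: reserved example names, documentation-range address.
HOST_OS_HOSTS = """\
0.0.0.0     blocked.example      # filter entry
127.0.0.1   ads.example tracker.example
"""
GUEST_OS_HOSTS = "127.0.0.1 localhost\n"        # a fresh VM carries no filter entries
STUB_DNS = {"blocked.example": "192.0.2.10", "www.blocked.example": "192.0.2.10"}

if __name__ == "__main__":
    host, guest = parse_hosts(HOST_OS_HOSTS), parse_hosts(GUEST_OS_HOSTS)
    print(audit(["blocked.example", "www.blocked.example", "ads.example"], host))
    print(resolve("blocked.example", host, STUB_DNS), resolve("blocked.example", guest, STUB_DNS))
```

The audit makes the coverage gap visible: only names listed verbatim are overridden, and only on the machine whose hosts file contains them.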


Vinayak
Author by

Vinayak

Just another computer geek. Need to contact me personally for some reason? Send an email to: [email protected]

Updated on September 18, 2022

Comments

  • Vinayak
    Vinayak almost 2 years

    I was going through this Net Nanny article that mentioned the various ways its web filter could be bypassed by kids.

    Among other methods, I saw this:

    One way that teens can get around the filter entirely is to install a program that runs a virtual machine on the computer, essentially a computer within the computer. So, for example, if your computer’s operating system is Windows, the crafty teen can download a program that runs a virtual Windows operating system that won’t have Net Nanny installed, and then surf the web with no filter.

    Now I was wondering if this might still be possible if the hosts file on the host OS has blocked access to all unwanted websites (let's assume for the moment, that such a huge, regularly updated hosts file does exist) including sites with adult content, web proxies, P2P file-sharing sites, etc.

    Now would it be possible to visit those blocked sites from within a web browser running in the VM? Let's also assume that no VPN is used, and neither is Tor or Google's "cached" view of the webpage.

    • shortstheory
      shortstheory almost 10 years
      I've tried running Ubuntu on my Windows 7 installation with K9 installed but the hack didn't get past K9's defences :(
    • Vinayak
      Vinayak almost 10 years
      You must be doing something wrong because I could easily bypass it.
    • Vinayak
      Vinayak almost 10 years
      UPDATE: You probably set the VM's network connection mode as NAT. Change that to "Bridged" and K9 won't help anymore.
  • Keltari
    Keltari almost 10 years
    +1. Check if your router supports NetNanny integration; some do. If not, you can always purchase one that does.
  • Vinayak
    Vinayak almost 10 years
    Thanks! I was just wondering about the same thing (i.e. if it'd work if the VM's network adapter was "bridged" with the host or if it was configured as NAT).
  • user1984103
    user1984103 almost 10 years
    @Vinayak If it's configured as a NAT, then firewalls and IP filters on the host will affect the VM
  • Vinayak
    Vinayak almost 10 years
    @DarthAndroid: I just tried this in VMware Player with the network adapter configured as NAT and it still worked. That was interesting. The host couldn't access the blocked sites, but the guest could.
  • user1984103
    user1984103 almost 10 years
    @Vinayak It depends on how the sites are blocked (I've not used NetNanny nor looked at exactly how it works). If you configure the VM as NAT, and then configure the Windows Firewall to block an IP address, I would expect the VM not to be able to contact that IP address.
  • Vinayak
    Vinayak almost 10 years
    Thanks! I'll definitely look into DD-WRT and NetNanny integrated routers. Out of curiosity, would it help if there was a restrictive proxy (not sure if that's what it's called) sitting between the VM and the Internet? Like in corporate environments?
  • user1984103
    user1984103 almost 10 years
    @Vinayak See my edits to my post; a "blacklist" proxy (where you add sites to be blocked) can help if you want to stop accidental navigation to bad sites, but ultimately someone can get around it if they want to. A "whitelist" proxy (where you add sites to be allowed, and everything else is blocked) can stop people from going to unwanted sites, but requires much, much more work to maintain because you have to add each domain or IP to the whitelist. A site like SuperUser probably has 5-10 different domains that have to be whitelisted, if not more.
  • Vinayak
    Vinayak almost 10 years
    Nice edit by the way. I'd +10 if I could.
  • Digital Chris
    Digital Chris almost 10 years
    @DarthAndroid If the question is "Could I access a blocked website via a virtual machine..." shouldn't the first word of your answer be "yes", not "no"?
  • user1984103
    user1984103 almost 10 years
    @DigitalChris Fixed; it seems I skipped over half of the question that was asked.
  • Brad
    Brad almost 10 years
    +1 for "talk with your kids"... often the best answer.
  • reirab
    reirab almost 10 years
    +1 for "talk with your kids" and for "It is next to impossible to stop someone from accessing the internet that really wants to." I have lots of experience getting around all kinds of filters, not because I was ever trying to access anything inappropriate, but because I often had to get around overzealous filters to get my job done. In general, they're pretty easy to get around if you know much about networking (and not really even that hard with just basic knowledge.)
  • PTwr
    PTwr almost 10 years
    "127.0.0.1 (A common way of "blocking" a website)" - I think that using 0.0.0.0 is better for "blocking" than using localhost.
  • Rohit Pande
    Rohit Pande almost 10 years
    "Talk with your kids" is all well and good, and yes, by all means, you must explain the dangers to your kids. But for those (usually male) teens that already have a propensity (or addiction) for viewing certain provocative material, talking will not stop them. That said, +1 for scheduled router blocking as a secondary measure. I'd also add, use a strong router password (and username!), and a DNS Resolution Service such as OpenDNS (opendns.com).
  • Vinayak
    Vinayak almost 10 years
    @Ogre Psalm33: I tried using OpenDNS FamilyShield and set it up on my router, and it worked well on all devices connected to the Wi-Fi, but this measure was also easily thwarted by manually changing the network adapter's DNS server entries to use something else like Google DNS.
  • user1984103
    user1984103 almost 10 years
    @Vinayak I believe DD-WRT allows you to intercept and redirect all DNS requests under the hotspot service menu. You might take a look at that. I've not tested it though, so not sure if it works that easily.
  • Vinayak
    Vinayak almost 10 years
    Thanks! But as you suggested, I guess talking to the kids is the most effective way to combat the problem.
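
A detection-side check for the DNS-override bypass mentioned in the comments above, as an added example that is not from any commenter: it scans router connection-log lines for clients sending DNS to resolvers other than the approved one. The log format, the approved resolver address and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Assumption: LAN clients should send DNS only to the router, which forwards
# to the filtering resolver. Address and log format below are constructed.
APPROVED_RESOLVERS = {"192.168.1.1"}

SAMPLE_LOG = """\
2024-01-01T21:04:11 src=192.168.1.23 dst=192.168.1.1 proto=udp dport=53
2024-01-01T21:04:12 src=192.168.1.23 dst=203.0.113.5 proto=tcp dport=443
2024-01-01T21:07:40 src=192.168.1.42 dst=8.8.8.8 proto=udp dport=53
2024-01-01T21:07:41 src=192.168.1.42 dst=8.8.8.8 proto=tcp dport=53
2024-01-01T21:09:02 src=192.168.1.42 dst=8.8.4.4 proto=udp dport=53
truncated-line-with-no-fields
"""
REQUIRED = {"src", "dst", "proto", "dport"}

def parse_line(line):
    """Return (timestamp, fields), or None if the line is not a complete record."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not parts or not REQUIRED.issubset(fields):
        return None
    return parts[0], fields

def find_dns_bypass(log_text, approved=APPROVED_RESOLVERS):
    """Summarise DNS traffic (port 53, UDP or TCP) sent to non-approved resolvers."""
    findings = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ts, f = record
        if f["dport"] != "53" or f["proto"] not in ("udp", "tcp"):
            continue
        if f["dst"] in approved:
            continue
        entry = findings.setdefault(
            f["src"], {"resolvers": defaultdict(int), "first_seen": ts, "last_seen": ts})
        entry["resolvers"][f["dst"]] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)   # ISO 8601 sorts as text
        entry["last_seen"] = max(entry["last_seen"], ts)
    return {src: {**e, "resolvers": dict(e["resolvers"])} for src, e in findings.items()}

if __name__ == "__main__":
    for client, info in find_dns_bypass(SAMPLE_LOG).items():
        print(client, info)
```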