16

I was going through this Net Nanny article that mentioned the various ways its web filter could be bypassed by kids.

Among other methods, I saw this:

One way that teens can get around the filter entirely is to install a program that runs a virtual machine on the computer, essentially a computer within the computer. So, for example, if your computer’s operating system is Windows, the crafty teen can download a program that runs a virtual Windows operating system that won’t have Net Nanny installed, and then surf the web with no filter.

Now I was wondering if this might still be possible if the hosts file on the host OS has blocked access to all unwanted websites (let's assume for the moment, that such a huge, regularly updated hosts file does exist) including sites with adult content, web proxies, P2P file-sharing sites, etc.

Now would it be possible to visit those blocked sites from within a web browser running in the VM? Let's also assume that no VPN is used, and neither is Tor or Google's "cached" view of the webpage.

Vinayak

2 Answers

26

Yes. The hosts file does not block anything, it just tells the computer where it can find named websites. When you try to go to google.com, the system will check its hosts file for that name, and if it exists, it'll use the IP there instead of looking up the IP from a DNS server.

A virtual machine has its own hosts file, and performs its own name resolution (i.e., checking its own hosts file and contacting its own DNS server), independent from the host computer.

Even if you redirected google.com to 127.0.0.1 (a common way of "blocking" a website), you can still get to Google simply by typing in 173.227.93.99 in your web browser instead.

Additionally, IP-based filters on the host OS may be useless depending on how the VM network is configured. Usually, the VM is "bridged" with the host networking, meaning that all the incoming traffic is duplicated and sent to the VM so that it can see all of the network traffic that the host does. Even if the host is configured to block or filter certain IPs (such as with a firewall), the VM will still get to see its "copy" of the data, which will allow the VM to browse the internet and ignore a filter installed on the host computer.


Remember the cardinal rule of computers and security: If I can physically touch a computer system, then given time I can have full control over it; kids have lots of free time, and by no means are they an exception to this rule. It's trivial to reboot a system into safe mode and remove NetNanny or any other piece of software installed upon it.

If you wish to filter/restrict/monitor what your kids do on the internet, you need to do so at the network level, not the system level. Look into what features your router supports (such as NetNanny integration like @Keltari suggests), and if it will support alternate router firmwares such as DD-WRT which can do a scheduled disconnect of the child's computer (say, from 10pm to 6am each day).

Even then, network filtering is often a game of Whack-A-Mole, and often easily thwarted by proxies like Tor; it is next to impossible to stop someone from accessing the internet that really wants to (just ask China or other countries that have massive firewalls which ultimately don't work perfectly).

With kids, you either have to talk with them and explain to them the perils of the Internet and have enough trust that they won't intentionally go seeking the bad sites (and then use NetNanny merely as a backup to stop accidental navigations), or you have to not let them use a connected computer unsupervised.

Darth Android
  • 2
    +1. Check if your router supports netnanny integration, some do. If not, you can always purchase one that does. – Keltari Jul 28 '14 at 14:54
  • Thanks! I was just wondering about the same thing (i.e. if it'd work if the VM's network adapter was "bridged" with the host or if it was configured as NAT) – Vinayak Jul 28 '14 at 15:00
  • @Vinayak If it's configured as a NAT, then firewalls and IP filters on the host will affect the VM – Darth Android Jul 28 '14 at 15:03
  • @DarthAndroid: I just tried this in VMWare Player with the network adapter configured as NAT and it still worked. That was interesting. The host couldn't access the blocked sites, but the guest could. – Vinayak Jul 28 '14 at 15:08
  • @Vinayak It depends on how the sites are blocked (I've not used NetNanny nor looked at exactly how it works). If you configure the VM as NAT, and then configure the Windows Firewall to block an IP address, I would expect the VM not to be able to contact that IP address. – Darth Android Jul 28 '14 at 15:10
  • Thanks! I'll definitely look into DD-WRT and NetNanny integrated routers. Out of curiosity, would it help if there was a restrictive proxy (not sure if that's what it's called) sitting between the VM and the Internet? Like in corporate environments? – Vinayak Jul 28 '14 at 15:14
  • 1
    @Vinayak See my edits to my post; a "blacklist" proxy (where you add sites to be blocked) can help if you want to stop accidental navigation to bad sites, but ultimately someone can get around it if they want to. A "whitelist" proxy (where you add sites to be allowed, and everything else is blocked) can stop people from going to unwanted sites, but requires much, much more work to maintain because you have to add each domain or IP to the whitelist. A site like SuperUser probably has 5-10 different domains that have to be whitelisted, if not more. – Darth Android Jul 28 '14 at 15:16
  • Nice edit by the way. I'd +10 if I could. – Vinayak Jul 28 '14 at 15:16
  • 1
    @DarthAndroid If the question is "Could I access a blocked website via a virtual machine..." shouldn't the first word of your answer be "yes", not "no"? – Digital Chris Jul 28 '14 at 15:27
  • @DigitalChris Fixed; it seems I skipped over half of the question that was asked. – Darth Android Jul 28 '14 at 16:18
  • 14
    +1 for "talk with your kids"... often the best answer. – Brad Jul 28 '14 at 16:56
  • +1 for "talk with your kids" and for "It is next to impossible to stop someone from accessing the internet that really wants to." I have lots of experience getting around all kinds of filters, not because I was ever trying to access anything inappropriate, but because I often had to get around overzealous filters to get my job done. In general, they're pretty easy to get around if you know much about networking (and not really even that hard with just basic knowledge.) – reirab Jul 28 '14 at 21:27
  • "127.0.0.1 (A common way of "blocking" a website)" - I think that using 0.0.0.0 is better for "blocking" than using localhost. – PTwr Jul 29 '14 at 06:34
  • "Talk with your kids" is all well and good, and yes, by all means, you must explain the dangers to your kids. But for those (usually male) teens that already have a propensity (or addiction) for viewing certain provocative material, talking will not stop them. That said, +1 for scheduled router blocking as a secondary measure. I'd also add, use a strong router password (and username!), and a DNS Resolution Service such as OpenDNS (opendns.com). – Ogre Psalm33 Jul 29 '14 at 16:55
  • @Ogre Psalm33: I tried using OpenDNS FamilyShield and set it up on my router and it worked well on all devices connected to the Wi-Fi but this measure was also easily thwarted by manually changing the network adapter's DNS server entries to use something else like Google DNS. – Vinayak Jul 29 '14 at 18:04
  • @Vinayak I believe DD-WRT allows you to intercept and redirect all DNS requests under the hotspot service menu. You might take a look at that. I've not tested it though, so not sure if it works that easily. – Darth Android Jul 30 '14 at 14:47
  • Thanks! But as you suggested, I guess talking to the kids is the most effective way to combat the problem. – Vinayak Aug 01 '14 at 18:04
0

The hosts file DOES block images, ads and websites if you precede the URL with the address of either 0.0.0.0 or 127.0.0.1. The system checks the hosts file for addresses and if you give it the "home" or "null" address as a place to look for a resource, then that item is effectively blocked.

People use it all the time to block malicious sites, advertising URLs and many other things. OpenDNS does the same thing for you by blocking access to categories of websites, etc. that you don't want to see.

The correct answer is YES you CAN get around the hosts file's blocking of content by using a virtual machine, because the virtual machine uses its own hosts file.

But to say the hosts file doesn't block anything is just a load of manure.

Boss
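The resolution order both answers describe, as an added example that is not part of either answer: a small Python model in which each machine consults its own hosts table before DNS, so you can see which lookups a hosts-file blocklist on the host actually covers. The `Machine` class, the `.example` names and the 203.0.113.10 address are constructed for illustration, and the upstream DNS server is a plain dict.

```python
import ipaddress

def parse_hosts(text):
    """Parse hosts-file text into {lowercased name: address}; first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comment, split on whitespace
        if len(fields) < 2:
            continue                              # blank line, or an address with no names
        for name in fields[1:]:                   # one line may carry several names
            table.setdefault(name.lower(), fields[0])
    return table

class Machine:
    """One OS instance (host or guest): its own hosts table plus the DNS it asks."""
    def __init__(self, hosts_text, dns):
        self.hosts = parse_hosts(hosts_text)
        self.dns = dns                            # dict standing in for a DNS server

    def resolve(self, target):
        """Return (address, source); source shows which step answered."""
        try:
            return str(ipaddress.ip_address(target)), "ip-literal"  # no lookup at all
        except ValueError:
            pass
        name = target.lower().rstrip(".")
        if name in self.hosts:
            return self.hosts[name], "hosts"      # local override, checked before DNS
        if name in self.dns:
            return self.dns[name], "dns"
        return None, "nxdomain"

    def is_sinkholed(self, target):
        """True only when this machine's hosts file points the name at 0.0.0.0 or loopback."""
        addr, source = self.resolve(target)
        if source != "hosts":
            return False
        ip = ipaddress.ip_address(addr)
        return ip.is_unspecified or ip.is_loopback

# Constructed sample data (not taken from any real blocklist).
HOST_HOSTS = """\
127.0.0.1  localhost
0.0.0.0    blocked.example www.blocked.example  # two names on one line
"""
GUEST_HOSTS = "127.0.0.1  localhost\n"            # hosts file of a freshly installed guest
UPSTREAM_DNS = {"blocked.example": "203.0.113.10", "www.blocked.example": "203.0.113.10"}
host = Machine(HOST_HOSTS, UPSTREAM_DNS)
guest = Machine(GUEST_HOSTS, UPSTREAM_DNS)

if __name__ == "__main__":
    for target in ("blocked.example", "WWW.Blocked.Example", "203.0.113.10"):
        print(target, "host:", host.resolve(target), "guest:", guest.resolve(target))
```

Only the host's name lookups are covered by its hosts file; the guest's lookups and any address typed directly never consult it, which is why the first answer points to filtering at the network level.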