Hosts: Blocking AAAA (IPv6) Requests

Created on 24 Nov 2015 · 15 Comments · Source: StevenBlack/hosts

I'm running OpenWRT with dnsmasq on my personal router where I use the generated hostfile.

The Problem
Host names that are blocked by the hostsfile (0.0.0.0 redirect) can be _bypassed_ by AAAA requests.


Background:
nslookup google-analytics.com (which is blocked by the hostsfile) on a local machine in my network returns "0.0.0.0" _and_ a remote IPv6 address.

Looking into the log files of the router one could see that the A-Request is blocked by the hostsfile, but the AAAA request is redirected to the remote DNS-Server.


Solution
Shouldn't we start blocking AAAA (IPv6) requests as well by generating ::1 entries to the existing entries? That would result in a doubled size of the hosts file.

0.0.0.0 www.blocked-host-nr-1.com
0.0.0.0 www.blocked-host-nr-2.com

would become

0.0.0.0 www.blocked-host-nr-1.com
0.0.0.0 www.blocked-host-nr-2.com
::1 www.blocked-host-nr-1.com
::1 www.blocked-host-nr-2.com


Testing
As a "real life test" I applied the mentioned change (adding ::1 entry for _every_ 0.0.0.0 entry).
The log files show that within 20 hours there were 49 of the ::1 entries that were blocked (which normally wouldn't have been).

So this really seems to be a thing to think about.


The point is that I'm not 100% sure if that applies to hosts files on local machines too or if that's just a dnsmasq thing.

I myself find it necessary to implement AAAA blocking as well. For personal use I wrote a script for that. The question is if you want/need to integrate this in your project.

Any ideas or opinions anyone?

enhancement
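The "Background" and "Testing" parts of the report above rely on reading the dnsmasq log to see which queries were answered from the hosts file and which were forwarded. The following is an added example (not code from the issue or from the StevenBlack/hosts project) that automates that check over dnsmasq's log-queries output: it reports names whose A query was sinkholed by the hosts file while the AAAA query went upstream (the bypass described above), and names whose AAAA query was answered locally with ::. The log lines are constructed for this example in the shape dnsmasq prints ("query[AAAA] NAME", "forwarded NAME", "<file> NAME is ADDR"); the host names, client and upstream addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the issue or the StevenBlack/hosts project.
# Audits a dnsmasq log (log-queries output) for the AAAA bypass: a name
# answered from the hosts file for A (0.0.0.0) whose AAAA query was
# forwarded upstream. Token shapes assumed: "query[AAAA] NAME",
# "forwarded NAME to SERVER", "<file> NAME is ADDR"; compare with your own
# log output before relying on the counts.

# Read a dnsmasq log on stdin and print, sorted:
#   leak NAME          A sinkholed by the hosts file, but AAAA forwarded upstream
#   blocked-aaaa NAME  AAAA answered from a hosts file with ::
audit_aaaa_leaks() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "query[AAAA]") {
                pending[$(i + 1)] = 1            # AAAA query seen, answer not yet known
            } else if ($i == "forwarded" && ($(i + 1) in pending)) {
                forwarded[$(i + 1)] = 1          # AAAA went to the upstream resolver
                delete pending[$(i + 1)]
            } else if ($i == "is" && i > 1 && $(i + 1) == "0.0.0.0") {
                sinkholed[$(i - 1)] = 1          # A answered from the hosts file
            } else if ($i == "is" && i > 1 && $(i + 1) == "::") {
                blocked6[$(i - 1)] = 1           # AAAA answered from the hosts file
            }
        }
    }
    END {
        for (n in forwarded) if (n in sinkholed) print "leak " n
        for (n in blocked6) print "blocked-aaaa " n
    }' | sort
}

# Constructed sample log (not captured from a real router); addresses come
# from documentation ranges. The third name is not blocked at all, so its
# forwarded AAAA query must not be reported as a leak.
SAMPLE_LOG='Nov 24 10:00:01 router dnsmasq[1234]: query[A] www.blocked-host-nr-1.com from 192.168.1.10
Nov 24 10:00:01 router dnsmasq[1234]: /etc/hosts www.blocked-host-nr-1.com is 0.0.0.0
Nov 24 10:00:01 router dnsmasq[1234]: query[AAAA] www.blocked-host-nr-1.com from 192.168.1.10
Nov 24 10:00:01 router dnsmasq[1234]: forwarded www.blocked-host-nr-1.com to 192.0.2.53
Nov 24 10:00:01 router dnsmasq[1234]: reply www.blocked-host-nr-1.com is 2001:db8::1
Nov 24 10:00:02 router dnsmasq[1234]: query[A] www.blocked-host-nr-2.com from 192.168.1.10
Nov 24 10:00:02 router dnsmasq[1234]: /etc/hosts www.blocked-host-nr-2.com is 0.0.0.0
Nov 24 10:00:02 router dnsmasq[1234]: query[AAAA] www.blocked-host-nr-2.com from 192.168.1.10
Nov 24 10:00:02 router dnsmasq[1234]: /tmp/hosts-v6 www.blocked-host-nr-2.com is ::
Nov 24 10:00:03 router dnsmasq[1234]: query[AAAA] www.example.org from 192.168.1.11
Nov 24 10:00:03 router dnsmasq[1234]: forwarded www.example.org to 192.0.2.53'

# Run the audit over the constructed sample and return the report as a string.
sample_audit() {
    printf '%s\n' "$SAMPLE_LOG" | audit_aaaa_leaks
}

sample_audit
```

On a router, pipe the real log in instead of the sample (for example `logread | audit_aaaa_leaks` on OpenWrt with log-queries enabled); a non-empty set of "leak" lines is the condition the original post describes, and it should go to zero once the :: entries are loaded.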

Most helpful comment

I know this is an old post but I just want to thank @hd074 for implementing the solution. I recently figured out how to use dnsmasq on my router and noticed that all IPv6 addresses were going through, and I found this post which saved me a lot of time researching the "how to". I'm pretty sure that this post would help others like me in the future, so I'll post how I decided to do it: I basically (due to using two hosts files from different sources) first remove empty lines, comments etc. from both of them, then merge them and remove duplicates if any, and then create an additional identical hosts file for IPv6 only and add it (addn-hosts=) to dnsmasq.conf (the whole process takes about 11 sec., which is not bad). Now dnsmasq reads from two hosts files and so far I didn't notice any delays when loading pages, which is very good news. I'll post my little script here just for reference if anyone needs it:

#!/bin/sh
# fetch the two source lists
wget https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts -O /media/AiDisk_a1/Hosts/addhosts
wget https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/win10/spy.txt -O /media/AiDisk_a1/Hosts/windowshosts
# strip comments, blank lines, the localhost/broadcast entries, existing IPv6 entries and the "0.0.0.0 0.0.0.0" line
sed -i '/#/d; /^$/d; /^255/d; /^127/d; /::/d; /^0\.0\.0\.0 0\.0\./d' /media/AiDisk_a1/Hosts/addhosts
sed -i '/^#/d; /^$/d' /media/AiDisk_a1/Hosts/windowshosts
# remove duplicates and merge both files
awk '!x[$0]++' /media/AiDisk_a1/Hosts/addhosts /media/AiDisk_a1/Hosts/windowshosts > /media/AiDisk_a1/Hosts/hosts
# check again for duplicates in the new "hosts" file
uniq -d /media/AiDisk_a1/Hosts/hosts
# create the additional IPv6 hosts file: same names, :: instead of 0.0.0.0
sed 's/^0\.0\.0\.0/::/' /media/AiDisk_a1/Hosts/hosts > /media/AiDisk_a1/Hosts/IPv6
# print the number of lines to compare (for testing; both counts must match)
wc -l /media/AiDisk_a1/Hosts/hosts
wc -l /media/AiDisk_a1/Hosts/IPv6
# remove the original files
rm /media/AiDisk_a1/Hosts/addhosts /media/AiDisk_a1/Hosts/windowshosts
# restart dnsmasq so both hosts files are reloaded
killall dnsmasq && /usr/sbin/dnsmasq
exit 0

THANKS AGAIN TO ALL PARTICIPANTS

All 15 comments

https://github.com/qutorial/hoststool
This fork generates configuration for dnsmasq. Using it you could block domains and subdomains as well.
Maybe this would be a working solution for you?
A description can be found here if you would like to learn more: http://molotnikov.de/dnsmasq

@hd074 interesting proposal. I like it.

@qutorial Thanks for that.
I already wrote myself a bash script for the A+AAAA hostsfile, so I'm fine at this point.
But I'll have a closer look into the dnsmasq part of your implementation. Thank you!


If somebody is interested in the IPv4+IPv6 bash script:
https://github.com/hd074/hosts/blob/ipv6Branch/mergeIpv4Ipv6.sh
If you want to use it make sure you change the first variable (workpath) to your needs.

@hd074 nice bash!

Wouldn't using :: instead be better, because that is the IPv6 equivalent to 0.0.0.0, while ::1 is the equivalent to 127.0.0.1?

@lewisje that's a fair point. Thanks!

@lewisje Thanks! updated my scripts.

Good suggestion. The only thing to be mindful of is that sometimes IPv6 sites are hosted on different sub-domains to their IPv4 domains. I think this is less common these days than it once was (e.g. Google used to only have AAAA records on ipv6.google.com, but now AAAA is included on google.com as well). But it does mean that there _may_ be a few instances where IPv6 lookups slip through the net. However, partial protection is still better than none :)
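To put together the proposal from the original post (a second entry for every blocked name so AAAA queries are answered locally) and the correction above to use :: rather than ::1, here is an added example (not code from the issue, from @hd074's script, or from the StevenBlack/hosts project). It derives the IPv6 companion entries from a 0.0.0.0-format hosts file while skipping the lines that must not be duplicated (comments, blank lines, the localhost and broadcast entries and the "0.0.0.0 0.0.0.0" self-entry) and keeping several names on one line together. The function names, the sample hosts content and the file paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or the StevenBlack/hosts project.
# Generates IPv6 companion entries for a 0.0.0.0-format hosts file so that
# AAAA queries for blocked names are answered locally. It uses :: (the
# unspecified address, the IPv6 counterpart of 0.0.0.0) rather than ::1.
# Assumes the input uses the "ADDRESS NAME [NAME...]" hosts format and that
# the caller supplies readable/writable file paths.

# Print a :: entry for every 0.0.0.0 line read from stdin. Comments, blank
# lines, the localhost/broadcast lines and the "0.0.0.0 0.0.0.0" self-entry
# are skipped; several host names on one line are kept together.
gen_ipv6_entries() {
    awk '
        /^[[:space:]]*#/  { next }          # comment line
        NF < 2            { next }          # blank line, or address without a name
        $1 != "0.0.0.0"   { next }          # only sinkhole entries (skips 127.0.0.1, ::1, 255.255.255.255)
        $2 == "0.0.0.0"   { next }          # the "0.0.0.0 0.0.0.0" line found in some lists
        {
            $1 = "::"                       # rewrite the address field; awk rebuilds $0
            sub(/[[:space:]]*#.*$/, "")     # drop a trailing comment
            print
        }'
}

# Write a dual-stack hosts file: the original lines followed by the generated
# :: lines, as one file for dnsmasq (addn-hosts=) or for a system hosts file.
build_dual_stack_hosts() {
    src="$1"
    dst="$2"
    { cat "$src"; gen_ipv6_entries < "$src"; } > "$dst"
}

# Constructed sample input (not a real list) for a stand-alone run.
SAMPLE_HOSTS='# Title: constructed sample
127.0.0.1 localhost
::1 localhost
255.255.255.255 broadcasthost
0.0.0.0 0.0.0.0

# Start of blocked entries
0.0.0.0 www.blocked-host-nr-1.com
0.0.0.0 www.blocked-host-nr-2.com tracker.blocked-host-nr-2.com # trailing comment'

# Return the generated :: lines for the sample as a string.
sample_ipv6_entries() {
    printf '%s\n' "$SAMPLE_HOSTS" | gen_ipv6_entries
}

sample_ipv6_entries
```

Appending the generated lines to the same file (rather than a second addn-hosts file) keeps one list to manage; the line count of the output should equal the original count plus the number of 0.0.0.0 entries, which is an easy sanity check after each refresh.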

+1 for this issue.

@hd074 Your script works great on my DD-WRT router, thanks!

Startup script:

# fetch the current list
wget -qO /tmp/ad-hosts-v4 https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

H_MERGE=/tmp/ad-hosts
H_ORIG=/tmp/ad-hosts-v4

# IPv4 sinkhole entries, deduplicated, then the same names with :: for AAAA
sort $H_ORIG | uniq | grep "^0" > $H_MERGE
sort $H_ORIG | uniq | grep "^0" | sed "s/0\.0\.0\.0/::/g" >> $H_MERGE
stopservice dnsmasq && startservice dnsmasq

Additional DNSmasq options:
addn-hosts=/tmp/ad-hosts

Can someone draft an edit for the readme-template.md for the takeaways from this issue to be added to the "Interesting Applications" section so we can close this issue before it hits the two-year mark, with over a year of no activity? Preferably someone who can verify the validity of the information provided with their own working knowledge and a working version of dnsmasq.


This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 daysif no further activity occurs. Thank you for your contributions.

stale bot has a typo in template... 14 daysif no (needing space)
