I don't even waste time or cpu cycles with browser based blocking applications. Steven Black's[1] maintained hosts files are the best for blocking adware, malware, fakenews, gambling , porn and social media outlets.

[1] - https://github.com/StevenBlack/hosts/

Depending on your threat model, you might need to go the proxy/firewall route.

Hosts file is a weird middle ground - that has to be installed and maintained on every device, many of which (e.g. iphone/ipad) won't let you do that. It's better to set up a local DNS, which will serve every local machine; and as I mentioned, doing this at a firewall level is better yet.

Edit: spelling

It doesn't quite work well while on the road sometimes. For those cases, I have a docker running diginc/pi-hole (with some additional hosts file blocking going on), then I point my laptops DNS towards that and am good to go.

1) processes and machines that bypass hosts are also caught 2) a large hoss file takes time to parse, line by line, slowing every DNA lookup. A DNs server should cache the entire better.

Dnsmasq takes entries in a hosts file format.

Zone files are more flexible than HOSTS files, but I still use HOSTS as well. I have never had a concern about the speed of using HOSTS. It is certainly faster than DNS.

There is a comment in this thread where someone asserts that HOSTS was never designed to handle "millions of entries".

I would be interested in reading about a user who visits "millions" of websites or otherwise needs to do lookups on "millions" of domains.

I maintain a database of every IP address I am likely to use on a repeated basis, in several formats, with kdb+ as the "master" format. I believe most users will never come close to intentionally accessing "millions" of IP addresses in their entire lifetime.FN1 I could be mistaken and it would be interesting to learn of a user who can dispel this belief.

FN1. If you think about this, it may cause you to question the necessity of DNS for such users. Or not. Times have changed since the advent of HOSTS. They have also changed since the advent of DNS. For example, using "consumer" hardware, I can fit all the major ICANN TLD zones on external storage and the entire com zone (IMO, by far the most important) in memory. This is many, many more domains than I will ever need to look up. Assuming at best I will not live much longer than 100 years, I could not and will not explore them all or even a significant fraction.

Until DNS changes.

If I move a server from one IP to another, I change DNS, and in $TTL time everyone's pointing at the new server. Apart from you with a hosts file. How does that work if everyone has a hosts file?

If I say "check out this interesting story on blahblah.com", you don't have it in your hosts file, how do you get it?

I maintain a list of every phone number I am likely to use on a repeated basis, but sometimes I need to look up a phone number I don't know (in the old days this was a phone book locally, and directory inquiries further afield. Now it's ddg and assume they have a website. Which isn't in my hosts file or dns cache, and I've never visited before)

I maintain DNS entries for my home network of a dozen devices -- I host it on my mikrotik, but it's handy to have, when I type "ssh laptop" rather than remembering if it's on .71 or .73. It's one step better than a plain text file, as there's a standard based way to remotely query it. At work I maintain a DNS server with 2000 entries on my network, which is actually hosts file powered, but again I use dnsmasq for the DNS server rather than rsyncing that hosts file to 2000 machines.

In your particular case, I dont know. You have to do what best suits your needs, whatever they are.

Here is how someone else solves the problem of changing IP addresses. For my needs, I actually like this method.

The entire ICANN DNS used to be bootstrapped to a small text file called "root.hints", db.cache, named.root, named.cache, or something else. As far as I know, it still is.

How does one know the IP address from which to retrieve this text file?

Maybe they have it memorized, or written down somewhere, or perhaps it is written into some DNS software default configuration. In all cases, they have this address stored locally.

No remote lookup.

What happens when the administrator of the server that publishes the text file wants to change IP addresses?

This does not happen very often, but it does happen. What do they do? Considering that the entire ICANN DNS was bootstrapped to this one file, and assuming this is truly meant to be a dynamic system, then this is arguably the most important IP address on the internet.

They notify users in advance that the IP address is going to change.

Thats it.

As a www user, of course I would have to do a DNS lookup for blahblah.com. However I do not do lookups for the server with db.cache, for the .com nameservers, and in most cases not for the nameserver for blahblah.com either, and I do not do lookups using recursive caches. If blahblah.com changes its IP address I do not have to wait for changes to propagate through the system via TTLs. I am querying the authoritative nameserver, RD bit unset. If an IP address changes from the one I have stored, I know immediately when I try to access it. (I like being aware of these changes.) If I was relying a recursive cache I would probably not notice that the IP address had changed.

IME, IP address changes happen less frequently than people writing about DNS on the web would have one believe. Hence this system works well for me. Most domainnames I encounter are keeping the same IP address for long periods.

Ideally, if blahblah.com is not changing IP addresses frequently or unexpectedly but needs to make a change, she could publish a notice somewhere on her web server informing users she will be moving to a new IP address, just like the server that serves db.cache.

One benefit to the hosts file is that it travels with you everywhere you go. I have my DNS configured at home, but my hosts file for when I'm at a coffee shop, on a plane, work trip, or vacation.

https://github.com/2ndalpha/gasmask/releases

I heard that blackholing requests to Microsoft telemetry URLs also has no effect. Any way of finding the unlockable list I wonder.

Malware would redirect facebook.com to some scam site probably.

Given how popular FB is, Microsoft decided to "fix" this.

(This is all a hypothetical, I don't actually know this for sure.)

I guess they hardware the IPs into Windows.

More likely they just bypass looking at the local hosts file for such names, so the request always goes out to your DNS servers.

Therefore blocking these names by redirecting to 127.0.0.1 will work if done at your DNS server (for instance if you run an instance of https://pi-hole.net/ for that).

Unless of course they make the lookup use specific name servers that they run, instead of the local resolvers that your machine is configured to look at, for those names but that is less likely.

    nslookup google-analytics.com 8.8.8.8

    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Name:    google-analytics.com
    Addresses:  192.168.1.2

This is objectively false. A hosts file blocklist cannot:

- Global blacklist and whitelist select URLs

- Block all sub-domains of a given URL

- Block third-party iframes and scripts (with whitelist)

A hosts file's feature set is not a superset of a browser based solution and the two complement each other.

Mind, I use both hosts and uMatrix. Each has its place.

Hosts file is a real pain to disable/enable, at least quite a bit worse than clicking one button in your browser.

I do something very similar to hosts file (at router level rather than os), but there are a few drawbacks over an extension.

On my jailbroken iphone(s) one of my first steps of security hardening is to replace the hosts file.

* Pi-hole®: A black hole for Internet advertisements – curl -sSL https://install.pi-hole.net | bash || https://pi-hole.net/

My 1blocker rule called "Bye Facebook" is:

  https?://([a-z\.]*)?facebook\.com.*

- [1] https://1blocker.com (This costs money)

- [2] https://developer.apple.com/library/content/documentation/Ex...

Most browsers rely on WKWebView, which uses the Safari Nitro JavaScript engine but allows customization of the user interface as well. UIWebView is pretty much legacy at this point, and SFSafariViewController does not allow any customization beyond basic theming.

> Safari Content Blockers apply globally preventing web visits

Unfortunately, this is not true. They only work in Safari and Safari view controllers.

> Safari Content Blockers also prevent Messages from rendering Facebook content inline

Are you sure about this? As far as I know, Messages uses a web view.

Sorry about the confusion... I'm really doing a lot to keep myself off of Facebooks radar.

- [1] https://itunes.apple.com/us/app/adblock/id691121579?mt=8

What's your threat model? Mine is third-party tracking cookies, and desktop apps don't share my browser's cookie jar. So while technically I can be tracked by IP from a desktop app, Facebook can't tell if it's me or someone else at the same coffee shop.

In particular, one nice thing about Chrome extensions is that they don't apply to incognito windows. I regularly use HTTPS Everywhere in block-all-HTTP-requests mode + an incognito window on wifi connections I don't trust, because the incognito window will permit plaintext requests, but it doesn't read my cookies or write to my cache, so it's sandboxed from my actual web browsing. I can safely read some random website that doesn't support HTTPS with my only concern being my own eyes reading a compromised page; none of my logged-in sessions are at risk.

> any software dependency library that you install without properly checking if it's got some social media tracking engine built in.

... is this a thing? (I totally believe that it's becoming a thing, I just haven't seen it yet and am morbidly curious.)

Eventually, they will tie your various devices to you.

These a chapter / section on this (and FB) in Chaos Monkeys.

https://www.antoniogarciamartinez.com/chaos-monkeys/

That book was published 2+ yrs ago. I can only assume the technology is more thorough and sophisticated now.

p.s. see also Dragnet Nation

http://juliaangwin.com/dragnet-nation-available-now/

1: https://panopticlick.eff.org

I use uMatrix only experimentally (I rely on NoScript) but it offers a fascinating flexibility of control if one is in the mood. As well, NoScript is near useless when doing stuff with AWS where uMatrix offers the right flexibility (allow from site Y, but only when fetched from site X).

I had heard of uMatrix but didn't realize it had that functionality, which is pretty cool! Thanks for sharing!

Edit: your browser history (which may contain your profile URI) might be pretty out in the open, too.

My threat model is a developer who includes a standard tracking snippet from a third party but is not going out of their way to reliably violate my privacy at all costs (because they have other features to ship, and the tracking snippet works on most computers). If your threat model includes actively malicious developers, stop running native apps from them at all.

I would dearly love to, if all OSes came with a permission system other than just "run in admin mode/sudo".

you can enable extension to run in incognito mode in settings

IP whitelists could also be aggregated and shared on github similar to the current DNS blacklists.

HOSTS files are static. They were never designed for blocking ads or tracking. And for all we know, every connection does a linear search through the HOSTS file so the larger it gets, the more wasted time, because it was never designed to have millions of entries.

My public broadcaster (http://www.abc.net.au/news/) for instance is completely reliant on third parties for it's "live story" functionality. It loses half it's functionality at work where twitter is blocked and uBlock kills the other half. It also kills the live stream when it can't load one of the half a dozen trackers on the page.

I'd love the no-script functionality to be merged in too so that I could turn off javascript by default.

I default deny all 3rd party scripts and frames, in addition to the blocklists, and I only sparingly noop relevant domains, the bare minimum to make pages work, on a page-by-page basis.

On top of that, I have Privacy Badger, Cookie Autodelete Decentraleyes and I've turned on first-party isolation.

It's mostly unobtrusive once my most important websites have been properly noop'ed, and it's relatively simple to add temporary exceptions if needed.

That's just putting rules into /etc/hosts ?

edit - answered my own question :) Yes it will.

My ISP won't but there are ways around that. The biggest problem I've faced is on the modem side of things, finding something I'd trust to be open to the internet, ideally something I can install openWRT or similar on and something I know will work in my market. It's an options minefield.

Not to say /etc/hosts doesn't work, these days I just find I prefer things with better UX.

---

[1] https://www.obdev.at/products/littlesnitch/index.html

[2] https://www.obdev.at/products/microsnitch/index.html

I also don't pre-emptively load in rules into Little Snitch - I have it running in active/interrupt mode, so it prompts me whenever it tries to make a new connection I haven't signed off on before. Unsurprisingly, not very many apps try to connect to Facebook.

[1]: https://github.com/evilsocket/opensnitch

The dynamic filtering matrix should be available after that.

Granted the defaults are not as strict as uMatrix, it's a good middle ground.

I would recommend "Medium mode"[1] as defined in the uBlock wiki.

[1] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...

https://support.mozilla.org/en-US/kb/tracking-protection

It runs after any add-ons. It's a useful second step that can catch things add-ons miss.

What do you mean?

And, btw, I use Privacy Badger instead of Disconnect.