Is it stupid to schedule a script to update 'hosts' file by copying contents from my online text file?

0

I'm using this site to upload a text file that I'll update occasionally. On another system, I'm planning to add a task in Task Scheduler to run a Python script that accesses this online text file, appends a line from it to the hosts file stored in C:\Windows\System32\drivers\etc\.

Of course, I'll schedule the task from an administrator's login, and I'll enable the "Run whether user is logged on or not" option so that this script will run even if other users are logged in.

The online file is only readable. Only the owner can modify the text file.

So, what are the security concerns here? Is this really a stupid set-up? Am I better off not scheduling the task?

user313811

Posted 2017-10-17T10:51:15.490


I have to wonder why you would not just set up a DNS server. – Seth – 2017-10-17T11:15:05.153

@Seth, I don't have any knowledge about networking. So I'll look that up in Google first. – None – 2017-10-17T11:18:06.910

3 It sounds potentially dangerous and a security risk to do it. Someone could (if they were so inclined) hack into the website, modify the file for you and redirect Google to a malware-infested domain. That sort of change shouldn't be made automated IMO and should never rely on some random page on the internet. – Mokubai – 2017-10-17T11:36:23.937

The specific vulnerability is that it makes man-in-the-middle attacks trivial, if the attacker can inject or alter entries into the list you are copying down. – Frank Thomas – 2017-10-17T11:44:47.260

1 Seriously, just set up a DNS server on your network to do the name resolution. As I mentioned in your previous question dnsmasq should be able to handle this, it's just a matter of getting your network set up correctly. Basically your router needs to be set up to use your new internal DNS server and your DNS server then goes through the gateway to your "old" DNS servers. You can then get all the benefits of name resolution in a centrally configured location without dangerously mangling the hosts file. – Mokubai – 2017-10-17T11:45:17.463

@Mokubai, I've dropped my idea. I just wanted to get opinions of everybody here about the vulnerabilities, as I don't know much about networking. I'll check out your suggestion. I already read your comment to my previous question, googled what dnsmasq meant. But I couldn't understand much, and concluded it was probably overkill for the task I was trying to accomplish. – None – 2017-10-17T13:45:00.333

@Mahesh then tell us about your actual problem. So far I've seen two potentially scary solutions to a problem I don't understand. Help us to solve your problem by telling us what it is. If you have a partial solution then that's cool, you've obviously been thinking about ways around this, but to really help we need to know *why* as well as *how* you are doing the things you are doing. – Mokubai – 2017-10-17T13:51:17.973

@Mokubai, I'll edit the question to specify the entire problem. It might not fit inside a single comment. – None – 2017-10-17T13:53:46.340

1 It might be worth leaving this question as is and starting a new one. That way you can reference back to your previous questions saying what ideas and solutions you tried and why they were discounted. Your original method in your previous question could still be workable but this question is currently quite definite in its scope. – Mokubai – 2017-10-17T14:00:58.977

@Mokubai, I've added a new question describing my situation and my attempts. – None – 2017-10-17T14:48:48.417

Answers

0

Doing this is a very bad thing from a security perspective.

You would essentially be trusting your internet connection to an insecure file stored on an open host on the internet, with little or no way to validate that the file has not been maliciously altered.

If anyone gets access to that location then they could easily populate it with every popular location on the internet and redirect every one of them to malware hosting locations. They could wreak all sorts of mischief and you wouldn't know until it is way too late to do anything about it. You would have effectively given administrator access to an important system file to "some guy on the internet".

This could be done by hacking the website, guessing your username and password or other means. You could be spear-phished into accidentally disclosing your login details.

By default though, it looks like those pages can be viewed over http rather than https. I would hope that you'd at least try to download over https (secure http) because if you use non-s http you could easily be MITM'ed by someone sniffing and modifying traffic as it went through a router between you and that site. Again this would effectively allow someone to rewrite your hosts file and do fun things to or with your computer.

What you should actually do, if you need to have regularly changing hostnames, is to set up a DNS server on your network to do the name resolution. As I mentioned in a comment on your previous question dnsmasq should be able to handle this, it's just a matter of getting your network set up correctly. Basically your router needs to be set up to use your new internal DNS server and your DNS server then goes through the gateway to your "old" DNS servers. You can then get all the benefits of name resolution in a centrally configured location without dangerously mangling the hosts file. 

Mokubai

Posted 2017-10-17T10:51:15.490

Reputation: 64 434
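
An added example, not part of the answer above or the asker's script: what "validating that the file has not been maliciously altered" would take before any line reaches the hosts file. It assumes an HMAC-SHA256 tag published next to the text file, a key provisioned out of band, and an allowlist of names the updater may set; all names, the key and the sample data are constructed.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example (none of these values come from the page):
ALLOWED_NAMES = {"nas.home.example", "printer.home.example"}  # names the updater may set
SHARED_KEY = b"constructed-demo-key"  # provisioned out of band, never stored with the file

def verify_tag(body, tag_hex):
    """Constant-time check of an HMAC-SHA256 tag published next to the file."""
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)

def vet_entries(text):
    """Split hosts-format text into (accepted, rejected) lines."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            rejected.append(raw)
            continue
        names = [n.lower() for n in fields[1:]]
        if names and all(n in ALLOWED_NAMES for n in names):
            accepted.append(f"{fields[0]}\t{' '.join(names)}")
        else:
            rejected.append(raw)  # e.g. an entry for a popular public site
    return accepted, rejected

# Constructed sample of a tampered download: the second line redirects a popular site.
SAMPLE = "192.168.1.20 nas.home.example\n203.0.113.66 www.google.com\n"

def apply_if_trusted(url, body, tag_hex):
    """Return lines safe to append, or raise if any check fails (fail closed)."""
    if urlsplit(url).scheme != "https":  # plain http can be altered in transit
        raise ValueError("refusing non-https source")
    if not verify_tag(body, tag_hex):
        raise ValueError("integrity tag mismatch; file not applied")
    accepted, rejected = vet_entries(body.decode("utf-8"))
    if rejected:
        raise ValueError(f"{len(rejected)} entries outside the allowlist; file not applied")
    return accepted
```

Even with all three checks passing, whoever holds the key can still repoint the allowlisted names, so the allowlist bounds the damage rather than removing the trust in the file's owner.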