Blocking *.example.com at the OS (Windows) level

For privacy and performance reasons, I'd like to prevent my computer from ever communicating with certain Internet hosts. I'd like to do this at the OS level, not through web browser plug-ins (not broad enough), or even through my home router (my laptop travels). I'd prefer to use built-in tools.

I'm running Windows 7 Professional 64-bit. I'm all too familiar with the Windows hosts file - and its limitations. There seems to be some confusion over whether hosts supports wildcards, but my own tests confirm that it does not.

I have experimented with Windows Firewall and the IP Security Policy MMC snap-in. So far as I can tell, both require numeric addresses. I don't want to block specific IP addresses, or ranges of addresses, in part because IP-address-to-hostname mappings can and do change.

Is there any tool in Windows 7 Professional with which I can block (or route to 0.0.0.0) communication with Internet hosts by hostname mask? If not, are there any good, free, third-party tools?

Metaphile

Posted 2010-08-30T00:16:26.010

Reputation: 225

Wildcard-based blocking using hosts is not possible - have a look at Using wildcards in names in Windows hosts file – Sathyajith Bhat – 2010-08-30T00:21:44.453

He knows, he's looking for an alternative solution that does support wildcards. – Tamara Wijsman – 2010-08-30T00:24:01.373

I was going to say resolv.conf may help, but you're running Windows... – digitxp – 2010-08-30T01:04:58.577

Answers

3

The "easiest" way to do this would be to run your own DNS server and add primary zones for the domain(s) you want to block. You wouldn't even need to create 'A' records; any references to hosts within the zone (domain) would be returned unresolved by your DNS server. Posadis is one freeware/open source DNS available that runs under Windows (though I have not used it personally). Of course, if you have just about any version of Windows Server running anywhere, you can use Microsoft's DNS server.

One side "benefit" of this solution is that you could (if you wanted to) redirect requests to the "banned" domains to an internal "not allowed" web page.

BillP3rd

Reputation: 5 353

You sure it's the easiest way? – zneak – 2010-08-30T03:01:22.780

Hmm, run my own DNS server. Hadn't thought about that. BIND now runs under Windows and there are a number of ugly but functional web-based GUIs. I bet BIND is every bit as fun to configure as Gentoo Linux is to compile from source. I will have to consider how desperate I am. – Metaphile – 2010-08-30T18:12:30.917

You'll find easy-to-follow instructions in this article: http://alex.charrett.com/bind-on-windows-mainmenu-3 – BillP3rd – 2010-08-30T20:57:31.100
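The empty-zone approach described in this answer, as an added illustration that is not part of the original post: a small POSIX shell function that generates a BIND 9 "sinkhole" zone for a domain, so a resolver that is authoritative for it answers NXDOMAIN for every name underneath without any A records. The zone directory, the file names, the `blocked-zones.conf` include file and the serial are assumed; the function works the same against BIND on Windows once the paths are adjusted.

```shell
#!/bin/sh
# Added example (not from the original answer): generate a BIND 9 sinkhole
# zone. Once the local resolver is authoritative for the domain, every name
# under it gets NXDOMAIN, which is the "returned unresolved" behaviour the
# answer describes. Assumed layout: zone files live in the directory given as
# $2, and named.conf includes "$2/blocked-zones.conf". Serial is constructed.
write_sinkhole_zone() {
  domain="$1"
  zonedir="$2"
  zonefile="$zonedir/db.$domain.blocked"

  # Minimal zone: SOA and NS are mandatory or the zone will not load.
  # The last SOA field (negative-cache TTL) sets how long clients cache the
  # NXDOMAIN, so keep it short while testing. No A records are defined.
  cat > "$zonefile" <<EOF
\$TTL 3600
@   IN  SOA localhost. hostmaster.localhost. (
            2010083001 ; serial (constructed)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative-cache TTL
@   IN  NS  localhost.
EOF

  # Zone stanza, appended to a file that named.conf is assumed to include.
  cat >> "$zonedir/blocked-zones.conf" <<EOF
zone "$domain" {
    type master;
    file "$zonefile";
};
EOF
  echo "$zonefile"
}

# Usage: write_sinkhole_zone example.com /etc/bind
# Afterwards run "named-checkzone example.com <zonefile>" and reload named;
# "nslookup anything.example.com 127.0.0.1" should then report NXDOMAIN.
```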

3

Try an IP blocker

http://blocklistpro.com/download-center/protowall/

There are many other IP blockers available; most allow you to make your own block lists and allow for IP ranges.

Some do not work with W7 very well, do your homework.

Moab

Reputation: 54 203

I've searched for solutions via Google and not had much luck. That's why I'm here. ProtoWall appears to operate on IP addresses, which is specifically not what I'm looking for. I could achieve the same effect, and probably more ... effectively, via Windows Firewall. – Metaphile – 2010-08-30T17:52:40.637

2

Taking over the DNS resolver functions is a good solution. You may want to sign up for an account at OpenDNS and hard-code the DNS server settings in Windows to use OpenDNS as your resolver. They allow you to enter domains that will always be blocked. Sign-up is free, but a small fee gets you extra features.

Shaman Hack

Reputation: 21

Kevin M also suggested OpenDNS. I asked him, Will my OpenDNS configuration follow me around from network to network? How does it identify my computer? Via MAC address? Or is there a client I have to install? – Metaphile – 2010-08-30T17:56:16.043

1

Use OpenDNS. They can do category filtering ('Nudity', 'Pornography', 'Gambling', 'Adware', etc.) in addition to individual domains. The downside is that it requires a little extra setup on the server side for dynamic updates, but it is documented here.

Kevin M

Reputation: 2 396

Will my OpenDNS configuration follow me around from network to network? How does it identify my computer? Via MAC address? Or is there a client I have to install? – Metaphile – 2010-08-30T17:34:17.387

You have to install a client. – digitxp – 2010-08-31T12:51:56.290