Can't block connections to google via HOSTS file

Discussion in 'privacy general' started by bopbop, Oct 16, 2016.

  1. bopbop

    bopbop Registered Member

    Joined:
    Sep 27, 2016
    Posts:
    22
    Location:
    italy
    Steam and Spotify connects to "clients.l.google.com" (172.217.21.206) using 5 to 100 kb.

    It might be analytics.

    I blocked google.com, www.google.com, clients.l.google.com via hosts file, somehow HOSTS file doesn't stop it. Maybe I'm not writing right domain name to block but I don't know.

    How would I get rid of it with or without hosts file?
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,043
    If you know IP, you can block it using your firewall.
     
  3. bopbop

    bopbop Registered Member

    Joined:
    Sep 27, 2016
    Posts:
    22
    Location:
    italy
    I know the IP but the last one or two parts of it change every time, so blocking that number won't work.
     
  4. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    104
    I don't know if you can completely block clients.l.google.com with just hosts file.

    Doing whois 172.217.21.206 gives CIDR 172.217.0.0/16. That would mean that you would have to block a whopping 65534 IP addresses to completely block 172.217.0.0.

    What you need is a firewall (either software or hardware) to block the DNS requests you want. That way you could block all the *.google.com stuff that you wanted.
     
  5. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
  6. bopbop

    bopbop Registered Member

    Joined:
    Sep 27, 2016
    Posts:
    22
    Location:
    italy
    I use Sphinx Firewall, it just shows me what's trying to make outbound/inbound connections and asks me what to do. Since I wouldn't totally block Steam or Spotify, it lets them connect to wherever they want. Also I love Sphinx's simplicity so I'll refrain from changing it.

    What do I do with the information on that page? I'm not that tech savvy.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Many third party firewalls do not support domain names; only IP addresses.

    However many AV/IS vendor products have web filters. These do support domain name blocking and most have wildcard capability.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    In Linux, you could just drop everything to 172.217.0.0/16 in iptables.
     
  9. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    104
    I'm not familiar with Sphinx firewall but it's Windows only, right? And it does not provide any DNS filtering capability?

    Then go with the itman suggestion and check for AV with filtering capabilities. That could be simplest.

    What I personally use is my own-built Raspberry Pi router that blocks DNS requests with the unbound DNS server.

    Anyway, adding tons of IP addresses (65534 in this case) to the hosts file is pointless because, as you already found out, google often uses multiple DNS A records to point to a single hostname. Most often this is used for load balancing.

    Edit: Just to be clear, that 65534 is list of *potential* IP addresses that google can choose from in this case.
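    The posts above (blocking by IP in a firewall, the /16 from whois, and the "65534 potential addresses" remark) can be checked with a short script. This is an added example, not something posted in the thread; the observed destination IPs below are constructed log values, not real captures, and the helper names (covered, usable_hosts, smallest_covering_network) are my own.

```python
import ipaddress

# Constructed destination IPs "seen" for clients.l.google.com across sessions;
# the last octets vary, as the original poster observed. Not real capture data.
OBSERVED = [
    "172.217.21.206",
    "172.217.21.174",
    "172.217.16.78",
    "216.58.208.46",   # constructed: an address outside the /16 from whois
]

def usable_hosts(cidr):
    """Number of host addresses a firewall rule for this CIDR covers
    (network and broadcast excluded for IPv4 prefixes shorter than /31)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4 and net.prefixlen < 31:
        return net.num_addresses - 2
    return net.num_addresses

def covered(cidr, ips):
    """Split observed IPs into (blocked, not_blocked) for one range rule.
    One CIDR rule replaces an entry per address, which is why a hosts file
    (name -> IP only) cannot express this at all."""
    net = ipaddress.ip_network(cidr, strict=True)
    blocked, not_blocked = [], []
    for ip in ips:
        (blocked if ipaddress.ip_address(ip) in net else not_blocked).append(ip)
    return blocked, not_blocked

def smallest_covering_network(ips):
    """Smallest single prefix containing every observed address: widen a /32
    until all fit. Useful to see how much a minimal rule would sweep in."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(f"{addrs[0]}/{addrs[0].max_prefixlen}")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return str(net)

def iptables_drop_rule(cidr):
    """The Linux rule mirimir describes, as a string (not executed here)."""
    ipaddress.ip_network(cidr, strict=True)  # validate before emitting
    return f"iptables -A OUTPUT -d {cidr} -j DROP"

if __name__ == "__main__":
    print("usable hosts in 172.217.0.0/16:", usable_hosts("172.217.0.0/16"))
    print("covered / not covered:", covered("172.217.0.0/16", OBSERVED))
    print("tightest prefix for the 172.217.x hits:",
          smallest_covering_network(OBSERVED[:3]))
    print(iptables_drop_rule("172.217.0.0/16"))
```

    The split shows the trade-off the thread circles around: a /16 rule is the only thing that follows the rotating last octets, but it also blocks every other Google service living in that range, so the observed-IP list is worth collecting before deciding how wide the rule should be.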
     
  10. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    @bopbop
    Googlebot is the search bot software used by Google, which collects documents from the web
    to build a searchable index for the Google Search engine.

    The following IP ranges are used by Googlebot while it crawls the Internet:
    https://evert.meulie.net/faqwd/googlebot-ip-ranges/

    You could use software firewall that can block IP ranges or a hardware router that has the
    ability to block domain names. Other alternatives are proxy filters and browser add-ons.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Sometimes it is good to test whether your hosts file is working as expected. You can do this by using an application that reports lookup results (and doesn't bypass the hosts file). It isn't clear that IPv6 is playing a role in the problem reported here, but some applications allow you to differentiate and that can be useful. For example, at a Windows 7 Command Prompt:

    ping -4 localhost (IPv4)
    ping -6 localhost (IPv6)

    If you copy/paste where possible you reduce the possibility of typos and misinterpreting similar looking characters.

    Sometimes it is good to double check that you have all the DNS names straight. There are different types! For example, while using an application that literally connects to host111.example, one firewall/tool might report it connecting to host111.example, another might report it connecting to host222.example, and a third might report it connecting to host333.example. All might even be correct but in their own way: if one showed you the name that was queried for in the forward lookup, two showed you its canonical name, and three showed you the results of a reverse lookup of the IP Address that was actually connected to. To complicate matters those tools might not even make clear to you which of those names they show you. Plus, those names are usually not interchangeable. If you don't use the right name in the right place you lose.

    By extension, you simply stating that something is connecting to clients.l.google.com doesn't make the situation clear. You haven't specified what type of name clients.l.google.com is.
     
    Last edited: Oct 16, 2016
  12. bopbop

    bopbop Registered Member

    Joined:
    Sep 27, 2016
    Posts:
    22
    Location:
    italy
    @wind

    Indeed, as I don't have the means.
    I tried to use and understand Wireshark but it was too complicated. I threw in the towel.
    IPv6 is disabled.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    What about DnsQuerySniffer, which offers several capture options? One of them is WinPcap, and that is also what Wireshark uses. So you may still have it on your system.

    Regarding record types (A, AAAA, CNAME, PTR, etc):
    https://en.wikipedia.org/wiki/List_of_DNS_record_types

    Begin by having DnsQuerySniffer running while you create a few known lookups. For example, do a:

    ping www.example.com

    In this case you can literally use www.example.com because a host with that name exists. You know ping will have to look up the IP Address for www.example.com. Assuming it isn't in your hosts file, that means a DNS query will happen and DnsQuerySniffer should show it to you (unless there is a capture limitation and/or DNS queries are encrypted). Look for www.example.com in its Host Name column and then look at the other columns.

    Some other known lookups you can try:

    ping www.msnbc.com
    ping clients1.google.com
    ping clients2.google.com

    Notice the CNAME column for the last two. Also, you might want to know about the command ipconfig /flushdns. FYI there is also ipconfig /displaydns, but quickly expiring cache entries and some applications doing their own caching can make it less reliable than it sounds.

    Once you have your bearings, try to capture DNS queries triggered by Steam and Spotify. DnsQuerySniffer doesn't tell you which process/application generated a query. However, you can zero in by knowing what you were communicating with, looking for queries at the time you did something or a firewall reports something. You can also search for names and IP Addresses in DNSQuerySniffer (seems you have to have a row selected first). This may all sound complicated but it really isn't. You should get the hang of it quickly and I think you'll find it helpful. Better than flying blind ;)
     
    Last edited: Oct 17, 2016
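    TheWindBringeth's two posts (the three kinds of name a tool may show you, and the CNAME column you see for clients1/clients2.google.com in DnsQuerySniffer) explain why a hosts entry for clients.l.google.com can fail. The script below is an added example, not code from the thread or from DnsQuerySniffer: it simulates a stub resolver that consults a hosts file first and then a constructed DNS zone, following CNAMEs the way a recursive server would. The zone records, the PTR name and the hosts file text are constructed for illustration, and the function names (parse_hosts, resolve, not_intercepted) are my own.

```python
# Constructed DNS data for illustration only; these are not live answers.
# clients1/clients2 are aliases (CNAME) for one canonical name with an A record.
ZONE = {
    "clients1.google.com": ("CNAME", "clients.l.google.com"),
    "clients2.google.com": ("CNAME", "clients.l.google.com"),
    "clients.l.google.com": ("A", "172.217.21.206"),
    "www.example.com": ("A", "93.184.216.34"),
}
# Constructed reverse (PTR) data: what a reverse lookup of the connected IP
# would report; deliberately a different name from either forward name.
PTR = {"172.217.21.206": "ptr-name.example", "93.184.216.34": "www.example.com"}

# Constructed hosts file in the style of the thread: it lists the canonical
# name, but not the alias names the applications actually look up.
HOSTS_TEXT = """
# block google (constructed)
0.0.0.0 google.com
0.0.0.0 www.google.com
0.0.0.0 clients.l.google.com   # canonical name only
"""

def parse_hosts(text):
    """Return {name: ip} from hosts-file text; '#' starts a comment,
    one IP may be followed by several names on a line."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table

HOSTS = parse_hosts(HOSTS_TEXT)

def resolve(queried, hosts=HOSTS, zone=ZONE, ptr=PTR, max_hops=8):
    """Resolve like a stub resolver: the hosts file is checked only for the
    name that was queried; CNAME chasing happens in DNS, so a hosts entry
    for the CNAME target is never consulted. Returns the three names a tool
    might show: queried, canonical, and reverse (PTR of the final IP)."""
    name = queried.lower()
    if name in hosts:
        ip = hosts[name]
        return {"queried": queried, "canonical": queried, "ip": ip,
                "reverse": ptr.get(ip), "source": "hosts", "chain": [name]}
    chain = [name]
    for _ in range(max_hops):          # bounded to survive a CNAME loop
        rtype, value = zone.get(name, (None, None))
        if rtype == "CNAME":
            name = value.lower()
            chain.append(name)
            continue
        if rtype == "A":
            return {"queried": queried, "canonical": name, "ip": value,
                    "reverse": ptr.get(value), "source": "dns", "chain": chain}
        break
    return {"queried": queried, "canonical": None, "ip": None,
            "reverse": None, "source": "nxdomain", "chain": chain}

def not_intercepted(queried_names, hosts=HOSTS):
    """Names that still resolve through DNS despite the hosts file, i.e. the
    names that would have to be listed for the block to take effect."""
    return [n for n in queried_names if resolve(n, hosts)["source"] == "dns"]

if __name__ == "__main__":
    for q in ("clients.l.google.com", "clients1.google.com", "www.example.com"):
        r = resolve(q)
        print(f"{q:24} -> {r['ip']} via {r['source']}, canonical={r['canonical']}, "
              f"reverse={r['reverse']}, chain={' -> '.join(r['chain'])}")
    print("still reaching DNS:",
          not_intercepted(["clients1.google.com", "clients2.google.com",
                           "clients.l.google.com"]))
```

    The Host Name column in DnsQuerySniffer corresponds to "queried" here and the CNAME column to "canonical"; a firewall that shows a reverse-lookup name corresponds to "reverse". The name that belongs in the hosts file is the queried one, which is why capturing the actual lookups, as the post suggests, settles the question faster than guessing domain names.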