Let me start by saying that I find CIS just too complex to install in the computers of friends and family who are not computer-savvy. It drowns them in questions they do not know how to answer and becomes a nuisance to them. They have no idea how to configure or answer all the constant Firewall and Defense+ questions. I appreciate that someone with more knowledge can use all those many options to tailor the firewall to do very narrowly what he wants but most people just do not have that knowledge and I continue to install Zonealarm in those computers.
On my own computer I am running Win XP PRO SP3 x86 and Comodo free firewall V.4.1.150349.920.
I use the HOSTS file to block a large number of sites but I have noticed that in my computer it is not working right, it is not blocking them, while in all the computers with ZA it is working just as intended. For this reason I am suspecting the cause of the issue may lie with Comodo firewall. Is it that it somehow disables the use of the HOSTS file for DNS? Because if that is the case I do not like it.
1. The client checks to see if the name queried is its own.
2. The local Hosts file (%SystemRoot%\system32\drivers\etc\hosts on WinNT and later) is queried.
3. The specified Domain Name System (DNS) servers are queried.
4. NetBIOS over TCP/IP (NetBT) is queried.
So, I thought the HOSTS file was always consulted, before any online DNS but it seems this is not happening in my computer.
For example, the server pingomatic.com is listed in my HOSTS file but if I use Internet Explorer it will still access the online server there instead of getting a “page not accessible” message as I would expect and want.
I’m not sure I understand. The HOSTS file is supposed to block sites entirely. As I said, it works in all the computers I have tried except the one running Comodo firewall.
The hosts file should be the first point for name resolution. Sometimes the Internet Exploder temporary files can still display older data from websites, even if the site is not reached. I suggest that you clear the IE temporary files and give it another go.
If it is not that then I have to scratch my head as I just tested on my system and CIS does not bypass the hosts file.
Please note that the URLs that I am testing are random names pulled from the HOSTS file and to which I have never been before so there is no chance that there is any previous memory of them.
I select a random name from the HOSTS file and put it in the web browser address. Sometimes I get a 404 but I do not know if this is due to the HOSTS file blocking it or if the site was unreachable. Sometimes I get the site itself so obviously the HOSTS file did not block it. I have no idea if this is related to Comodo firewall except that in the only machine where this happens I have the Comodo firewall but it could be a coincidence.
I do not have extensive test data which would confirm or discard any hypothesis. I have only tested this in one machine with Comodo firewall and I have not done a lot of testing with sites listed in the HOSTS file to see how often I get through and how often I am blocked, if the results are repeatable for the same URL or if they are random, etc. It would take some time to do some tests and gather data.
If you tell me some simple tests I could try then I could do them. Is there any way to trace how a name is resolved? Could it be that the Hosts file is saying 127.0.0.1 but then the machine goes and looks at the internet DNS anyway?
ETA: every time I post I get an error that my session timed out. It takes me only a few minutes to compose the post and yet I get this error. Maybe it would be possible to extend that time?
OK, I just did a test although I do not know if it tells us anything useful. Using Microsoft Network Monitor I captured the traffic on the network adapter. I put the address of a file listed in the HOSTS file in the browser and, sure enough, a packet goes out to the DNS server asking for the IP.
There is definitely something wrong with the way my machine resolves addresses. It is not following the conventional order (at least not always). I do not know if it consults the HOSTS file but, in any case, it does not stop there and it goes on to the internet DNS. It should find the name in the HOSTS file and stop there.
Packet:
Ipv4: Src = (my machine’s local IP),
Dest = 4.2.2.1, Next Protocol = UDP, Packet ID = 11130, Total IP Length = 62
Dns: QueryId = 0x6AB7, QUERY (Standard query),
Query for www.ads.sina.com of type Host Addr on class Internet
By the way, my browser is configured to not serve pages from cache. My home page is google but if I disconnect from the internet I immediately get “page not found”. Not that it makes any difference since, as I said, I am asking for sites I have never been to.
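One way to run the kind of trace asked about above without a packet capture, as an added example that is not part of the original thread: parse the hosts file, ask the operating system's resolver for each listed name, and report every name whose answer differs from its hosts entry. The sample file contents, the function names and keeping the first entry for a duplicated name are assumptions of this example.

```python
import os
import socket

# Constructed sample in hosts-file syntax (not the poster's actual file).
SAMPLE_HOSTS = """\
# comment line
127.0.0.1       localhost
127.0.0.1       www.ads.sina.com   # inline comment
127.0.0.1  PingOMatic.com  www.pingomatic.com
0.0.0.0         tracker.example
bad-line-without-address
"""

def parse_hosts(text):
    """Return {lowercased name: address}; this example keeps the first entry."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) < 2:                     # blank or malformed line
            continue
        addr, names = fields[0], fields[1:]     # one address, one or more names
        for name in names:
            entries.setdefault(name.lower().rstrip("."), addr)
    return entries

def system_resolve(name):
    """IPv4 addresses the OS resolver returns for name (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def find_mismatches(entries, resolve=system_resolve):
    """Names whose live answer is not exactly the hosts-file address."""
    mismatches = {}
    for name, expected in entries.items():
        got = resolve(name)
        if got != {expected}:
            mismatches[name] = sorted(got)
    return mismatches

if __name__ == "__main__":
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "system32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for name, got in find_mismatches(parse_hosts(fh.read())).items():
            print(f"{name}: hosts says otherwise, resolver returned {got}")
```

If this reports no mismatches while the browser still reaches a listed site, the resolver is honouring the file and the browser is probably sending requests through a proxy, which resolves names itself.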
Well, after much messing I decided to uninstall Comodo and reinstall Zonealarm.
The problem seems to be gone and the Hosts file now seems to work correctly. I am always cautious and say “seems” because many times problems that seemed fixed were just changed into other problems. But, for now, the hosts file seems to be working correctly.
I decided to go back to Zonealarm because I also noticed CIS was not blocking internet access to a program that it should be blocking. I know Zonealarm blocks it and, indeed, after installing Zonealarm it is blocked. It seems it accesses the internet via some other windows program because the request that appears in ZA is for destination IP: 127.0.0.1, Port 1110 but somehow ZA does know to block it.
So I have decided to return my only computer where I had CIS to using ZA which is what I have in the rest of the computers I maintain. As much as I do feel that ZA has some limitations it is simpler for me to configure and seems to work better for me.
I also want to stress that while it is apparent to me that CIS was causing the hosts file to not block sites and was not blocking one of my programs from internet access, I have no definitive proof that this is so and there is a chance that there could be some other factors involved. Who knows. It just appears that in my particular machine and for my particular use ZA is more suitable.
Still I thank you for CIS and I will surely try it again in the future.
127.0.0.1 is your localhost address, meaning it is neither routable nor visible from the WAN.
Some software has built-in localhost control, or no specific control at all, only considering it as any other IP.
CIS Firewall has an option for that in general settings, alerts (loopback), although I don’t see the point of being alerted from localhost rules, and although if needed (e.g. Firefox) they can be made as individual firewall rules for a particular application.
I don’t have, at the time of speaking, any use of the hosts file (excepting, again, a standard entry 127.0.0.1 localhost), but I have tried to use a large anti-malware host file provided as hosts.rsk (Fichier hosts - Accélérer et sécuriser sa navigation sur Internet, 4th paragraph “téléchargements”, the paper is in French) that I deleted because it intensively slowed the computer, meaning it actually was read (XP Pro SP3, CIS v3).
In these conditions, your hosts file issue does not seem to be directly and systematically Comodo related.
Yes, I understand 127.0.0.1 is the localhost and is not routable and that is the principle of how the HOSTS file filtering works.
On the other hand I have one of those pesky call home programs which I wish to prevent from calling out to the internet but it was getting around CIS even when I named it specifically in the rules and yet ZA blocked it easily. So now when I installed ZA again I checked to see what the program was doing and ZA reported the program wanted to reach destination IP: 127.0.0.1, Port 1110. If I allowed it then it would reach out to some internet IP but if I denied it then it was blocked. ZA asks me if I want to allow the program internet access and I say NO and it blocks it. I have no idea how that works but that is what happens. I wonder if it reaches some local service which then connects to the internet.
Regarding the huge HOSTS file slowing down the machine, I have heard that but I do not notice it so it has never been a problem for me. My HOSTS file is huge (downloaded from A detailed guide for using the MVPS HOSTS file) and I have often wondered how much it takes by way of resources but I do not notice any delay. Most computers I have seen are slower than mine in displaying pages and I attribute the delay to antivirus and other bloated software. I do not run an AV (and I have never had an infection). I have had too many problems with AV software and I prefer to configure my browser very tightly and not run AV software. I have a policy of making regular backups in case I get infected one day but up to now it has not happened in the many years I have been using computers. Even if it does happen it would have been worth it because I have seen AV software cause a lot of trouble and hog resources and slow down machines.
At any rate, for now I will keep the HOSTS file and ZA firewall as that combination seems to work for me.