You have to know that your DNS overrides in /etc/hosts are not the tool of a really-awesome-and-brave hacker who knows how to bypass the firewall and filters set up by your system and network administrator.

You are still leaving footprints. Not exactly you, but the software you're using. There is no single default algorithm for retrieving DNS records on your system; each piece of software chooses how to do this on its own. It may also use custom DNS servers. I hadn't seen this, but it is something that is possible to implement.

I bet that your usual /etc/hosts file right now looks like this:

127.0.0.1       localhost
::1             localhost

192.30.252.128 github.com 

Remember those curious times when GitHub was blocked in Russia? Actually, this entry is from those times. My ISP, as well as the Russian government department Roskomnadzor (Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications), which limits civil rights and decides which sites to ban, forgot to add one of the 6 load-balancing servers to the blacklist. And this sounds really funny, because you are accessing a server that hasn't been blocked.

Do you think that everything is fine with this /etc/hosts file layout? In other words, will your browser leak a DNS query for a site you've put in it (i.e. github.com)?

Firefox -- the bad part

No. Firefox may do an additional IPv6 lookup. Yes, yes, yes. You may run tcpdump and see queries like this:

192.168.10.2.64600 > 208.67.222.123.53:  43550+ AAAA? github.com. (28)

That's not all. Want to know even more?

This behaviour is seen on Mac OS X for non-local IP addresses. On Windows, Firefox simply ignores /etc/hosts! Actually, it uses /etc/hosts to obtain the proper IP address that subsequent HTTP(S) requests will go to, but on top of that it does an unnecessary NS lookup! Yau!

How to manage this and eliminate these queries?

Dig deeper, find the root algorithm in Firefox that does this lookup, and file a bug report. Actually, it uses some OS-based domain lookup techniques (like gethostbyaddr) with an additional lookup of the /etc/hosts file. For now, it's better to configure an external (local) DNS server which will be able to handle such leaks.

Also, it may be useful to know that my Firefoxes have the following parameters set. (Don't be fooled by browser caching when you decide to do your own investigation!)

network.dnsCacheEntries;400
network.dnsCacheExpiration;0

Chrome -- the good part

With the Chrome browser we have some good parts: it does everything properly! Hooray!

On both Mac OS X and Windows it does the following:

  • Look for an entry in /etc/hosts and get either an IPv6 or an IPv4 resolution
  • If nothing is found, do a system NS lookup.
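To make the two behaviours above concrete, here is an added example (not code from the post or from either browser): a small Python script that parses an /etc/hosts file, extracts DNS queries from tcpdump-style lines like the one shown in the Firefox section, and reports every query for a name that /etc/hosts already covers. The "missing_type" flag marks the Firefox case, where the name has an IPv4 entry but the browser still asks for AAAA. The last function reproduces the hosts-first lookup order described for Chrome; the system resolver is passed in as a callback (a stand-in for a real socket.getaddrinfo call) so the example runs offline. The hosts content and the tcpdump lines are constructed sample data; the addresses 208.67.222.123 and 192.30.252.128 are taken from the post, everything else is made up.

```python
import ipaddress
import re

# Constructed sample /etc/hosts, mirroring the layout shown in the post.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost

192.30.252.128 github.com
"""

# Constructed tcpdump-style lines; the first one is the AAAA query the post shows.
SAMPLE_TCPDUMP = """\
192.168.10.2.64600 > 208.67.222.123.53:  43550+ AAAA? github.com. (28)
192.168.10.2.64601 > 208.67.222.123.53:  43551+ A? example.org. (29)
192.168.10.2.64602 > 208.67.222.123.53:  43552+ A? github.com. (28)
"""


def parse_hosts(text):
    """Return {hostname: {"A": [ipv4...], "AAAA": [ipv6...]}} from hosts content."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line: skip, don't crash
        rtype = "A" if addr.version == 4 else "AAAA"
        for name in fields[1:]:
            entry = table.setdefault(name.lower(), {"A": [], "AAAA": []})
            entry[rtype].append(str(addr))
    return table


# Matches the "<type>? <name>." part of a tcpdump DNS query line.
QUERY_RE = re.compile(r"\s(?P<rtype>A|AAAA)\?\s+(?P<name>\S+)\.\s")


def parse_queries(text):
    """Extract (record type, queried name) pairs from tcpdump output lines."""
    found = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            found.append((m.group("rtype"), m.group("name").lower()))
    return found


def find_leaks(hosts, queries):
    """Every query for a name that /etc/hosts already answers is a leak.

    missing_type is True when hosts has no record of the queried type, which is
    exactly the Firefox case: an IPv4-only entry followed by an AAAA query."""
    leaks = []
    for rtype, name in queries:
        entry = hosts.get(name)
        if entry is None:
            continue                          # not overridden: a normal lookup
        leaks.append({"name": name, "rtype": rtype,
                      "missing_type": not entry[rtype]})
    return leaks


def resolve_hosts_first(hosts, name, system_lookup):
    """Lookup order the post describes for Chrome: any IPv4 or IPv6 entry in
    /etc/hosts wins outright; the system resolver is asked only if none exists.
    Returns (addresses, queried_system)."""
    entry = hosts.get(name.lower())
    if entry and (entry["A"] or entry["AAAA"]):
        return entry["A"] + entry["AAAA"], False
    return system_lookup(name), True


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for leak in find_leaks(hosts, parse_queries(SAMPLE_TCPDUMP)):
        why = " (hosts has no record of this type)" if leak["missing_type"] else ""
        print(f"leak: {leak['rtype']} query for {leak['name']}{why}")
    # Hypothetical system resolver so the demo stays offline.
    fake_system = lambda n: ["203.0.113.1"]
    print(resolve_hosts_first(hosts, "github.com", fake_system))
    print(resolve_hosts_first(hosts, "example.org", fake_system))
```

Against the sample data the script flags both github.com queries (the AAAA one with the missing-type note), while example.org, which is not in the hosts file, is reported as nothing unusual. To use it on real traffic, replace SAMPLE_TCPDUMP with the output of tcpdump for port 53 and SAMPLE_HOSTS with the contents of your own /etc/hosts.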

It may be good to know that Google Chrome also makes many DNS requests to Google-related servers. Also, there is an additional forgery check on start: Google Chrome emits 3 weird DNS queries.

Conspiracy part about DNS

This looks ridiculous, but you can simply be tracked by your DNS queries.

  • First of all, DNS is not encrypted, so every man in the middle knows what you're doing and what sites you visit. Your ISP knows about your DNS queries. Furthermore, you're using Google DNS, right? Eight-eight-eight-eight or eight-eight-four-four? Use something different :)
  • Second, you usually have a grey dynamic IP address, and this thing can also be tracked. Consider that you're the one person who uses this grey IP. Maybe there are 10 or 20 of you who use this grey IP. This is not that many, and with additional browser fingerprinting you may be tracked. That's it!

Conclusion

So, just so you know, your /etc/hosts is not the proper way to block or allow certain sites. You may still be leaking DNS queries for the sites listed in it.