Snitch blocks IP's instead of domains?

hummingdrone
Posts: 11
Joined: Fri Jan 06, 2017 6:04 pm


Postby hummingdrone » Sun Jan 08, 2017 1:36 am

After playing around with Little Snitch for a bit, and trying to tame Chrome, I sometimes don't understand what is going on. Am I correct in my understanding here:

When I block access to "google-analytics.com" over port 433, my expectation is that other websites that later try to access a URL on that domain will also fail.

But what seems to be happening instead is that Little Snitch resolves the URL into the associated IP addresses, and blocks access to that instead.

In other words:
- I expected to be blocking http://www.google-analytics.com (/script-etc-etc.js)
- I am blocking access to 212.142.7.13

This is problematic, because Google uses the same IP address to host multiple virtual servers. Some of those virtual servers I want to block, while others are needed for Chrome to even function. The only way to separate them, is by filtering based on URL, and not IP.

Is my understanding correct?
Last edited by hummingdrone on Mon Jan 09, 2017 1:03 pm, edited 1 time in total.


Re: Snitch blocks IP's instead of domains?

Postby hummingdrone » Sun Jan 08, 2017 5:17 pm

OK, I can answer my own question now:

First of all, my question was a bit vague. I didn't understand the difference between domains and hostnames. And I should have used "URLs" instead of "domains" in the title of this question. What I want control over is which (sub)domains are allowed to resolve.

It turns out that my suspicion in the first post was correct, and that Little Snitch doesn't offer a lot of control over DNS Resolving at all. Sure, it offers some:

https://twitter.com/littlesnitch/status ... 5701391361

..but it's clearly not the app's focus.


Just for fun I had a look at Hands Off. It can allow a domain to resolve or not, and allows you to define this blocking by inputting a URL, in which you can also use wildcards. This offers a lot more control over blocking certain sub-domains. Better yet, this is its default behavior. It's the focus.

A lot of feature requests have been made about this, since at least 2008:
viewtopic.php?t=1082&start=30
viewtopic.php?t=10501
viewtopic.php?t=10313
forums.obdev.at/viewtopic.php?t=8430

It seems in 2010 there was a test version that added wildcards. But it never materialized?
https://foliovision.com/2010/01/little- ... ards-hosts

On that page it is pointed out that Little Snitch, indeed, focusses on blocking IP addresses. In a world of virtual servers, this seems to my layman's eyes to be an outdated approach?

So, Little Snitch is wonderful, and I wanted it to be the solution because I don't like how HandsOff has blatantly copied Little Snitch's design, and it has better designed interface things. Little Snitch has a better network monitor for example, which helps you to quickly find the rules that 'overblock'.

Though this, for me, then doesn't help a lot because I can't then finetune the rules optimally, as described above.


Re: Snitch blocks IP's instead of domains?

Postby hummingdrone » Fri Jan 27, 2017 1:02 pm

From the help:

"Little Snitch’s filter engine is implemented in the operating system’s kernel. It works on Internet addresses (IP addresses), not hostnames. When a connection is attempted, Little Snitch only receives the numeric IP address, not the hostname. Since we want to present a meaningful computer name to the user (e.g. in a connection alert), we must somehow translate this numeric address to a name."

"For rule matching, all hostnames resolving to the IP address in question are taken into account. Among all rules that match any of the hostnames, the one with the highest precedence determines the action taken."


So Little Snitch basically claims that at the bare metal of the OS, it can only filter IP addresses, and not hostnames.


But.. but.. then how does HandsOff work?

"Little Snitch intercepts close to the application layer, but does not modify processes in any way (it does no code injection of any kind). Instead, it registers a Kernel Extension utilizing standard API calls provided by Apple. No hacks, no undocumented features, no reverse engineering."


Does this imply that HandsOff does 'hack' itself into the OS?
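
The rule matching described in the quoted help text, as a simplified Python model. This is an added example, not part of the original posts and not Little Snitch's or Hands Off's code. The rule format, the numeric precedence, the hostname `accounts.example.com` and the IP address are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    hostname: str
    action: str      # "allow" or "deny"
    precedence: int  # assumption: the higher number wins

def pick(matching, default):
    """Among matching rules, the one with the highest precedence decides."""
    if not matching:
        return default
    return max(matching, key=lambda r: r.precedence).action

class IpLevelFilter:
    """Sees only the destination IP at connect time; hostnames are
    recovered from DNS answers observed earlier."""
    def __init__(self, rules, default="ask"):
        self.rules, self.default = list(rules), default
        self.names_for_ip = defaultdict(set)

    def observe_dns(self, hostname, ips):
        for ip in ips:
            self.names_for_ip[ip].add(hostname)

    def decide(self, dest_ip):
        # Every hostname known to resolve to this IP is taken into account.
        names = self.names_for_ip.get(dest_ip, set())
        return pick([r for r in self.rules if r.hostname in names], self.default)

def name_level_decide(rules, hostname, default="ask"):
    """Hypothetical contrast: decide per hostname, at resolution time."""
    return pick([r for r in rules if r.hostname == hostname], default)

SHARED_IP = "203.0.113.10"  # constructed: one IP hosting two virtual servers
DENY = Rule("www.google-analytics.com", "deny", 10)
ALLOW = Rule("accounts.example.com", "allow", 20)  # constructed hostname

def demo(rules):
    f = IpLevelFilter(rules)
    f.observe_dns("www.google-analytics.com", [SHARED_IP])
    f.observe_dns("accounts.example.com", [SHARED_IP])
    return {"ip_level": f.decide(SHARED_IP),
            "by_name_analytics": name_level_decide(rules, "www.google-analytics.com"),
            "by_name_accounts": name_level_decide(rules, "accounts.example.com")}

if __name__ == "__main__":
    print(demo([DENY]))         # overblock: the shared IP is denied for both hosts
    print(demo([DENY, ALLOW]))  # underblock: the shared IP is allowed for both hosts
```

With only the deny rule, the IP-level decision denies every host on the shared address; adding a higher-precedence allow rule for the second host flips the same IP to allowed, which lets the analytics host through as well.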

