Block subdomains?

General discussions about Little Snitch
timelessbeing
Posts: 9
Joined: Fri Dec 25, 2009 11:44 pm

Re: Block subdomains?

Post by timelessbeing » Mon Mar 22, 2010 5:09 pm

Yup that's true.

Whenever there's a conflict, you could have a dialog pop-up saying "the rule you are creating would conflict with an existing rule xxxxxx". However, as has been said, the user would be overwhelmed with constant dialog boxes. Tough call...

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Block subdomains?

Post by christian » Mon Mar 22, 2010 11:13 pm

Not only that: The problem arises not when the rule is created, but any time later. Maybe hours, maybe days or maybe even months later, when the name-to-IP mapping for a service changes...

PhilMac
Posts: 7
Joined: Wed Apr 29, 2009 2:21 pm

Re: Block subdomains?

Post by PhilMac » Wed Mar 24, 2010 8:49 pm

Would it be possible for LS to track name-to-IP mappings?

It seems to me that, as much effort as this would entail, it would be a valuable feature, considering the increasingly capable tracking mechanisms being implemented today.

norbert
Objective Development
Posts: 648
Joined: Thu Nov 09, 2006 6:30 pm

Re: Block subdomains?

Post by norbert » Thu Mar 25, 2010 10:50 am

PhilMac wrote: Would it be possible for LS to track name-to-IP mappings?

Little Snitch does track name-to-IP mappings. But that doesn't solve the problem.

The mapping between hostnames and IP addresses is not a 1:1 relationship, but an n:m relationship. That means, one hostname can resolve to multiple IP addresses, and different hostnames can resolve to the same IP address. So, although we track and therefore know the name-to-IP mappings, we cannot always convert an IP address back into its originating hostname, because there's more than one possible match.

For example, resolving www.google-analytics.com may sooner or later result in the same IP address that you previously got for www.google.com. Now if there's any traffic to this IP address, it's then no longer possible to tell whether this traffic is targeted to www.google-analytics.com or to www.google.com, since both hostnames resolve to the same IP address.

In other words, it's not possible to block specific Google services based on the hostname. Doing so will sooner or later block all Google services, including ordinary Google web searches.
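The n:m mapping norbert describes, as an added example (not Little Snitch code): a tracker records every name-to-IP answer it observes and keeps a reverse index, and a rule engine then tries to apply a hostname-based deny rule to a connection that is only identified by its IP. The hostnames are the ones from the post; the IP addresses and the observed answers are constructed sample data (documentation ranges), and the `on_conflict` preference is the "ALLOW or DENY on conflict" idea from earlier in the thread, modelled here as an assumption.

```python
"""Why a hostname deny rule cannot be applied reliably to IP traffic when the
name-to-IP relationship is n:m. Added example; not Little Snitch code."""
from collections import defaultdict
from ipaddress import ip_address


class NameTracker:
    """Remembers every (hostname -> IP) answer seen, plus the reverse index."""

    def __init__(self):
        self.name_to_ips = defaultdict(set)
        self.ip_to_names = defaultdict(set)

    def observe(self, hostname, ip):
        ip = str(ip_address(ip))  # normalise the textual form of the address
        self.name_to_ips[hostname.lower()].add(ip)
        self.ip_to_names[ip].add(hostname.lower())

    def names_for(self, ip):
        """All hostnames ever seen resolving to this address (may be more than one)."""
        return set(self.ip_to_names.get(str(ip_address(ip)), ()))


class HostRuleEngine:
    """Decides a connection to a bare IP using hostname-based deny rules."""

    def __init__(self, tracker, denied_hosts):
        self.tracker = tracker
        self.denied = {h.lower() for h in denied_hosts}

    def decide(self, ip, on_conflict=None):
        names = self.tracker.names_for(ip)
        if not names:
            return "unknown", "no hostname has been seen for this address"
        matched = names & self.denied
        if not matched:
            return "allow", "none of the known names for this address is denied"
        if names == matched:
            return "deny", "every known name for this address is denied"
        # The address is shared by a denied name and an allowed one: the IP alone
        # cannot tell us which service the traffic belongs to.
        reason = (f"address shared by denied {sorted(matched)} "
                  f"and allowed {sorted(names - matched)}")
        if on_conflict is None:
            return "ambiguous", reason
        # A fixed conflict preference resolves the ambiguity, at the price of either
        # letting the denied service through or blocking the allowed one as well.
        return on_conflict, reason + f"; resolved by on_conflict={on_conflict}"


def run_demo():
    """Constructed resolution history: google.com and google-analytics.com share one address."""
    tracker = NameTracker()
    tracker.observe("www.google.com", "203.0.113.10")            # constructed
    tracker.observe("www.google.com", "203.0.113.11")            # constructed
    tracker.observe("www.google-analytics.com", "203.0.113.11")  # constructed, shared
    tracker.observe("www.example.org", "198.51.100.5")           # constructed

    engine = HostRuleEngine(tracker, denied_hosts=["www.google-analytics.com"])
    return {
        "203.0.113.10": engine.decide("203.0.113.10"),              # allow: only google.com
        "203.0.113.11": engine.decide("203.0.113.11"),              # ambiguous: shared address
        "203.0.113.11/deny": engine.decide("203.0.113.11", "deny"), # collateral block of google.com
        "198.51.100.5": engine.decide("198.51.100.5"),              # allow
        "192.0.2.1": engine.decide("192.0.2.1"),                    # unknown: never resolved
    }


if __name__ == "__main__":
    for ip, (verdict, reason) in run_demo().items():
        print(f"{ip:20} {verdict:10} {reason}")
```

The `203.0.113.11` row is the case in the post: once both names have been seen resolving to the same address, a connection to that address can only be classified as ambiguous, and a "deny on conflict" preference turns the analytics rule into a block on ordinary Google searches as well.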

timelessbeing
Posts: 9
Joined: Fri Dec 25, 2009 11:44 pm

Re: Block subdomains?

Post by timelessbeing » Thu Mar 25, 2010 5:25 pm

Sounds like there is no easy way to implement even simple traffic filtering, due to the non-exclusive relationship between IPs and hostnames.

However, I think the wildcard feature would still be useful. For example, sites that don't use IP pools, and for sites where you don't care if other services are blocked in the process. It could be implemented with the simple 'ALLOW or DENY on conflict' preference I described a few posts ago.

You could include a disclaimer somewhere, that explains that by blocking some host names, you may inadvertently block something you want. In fact, if I understand correctly, this is true for the current release that everyone is using right now anyways.

hagen
Wizard
Posts: 594
Joined: Mon Feb 18, 2008 11:05 pm

Re: Block subdomains?

Post by hagen » Thu Mar 25, 2010 6:09 pm

timelessbeing wrote: In fact, if I understand correctly, this is true for the current release that everyone is using right now anyways.

This was my thought too. Is the "Google problem" really a stopper for implementing wildcards in some form?

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Block subdomains?

Post by christian » Thu Mar 25, 2010 6:13 pm

See my first two postings in this thread: Yes, this is already a problem in the current release. And no, this is not a stopper for the wildcard feature. We will implement wildcards, but we want to have them as part of a more general solution.

L-Snitzcher
Posts: 5
Joined: Mon Sep 22, 2008 11:56 pm

Re: Block subdomains?

Post by L-Snitzcher » Sat Mar 27, 2010 2:12 am

Thanks go to Norbert and Christian. It is great to finally see some concrete feedback from the developers in this thread. Caveats aside, it is very encouraging to know that wildcards will eventually be implemented in LS's codebase. While wildcards may not be a cure-all for every situation, and may actually introduce new problems of their own, I still feel that implementing this feature is a positive step in the right direction. It will be great to allow or deny multiple links to avatar image sites, etc.

PeterMoller
Posts: 2
Joined: Tue May 11, 2010 9:35 am

Re: Block subdomains?

Post by PeterMoller » Tue May 11, 2010 9:41 am

I too want to allow DropBox, so count me in!

As a reply to all those who want to reduce ads: I use a *very* large hosts-file (/etc/hosts) that I get from http://www.mvps.org/winhelp2002/hosts.txt. It's about 17,000 lines long and gives me a nice, quiet surf (and saves CO2 while doing it! :-). I don't really see why one would want to involve LS in ad-blocking: LS is about *outgoing* connections, ads are *incoming*… As a side-benefit: the hosts-file affects all applications, so you can change browser and still have the same protection.

smeier
Posts: 3
Joined: Thu May 13, 2010 11:57 am

Re: Block subdomains?

Post by smeier » Thu May 13, 2010 12:02 pm

Hi,

just a thought: If the ambiguity of the hostname-IP connection is the problem, couldn't you stop the problem from the beginning by blocking the DNS resolving for domains like 2O7.net? So instead of trying to filter the traffic based on the IPs, just stop the name from resolving (so the traffic isn't generated at all). Of course this would require intercepting DNS resolution requests and blocking them or redirecting them to a harmless IP?!?

Stefan

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Block subdomains?

Post by christian » Thu May 13, 2010 2:57 pm

This is basically the same approach as an /etc/hosts file. Note, however, that this blocks access to the server system-wide, not just for a single application. Little Snitch rules can be limited to a particular application.

smeier
Posts: 3
Joined: Thu May 13, 2010 11:57 am

Re: Block subdomains?

Post by smeier » Fri May 14, 2010 8:08 am

Hi Christian,

I think the interesting question is, if Little Snitch might be able to do something like a "dynamic hosts resolution" which decides whether to allow or deny a DNS request based on the application/service that is sending the request. Or do all the DNS requests run through the local DNS resolver before they arrive at LS?

Stefan

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am

Re: Block subdomains?

Post by christian » Fri May 14, 2010 12:08 pm

There is a system-wide cache for DNS data. The first application which requests an IP for a name triggers the DNS request. Subsequent queries (also from other applications) are answered directly from the cache.

If we want to filter name resolution on a per-application basis, we must override functions in system frameworks. This is technically possible, but it's a hack, may cause unexpected behavior (including application crashes) and is something we certainly don't want to do.
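The shared-cache point from christian's post, and the system-wide nature of the hosts-file approach from his earlier reply, as an added example (not Little Snitch code). It models a system-wide DNS cache with a hypothetical per-application filter placed at the resolver: only a real resolver request reaches the hook, so once one application has filled the cache, another application's lookup of the same name is answered from the cache and the hook never sees it. The hostnames, addresses and the Safari/Mail policy are constructed sample data.

```python
"""System-wide DNS cache in front of a hypothetical per-application resolver hook.
Added example; not Little Snitch code. All names and addresses are constructed."""

# Constructed upstream answers, standing in for the real resolver.
UPSTREAM = {"tracker.example": "203.0.113.7", "www.example": "198.51.100.3"}


class SharedDnsCache:
    """One cache entry per name, shared by every application on the system."""

    def __init__(self, upstream, hosts_file=None, resolver_hook=None):
        self.upstream = upstream
        self.hosts_file = hosts_file or {}        # /etc/hosts style overrides
        self.resolver_hook = resolver_hook        # hypothetical per-app filter
        self.cache = {}
        self.hook_calls = []                      # (app, name) pairs the hook actually saw

    def lookup(self, app, name):
        """Returns (ip_or_None, source) where source says who answered."""
        # /etc/hosts is consulted first and applies to every application alike.
        if name in self.hosts_file:
            return self.hosts_file[name], "hosts"
        # A cache hit is answered without any resolver request being made.
        if name in self.cache:
            return self.cache[name], "cache"
        # Only a genuine resolver request can be seen by a resolver-level hook.
        if self.resolver_hook is not None:
            self.hook_calls.append((app, name))
            if not self.resolver_hook(app, name):
                return None, "blocked"
        ip = self.upstream[name]
        self.cache[name] = ip
        return ip, "resolver"


def demo():
    # Constructed policy: Safari must not resolve tracker.example, Mail may.
    policy = {("Safari", "tracker.example")}

    def hook(app, name):
        return (app, name) not in policy

    results = {}

    # Case 1: Mail resolves first. Safari's later lookup is a cache hit; the hook
    # is never consulted for Safari, so the per-app policy cannot take effect.
    dns = SharedDnsCache(UPSTREAM, resolver_hook=hook)
    results["mail"] = dns.lookup("Mail", "tracker.example")
    results["safari"] = dns.lookup("Safari", "tracker.example")
    results["hook_calls"] = list(dns.hook_calls)

    # Case 2: Safari resolves first and is blocked at the resolver, but as soon as
    # Mail fills the cache, Safari's next lookup is answered from it.
    dns2 = SharedDnsCache(UPSTREAM, resolver_hook=hook)
    results["safari_first"] = dns2.lookup("Safari", "tracker.example")
    dns2.lookup("Mail", "tracker.example")
    results["safari_after_mail"] = dns2.lookup("Safari", "tracker.example")

    # Case 3: the /etc/hosts approach works without any hook, but for every app.
    dns3 = SharedDnsCache(UPSTREAM, hosts_file={"tracker.example": "0.0.0.0"})
    results["hosts_mail"] = dns3.lookup("Mail", "tracker.example")
    results["hosts_safari"] = dns3.lookup("Safari", "tracker.example")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Case 1 and 2 are the reason a resolver-level hook cannot deliver per-application decisions on a system with a shared cache; case 3 is the hosts-file answer, which does block reliably but, as christian notes, for every application at once rather than for one.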

paulc
Rank 2
Posts: 62
Joined: Fri May 22, 2009 7:13 pm

Re: Block subdomains?

Post by paulc » Fri May 14, 2010 1:59 pm

christian wrote: This is technically possible, but it's a hack, may cause unexpected behavior (including application crashes) and is something we certainly don't want to do.

Then again, it also may get you an e-mail from Jobs with something trenchant like "cut it out."<g>

smeier
Posts: 3
Joined: Thu May 13, 2010 11:57 am

Re: Block subdomains?

Post by smeier » Fri May 14, 2010 3:13 pm

christian wrote: If we want to filter name resolution on a per-application basis, we must override functions in system frameworks. This is technically possible, but it's a hack, may cause unexpected behavior (including application crashes) and is something we certainly don't want to do.

Ok, that makes sense. A hack is obviously not an option. What a pity. I guess it sounded too easy to come true anyway... :)

Stefan