Re: Block subdomains?

Posted: Mon Mar 22, 2010 5:09 pm
by timelessbeing
Yup that's true.

Whenever there's a conflict, you could have a dialog pop-up saying "the rule you are creating would conflict with an existing rule xxxxxx". However, as has been said, the user would be overwhelmed with constant dialog boxes. Tough call...

Re: Block subdomains?

Posted: Mon Mar 22, 2010 11:13 pm
by christian
Not only that: The problem arises not when the rule is created, but any time later. Maybe hours, maybe days or maybe even months later, when the name-to-IP mapping for a service changes...

Re: Block subdomains?

Posted: Wed Mar 24, 2010 8:49 pm
by PhilMac
Would it be possible for LS to track name-to-IP mappings?

It seems to me that, as much effort as this would entail, it would be a valuable feature, considering the increasingly capable tracking mechanisms being implemented today.

Re: Block subdomains?

Posted: Thu Mar 25, 2010 10:50 am
by norbert
PhilMac wrote: Would it be possible for LS to track name-to-IP mappings?

Little Snitch does track name-to-IP mappings. But that doesn't solve the problem.

The mapping between hostnames and IP addresses is not a 1:1 relationship, but an n:m relationship. That means, one hostname can resolve to multiple IP addresses, and different hostnames can resolve to the same IP address. So, although we track and therefore know the name-to-IP mappings, we cannot always convert an IP address back into its originating hostname, because there's more than one possible match.

For example, resolving www.google-analytics.com may sooner or later result in the same IP address that you previously got for www.google.com. Now if there's any traffic to this IP address, it's then no longer possible to tell whether this traffic is targeted to www.google-analytics.com or to www.google.com, since both hostnames resolve to the same IP address.

In other words, it's not possible to block specific Google services based on the hostname. Doing so will sooner or later block all Google services, including ordinary Google web searches.

Re: Block subdomains?

Posted: Thu Mar 25, 2010 5:25 pm
by timelessbeing
Sounds like there is no easy way to implement even simple traffic filtering, due to the non-exclusive relationship between IPs and hostnames.

However, I think the wildcard feature would still be useful. For example, sites that don't use IP pools, and for sites where you don't care if other services are blocked in the process. It could be implemented with the simple 'ALLOW or DENY on conflict' preference I described a few posts ago.

You could include a disclaimer somewhere, that explains that by blocking some host names, you may inadvertently block something you want. In fact, if I understand correctly, this is true for the current release that everyone is using right now anyways.
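
As an added illustration of the n:m problem Norbert describes and the 'ALLOW or DENY on conflict' preference proposed above (example code, not Little Snitch's; the tracker, the rule format and all hostnames, addresses and rules are constructed for this example):

```python
from collections import defaultdict
from fnmatch import fnmatchcase

class NameTracker:
    """Records observed DNS answers. The reverse map is n:m: one IP may
    have been handed out for several different hostnames."""
    def __init__(self):
        self.ip_to_names = defaultdict(set)

    def record(self, hostname, ip):
        self.ip_to_names[ip].add(hostname)

    def names_for(self, ip):
        # Every hostname this IP has been seen for; may be more than one.
        return sorted(self.ip_to_names.get(ip, ()))

def decide(tracker, ip, rules, on_conflict="DENY"):
    """Decide an outgoing connection to `ip` from per-hostname wildcard rules.
    rules: list of (pattern, verdict) checked in order; first match per name.
    If the IP maps back to hostnames whose verdicts disagree, nothing in the
    packet says which service it is for, so the 'on conflict' preference wins."""
    verdicts = set()
    for name in tracker.names_for(ip):
        for pattern, verdict in rules:
            if fnmatchcase(name, pattern):
                verdicts.add(verdict)
                break
    if not verdicts:
        return "UNKNOWN"       # IP never seen in a DNS answer, or no rule matched
    if len(verdicts) == 1:
        return verdicts.pop()  # unambiguous: every matching hostname agrees
    return on_conflict

def demo():
    # Constructed sample data: both Google hostnames resolved to the same IP
    # at some point, as in Norbert's example (documentation address ranges).
    tracker = NameTracker()
    tracker.record("www.google.com", "203.0.113.10")
    tracker.record("www.google-analytics.com", "203.0.113.10")
    tracker.record("www.google.com", "203.0.113.11")
    rules = [("*.google-analytics.com", "DENY"), ("*.google.com", "ALLOW")]
    return {
        "shared_ip_deny_pref": decide(tracker, "203.0.113.10", rules, "DENY"),
        "shared_ip_allow_pref": decide(tracker, "203.0.113.10", rules, "ALLOW"),
        "unique_ip": decide(tracker, "203.0.113.11", rules),
        "unseen_ip": decide(tracker, "198.51.100.1", rules),
    }

if __name__ == "__main__":
    print(demo())
```

The shared address is the case from the thread: with the DENY preference the analytics rule also cuts off web search, with the ALLOW preference the analytics rule silently stops working.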

Re: Block subdomains?

Posted: Thu Mar 25, 2010 6:09 pm
by hagen
timelessbeing wrote: In fact, if I understand correctly, this is true for the current release that everyone is using right now anyways.

This was my thought too. Is the "Google problem" really a stopper for implementing wildcards in some form?

Re: Block subdomains?

Posted: Thu Mar 25, 2010 6:13 pm
by christian
See my first two postings in this thread: Yes, this is already a problem in the current release. And no, this is not a stopper for the wildcard feature. We will implement wildcards, but we want to have them as part of a more general solution.

Re: Block subdomains?

Posted: Sat Mar 27, 2010 2:12 am
by L-Snitzcher
Thanks go to Norbert and Christian. It is great to finally see some concrete feedback from the developers in this thread. Caveats aside, it is very encouraging to know that wildcards will eventually be implemented in LS's codebase. While wildcards may not be a cure-all for every situation, and may actually introduce new problems of their own, I still feel that implementing this feature is a positive step in the right direction. It will be great to allow or deny multiple links to avatar image sites, etc.

Re: Block subdomains?

Posted: Tue May 11, 2010 9:41 am
by PeterMoller
I too want to allow DropBox, so count me in!

As a reply to all those who want to reduce ads: I use a *very* large hosts-file (/etc/hosts) that I get from http://www.mvps.org/winhelp2002/hosts.txt. It's about 17,000 lines long and gives me a nice, quiet surf (and saves CO2 while doing it! :-). I don't really see why one would want to involve LS in ad-blocking: LS is about *outgoing* connections, ads are *incoming*… As a side-benefit: the hosts-file affects all applications, so you can change browser and still have the same protection.

Re: Block subdomains?

Posted: Thu May 13, 2010 12:02 pm
by smeier
Hi,

just a thought: If the ambiguity of the hostname-IP connection is the problem, couldn't you stop the problem from the beginning by blocking the DNS resolving for domains like 2O7.net? So instead of trying to filter the traffic based on the IPs, just stop the name from resolving (so the traffic isn't generated at all). Of course this would require intercepting DNS resolution requests and blocking them or redirecting them to a harmless IP?!?

Stefan

Re: Block subdomains?

Posted: Thu May 13, 2010 2:57 pm
by christian
This is basically the same approach as an /etc/hosts file. Note, however, that this blocks access to the server system-wide, not just for a single application. Little Snitch rules can be limited to a particular application.

Re: Block subdomains?

Posted: Fri May 14, 2010 8:08 am
by smeier
Hi Christian,

I think the interesting question is whether Little Snitch might be able to do something like a "dynamic hosts resolution" which decides whether to allow or deny a DNS request based on the application/service that is sending the request. Or do all the DNS requests run through the local DNS resolver before they arrive at LS?

Stefan

Re: Block subdomains?

Posted: Fri May 14, 2010 12:08 pm
by christian
There is a system-wide cache for DNS data. The first application which requests an IP for a name triggers the DNS request. Subsequent queries (also from other applications) are answered directly from the cache.

If we want to filter name resolution on a per-application basis, we must override functions in system frameworks. This is technically possible, but it's a hack, may cause unexpected behavior (including application crashes) and is something we certainly don't want to do.

Re: Block subdomains?

Posted: Fri May 14, 2010 1:59 pm
by paulc
christian wrote: This is technically possible, but it's a hack, may cause unexpected behavior (including application crashes) and is something we certainly don't want to do.

Then again, it also may get you an e-mail from Jobs with something trenchant like "cut it out."<g>

Re: Block subdomains?

Posted: Fri May 14, 2010 3:13 pm
by smeier
christian wrote: If we want to filter name resolution on a per-application basis, we must override functions in system frameworks. This is technically possible, but it's a hack, may cause unexpected behavior (including application crashes) and is something we certainly don't want to do.

Ok, that makes sense. A hack is obviously not an option. What a pity. I guess it sounded too easy to come true anyway... :)

Stefan