using hosts file as http whitelist

sao123

I have some public access workstations, which I need to limit to certain internet websites. To accomplish this, I am disabling DNS and setting up a hosts file to enable certain permitted sites to be browsed.
However, doing this will prevent Windows updates from being downloaded.

Does anyone know the proper entries needed for my hosts file to re-enable Windows Update?
 

Fallen Kell

Make sure you disable nslookup as well then. Anyone who knows anything about how the internet works will simply bring up a command window and do an nslookup to 4.2.2.1 (or any of the original base DNS servers on the net), get the IP and then enter the IP in the browser...
 

Nothinman

sao123 said:
I have some public access workstations, which I need to limit to certain internet websites. To accomplish this, I am disabling DNS and setting up a hosts file to enable certain permitted sites to be browsed.
However, doing this will prevent Windows updates from being downloaded.

That's not a good solution. You really should be making them browse through a proxy and then set up a whitelist on the proxy. That also ensures that no one brings in their own machine and uses that instead.

Fallen Kell said:
Make sure you disable nslookup as well then. Anyone who knows anything about how the internet works will simply bring up a command window and do an nslookup to 4.2.2.1 (or any of the original base DNS servers on the net), get the IP and then enter the IP in the browser...

Which will likely fail anyway because without the HTTP Host header given it'll just return the default website for that server, which may or may not be the one you're aiming for.
 

xSauronx

Seconded on the proxy and WSUS suggestions. A WSUS server is really easy to set up (though, with thousands of updates to filter from the start, can be tedious) and clients can be configured easily with a GPO. If you have a server that needs some action and has some disk space, a WSUS server is worth setting up.
 

sao123

Guess I have to be a bit more specific.

These systems are located at each of 40 semi-secure locations (each essentially an 8x8 wooden shed with an attached outhouse on government property).
Each location has a single DSL/Cable/Verizon Aircard, and a Netgear/Linksys/D-Link wired 4-port router.

Each location has 2 foremen, each having a laptop which requires full internet access. The above described desktop is to be a restricted weather terminal for all the non-foreman employees to use. It has guest-level privileges only with no logon password, and the internet is to be restricted to only our 4 permitted weather sites. (Weather data is critical to our business.)

Due to the large number of sites, and complete lack of servers, I can't do SuS.
Due to the foremen's requirements I can't do this at the router level... well, at least not with $40 Walmart routers.
 

VirtualLarry

Doesn't MS automagically whitelist their update servers inside their internet-related .DLLs, anyways? At least, I think that they have since Vista.
 

sdifox

Check pi-hole site for whitelisting.

If the machine is fast enough, maybe pi-hole in vm player as dns.

Also, I thought you can restrict browsers to only existing bookmarks?
 

Curt K

VirtualLarry said:
Doesn't MS automagically whitelist their update servers inside their internet-related .DLLs, anyways? At least, I think that they have since Vista.

I've seen that too but WinUpdate sure doesn't work if the DNS is 127.0.0.1...
 

Elixer

Curt K said:
I've seen that too but WinUpdate sure doesn't work if the DNS is 127.0.0.1...

Why necro a ~7 year old thread, and not start your own?

There are also some hardcoded IPs that don't use DNS, and that would fail on those.