Google, Roku, Sonos To Fix DNS Rebinding Attack Vector (bleepingcomputer.com)

8844 by Anonymous Coward · 2018-06-20 10:04 · Score: 0

Hate dot hate dot hate dot hate

I rebinded my AppleTV 4K by Anonymous Coward · 2018-06-20 10:07 · Score: -1

To goatse and I've never looked back

Trump will be fixed also - by decades in Prison by Anonymous Coward · 2018-06-20 10:12 · Score: -1

"How young Donald Trump was slapped and punched until he made his bed"

http://www.nydailynews.com/opinion/donald-trump-fellow-cadet-article-1.3401110

My last conversation with Donald Trump was at the New York Military Academy, where we were both cadets. It was 1964, the year he graduated. We were walking together near the baseball field where, he reminded me, he'd played exceptionally well. He demanded that I tell him the story of one of his greatest games.

"The bases were loaded," I told him. "We were losing by three. You hit the ball just over the third baseman's head. Neither the third baseman nor the left fielder could get to the ball in time. All four of our runs came in; we won the game."

"No," he said. "That's not the way it happened. I want you to remember this: I hit the ball out of the ballpark! Remember that. I hit it out of the ballpark!"

Ballpark? I thought. We were talking about a high school practice field. There was no park to hit a ball out of. And anyway, his hit was a blooper the fielders misplayed.

But I wasn't going to argue with Donald. What was the harm in a little embellishment, if it helped him survive New York Military Academy?

NYMA, the private boarding school where Trump's parents sent him and where mine sent me, could be a brutal place where grown men who were veterans of the real military ruled with threats and force.

Trump's first year, under the command of Major Theodore Dobias, was hellish. Dobias slapped and punched him until he learned to make his bed and polish his shoes — things that Donald, an aggressive little wiseguy, had at first refused to do.

At some point Dobias assumed that he had broken Trump and eased up. More probably, Trump had figured out Dobias' weak points and had begun to exploit them. He flattered the major and became one of his "winners" who was favored with privileges and praised.

As the Academy's unofficial PR man, Dobias even contributed to the Trump myth, eventually telling Rolling Stone that pro scouts vied to sign Trump. As with many things Dobias asserted about Trump, this story may or may not be true.

Besides sports, most of Donald's years at the Academy were unremarkable. In his junior year, he was a supply sergeant in charge of the World War II M1s rifles we all lugged around at parade. But even in this laid-back position he was brash and assertive.

A member of the school band recallsTrump throwing shoes at him and yelling at him to shut up when this young man stood too close to the barracks trumpeting Reveille. Rumor had it that he got away with stuff like this because his father donated large sums to the school.

In his senior year, Donald was promoted to captain of A Company. Unlike other cadet captains who took an interest in the lives of the adolescents in their charge, Trump commanded at a remove. Aside from a determination that cadets in his care would always polish their brass belt buckles and keep the spit-shine on their boots, come evening he'd retreat to his room.

My friend Peter Ticktin, who was an A Company platoon sergeant, emailed me recently to say he saw Trump as someone who kept his thoughts to himself and delegated his responsibilities. "DT put his trust in me," Ticktin wrote . "(Although trust) may be too strong (a word), as I was not a confidant as to his personal thoughts. No one was. He was much to himself. A good guy, but no one's real buddy."

Trump couldn't remain aloof after one of his minions allegedly hazed a younger cadet. Ignoring the unwritten barracks rule that no report to the adult authorities be made, this cadet finked to his parents, who demanded a meeting with the superintendent. It resulted in Donald's removal as captain.

Any other cadet caught in such a scandal would have been busted to a lower rank and exiled to a different barracks. But Donald was transferred, with no loss of rank, to what was probably intended as a desk job. (He called it a promotion.)

While Donald had not succeeded as a manager of young men

Browser solution by amorsen · 2018-06-20 10:19 · Score: 0

Browsers could start ignoring DNS answers that point to addresses in the local LAN, unless the request was for a record that matches the local DNS domain or the answer comes from mDNS. That should be a relatively quick 90% solution that still keeps e.g. Active Directory working. It will even work for both IPv4 and IPv6.

And yes, fellow Slashdotters, I know you have networks where such assumptions will break. You also have the knowledge to enter about:config or to reconfigure your DNS server or network as appropriate.

For extra security, block all of RFC1918 + all non-public IPv6 space -- but that means a lot more false positives.

--
Finally! A year of moderation! Ready for 2019?

Re:Browser solution by Anonymous Coward · 2018-06-20 10:24 · Score: 0

Yes, and this story has nothing to do with browsers.
Re:Browser solution by ls671 · 2018-06-20 10:33 · Score: 1

That is only a fraction of the attack vector they are mentioning. The rest of it will be making devices connect to valid public IP addresses.
Example, the user types www.mybank.com and he is directed to the fake hacker site that looks just like his bank site and the hacker steals your credentials when you enter them.

--
Everything I write is lies, read between the lines.
Re:Browser solution by viperidaenz · 2018-06-20 10:45 · Score: 2, Informative

For DNS rebind to work like that, the hacker has control of the DNS servers hosting your bank's domain.
That's already pretty bad news. With complete DNS control of your banks domain they can obtain certificates and pose as a secure copy of your banks website and steal your credentials that way. No DNS rebind attack required.
Public websites that are hosted as virtual hosts aren't vulnerable to rebind attackers either, as they use the HTTP Host header to determine how to handle the request. A rebind attack means the Host header won't match the website and would generally return a 404.
CDN's also stop rebind attacks from working on public websites for the same reason. The Host header is the domain of the attacker, not the destination.
Re:Browser solution by SirAstral · 2018-06-20 11:21 · Score: 3, Insightful

NO NO NO NO NO NO NO NO NO!!!!!
Don't even DARE to come up with the idea that browsers should be performing these functions. The browser needs to do only one thing... trust the DNS server that gave it data because the USER or Admins configured it... OTHER more suitable tools (like inline network devices/services) should be doing this security. It is NOT just about what will or will not break with this, it is also about the thought of Google, Microsoft, Firefox, and Opera deciding what is good or bad DNS and then also dealing with false positives and bugs that is going to definitely come with attempting this. Not only that but this kind of functionality will now be tested on browsers and become included in their "security profiles".
It's just a terrible terrible idea, like putting a governor in every car connected to GPS to make sure it NEVER goes over the speed limit.
Hackers would waste NO TIME in compromising this garbage in a browser and system would become even less secure just having it in them NOT MORE secure.
I cannot expound on how terrible the idea you just had is!
Re:Browser solution by SirAstral · 2018-06-20 11:35 · Score: 2

"With complete DNS control of your banks domain they can obtain certificates and pose as a secure copy of your banks website and steal your credentials that way."
yea, um no... you can't "just get a certificate" like that.
You have to get a publicly trusted CA to issue you a Certificate for a domain you don't own and a CA is not going to do that unless they want to risk going out of business or becoming untrusted defeating the entire purpose of being a CA. And if you go an create your own, well how are you going to get the victim's own system to trust it without a root signer they already trust? Systems do not accept certificates blindly!
You are going to have to trick someone to give you a certificate or find a way to compromise their Certificate or find a way to illegitimately obtain a proper certificate like finding some dumbass admin that left a cert laying around on an easy to access network drive with its private key and an easy to guess password (likely also stored in a txt file right next to it) protecting it.
Re:Browser solution by Junta · 2018-06-20 11:43 · Score: 2

Bad news:
https://blog.nightly.mozilla.o...
Firefox and chrome are both advocating for ignoring the system DNS resolver and baking DNS resolving into their code (also, shifting from DNS over UDP to DNS over HTTPS, with etiher json or the traditional binary format. Instead of trusting your dns server, it trusts https://mozilla.cloudflare-dns... as the equivalent of the DNS server, ignoring the local network suggested settings.
Of course, I presume they must be doing something to support non-internet names to be resolved, but I haven't found yet an article going into that much detail.

--
XML is like violence. If it doesn't solve the problem, use more.
Re:Browser solution by amorsen · 2018-06-20 12:06 · Score: 1

Example, the user types www.mybank.com and he is directed to the fake hacker site that looks just like his bank site and the hacker steals your credentials when you enter them.
That is not a rebind attack. You'd need a cache poisoning attack or a full takeover of the victim's DNS server to do that. My mitigation obviously does not fix that, that's what certificates are for.

--
Finally! A year of moderation! Ready for 2019?
Re:Browser solution by ls671 · 2018-06-20 12:09 · Score: 1

For DNS rebind to work like that, the hacker has control of the DNS servers hosting your bank's domain.
Nope, sorry this is not how it works.
1) You would simply make the device connect to your fake DNS server.
2) In your fake DNS server, you would simply hardcode your fake web server IP to return when asked to resolve "www.mybank.com" so, there is no need to control the bank DNS server.
3) In your website virtualhosts config, you would simply create a domain "www.mybank.com"
This is not only limited to web attacks but it extents to anything trying to connect anywhere by hostname.

--
Everything I write is lies, read between the lines.
Re:Browser solution by duke_cheetah2003 · 2018-06-20 12:10 · Score: 1

Browsers could start ignoring DNS answers that point to addresses in the local LAN,
Despite your original post seeming intelligent, this is not. Are you really this naive about the typical home broadband installation? Where almost always the router is doing DNS duty, thereby pushing out on DHCP itself as the first DNS server. This is standard on millions of devices, and you propose breaking it?
Re:Browser solution by amorsen · 2018-06-20 12:16 · Score: 1

Yes, and this story has nothing to do with browsers.
In most cases the only thing you can achieve with a DNS rebind attack is sending a HTTP or HTTPS request to a target. Usually it will be a browser that sends that request. Many modern email clients can also send HTTP(S) requests, I had forgotten to consider those since I find that extremely silly.
But you are right, email clients that implement HTTP(S) should just a) stop doing that (I know, won't happen) or at least b) block all HTTP(S) access to RFC1918, RFC6598, link-local IPv6, ULA IPv6. And those clients should never send any HTTP requests that aren't GET; hopefully anything harmful that can be done to a homenet device at least requires a POST.
Are there any other clients that are realistically vulnerable to DNS rebind? I'd love to hear if so.

--
Finally! A year of moderation! Ready for 2019?
Re:Browser solution by amorsen · 2018-06-20 12:24 · Score: 1

Despite your original post seeming intelligent, this is not. Are you really this naive about the typical home broadband installation? Where almost always the router is doing DNS duty, thereby pushing out on DHCP itself as the first DNS server. This is standard on millions of devices, and you propose breaking it?
No, that is not my proposal. It is perfectly valid for the local CPE to be DNS server.
Imagine that the client, 192.168.1.10/24 asks the CPE, 192.168.1.1, what is the A record for www.harmless.com? 192.168.1.1 answers www.harmless.com IN A 88.44.22.11, which is a public internet address, so the browser accepts the answer. Then the same thing happens except the request is for evil.attacker.com, and it gets the answer (again coming from the CPE 192.168.1.1) evil.attacker.com IN A 192.168.1.50, which happens to be the Roku. Now the browser says AHA, 192.168.1.50 matches 192.168.1.0/24, someone is doing something bad! It drops the answer and refuses to connect to 192.168.1.50.

--
Finally! A year of moderation! Ready for 2019?
Re:Browser solution by amorsen · 2018-06-20 12:26 · Score: 1

1) You would simply make the device connect to your fake DNS server.
That is not part of the DNS Rebind attack. You can accomplish that WITH a DNS Rebind attack that messes with the CPE settings, but then you have already won. My proposal stops the DNS Rebind attack from messing with the CPE settings in the first place.

--
Finally! A year of moderation! Ready for 2019?
Re:Browser solution by amorsen · 2018-06-20 12:30 · Score: 1

DNS recursive servers are notoriously bad. Anything that comes in through DNS should be viewed with extreme suspicion, unless it is DNSSEC validated.
You COULD implement my proposed defense in the recursive DNS server, like OpenDNS has an option to do, instead of in the browser itself. However, that would mean you are exposed when connecting to a public hotspot with a captive portal that mangles DNS requests and prevents you from connecting to a trustworthy server.

--
Finally! A year of moderation! Ready for 2019?
Re:Browser solution by ls671 · 2018-06-20 12:32 · Score: 1

See my other post just below.

For DNS rebind to work like that, the hacker has control of the DNS servers hosting your bank's domain.
Nope, sorry this is not how it works.
1) You would simply make the device connect to your fake DNS server.
2) In your fake DNS server, you would simply hardcode your fake web server IP to return when asked to resolve "www.mybank.com" so, there is no need to control the bank DNS server.
3) In your website virtualhosts config, you would simply create a domain "www.mybank.com"
This is not only limited to web attacks but it extents to anything trying to connect anywhere by hostname.
Some user will just enter mybank.com to connect to their bank. Normally, the website will redirect them to https://www.mybank.com/ (TLS site). Your fake website won't and will allow connections with plain http. No certificate needed.
Remember that for such an attack to pay off, only 1% of users falling for it is a lot!
Obviously, this isn't limited to banking sites and HTTP connections.

--
Everything I write is lies, read between the lines.
Re:Browser solution by viperidaenz · 2018-06-20 12:49 · Score: 1

That can be mitigated by HSTS being used by your bank
Their browser would refuse to connect without HTTPS to www.mybank.com if they have already visited it before, therefore requiring the attacker to have a valid certificate to perform the redirect.
Your scenario also requires control of the network configuration of the victim.
A DNS rebind attack is re-binding a domain during an attack to a different IP to get around same origin protections.
What you described is not a DNS rebind attack, it's DNS hijacking. That's where you gain control of the DNS server a victim uses, either by changing their network configuration or gaining control of their existing DNS server..
Re:Browser solution by viperidaenz · 2018-06-20 12:56 · Score: 1

Give me control of your domains DNS server and I'll get a Let's Encrypt certificate issued in 5 minutes.
Let's Encrypt use the ACME protocol to verify control of the domain. It's a completely automated process requiring only a webserver running on the IP address listed on the A record of the domain.
Re:Browser solution by Anonymous Coward · 2018-06-20 12:58 · Score: 0

thank for screwing my home network
Re: Browser solution by Anonymous Coward · 2018-06-20 13:27 · Score: 0

Your solution would only cover attempts against a simple network. It would be insufficient against most enterprise networks, and access to external targets. Eg making the victim participate in a DoS.
Re:Browser solution by ls671 · 2018-06-20 14:39 · Score: 1

That is not a rebind attack.
You are correct. I didn't know the term and reading TFS and TFA didn't help me.
So, I googled for it and reading the Wikipedia page enabled me to understand in 2 paragraphs.
Thanks!
https://en.wikipedia.org/wiki/...

The attacker registers a domain (such as attacker.com) and delegates it to a DNS server under the attacker's control. The server is configured to respond with a very short time to live (TTL) record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address of a server hosting the malicious client-side code. For instance, they could point the victim's browser to a website that contains malicious JavaScript or Flash scripts that are intended to execute on the victim's computer.
The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target somewhere else on the Internet.

--
Everything I write is lies, read between the lines.
Re:Browser solution by Anonymous Coward · 2018-06-20 15:03 · Score: 0

For DNS rebind to work like that, the hacker has control of the DNS servers hosting your bank's domain.
Or they can just own the local Wi-Fi/cellular DNS server, return CNAME responses for www.mybank.com to www.pwnedbank.com, and get a valid SSL certificate for www.pwnedbank.com from a lame-ass CA like Let's Encrypt. If they're feeling funky they could even add a Subject Alt Name for www.mybank.com to their lame-ass Let's Encrypt certificate.
Re:Browser solution by Anonymous Coward · 2018-06-20 16:24 · Score: 0

Example, the user types www.mybank.com and he is directed to the fake hacker site that looks just like his bank site and the hacker steals your credentials when you enter them.
Why would your locked down video purchasing/playback machine ever try to stream your purchased content from www.mybank.com?
This is to stop people from tricking a roku or "smart" device from connecting to anything but the official servers you need to pay to use, instead of as the owner redirecting them via dns to connect to your own computer, and run software to stream your potentially pirated, or at least not purchased from the device makers store.
Of course this just means instead of a simple DNS redirect, we now have to setup funky IP masq and redirection rules in a firewall and have it NAT the real public IP to translate to your own, and NAT replies back to it.
Re: Browser solution by Anonymous Coward · 2018-06-20 16:43 · Score: 0

Yes, you can get a certificate like that from LE who only verify first domain in SNI
Re: Browser solution by amorsen · 2018-06-21 03:06 · Score: 1

Enterprise networks can implement any policies they want in the DNS servers that they force the employees, or they can go extra evil and simply intercept all DNS requests from clients. They do not need the browser to help them, and if they do, they probably have more-easily-exploited holes anyway.
DoS against external targets will be a bit pathetic, SYN packets are small and rebind can't spoof the source. For later packets, the host header won't match, so the target is unlikely to spend more than minimal processing time before dumping the request.

--
Finally! A year of moderation! Ready for 2019?

I'm not impressed by Anonymous Coward · 2018-06-20 12:07 · Score: -1

Bin Laden masterminded a plot to demolish three skyscrapers in NYC while sitting on a rock in a cave on the other side of the planet. Now that's a conspiracy theory we can believe in! Yes we can! Duh!
ae911truth dot org

plex by Anonymous Coward · 2018-06-20 12:36 · Score: 0

How are they going to avoid breaking Plex?

Please don't break it for "security" by iduno · 2018-06-20 13:05 · Score: 1

I don't need/want the IOT stuff getting out of my network. They all go to my own server where I can keep the data to myself. I guess I'll just have to redirect 8.8.8.8/8.8.4.4/1.1.1.1/1.0.0.1 to my DNS server.

Re:Please don't break it for "security" by Anonymous Coward · 2018-06-20 14:35 · Score: 0

I guess I'll just have to redirect 8.8.8.8/8.8.4.4/1.1.1.1/1.0.0.1 to my DNS server.
Would be more effective to just redirect anything output on port 53(both TCP and UDP) to your DNS server. Do the same with NTP outbound and redirect those to your local NTP server too.
Re: Please don't break it for "security" by Anonymous Coward · 2018-06-20 16:52 · Score: 0

I've been doing that for years
Re:Please don't break it for "security" by locofungus · 2018-06-21 04:16 · Score: 1

AFAICT, this proposal is designed to stop exactly that.
Too many people are obviously preventing android devices reporting to google.

--
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.

Ignore the elephant in the room... by ZenShadow · 2018-06-20 14:32 · Score: 1

Prevent unknown third parties from running random code on your machine in the first place and this attack vector is nullified.

Quick! Find someone to stick their thumb in that hole over there!

--
-- sigs cause cancer.

Re:Ignore the elephant in the room... by Anonymous Coward · 2018-06-21 08:21 · Score: 0

Prevent unknown third parties from running random code on your machine in the first place and this attack vector is nullified.
No it isn't. Your own trusted code attempts to access some DNS name. I control the DNS record and give it a TTL (expiry time) of 1 second. I make it point to my server so you communicate with me, then I point (rebind) it to an internal IP name so you communicate with your own private machine that's inside your firewall that I can't talk to myself, then I point it back to my own server. This is the core of the vulnerability.
Finessing this into an exploit where I get to control what you send to your private machine, or that you tell me some/all of what the private is made easier if your program is a web browser running attacker-authored javascript, but there's no inherent requirement that this involve remote code execution.

Wrong definition ... by citizenr · 2018-06-20 14:35 · Score: 1

>DNS rebinding attack is to make a device bind to a malicious DNS server and then make the device access unintended domains

Thats not what DNS rebinding is. Impressive for an article to get it wrong while explaining how it works just few lines above :/. You dont "bind" to malicious servers, and you dont "access unintended domains". You contact one domain, and access "unintended" local IPs.

--
Who logs in to gdm? Not I, said the duck.

The true reason they are wanting to stop it. by Cito · 2018-06-20 14:37 · Score: 3, Interesting

PiHole DNS servers

Anyone can pick up a raspberry pi for 35 bucks or fire up a Debian virtual machine and install PiHole dns.

It blocks advertisements at the dns level. I have a roku, Chromecast, and of course kodi attached to my TV, and both the Roku and Chromecast not to mention my tablet never gets ads on YouTube or any streaming service.

I bet this change is to try and stop pihole users from blocking ads on their devices so easily.

Re:The true reason they are wanting to stop it. by Anonymous Coward · 2018-06-21 04:38 · Score: 0

Thank you. I was not aware of PiHole DNS. Now I am, and have a use for one of th Pi's I have sitting in a drawer right now.

That's not DNS rebind. Rebind attacks local by raymorris · 2018-06-21 01:09 · Score: 1

If you get the victim to start using an attacker-controlled DNS server, you can indeed do bad things. That's not what DNS rebind is, though.

Let me explain what DNS rebind is.

The attacker creates a web page which has an iframe for http://nest.attacker.net/temp/...

The attacker sets the DNS record to for nest.attacker.net to be 192.168.1.2

The browser then connects to 192.168.1.2, which is the victims thermostat, and requests temp/90

The victim has now turned their thermostat up to 90
--

The attacker doesn't know the exact IP of the thermostat, but it's probably in the range 192.168.1.2 - 192.168.1.10

The attacker therefore retries the attack with each IP in that range, updating their DNS record once per second.

AVOID DNS security issues by Anonymous Coward · 2018-06-21 04:48 · Score: 0

See subject & resolve FASTER locally via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

(Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

* Created in FreePascal/Lazarus 1.8.2 via GTK3 & OpenGL 3.1 on KDE Plasma desktop on Kubuntu 18.04. ONLY 1 of its kind in GUI on Linux/BSD!

APK

P.S.=> Much better vs. Windows model in speed & efficiencylus new "merge" feature... apk

Registered /.ers opinions of the Win64 model by Anonymous Coward · 2018-06-21 04:50 · Score: 0

Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

(APK's work), I've flat out said it's good by BronsCon February 11 2016

his hosts program is actually pretty good by xenotransplant August 10 2015

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

I like your host file system by Karmashock September 09 2015

I do use APK's host file on all my systems at home by OrangeTide December 01 2017

I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

* See subject: Best part is this Linux 64-bit model is faster & more efficient (does 2x the work in 1/2 the time, literally)

APK

P.S.=> Enjoy a faster/safer/more reliable internet... apk

Re: Registered /.ers opinions of the Win64 model by Brockmire · 2018-06-21 12:03 · Score: -1

You're quoting people who have never seen or reviewed your Linux shit and doesn't apply. That's some scumbag marketing.

I'll do you 1 better for FREE by Anonymous Coward · 2018-06-21 04:56 · Score: -1

See subject & resolve FASTER locally via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

(Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

* Created in FreePascal/Lazarus 1.8.2 via GTK3 & OpenGL 3.1 on KDE Plasma desktop on Kubuntu 18.04.

(ONLY 1 of its kind in GUI on Linux/BSD!)

APK

P.S.=> Much better vs. Windows model in speed & efficiency + new "merge" feature... apk

Re: I'll do you 1 better for FREE by Brockmire · 2018-06-21 12:11 · Score: -1

How much time do you spend every day curating and fixing your fucking hosts file? What stats are available?
Re:I'll do you 1 better for FREE by Anonymous Coward · 2018-06-22 00:37 · Score: 0

How's that supposed to work on his roku Chromecast kodi and tablet?

Registered /.ers opinions of the Win64 model by Anonymous Coward · 2018-06-21 04:58 · Score: -1

Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

(APK's work), I've flat out said it's good by BronsCon February 11 2016

his hosts program is actually pretty good by xenotransplant August 10 2015

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

I like your host file system by Karmashock September 09 2015

I do use APK's host file on all my systems at home by OrangeTide December 01 2017

I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

* See subject: Best part's the Linux 64-bit model's faster & more efficient (does 2x the work in 1/2 the time)

APK

P.S.=> Enjoy a faster/safer/more reliable internet... apk

Agreed 110% but the IP stack should do it by Anonymous Coward · 2018-06-21 05:01 · Score: 0

See subject & resolve faster locally avoiding DNS security issues + tracking via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

(Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

* ONLY 1 of its kind in GUI on Linux/BSD!

APK

P.S.=> Much better vs. Windows model in speed & efficiency + new "merge" feature... apk

Registered /.ers opinions of the Win64 model by Anonymous Coward · 2018-06-21 05:02 · Score: 0