How & why do "0.0.0.0" connections get a response?

I have a lot of bad guys in /etc/hosts pointing to 0.0.0.0

If I use host to check the domain name, I get an actual IP address instead of 0.0.0.0

What I expected the resolver to give me is the same thing that is in the hosts file. What I expected from any other access is a failure (timeout).

But when the resolver provides the real IP, I would expect a browser to show the bad guy's website. Instead, both Safari and Firefox show "Blocked!!" with the same font, font size, positioning, etc. The HTML is identical: <html><body><h1>Blocked!!</h1></body></html> suggesting that it comes from somewhere/something else. Where does this HTML come from? What would happen if the Mac tried to go there on some other (non-http/https) port?

This is the latest macOS update on a 2012 MacBook.


Solution 1:

As I said in a comment, host is misleading because it bypasses the system resolver (and /etc/hosts) and queries DNS directly. The 0.0.0.0 entries are probably working normally.

From my tests it appears connections to 0.0.0.0 actually connect to localhost (specifically 127.0.0.1), so that <html><body><h1>Blocked!!</h1></body></html> message must be coming from a web server running on your own Mac.

You can confirm this by running sudo tcpdump -Aqns0 -ilo0 port 80 to watch the raw connection. Note that it'll ask for your admin password, but will not echo anything as you type. Also, you'll have to use Control-C to exit it. In the output, you'll see traffic back & forth between two different ports on 127.0.0.1 (ports 80 and whatever your browser is using), but in the request you'll see a "Host:" header indicating the site name the browser is trying to reach.

So... why is a web server running on your Mac, and why is it serving a "Blocked!" message? I have no idea, do you?
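An added example (not from the original question or answer) that checks the two points made above with the Python standard library: getaddrinfo goes through the OS resolver, which reads /etc/hosts, and a TCP connection to 0.0.0.0 on macOS or Linux lands on a loopback listener, which then sees the browser's "Host:" header just as tcpdump would show it. The blocklisted name and the local listener are constructed stand-ins.

```python
# Added example, not the answerer's code. Demonstrates:
#  1. socket.getaddrinfo uses the system resolver (/etc/hosts first),
#     unlike the `host` utility, which queries DNS servers directly.
#  2. On Linux/macOS a connection to 0.0.0.0 is delivered to 127.0.0.1,
#     so a local web server on port 80 receives the request and can
#     answer with the "Blocked!!" page.
import socket
import threading

# Constructed placeholder for a name that /etc/hosts maps to 0.0.0.0.
BLOCKED_NAME = "ads.example.invalid"


def system_resolve(name):
    """Resolve through the OS resolver, which consults /etc/hosts."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def connect_to_zero_address():
    """Listen on 127.0.0.1, connect to 0.0.0.0:<port>, and return
    (peer address the listener saw, Host header, response body)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0 = any free port
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = listener.accept()
        with conn:
            request = conn.recv(4096).decode("ascii", "replace")
            host_line = next((ln for ln in request.splitlines()
                              if ln.lower().startswith("host:")), "host:")
            seen["peer"] = peer[0]
            seen["host"] = host_line.split(":", 1)[1].strip()
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n"
                         b"<html><body><h1>Blocked!!</h1></body></html>")

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    # Destination 0.0.0.0, not 127.0.0.1: this is the behaviour under test.
    with socket.create_connection(("0.0.0.0", port), timeout=5) as client:
        client.sendall(f"GET / HTTP/1.0\r\nHost: {BLOCKED_NAME}\r\n\r\n".encode())
        body = client.recv(4096).decode("ascii", "replace")
    worker.join(5)
    listener.close()
    return seen["peer"], seen["host"], body


if __name__ == "__main__":
    print(connect_to_zero_address())
```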