How & why do "0.0.0.0" connections get a response?
I have a lot of bad guys in /etc/hosts pointing to 0.0.0.0
If I use host
to check the domain name, I get an actual IP address instead of 0.0.0.0
What I expected the resolver to give me is the same thing that is in the hosts file. What I expected from any other access is a failure (timeout).
But when the resolver provides the real IP, I would expect a browser to show the bad guy's website. Instead, both Safari and Firefox show "Blocked!!" with the same font, font size, positioning, etc. The HTML is identical:
<html><body><h1>Blocked!!</h1></body></html>
suggesting that it comes from somewhere/something else. Where does this HTML come from? What would happen if the Mac tried to go there on some other (non-http/https) port?
This is the latest MacOS update on a 2012 MacBook.
Solution 1:
As I said in a comment, host
is misleading because it bypasses the system resolver (and /etc/hosts) and queries DNS directly. The 0.0.0.0 entries are probably working normally.
From my tests it appears connections to 0.0.0.0 actually connect to localhost (specifically 127.0.0.1), so that <html><body><h1>Blocked!!</h1></body></html>
message must be coming from a web server running on your own Mac.
You can confirm this by running sudo tcpdump -Aqns0 -ilo0 port 80
to watch the raw connection. Note that it'll ask for your admin password, but will not echo anything as you type. Also, you'll have to use Control-C to exit it. In the output, you'll see traffic back & forth between two different ports on 127.0.0.1 (ports 80 and whatever your browser is using), but in the request you'll see a "Host:" header indicating the site name the browser is trying to reach.
So... why is a web server running on your Mac, and why is it serving a "Blocked!" message? I have no idea, do you?