Could I access a blocked website via a virtual machine if the host OS has the web address blocked in its hosts file?

I was going through this Net Nanny article that mentioned the various ways its web filter could be bypassed by kids.

Among other methods, I saw this:

One way that teens can get around the filter entirely is to install a program that runs a virtual machine on the computer, essentially a computer within the computer. So, for example, if your computer’s operating system is Windows, the crafty teen can download a program that runs a virtual Windows operating system that won’t have Net Nanny installed, and then surf the web with no filter.

Now I was wondering if this might still be possible if the hosts file on the host OS has blocked access to all unwanted websites (let's assume for the moment that such a huge, regularly updated hosts file does exist) including sites with adult content, web proxies, P2P file-sharing sites, etc.

Now would it be possible to visit those blocked sites from within a web browser running in the VM? Let's also assume that no VPN is used, and neither is Tor or Google's "cached" view of the webpage.


Yes. The hosts file does not block anything; it just tells the computer where it can find named websites. When you try to go to google.com, the system will check its hosts file for that name, and if it exists, it'll use the IP there instead of looking up the IP from a DNS server.

A virtual machine has its own hosts file, and performs its own name resolution (i.e., checking its own hosts file and contacting its own DNS server), independent from the host computer.

Even if you redirected google.com to 127.0.0.1 (a common way of "blocking" a website), you can still get to Google simply by typing in 173.227.93.99 in your web browser instead.

Additionally, IP-based filters on the host OS may be useless depending on how the VM network is configured. Usually, the VM is "bridged" with the host networking, meaning that all the incoming traffic is duplicated and sent to the VM so that it can see all of the network traffic that the host does. Even if the host is configured to block or filter certain IPs (such as with a firewall), the VM will still get to see its "copy" of the data, which will allow the VM to browse the internet and ignore a filter installed on the host computer.
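The lookup order described in this answer, modelled as an added example that is not part of the original answer. The names `blocked.example`, the address `203.0.113.10`, the `FAKE_DNS` table and the function names are constructed for illustration; the point is to show which lookups a hosts-file entry actually covers when auditing such a filter.

```python
import ipaddress

# Constructed sample data: the host OS hosts file with a sinkhole entry, and
# the untouched hosts file of a freshly installed guest OS inside a VM.
HOST_HOSTS = """\
127.0.0.1   localhost
# filter list
127.0.0.1   blocked.example www.blocked.example   # sinkholed
"""
GUEST_HOSTS = "127.0.0.1 localhost\n"

# Stand-in for what a DNS server would answer (documentation address range).
FAKE_DNS = {"blocked.example": "203.0.113.10",
            "www.blocked.example": "203.0.113.10"}


def parse_hosts(text):
    """Return {hostname: ip}; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def resolve(target, hosts_text, dns=FAKE_DNS):
    """Model the lookup order: IP literal, then hosts file, then DNS."""
    try:
        # An IP literal needs no name resolution, so hosts is never consulted.
        return str(ipaddress.ip_address(target)), "literal"
    except ValueError:
        pass
    table = parse_hosts(hosts_text)
    name = target.lower()
    if name in table:
        return table[name], "hosts"
    return dns.get(name), "dns"


def is_sinkholed(target, hosts_text):
    """True only when the hosts file itself maps the name to a dead address."""
    ip, source = resolve(target, hosts_text)
    addr = ipaddress.ip_address(ip) if ip else None
    return source == "hosts" and (addr.is_loopback or addr.is_unspecified)
```
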


Remember the cardinal rule of computers and security: If I can physically touch a computer system, then given time I can have full control over it; kids have lots of free time, and by no means are they an exception to this rule. It's trivial to reboot a system into safe mode and remove NetNanny or any other piece of software installed upon it.

If you wish to filter/restrict/monitor what your kids do on the internet, you need to do so at the network level, not the system level. Look into what features your router supports (such as NetNanny integration like @Keltari suggests), and if it will support alternate router firmwares such as DD-WRT which can do a scheduled disconnect of the child's computer (say, from 10pm to 6am each day).

Even then, network filtering is often a game of Whack-A-Mole, and often easily thwarted by proxies like Tor; it is next to impossible to stop someone from accessing the internet that really wants to (just ask China or other countries that have massive firewalls which ultimately don't work perfectly).

With kids, you either have to talk with them and explain to them the perils of the Internet and have enough trust that they won't intentionally go seeking the bad sites (and then use NetNanny merely as a backup to stop accidental navigations), or you have to not let them use a connected computer unsupervised.