I have a lot of bad guys in /etc/hosts pointing to 0.0.0.0
If I use host to check the domain name, I get an actual IP address instead of 0.0.0.0
What I expected the resolver to give me is the same thing that is in the hosts file. What I expected from any other access is a failure (timeout).
But when the resolver provides the real IP, I would expect a browser to show the bad guy's website. Instead, both Safari and Firefox show "Blocked!!" with the same font, font size, positioning, etc. The HTML is identical:
<html><body><h1>Blocked!!</h1></body></html>
This is the latest MacOS update on a 2012 MacBook.
Best Answer
As I said in a comment,
hostis misleading because it bypasses the system resolver (and /etc/hosts) and queries DNS directly. The 0.0.0.0 entries are probably working normally.From my tests it appears connections to 0.0.0.0 actually connect to localhost (specifically 127.0.0.1), so that
<html><body><h1>Blocked!!</h1></body></html>message must be coming from a web server running on your own Mac.You can confirm this by running
sudo tcpdump -Aqns0 -ilo0 port 80to watch the raw connection. Note that it'll ask for your admin password, but will not echo anything as you type. Also, you'll have to use Control-C to exit it. In the output, you'll see traffic back & forth between two different ports on 127.0.0.1 (ports 80 and whatever your browser is using), but in the request you'll see a "Host:" header indicating the site name the browser is trying to reach.So... why is a web server running on your Mac, and why is it serving a "Blocked!" message? I have no idea, do you?