-tictech message:
At 08:54 PM 9/26/02 -0700, you wrote:
>There is a system built into Windows that allows a number of Internet
>options including faster name resolution, letting you use shortcut names
>rather than IP addresses to contact other computers, and to do some
>Internet filtering. This involves a file in Windows named "hosts". I've
>held off posting this since I'm having trouble getting it working at
>Ingraham (it works great at home). I don't know if the problem is related
>to Ingraham or everywhere inside Seattleschools WAN. So, I hope a few
>people will try it and report if it works at their school site. Here is
>how it works.
[snip]
The "hosts" file is a pretty standard internet thing. I know that all Unix
machines can be supplemented this way (including OS X Macs), but I am not
sure if OS9 Macs include it. There are some caveats:
This will not prevent students from accessing a web site if they know the
IP (the dotted quad number, a la 206.117.45.101). This is trivial to get;
even non-tech-savvy students can easily learn how from those in the
know. It is also a blunt instrument: it does not work on individual URLs,
but on the entire hostname. If you want to cut off parts of a site, but
not the whole site, using the hosts file won't work. A web proxy such as
squid will work here, and it would be possible to run a nightly script to
translate forbidden names into their IPs so getting around the proxy using
the IP won't work. A proxy can also be used to strip out obnoxious parts
of an otherwise useful site such as popups or other annoying JavaScript
doodads. We are having such a problem at AS#1 where some sites have
annoying JavaScript that hoses a computer to the point that it has to be
wiped and reinstalled.
If you use this to "speed up" access to a site, you may find that it no
longer works at some point. It isn't unusual for web sites to move to new
IPs, and this is usually transparent because they will update the DNS at
the same time. If getting DNS translation is a major slowdown in internet
access at your site, a better solution is to run an internal DNS
server. DNS entries are given a "time to live" (TTL) value by the owner of
the domain, and a properly run DNS server will cache the name translation
according to the value. Most have TTLs of around 3 days to a week. When
a site plans to move to a new IP, they will lower the TTL down to hours or
even minutes to ensure that caches are cleared of the old IP very quickly
after the new IP is put in place. This means that you will have fast local
translation of names and still not be caught out when an IP changes.
If you put too many names in the hosts file, name lookup performance will
suffer, not only for the names in the file, but for all DNS lookups. This
is because the computer will consult the hosts file first before going to
the DNS server, so all DNS queries will involve a search through the hosts
file. Since it is a flat text file, lookup is fast for a few names, but
becomes progressively bogged down with larger and larger files. If you
have a problem that is well solved by the use of a few names in the hosts
file, then it is an excellent solution. If the problem is more extensive,
it may not be a good solution.
As for the problem with working inside the Seattle Schools WAN, it may have
to do with the interactions with the Bess proxy. I would expect a web
proxy to do its own DNS, which means that the hosts file becomes irrelevant
for web access. Using an internal web proxy that cascades to Bess should
work. Bess may also be outside the gateway that connects the 10.x.x.x WAN
to the greater internet, and thus be unable to connect to sites inside the
10.x.x.x address space.
Mary K. Conner <trif@imp.serv.net>
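The lookup order and the TTL behaviour described in the message above, as an added example that is not part of the original thread: a small resolver that consults a hosts file first, then a TTL-bounded cache, then upstream DNS, and a simulation showing why a hosts entry pinned to an IP goes stale when the site moves while a cached DNS answer does not. The hosts file contents, zone data and addresses are constructed placeholders.

```python
# Constructed sample hosts file; the names and addresses are placeholders.
HOSTS_TEXT = """
127.0.0.1       localhost
0.0.0.0         ads.example.test   # sinkhole: blocks the whole hostname
206.117.45.101  www.example.test   # pinned to "speed up" lookups
"""

def parse_hosts(text):
    """Map hostname -> IP; the first entry for a name wins, as real resolvers do."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, skip blank lines
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

class Resolver:
    """Hosts file first (never expires), then TTL-bounded cache, then upstream DNS."""
    def __init__(self, hosts_text, upstream, clock):
        self.hosts = parse_hosts(hosts_text)
        self.upstream = upstream          # callable(name) -> (ip, ttl_seconds)
        self.clock = clock                # callable() -> seconds
        self.cache = {}                   # name -> (ip, expires_at)
        self.upstream_queries = 0

    def resolve(self, name):
        name = name.lower()
        if name in self.hosts:            # hosts entries shadow DNS and never expire
            return self.hosts[name], "hosts"
        now = self.clock()
        ip, expires = self.cache.get(name, (None, 0.0))
        if ip is not None and expires > now:
            return ip, "cache"
        ip, ttl = self.upstream(name)     # one real query per TTL window
        self.upstream_queries += 1
        self.cache[name] = (ip, now + ttl)
        return ip, "dns"

def simulate_move():
    # Both sites move to new IPs; the cached name follows once its TTL lapses,
    # the hosts-pinned name keeps returning the old address forever.
    zone = {"www.example.test": ("206.117.45.101", 60), "cdn.example.test": ("203.0.113.7", 60)}
    clock = [0.0]
    r = Resolver(HOSTS_TEXT, lambda n: zone[n], lambda: clock[0])
    before = (r.resolve("www.example.test"), r.resolve("cdn.example.test"))
    zone.update({"www.example.test": ("198.51.100.9", 60), "cdn.example.test": ("203.0.113.8", 60)})
    clock[0] = 30.0                                      # still inside the TTL window
    during = r.resolve("cdn.example.test")
    clock[0] = 61.0                                      # TTL has expired
    after = (r.resolve("www.example.test"), r.resolve("cdn.example.test"))
    return before, during, after, r.upstream_queries
```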
-end tictech message. To join, leave, or visit
the message archive, go to tictech on the Web:
http://www.earthdaybags.org/tictech/
This archive was generated by hypermail 2b29 : Fri Sep 27 2002 - 06:35:57 PDT