No matter how hard you try to keep your kids safe from undesirable websites on the Internet, it seems like there is always some method of circumventing any protection you set up. Today's SuperUser Q&A post discusses the possibility of using a virtual OS to access websites blocked in the host OS's hosts file.

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

Screenshot courtesy of John M (Flickr).

The Question

SuperUser reader Vinayak wants to know if it is possible to use a virtual OS to access websites blocked in the host OS's hosts file:

I was reading through a Net Nanny article that mentioned the various ways its web filter could be bypassed by kids.

I saw this among the methods listed:

• One way that teens can get around the filter entirely is to install a program that runs a virtual machine on the computer, essentially a computer within the computer. So, for example, if your computer’s operating system is Windows, the crafty teen can download a program that runs a virtual Windows operating system that will not have Net Nanny installed, and then surf the web with no filter.

Now I was wondering if this might still be possible if the hosts file on the host OS has blocked access to all unwanted websites. Assume for the moment that such a huge, regularly updated hosts file does exist (including websites with adult content, web proxies, P2P file-sharing, etc.).

Would it be possible to visit those blocked websites using a web browser running in the virtual OS? Also, assume that no VPN or TOR is used, nor Google's "cached" view of the webpage.

Is it possible to access undesirable websites in the virtual OS or will the hosts file in the Host OS block access to them?

The Answer

SuperUser contributor Darth Android has the answer for us:

Yes. The hosts file does not block anything, it just tells the computer where it can find named websites. When you try going to google.com, the system will check its hosts file for that name, and if it exists, it will use the IP address there instead of looking up the IP address from a DNS server.

A virtual OS has its own hosts file, and performs its own name resolution (i.e. checking its own hosts file and contacting its own DNS server) independent from the host OS.

Even if you redirected google.com to 127.0.0.1 (a common way of blocking a website), you can still get to Google simply by typing 173.227.93.99 into your web browser instead.

Additionally, IP-based filters on the host OS may be useless depending on how the virtual OS network is configured. Usually, the virtual OS is bridged with the host's networking, meaning that all incoming traffic is duplicated and sent to the virtual OS so that it can see the same network traffic that the host OS does. Even if the host OS is configured to block or filter certain IP addresses (such as with a firewall), the virtual OS will still get to see its copy of the data, which will allow the virtual OS to browse the internet and ignore a filter installed on the host OS.

Remember the cardinal rule of computers and security: If I can physically touch a computer system, then given time I can have full control over it. Kids have lots of free time, and by no means are they an exception to this rule. It is trivial to reboot a system into safe mode and remove Net Nanny or any other piece of software installed upon it.

If you wish to filter/restrict/monitor what your kids do on the Internet, you need to do so at the network level, not the system level. Look into what features your router supports (such as Net Nanny Integration like @Keltari suggests) and if it will support alternate router firmware such as DD-WRT, which can do a scheduled disconnect of the child's computer (such as 10 p.m. to 6 a.m. each day).

Even then, network filtering is often a game of Whack-A-Mole, and often easily thwarted by proxies like Tor. It is next to impossible to stop someone from accessing the Internet if they really want to (just ask China or other countries with massive firewalls that ultimately do not work perfectly).

With kids, you either have to talk with them and explain the perils of the Internet, then have enough trust that they will not intentionally seek out the bad sites (using Net Nanny merely as a backup to stop accidental navigations), or you refuse to let them use a connected computer unsupervised.

Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.