不管你如何努力讓你的孩子遠離網際網路上不受歡迎的網站，似乎總有一些方法可以繞過你設定的任何保護。今天的超級使用者問答文章討論了使用虛擬作業系統訪問被阻止在主機作業系統的hosts檔案中的網站的可能性。

今天的問答環節是由SuperUser提供的，SuperUser是Stack Exchange的一個分支，是一個由社群驅動的問答網站分組。

截圖由John M（Flickr）提供。

問題

超級使用者讀者Vinayak想知道是否可以使用虛擬作業系統訪問主機作業系統的hosts檔案中阻止的網站：

I was reading through a Net Nanny article that mentioned the various ways its web filter could be bypassed by kids.

I saw this among the methods listed:

• One way that teens can get around the filter entirely is to install a program that runs a virtual machine on the computer, essentially a computer within the computer. So, for example, if your computer’s operating system is Windows, the crafty teen can download a program that runs a virtual Windows operating system that will not have Net Nanny installed, and then surf the web with no filter.

Now I was wondering if this might still be possible if the hosts file on the host OS has blocked access to all unwanted websites. Assume for the moment that such a huge, regularly updated hosts file does exist (including websites with ***** content, web proxies, P2P file-sharing, etc.).

Would it be possible to visit those blocked websites using a web browser running in the virtual OS? Also, assume that no VPN or TOR is used, nor Google’s “cached” view of the webpage.

是否有可能訪問虛擬作業系統中不需要的網站，或者主機作業系統中的主機檔案是否會阻止對這些網站的訪問？

答案

超級使用者貢獻者Darth Android為我們提供了答案：

Yes. The hosts file does not block anything, it just tells the computer where it can find named websites. When you try going to google.com, the system will check its hosts file for that name, and if it exists, it will use the IP address there instead of looking up the IP address from a DNS server.

A virtual OS has its own hosts file, and performs its own name resolution (i.e. checking its own hosts file and contacting its own DNS server) independent from the host OS.

Even if you redirected google.com to 127.0.0.1 (a common way of blocking a website), you can still get to Google simply by typing 173.227.93.99 into your web browser instead.

Additionally, IP-based filters on the host OS may be useless depending on how the virtual OS network is configured. Usually, the virtual OS is bridged with the host’s networking, meaning that all incoming traffic is duplicated and sent to the virtual OS so that it can see the same network traffic that the host OS does. Even if the host OS is configured to block or filter certain IP addresses (such as with a firewall), the virtual OS will still get to see its copy of the data, which will allow the virtual OS to browse the internet and ignore a filter installed on the host OS.

Remember the cardinal rule of computers and security: If I can physically touch a computer system, then given time I can have full control over it. Kids have lots of free time, and by no means are they an exception to this rule. It is trivial to reboot a system into safe mode and remove Net Nanny or any other piece of software installed upon it.

If you wish to filter/restrict/monitor what your kids do on the Internet, you need to do so at the network level, not the system level. Look into what features your router supports (such as Net Nanny Integration like @Keltari suggests) and if it will support alternate router firmware such as DD-WRT, which can do a scheduled disconnect of the child’s computer (such as 10 p.m. to 6 a.m. each day).

Even then, network filtering is often a game of Whack-A-Mole, and often easily thwarted by proxies like Tor. It is next to impossible to stop someone from accessing the Internet if they really want to (just ask China or other countries with massive firewalls that ultimately do not work perfectly).

With kids, you either have to talk with them and explain the perils of the Internet, then have enough trust that they will not intentionally seek out the bad sites (using Net Nanny merely as a backup to stop accidental navigati***), or you refuse to let them use a connected computer unsupervised.

有什麼要補充的解釋嗎？在評論中發出聲音。想從其他精通技術的Stack Exchange使用者那裡瞭解更多答案嗎？在這裡檢視完整的討論主題。