Safari ignoring hosts file?

[Nermal]

I just noticed an oddity with Safari. In /etc/hosts I have www.facebook.com redirected to 0.0.0.0 and ::1. If I ping www.facebook.com then it correctly reports "Socket is not connected".

However, in Safari, I can open www.facebook.com and it comes up with the login page. Weirdly, other redirected hosts seem to fail as expected. Any idea what's going on here? Are there separate DNS settings inside Safari somewhere?

I'm running OS 15.1.1 with Safari 18.1.1. As far as I know, this was working correctly under OS 14.

Edit: Firefox correctly gives an "unable to connect" message. The problem seems to be limited to Safari.

 

[Bigwaff]

Is iCloud Private Relay enabled?

 

[Nermal]

As far as I can tell, no. It appears that you need to pay for it, and I don't.

 

[Slartibart]

the reason for this - since macOS 11 (?) - is that Safari supports “Service binding and parameter specification via the DNS (DNS SVCB and HTTPSSV)”.

Use e.g., Lulu and setup a simple network filter for FB.

 

[bogdanw]

Or use web content filters.
“filterBlacklist [string] The array of URLs that defines a deny list. When restrictWeb and useContentFilter are enabled, no URLs in the deny list are available to the user.”
ParentalControlsContentFilter https://developer.apple.com/documentation/devicemanagement/parentalcontrolscontentfilter
Parental Controls MDM payload settings for Apple devices https://support.apple.com/guide/deployment/dep1c778f77/web
iMazing Profile Editor https://apps.apple.com/app/imazing-profile-editor/id1487860882

Example for Yahoo https://forums.macrumors.com/threads/everything-has-failed-to-block-yahoo-com-search.2379256/

 

[Nermal]

I haven't really had time to look into this, but I don't understand what's happening.

the reason for this - since macOS 11 (?)

It was working as expected in 14.

I don't understand what the RFC is talking about. I also don't understand how it's finding Facebook at all when a DNS lookup for its domain fails. Is there a plain English explanation available somewhere?

I don't like the idea of having to use additional software to work around something that "should" be doable via the underlying Unix infrastructure.

 

[Nermal]

This seems to be working again in Safari 18.3. Blocked sites are once again not loading in Safari.

 

[Nermal]

As at 18.5 it's ignoring the hosts file again

 

[Slartibart]

are we still talking macOS?

 

[Nermal]

Yes. Safari 18.5 (so MacOS 15.5).