05-25-2015 01:59 PM
Hi guys..
I see I can access specific websites if I edit my etc/hosts file on my computer. Does this mean that anyone connected to my network can do the same and virtually bypass the OpenDNS filtering I have set on my network? - If this is the case, is there a setting in OpenDNS to prevent users connecting to websites using their hosts file?
05-25-2015 11:08 PM
"is there a setting in OpenDns"
Would you know a method for a cloud service like OpenDNS to influence a local hosts file?
If you send your DNS queries to OpenDNS, they respond with what you expect. If you don't, then you're not using OpenDNS.
The setting is on your computers: don't let users have administrator accounts. Regular users cannot modify the hosts file.
05-25-2015 11:22 PM
To amplify, a computer checks its hosts file before doing a DNS lookup. If an entry for a domain is in the hosts file then the DNS query will never be made, and a service like OpenDNS will have no chance to block or allow anything.
As rotblitz said, in order to prevent that type of "bypassing" you have to prevent your users from having local administrator access to the device. There might be ways to modify a computer to not use a hosts file, but if users don't have administrator access you won't need to go to that length, and if they had administrator access they could just turn it back on, so it wouldn't matter anyway.
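To make that lookup order concrete, here is an added Python example (not code from the thread or from OpenDNS) that parses a constructed hosts file the way a resolver reads it and reports which names would never produce a DNS query, which is exactly what a DNS-based filter never gets to see. The hosts file contents, domain names and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file: comments, blank lines, IPv4 and IPv6 entries,
# several aliases on one line and mixed-case names (all made up for this example).
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1   localhost
::1         localhost ip6-localhost

# An override that short-circuits DNS-based filtering for these names
192.0.2.10  Blocked.Example   www.blocked.example  # inline comment
2001:db8::5 video.example
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to the addresses the hosts file assigns it.

    Mirrors resolver behaviour: '#' starts a comment, whitespace separates fields,
    the first field is an address and every remaining field is a name for it.
    Lines whose first field is not a valid address are ignored, as resolvers do.
    """
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def dns_query_needed(hosts: Dict[str, List[str]], domain: str) -> bool:
    """True if resolving `domain` would reach DNS (and so the filter);
    False if the hosts file answers first and no query is ever sent."""
    return domain.lower().rstrip(".") not in hosts


def audit_overrides(hosts: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """List hosts entries that bypass DNS filtering: names mapped to real
    addresses. Loopback/unspecified targets (typical ad-block lists) are skipped."""
    findings = []
    for name, addrs in hosts.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append((name, a))
    return sorted(findings)
```

Run `audit_overrides(parse_hosts(open("/etc/hosts").read()))` on a managed machine to list names the DNS filter would never see.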
05-26-2015 06:20 AM
oh ok.. so basically, OpenDNS and any other similar filtering service is effective only on the computers that actually reside in my house (which I have control of), but anyone that connects to the internet using my router could go anywhere they wish whether I like it or not by just using their hosts file.. very interesting.
Thanks guys for the info.
05-26-2015 06:28 AM
One more thing.. we use OpenDNS in our church. We have a wifi guest account available for members and visitors. Knowing this about the hosts file means that anyone can easily visit inappropriate sites while using the church's internet.
If we invest, let's say, in an expensive firewall such as Barracuda, can the same thing happen with users using their hosts file to bypass the Barracuda firewall?
05-26-2015 10:13 AM
"Knowing this about the hosts file means that anyone can easily visit inappropriate sites"
No, this is far from being easy because of:
As you can see, this is not an economic and realistic way for anyone to go. It is purely theoretical. Such visitors would rather use a VPN or a related browser plugin to simply circumvent OpenDNS. This is the way to go for an administrator of an end user device. And this again can be blocked by OpenDNS and by firewall rules.
"If we invest, let's say, in an expensive firewall such as Barracuda, can the same thing happen with users using their hosts file to bypass the Barracuda firewall?"
No, not for using the hosts file, but for restricting connectivity. DNS is not about connectivity, but about name resolution. DNS is the phone book of the internet, not the phone lines.
05-26-2015 10:52 AM
"Are you able to present me with a hosts file which would circumvent OpenDNS blocking of e.g. Google or YouTube?"
I have actually done this in my network.. I have added this to my hosts file
206.125.164.82 www.sex.com - and that site will open right away.
but thank you Rotblitz for the explanation.
05-26-2015 10:19 PM
All of this points to the difficulties and limitations of having a guest network, or otherwise allowing devices onto your network that you don't control and which the users have administrative access to. Basically they have multiple ways, such as using a hosts file, VPN, or other methods to bypass whatever restrictions and controls you've put on the network.
Most people don't have the technical knowledge or desire to bypass those restrictions, but some do, especially those who might "sit outside" and aren't actually who the guest network was intended for. Using OpenDNS or other filtering products you can probably prevent 80% to 90% of people, perhaps more, from doing things that you don't want them doing on your network. That leaves a small percentage of people who have the knowledge and motivation to bypass your restrictions who can actually do it. What you need to decide is if having the guest WiFi is important enough to outweigh the risk that someone "might" be doing something with their device on your network that you don't approve. Depending on which of those is more important you either need to beef up the restrictions to the point where the risk is acceptable, or you need to turn off the guest network.
Regardless of what you decide, you need to make sure that under absolutely no circumstances should you allow anyone who is a guest to have access to your "production" network. If you can't control the devices on that network then they have no business being on it. If you do decide to continue with the guest WiFi, test it to make sure that it doesn't somehow allow access to the devices on your production network.