DNS piracy blocking orders: Google, Cloudflare, and OpenDNS respond differently
torrentfreak.com180 points by DanAtC 3 days ago
180 points by DanAtC 3 days ago
> When OpenDNS was first ordered to block pirate sites in France, the company made a simple but drastic decision to leave the country entirely, effectively affecting all French users. Last week, it repeated this response in Belgium following a similar court order.
Who would have thought that Cisco would be on the side of the good guys for once?!
As for Cloudflare, what they do is scary. The screenshot clearly shows a valid HTTPS certificate, so either they don't do DNS blocking but instead implement the block on their loadbalancer side or they mis-issue HTTPS certificates. The former is only possible when the target site is also served by Cloudflare (which leaves the question what Cloudflare does for domains that are targetted by a court order but not using Cloudflare loadbalancing), the latter would be a serious breach of how HTTPS certificates should be issued.
And in the end I believe that courts need to be educated on how the Internet works. Companies should not be allowed to target DNS, they should be forced to target the actual entities doing the infringement - and if the target isn't in the scope of Western jurisdictions (that have various legal-assistance treaties), it's either tough luck (e.g. if the pirates are in Russia, China or other hostile nations) or they should get their respective government involved to use diplomatic means.
> And in the end I believe that courts need to be educated on how the Internet works
This is not an education issue. Rights holders want to use every tool in the box to add friction and barriers to piracy, courts offer pushback only when that would result in a marked loss in utility for ordinary users. They do not care about the sanctity of DNS or whatever engineer-brained ideals are being violated.
The sanctity of TLS certificates is the backbone of internet banking and basic privacy for everyday users. It's surprising that you or the courts would see this as a problem that only affects engineers, when it weakens the guarantees that everyday people and businesses rely on to conduct their business safely.
The trust we have in the CAs who are embedded in our root stores is very important - yes.
Thankfully, in this case the issue at hand is entirely unrelated to TLS, rogue CAs etc. Or even DNS record manipulation (for now)...
Cloudflare put a 'You're blocked' page, on the web server that Cloudflare are already running for their customer. The customer being the website that Cloudflare is being ordered to block (for users in certain countries).
Cloudflare's actions seem to me to be similar to sending out letters saying "this client has been banned from using our services" using that client's own letterhead. Are they not misrepresenting the communication as though it's from the client, when really it's from Cloudflare? Sure, it's benign, but it's an unnecessary muddying of the waters.
> The screenshot clearly shows a valid HTTPS certificate, so either they don't do DNS blocking but instead implement the block on their loadbalancer side or they mis-issue HTTPS certificates. The former is only possible when the target site is also served by Cloudflare (which leaves the question what Cloudflare does for domains that are targetted by a court order but not using Cloudflare loadbalancing), the latter would be a serious breach of how HTTPS certificates should be issued.
Cloudflare's statement in that screenshot:
> Given the extraterritorial effect as well as the different global approaches to DNS-based blocking, Cloudflare has pursued legal remedies before complying with requests to block access to domains or content through the 1.1.1.1 Public DNS Resolver or identified alternate mechanisms to comply with relevant court orders. To date, Cloudflare has not blocked content through the 1.1.1.1 Public DNS Resolver.
I interpret this part of what Cloudflare said to mean, that so far every domain they've been asked to block has either been appealed successfully or they were using Cloudflare's CDN, DDoS mitigation & WAF services therefore they could just selectively block the visitors with HTTP 451. If they were asked to block a domain that wasn't using Cloudflare, I'm sure that would be the first instance of them having to modify the DNS response - but they would have to, or stop doing business in that jurisdiction like what OpenDNS did.
Cloudflare is quite notorious about not policing the content being fronted by their service, and are quite popular with less than legal (but still clearnet) sites.
In the example cases, they already had TLS certificates issued and were using them for the legitimate traffic of that domain as it was fronted by Cloudflare.
> it's either tough luck (e.g. if the pirates are in Russia, China or other hostile nations)
This is not an acceptable outcome in the courts view
Not really sure what you find scare about that. If you set cloudflare as your dns provider, they own the dns response they give you. If they get court ordered to redirect you to a site saying this is illegal. Is your preference for this to be over plaintext?
Cloudflare is a public CA. Your browser or OS trusts it implicitly. If you don’t trust Cloudflare, remove it from that list I guess.
>If you set cloudflare as your dns provider, they own the dns response they give you. If they get court ordered to redirect you to a site saying this is illegal. Is your preference for this to be over plaintext?
Very important distinction here, the people being 'impacted' by this court order are end-users who decide to use Cloudflare's recursive DNS resolver (1.1.1.1 / 1.0.0.1 etc).
There's also the topic of what authoritative nameserver a domain uses. And also if a domain uses Cloudflare's WAF/CDN services to front their website.
A website can use Cloudflare's WAF/CDN without using their authoritative nameserver, and vice versa.
In this case, every domain that's been ordered to be blocked was already using Cloudflare's WAF/CDN service. So Cloudflare did the block at that level, rather than changing how Cloudflare's recursive DNS resolver responds to DNS queries.
No additional TLS certificates were issued - they already had valid certs because they're fronting the domain.
A website can use Cloudflare's WAF/CDN without using their authoritative nameserver, and vice versa.
Is this true for the free accounts? My understanding was that only enterprise and possibly pro accounts permitted this. I thought that people using free accounts had to point their entire zone entirely to CF to be managed only by CF. I could be wrong.
I believe you're thinking of the domain registration side. If you want to use Cloudflare as your domain registrar, you must use their authoritative nameservers - unless you're on the enterprise plans.
I don't use them for either, they've got too much market share for my comfort.
No I am not referring to domain registration. I am fairly certain that if I want to use their free accounts I would have to point the root servers at them to manage my zones even though they are registered through a dozen other registrars. In other words I can not manage my own DNS if I use their free accounts. It's not a big deal since I also do not use them. I make my own tiny CDN's when I need one. It's all hobby sites for me these days, retired from tech and no longer manage big zones.
So in other words, instead of being able to have the root servers provide the IP addresses of my bare metal servers running NSD NS records I would have to tell the root servers via the registrars I use to give the NS names/IP's of cloudflares DNS servers. The domains are still on the dozen registrars I use but CF have to be authoritative for them for the free accounts or at least that is they way it was when I first played with CF after they stopped being honeypots that I contributed to. I would say custom DNS but nowadays that means 50 different things to 50 different DNS admins on HN. It's just apex NS records in the root anycast clusters.
You're right, I was mistaken. Using a CNAME or A record as the only method to direct traffic at a label towards Cloudflare's reverse proxy is not available on the Free or Pro tier.
https://developers.cloudflare.com/dns/zone-setups/partial-se...
They have a trusted CA root subject to strict policy rules that I’m pretty sure don’t allow this.
CAs are well known for being lazy & incompetent.
Look at how much bullshit we tolerate from just Entrust: https://wiki.mozilla.org/CA/Entrust_Issues
> Not really sure what you find scare about that
For me it’s Cloudflare circumventing its transparency reporting. That’s lying. If they’re willing to lie about something like this, I wonder what else they found a technical workaround for.
Note that the CA's that Cloudflare uses have not mis-issued any certificates in this case, the certificate was legitimately issued for Cloudflare to front the site in question with their CDN/WAF services. It just happens that the court order will make Cloudflare front them with a HTTP 451 instead, for visitors from the relevant countries.
There is no bypassing of certificate transparency, as there was no additional TLS certificate issued, it was already in use.
If Cloudflare was demanded to block a different site that did not use Cloudflare's WAF service, they would have to do something else at the recursive DNS resolver level. So far that hasn't happened, because Cloudflare is incredibly popular, especially so for less-than-legal sites.
> There is no bypassing of certificate transparency
Transparency as in their reporting, not the technical details of certificate issuance.
FTA: “Interestingly, Cloudflare maintains in its transparency report that it is not blocking content through its public DNS resolver. Instead, it points out that it uses ‘alternate mechanisms’.”
I thought their transparency report was quite clear https://www.cloudflare.com/en-gb/transparency/
> 5. Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
That's accurate, the DNS responses for these domains previously did, and still do, point to Cloudflare's WAF/CDN.
They haven't said anything like '...never blocked access to customer content...'.
> That's accurate, the DNS responses for these domains previously did, and still do, point to Cloudflare's WAF/CDN. They haven't said anything like '...never blocked access to customer content...'.
It’s accurate in that bullshit isn’t technically a lie. If they’re willing to do this, they’re potentially willing to use their CDN to MITM DNS requests. Because after all, they’d be leaving the DNS request unmolested while doing the dirty work on their CDN.
Cloudflare is a public CA. They can issue themselves a certificate for literally any domain, whether it is served by cloudflare or not.
Cloudflare are not a public CA (see bottom), they use public CAs just like the rest of us. I'm sure they have special enterprise arrangements with each of them.
Supported TLS certs via Cloudflare: https://developers.cloudflare.com/ssl/reference/certificate-...
Those public CAs have to verify domain ownership via the methods outlined in the CA/Browser Forum's baseline requirements. None of which Cloudflare would be able to follow (on behalf of these domains in question) if they did not use either of Cloudflare's authoritative nameservers or WAF/CDN.
Now, if Cloudflare were a public CA, they would still have to behave correctly and follow the baseline requirements otherwise they would be distrusted by clients.
Note that Cloudflare have a certificate authority called 'Origin CA' https://blog.cloudflare.com/cloudflare-ca-encryption-origin/, it is not publicly trusted though. It doesn't need to be, it's for website operators to install on their own web server, before it gets fronted by Cloudflare - rather than just running a self-signed cert or serving plaintext.
Trusted root certs:
Apple: https://support.apple.com/en-gb/121672
Mozilla: https://ccadb.my.salesforce-sites.com/mozilla/CAInformationR...
Microsoft: https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACe...
Chrome: https://chromium.googlesource.com/chromium/src/+/main/net/da...
I'm pretty sure Cloudflare uses Let's Encrypt.
It doesn't look like they are a sponsor of Let's Encrypt though, so I doubt they have any kind of special arrangement with them.
So they are the official man in the middle? If that is true then it is a complete mockery of the entire theater of https everywhere.
Cloudflare have only ever been able to do their job (on the reverse proxy CDN/WAF side), by doing full TLS interception. They see the session in plaintext.
The customer grants Cloudflare a TLS certificate for their site either by uploading a cert manually, or letting Cloudflare issue a cert via the ACME protocol. They use that to present the site to the world. Cloudflare connects back to the origin site, and the origin either uses HTTP (bad! but possible), HTTPS with a self signed cert, HTTPS with another publicly trusted cert, or a cert that Cloudflare issues with their own (not publicly trusted) CA called Origin CA.
As the visitor, you there's no big sign saying 'Cloudflare can read this content as well as the origin website'. They're trusted to not be malicious sure, but there's a massive risk with using any sort of service like this that you don't control.
One of those massive risks turned reality with Cloudbleed in 2016/2017: https://en.wikipedia.org/wiki/Cloudbleed
https://project-zero.issues.chromium.org/issues/42450151
https://blog.cloudflare.com/incident-report-on-memory-leak-c...
https://blog.cloudflare.com/quantifying-the-impact-of-cloudb...
> As the visitor, you there's no big sign saying 'Cloudflare can read this content as well as the origin website'. They're trusted to not be malicious sure, but there's a massive risk with using any sort of service like this that you don't control.
In that case there is no way that company is not hooked into the intelligence services. I am certain they do go through the ceremony of legality for many actions but it is unreasonable to think no intelligence service has attempted to critically penetrate it. Add the mix of ideology du jour of the SV "VC intelligentcia" and software youth brigades.
You are entirely correct to point out that it is our "trust" that is taken for granted. And granted to CloudFlare by SV, YCombinator, and of course HackerNews itself that dumps on any voices raising concerns over these obvious "massive risks" so that the unauthorized delegation of trust is done behind our backs by capital and other interested parties. DDoS prevention is kind of like kiddie porn prevention, a perfect pretext for openning the door to equally serious violations, of our trust and rights.
> They can issue themselves a certificate for literally any domain, whether it is served by cloudflare or not.
They can but they're not allowed to, that's the entire point.
Question: why do courts hit DNS providers instead of domain registrars?
Easier to get jurisdiction over them. Google and Cloudflare has datacenters all over Europe. Meanwhile for the ivesoccer.sx domain, the registry is located in Sint Maarten and the registrar is a Danish company.
The internet is really not that different from shipping companies. Maybe some insights there?
Question: why do courts hit DNS providers instead of domain registrars?
Most of the eggs are in one basket. Same as trying to get individual ISP's to censor something, reaching out to each of the hundreds of registrars is time consuming and prone to being ignored depending on the country. If on the other hand a government can get cooperation from even 3 of the biggest "free" resolvers then its a big win for them. It's also easier to monitor people when they choose to use corporate resolvers like Cloudflare, Google, OpenDNS, etc...
Interesting. But dns registrars don't operate in the importing country. E.g: the .com registry is operated by verisign is in US Jurisdiction. If I wanted to block a website in Argentina it wouldn't make sense to ask Verisign to delete a website, I would ask the court to order a dns block to local ISPs registered as local companies
Everyone should just start running their own authoritative DNS servers like Unbound. That will eliminate the issue. And why is it still the norm that all major OSes don't ship with authoritative DNS... Same with all consumer routers. It is not an option at all, or if you run OpenWRT, you'd have to manually set it up. Hopefully, there will be some change in that direction.
I think you mean "running your own recursive resolver", an authoritative server is one which is authoritative for some zone (e.g. example.net), whilst a recursive resolver is one that goes and walks from the root of the DNS hierarchy to the leaf that you have queried.
It is probably quite a bit slower though needing to have roundtrips at each stage of the resolution, which is also likely a reason that these public resolvers get so much use (latency improvement via caching).
> It is probably quite a bit slower though needing to have roundtrips at each stage of the resolution
The average load time for a website is 2.5 seconds. The added load time from running your own recursive resolver, which is only added the first time the site is loaded, would be around 50ms, or 2% increase load time.
DNS resolving is not a major aspect of a typical websites load time. If you want to speed things up, run a local proxy which local cached version of all popular web frameworks and fonts, and have it be be constantly populated by a script running in the background. That will save you much more than 2% on first load.
I just did some measurements and am impressed on both fronts: DNS recursive resolution is faster than I anticipated, but also page load times for well optimised sites are also very fast (sub 0.5s). Here's some data:
Recursively resolve bbc.com: 18ms https://pastebin.com/d94f1Z7P Recursively resolve ethz.ch: 17ms https://pastebin.com/x6jSHgDn Recursively resolve admin.ch: 39ms: https://pastebin.com/DUTg8Rit
Page load in Firefox: bbc.com DOMContentLoaded: ~40ms, page loaded: ~300ms reuters.com DOMContentLoaded: ~200ms, page loaded: ~300ms google.com DOMContentLoaded: ~160ms, page loaded: ~290ms
So it's quite reasonable to do full recursive resolution, and you'll still benefit from caching after the first time it's loaded. One other idea I had but never looked into it was instead of throwing out entries after TTL expiry to just refresh it and keep it cached, no idea if BIND/Unbound can do that but you can probably build something with https://github.com/hickory-dns/hickory-dns to achieve that.
The page you get when DOMContentLoaded is finished is a white page with no content. The page is only loaded in a very technical sense for sites like bbc.com.
Google page speed (https://pagespeed.web.dev/analysis/https-bbc-com/yxcpaqmphq?...) use two other terms. First Contentful Paint, that is the first point in the page load timeline where the user can see anything on the screen, and Largest Contentful Paint, the render time of the largest image, text block, or video visible in the viewport, relative to when the user first navigated to the page. For bbc.com, those sites around 1 second mark.
Other measuring aspect is Time to First Byte, which is the time between the request for a resource and when the first byte of a response begins to arrive. For bbc.com that is 300ms.
It is probably quite a bit slower though needing to have roundtrips at each stage of the resolution
My experience does not align with this. My Unbound instances cache only what I am requesting and I have full control over that cache memory allocation, min-ttl, zero-ttl serving and re-fetching, cron jobs that look up my most common requests hourly, etc... I do not have to share memory with anyone outside of my home. Just about anything I request on a regular basis is in the micro-seconds always shows as 0 milliseconds in dig. I've run performance tests against Unbound and all the major DNS recursive providers and my setup always wins for anything I use more than a few times a month or more than a dozen times in a year.
For the cases where I am requesting a domain for the first time the delay is a tiny fraction of the overall page loading of the site as belorn mentioned. I keep query response logs and that also has the response time for every DNS server I have queried. I also use those query response logs to build a table of domains that I look up hourly NS and A records to build the infrastructure cache in addition to resource record cache.
Now where there would be latency is if I had to enable my local Unbound -> DoT over Tinc VPN -> rented server Unbound -> root servers. That would only occur if my ISP decided to block anyone talking to the root servers directly and my DoT setup would only be in place while my legal teams get ready to roast my ISP and I start putting up billboards. That would of course be a waste of time and money when I could just get the IP's of censored sites from a cron-job running on multiple VM's and shove them into my hosts file. This could even be a public contribution into a git repo and automated on everyone's machines.
There is life outside major population centers. I have pings in excess of 200 ms to many major websites; if every DNS lookup requires doing several queries with 100-300 ms of waiting for each one, the web becomes unusable. From reading HN, users from e.g. New Zealand run into similar issues.
I too am in a rural area, just not as rural as NZ. My setup would also be 0ms in NZ and AU for 98+% of my requests. The real impactful delays come from the excessive requests browsers have to make to bloated frameworks, excessive cookies and third party integrations, ads, videos and so on. uBlock can clean some of that up but not all of it.
It will help with spoofing but will not protect from eavesdropping. Most of the times cloudflare is a least dangerous adversary.
I would be shocked it they’re not taking money to let US TLAs back-door them.
That will ruin the stocks. No need to use back doors, court order is pretty easy to get especially if the site in question is true malicious.
I do run my bind in my lan (and in my vpn, serving a private zone) and i’m only occasionally reminded about dns blocking issues by articles like this.
Needless to say, the bar is way lower. Anybody willing to pirate stuff can easily change their dns to any public dns service and access any website. You don’t even need a vpn.
> Everyone should just start running their own authoritative DNS servers like Unbound.
I used to do that, but it caused some odd issues at my former ISP, which I suspect were due to connection tracking state table exhaustion on their CGNAT box; running your own recursive server means a lot of UDP connections, and unlike with TCP, there's no well-defined point at which the connection tracking state can be released, which can lead to it accumulating. Making unbound use DoT to cloudflare made things much more stable (since DoT uses TCP, the connection tracking state can be released immediately when each connection is closed).
If Alice runs her own DNS server, where does she get the information "example.com resolves to 10.23.45.6"? At some point Alice will have to ask someone else -- Bob, let us say -- and Bob won't give her that information if he's been court-ordered not to.
I don't think traditional DNS can work if your adversary can get court orders [1]. You need some sort of decentralized solution that's hard to block even with court orders, e.g. Namecoin or ENS.
[1] Is evading a court order a legitimate objective? Most people would say "no" but the Internet functions in all countries, including repressive ones. Even in the US, it's not entirely inconceivable the Trump administration could make an executive order to require DNS providers to block certain websites he doesn't like (perhaps using post-9/11 powers granted to the executive branch to fight terrorists, that never got revoked even though Osama bin Laden is dead and the wars in Afghanistan and Iraq are over). The US has strong protections on freedom of speech, but working through the courts takes time, and becomes difficult when someone says the magic words "national security".
If I set up my own authoritative DNS servers, can I still use DNS over TLS or DNS over HTTPS?
If you set your own authoritative DNS, you could use it only for your zones. To use DoH, etc for the whole traffic, you need a recursive server. Unbound is a recursive server with some rudimentary authoritative extensions.
Sure you can run TLS/HTTPS to your own server or to localhost if you want to keep private from the intervening systems that you are querying for a certain domain
> Google’s response also appears to go against the advice of the Belgian court, which required the DNS providers to redirect users to a dedicated page, presumably to provide further detail.
That advice made sense in the plain-text HTTP era, but it's not longer viable; attempting to do that nowadays would only lead to an "invalid certificate" error page. The only ones which can make that work are the site itself, or a CDN in front of it (which, as others have noted, often means cloudflare can do that, but not other DNS providers like google).
Suprised no one has mentioned RFC 8914 Extended DNS Errors, specifically section 4.17[1]:
> 4.17. Extended DNS Error Code 16 - Censored
> The server is unable to respond to the request because the domain is on a blocklist due to an external requirement imposed by an entity other than the operator of the server resolving or forwarding the query. Note that how the imposed policy is applied is irrelevant (in-band DNS filtering, court order, etc.).
Which would be relevant for Google DNS's "Query refused" at least. Although I guess it's possible maybe they do support it but Windows/Chromium don't...
[1] https://www.rfc-editor.org/rfc/rfc8914.html#section-4.17
It's very clear that DNS is fundamentally broken and any resolver that does not resolve because of political decisions should be considered not fit for purpose; it is advised not to use any resolver that is mentioned in this article as they have all been affected.
My understanding is DNS resolves a domain to an IP address. If there is any process that prohibits that, then it's not working by design.
Thankfully there are many resolvers that will always resolve no matter what 'legal' may throw at it. This is fundamental despite what content lies on the other side.
There will always be cat and mouse with speech and rights to access, and any protocols will be challenged. Thankfully, others will say 'no thank you' and refuse to listen to any order, legal or otherwise. And thankfully, they cannot be touched (VPNs, TOR et al).
Even the most censorship heavy countries in the world have to resort to physically shutting the internet down, because if there is a pathway, it will be found. It's just human nature.
[flagged]
Man, that's is some hardcore "think of the children" bullshit. Things which protect people will inadvertently also end up protecting some bad people. The only solution to that is killing all humans.
Similarly, there are laws for subpoenas in banking. If you wire wire 100k to some random account, courts can ask who you wired to.
This, again, is used to prevent crime. It is the system we have whether you like it or not.
You can implemet ridiculous amounts of encryption such that providers not only can't see the contents, but also can't see headers or where info is being sent to. But those technologies are munitions providers that sell that are enemies of the law.
I read that using pirated sites is ok if you do it for learning. Why do courts block them if they have legal uses?
>I read that using pirated sites is ok if you do it for learning
1. I don't think anyone has been prosecuted for accessing/using pirated materials. The people who have been prosecuted for torrenting were liable because torrent clients also upload, thereby making them go beyond merely accessing/using.
2. Claiming that those sites (ie. live soccer streams) is "learning" is a stretch. Moreover no such "learning" exemption exists, at least in the US. The closest you have is fair use, which has a 4 part test. "Learning" is one of the tests, but isn't a sole determinant. Photocopying textbooks wholesale is obviously illegal, even if it's for "learning".
> The people who have been prosecuted for torrenting were liable because torrent clients also upload, thereby making them go beyond merely accessing/using.
It's not clear why this would be a relevant distinction. If the use in question is fair use then copying is permitted. Why wouldn't this be the case for the person uploading the data as well as the person downloading it? Suppose you have a physical copy of a book and your friend wants a copy of a page for a use which is indisputably fair use, so you make a copy for them and give it to them for that purpose. How is that any different?
> Claiming that those sites (ie. live soccer streams) is "learning" is a stretch.
Wouldn't that depend on what the user is actually doing with it? If you're just watching the game with your friends, presumably not. If you're doing scientific research on sporting events and you need to run the video of every sporting event in the last 10 years through a computer for your study, maybe it is.
What fair use argument can be made for just having GameOfThrones.mp4 on my web server for people to download?
> What fair use argument can be made for just having GameOfThrones.mp4 on my web server for people to download?
The server operator isn't the one using it.
Is it possible for anyone to make any fair use of GameOfThrones.mp4? Presumably yes, under some set of circumstances. And then the server operator has put it there for the people who want to use it in that way.
Some people might then use it in some other way, but some people might borrow a book from the library and then use it to author an infringing derivative work. Why should that be the responsibility of the library rather than the party using it in an infringing way?
These are arguments ai companies like meta have made to justify pirating material to train their models.
Nb: open source torrent clients can be patched so they will never ever upload even a single bit of data.
I know it flies in the face of how the bittorrent protocol should operate, but there's a technical possibility.
Another is using so called "seedbox" in the safe country, or torrenting only via vpn.
default settings on most BT clients allow uploads, however that can be changed. the biggest reason for infringment notice nowadays, seems to be IP monitoring of pirate sites, trackers and swarm/DHT for "obvious" behaviour.
of course, IP is recycled across many users, and connecting to these BT resources is not proof of piracy, the very practice of monitoring, is undeniable proof,that connectivity, != undeniable proof of piracy, so you have to offer fake BT pieces, then request download to confirm data is being moved, and argue this is indication of intent.
meanwhile you have to argue that buffer content of a video player, is not downloaded, and there is no right to access those memory ranges on your own system.
> Claiming that those sites (ie. live soccer streams) is "learning" is a stretch.
Maybe I want to be better at soccer and learn by observation.
It's OK if you do it for machine learning. Human learners are still expected to pay.
develop a local machine learning client for desktop users, crowdsource AI training, residuum on users machine is now a product of AI training.
Wao. Thanks for the research on this. This is one reason, beside some others, to run your own recursor.
Spain laughs at those countries and just orders the ISPs to do SNI censoring.
What’s the DNS equivalent of using Yandex for search?
Quad9, OpenDNS. I can recommend both.
Take a look here for a good start: https://www.techradar.com/news/best-dns-server
regarding OpenDNS (from the article):
> When OpenDNS was first ordered to block pirate sites in France, the company made a simple but drastic decision to leave the country entirely, effectively affecting all French users. Last week, it repeated this response in Belgium following a similar court order.
How exactly do they "leave the country"? Do they start blocking French & Belgian IPs?
That's how:
$ dig kernel.org @208.67.220.220
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> kernel.org @208.67.220.220 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12644 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1410 ; EDE: 16 (Censored) ;; QUESTION SECTION: ;kernel.org. IN A
;; ADDITIONAL SECTION: kernel.org. 0 IN TXT "The OpenDNS service is currently unavailable in France and some French territories due to a court order under Article L.333-10 of the French Sport Code. See https://support.opendns.com/hc/en-us"
;; Query time: 8 msec ;; SERVER: 208.67.220.220#53(208.67.220.220) (UDP) ;; WHEN: Sun May 11 22:56:23 UTC 2025
which means opendns is a non solution and should not be used.
The problem is we don't need a few big providers, we need thousands of smaller ones everywhere. Big providers are easy to attack with a single bullet (court case).
Small providers can also be hit with the same bullet (depending on the wording), it’s whether the laws can actually be enforced, which is a cat-and-mouse game the same way piracy generally is. They are still providing a digital service in the country and are subject to the laws.
Small providers can, but when they are across many countries it takes a lot of work to actually accomplish that.
DNS feels like it should be easy to proxy. Or just have more distributed resolvers. Why isn't it done more? Is it super expensive? Maybe due to UDP allowing traffic-amplification attacks?
What do you mean by "DNS proxy"? What is a DNS resolver if not a proxy for DNS requests?
> What is a DNS resolver if not a proxy for DNS requests?
A DNS resolver... resolves (recursively). unbound[0] would be an example.
A proxy instead only forwards to a trusted DNS server (or servers) and may cache their responses but won't do any resolution by themselves. dnsmasq[1] would be an example.
My guess is a simple proxy is less vulnerable to UDP amplification attacks (and also vastly simpler to implement and maintain).
The drawback is you need a resolver you trust, but that might be okay if you actually do have one. E.g. some DNS server that you know is safe but is not operating in your country (you might just want to proxy it so its closer to you for lower latency).
No, it means that the French and Belgian governments are pieces of shit who should be lynched.
Disagree, because of: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
I think you are looking might be https://dns.yandex.com/
That's brilliant. Thanks for the link.
Hrm. Depending on your location, needs, and preferences, this might shine and sparkle even more brightly:
Get a VPS in a jurisdiction that doesn't do this, install a recursive DNS server and a VPN on it and use it as your DNS server. Or use any service providing the equivalent thing; many VPN services also provide a DNS server.
$ kdig +tls +short @anycast.uncensoreddns.org streameast.app A
104.21.84.29
172.67.185.97Run your own recursive server that directly gets it's data from the authoritative servers.
.... On second thought that is a bad analogy, that is more like running your own search engine. The dns equivalent to yandex would be 77.88.8.8
https://gist.github.com/mutin-sa/5dcbd35ee436eb629db78725810...
Maybe we'll get smart and just install Hyphanet (Freenet). Only thing it needs done to be perfect (imo) is to duplicate the opennet code, make it all TCP only, and swap every IP address field for a .onion address field, and call this new opennet onionnet. He who has the key gets the file anonymously!
A screenshot shows an "Error 451" page, but how can that even happen? It's https. Unless Cloudflare is also the web host, they can't change a page like that without the client seeing a certificate error.
In order to function, CDNs have to act essentially as giant opt-in MITM services. When you setup a CDN in front of your site, you will either need to give them your cert, or let them issue a cert (e.g. via let's encrypt).
If they can serve your site with https normally, they can serve any content they want under it.
This is about CFs public DNS resolver though, and not every domain they're ordered to stop resolving will also happen to be served though their own CDN. In this case it was, which explains how they're able to serve a 451 error over HTTPS, but that won't always be the case as the article implies.
In some other cases I suppose they could downgrade the connection to HTTP in order to show their 451 page, but if the domain is HSTS'ed then that wouldn't work either. That'd have to just black-hole the query like Google does.
It is.
Non-authoritative answer:
ivesoccer.sx nameserver = lou.ns.cloudflare.com
ivesoccer.sx nameserver = venus.ns.cloudflare.comIt’s DNS so they just have to accept the query and redirect it to a local server that answers for anything and returns the 451 error. However, it’s also worth noting that Cloudflare is a giant MitM proxy who already decrypts everything and retransmits it. No communication with any domain fronted by Cloudflare is secure.
Yes...Oh the good times...
"Cloudflare Reverse Proxies Are Dumping Uninitialized Memory" - https://news.ycombinator.com/item?id=13718752
China showed that the Great Firewall was possible. The rest of the world is now following and nothing anyone on this board says or does can change that. Such is the true nature of power.
Once the practice is well established they'll extend it to political opposition, independent journalism, inconvenient science, etc.
Shouldn't countries have the right to control activities inside their borders? The order was approved by the courts, so insofar as due process and checks and balances go, this seems fine. This is no different than any other sort of injunction or court order. What should be the alternative? That the internet should be some sort of lawless wild west? Opposing this on the basis of "they'll extend it to political opposition ..." makes as much sense as opposing the arrest of criminals because "they'll extend it to political opposition ...".
Trying to graft the Internet onto physical country borders has been fraught from the very beginning, but they keep trying. When a user in country A, connected to a satellite Internet provider headquartered in country B, through a VPN whose offices are in country C and their VPN server is in country D, looks up an IP address with a DNS server in country E, to a web site whose headquarters is in country F, and request a file hosted on servers distributed across countries G, H, I, J, and K, whose laws should apply?
So far as I can tell this concern isn't applicable, because it's only blocked in Belgium. I tested myself and it's not blocked in other countries.
In the country where the physical person making the request is located would be a logical solution. Not saying it would be a good solution, but that would follow the logic of most international fiscal law. Super hard to implement though.
How is that supposed to work? If I open port 80 on my desktop I'm suddenly liable in every foreign jurisdiction that has user able to reach me on port 80?
This is an interesting question, but the law is well established, and it has an answer.
"It has an answer" is not how you decide a policy question. It's rather important that the answer be reasonable rather than capricious, burdensome and ineffective.
All the laws that we broke out of were established and had an answer to questions of life: land ownership, slavery, social structure, rights of various groups of people, etc.
The laws that apply on the internet are very desperate attempts by people with no technical knowledge to control something that can't be controlled. They work only because ways to circumvent them are not yet easy to use by the masses.
> Trying to graft the Internet onto physical country borders has been fraught from the very beginning
I’d argue Silicon Valley pretending there is a natural arc of digital history towards freedom and enlightenment if we just leave everything alone is distinctly reminiscent of 90s free-trade optimism. And like that philosophy, this too one finds its tombstone in China.
> Shouldn't countries have the right to control activities inside their borders?
Using the word "activities" implies that something different than what's really happening.
Ask the question like this: Should countries have the right to control information inside their borders? The answer to that question is no.
> Opposing this on the basis of "they'll extend it to political opposition ..." makes as much sense as opposing the arrest of criminals because "they'll extend it to political opposition ...".
If you make it less expensive to do something, you make it more likely that it happens. Incarcerating murderers and rapists is very important and is an effective deterrent against serious violent crimes, so creating prisons that make it easier to incarcerate political prisoners is bad but the thing it's necessary in order to do is more important.
Blocking streaming sites isn't nearly as important and it's also less effective for its intended purpose than it is for the ulterior purpose, because users will go out of their way to bypass censorship of streaming sites whereas inconvenient political content is censored not just with respect to its content but also its existence, and then if you create a censorship apparatus it allows people to be kept in the dark as to what is even being censored. So in that case the badness of the censorship apparatus existing far exceeds its value in being able to inconvenience some minor offenders.
The state exists to enforce the interests of capital against the interests of the people. This is a clear instance of that happening.
Do you really believe that the interests of the people are inferior to the interests of capital? Do you actually believe that the interests of each group are aligned?
The alternative is the belief that humans have some fundamental rights that it's unjust for governments to violate (e.g. the right to private, encrypted communication), and designing systems to make it as hard as possible for governments to violate those rights.
>The alternative is the belief that humans have some fundamental rights that it's unjust for governments to violate (e.g. the right to private, encrypted communication)
In what country is there actually a "right to private, encrypted communication"? At best there's rights for "privacy", which is a pretty woolly concept, but generally don't cover copyright infringement. More to the point, unless you reject the concept of copyright entirely, you have to accept that free speech rights will have to be "violated" to enforce it.
"fundamental rights" implies an ideological belief that those rights should exist for all humans, regardless of whether any country recognizes them or not.
One can believe that something should exist even if it does not.
Like the right to load whatever software we want on the hardware we own. Thanks for allowing me to jailbreak my iPod back in the day.
> In what country is there actually a "right to private, encrypted communication"?
I recognize that this is not a popular opinion, but IMHO IT SHOULD BE covered by the "secure in their papers" section in the 4th Amendment in the US, and/or with established precedent regulating encryption export as armaments, by the 2nd & the Heller decision granting the rights afforded by the 2nd to the individual
at least that's the correct interpretation of the founding document as far as I can tell. not that it matters anymore.
No. The Internet should be borderless
Why?
Because the internet is purely an information medium, so "borders" on the internet can be nothing other than censorship. Censorship is a human rights violation and is disproportionately useful to oppressive regimes.
Why should it not? What's the point of having an effectively open information network if you're going to just let each nation state arbitrarily censor/manipulate it as they see fit for their own peasants?
You'd agree with say, <insert country> mass blocking sites for their people just because the sites say something about democracy?
The internet is a global space that do not belong to countries like the ocean or space.
Eh. "The practice" of blocking some kinds of speech has been in place for a long time. Some countries use it for political oppression, and others don't.
So we shouldn't have mechanisms to combat child pornography and drug sales because it could be used for censorship?
Yes, that’s it on the nose.
The number of things which have been laundered under “prevent child porn” is absurd. No, it is not a problem which warrants a global panopticon state.
As for drug sales, I’m not sure what to say if you think that’s the pitch that’s gonna land here.
Yes.
Giving up civil rights for the perennial boogiemen like terrorism or CSAM never results in less terrorism or CSAM, but does erode the rights of individuals.
The goal is to establish an undemocratic method of control over and coercion of individuals and the means of communication. This has been borne out time and time again.
Requiring a government run cellmodem camera in every residence's home and bathroom would presumably help combat child abuse-- probably vastly better than DNS blocking as well. Am I correct in assuming you'd be all for it?
What do you mean “could be”? Those are both examples of censorship, not non-censorship things thar can be acheived by tools that can also be used for censorship.
But, no, some censorship is acceptable and necessary. But we have to be aware of—and appropriately guard against—the other kind, and sometimes that means having less capacity for the kind that would be acceptable than you would want if there was downside attached to it.
The key is what mechanisms.
Dropping 1,000 nukes that would destroy humanity would be a mechanism to stop drugs and pornography. But it would be the wrong tool.
I’d rather have a free Internet than a restricted one to a small number of individuals using it for unethical behavior. It’s a small price to pay for freedom.
It seems like a centralized authority for DNS that must answer to some government is prone to censorship.
Would moving domain registration into a public Blockchain allow for a more resilient and democratized internet?
more resilient and democratized internet
If you only said more democratized I might lean towards yes with some caveats but you included resilient and DNS is not just peoples workstations and cell phones. It is used by very big and complex systems that make vast numbers of changes every second. Trying to force all of that through blockchain would require a complete re-thinking of how blockchain and the internet work in my opinion. I would be happy to be proven wrong. Someone could try it but that someone would have to be a very big organization for any kind of canary test. The devil would be in the implementation details as to how this monster would scale and handle a myriad of failure scenarios. People would also need to be able to troubleshoot complex misconfigurations. It would take some serious battle hardening before a production revenue generating company would take a chance with it.
the Ethereum Name Service already exists and services this role just fine. Also the only bottleneck for Blockchain is writing to them. Reading them is free and easily available as everyone can have their own copy of the chain and there's already lots of RPC providers like Infura and Alchemy.
If something doesn't work, fix it with Blockchain.
idk, i think it would be cool to have a copy of every dns record on my hard drive
You can do that already now.
Kind of. You can get the nameservers (and glue records if available) for every domain under a TLD if the TLD makes their zone file available. See https://github.com/jschauma/tld-zoneinfo
Well kinda but that would be an incomplete snapshot. Versus a blockchain where every DNS record change is necessarily written into my copy.
IPNS is similar project that already exists.
> Would moving domain registration into a public Blockchain allow for a more resilient and democratized internet?
No, you’d just get the protocol blocked and sanctioned.
Most people use a self hosted recursive resolver, which makes blocking a public resolver pointless
"Most people" certainly do not.
Almost nobody is the better answer. Most people use whatever their ISP, phone, or browser provides.
Well, I'm doing that, and in this case, Cloudflare 'protects' the website and blocks it (based on my Belgian IP). So no matter what DNS I use, it see "Unavailable For Legal Reasons".