Blocking specific sites within certain countries.
hostmaster
hostmaster at nso.org
Thu Nov 14 19:52:33 UTC 2002
This all strikes me as incorrect. The function of the domain name system is
primarily to translate an IP number into a domain name, vice versa. If a
user wishes to browse to <http://64.236.16.20> he/she will arrive also at
<www.cnn.com>. The domain name is propagated and subsequently refreshed
throughout the World. A browser request and reply may take each time
hundreds of different routes through the Internet from end-to-end. If Spain
would want to deploy blocking of the domain CNN.com (or in fact any other
domain) it would have to factually block individual IP's at the telco 'in
and out of Spain routes' to accomplish that. This, by the way is currently
e.g. done in the Peoples Republic of China, be it not really successful
:) It is also so easy to set up secondary dns's anywhere else on the globe
with a ptr to some other IP no., that a dns block sec would never be a
successful action. Blocking a /24 in Spain may be effective, but if the
Spanish site would be hosted elsewhere, or would have a mirror hosted
elsewhere, the elsewhere legislation would be the regulations the telco's
are confronted with, and looking at.
Ola !
Bert Fortrie
At 12:27 PM 11/14/2002, you wrote:
>-- On Thursday, November 14, 2002 12:11 PM -0500
>-- Jim Deleskie <jdeleski at rci.rogers.com> supposedly wrote:
>
>>Its my understanding that since Akamai is based on DNS resolves if you
>>where to use the method of blocking it within the DNS system it would
>>make no difference. Although I'm no Akamai expert.
>
>The issue is really not Akamai or Digital Island or any other service
>someone might buy. The end user is completely unaware of the machinations
>behind the scene, they are just going to type "www.terrorist.com" into
>their browser.
>
>If "terroris.com" is a Bad Domain and ISPs refuse to resolve anything in
>that domain, then nothing else can happen. The first step is the end
>user's machine going to the ISP's name server asking for the IP address of
>"www.terrorist.com". It does not matter if that hostname is CNAME'd to
>another company / host / whatever, the resolution will stop immediately
>and the user will be unable to see the web page.
>
>Or they can just use a publicly available web proxy, in which case it will
>not matter if the domain is Akamaized or not. =)
>
>>-Jim
>
>--
>TTFN,
>patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20021114/bb0d2f1f/attachment.html>
More information about the NANOG
mailing list