Should ISP block child pornography?

Max Tulyev maxtul at netassist.ua
Sat Dec 8 18:31:03 UTC 2018


Correct.

Also, if you update IPs automatically by cron (and you have to automate
it, as the lists are only growing and growing), blocked sites will troll
the censorship system.

They put the IPs of some government or critical (for example, VISA/Mastercard
processing) sites in their blocked domain - and those victim sites will
be blocked. This trolling is very popular in Russia, for example.

08.12.18 19:41, Hank Nussbacher wrote:
> On 07/12/2018 20:48, Max Tulyev wrote:
>> Yes, you may nullroute some IP with some site, but as the collateral
>> damage you will block part of Cloudflare or Amazon, for example. So
>> you have to buy and install additional equipment and software to do it
>> a bit less painfully. That's not so cheap; that should be planned,
>> bought, installed, checked and personnel should be trained. After
>> that, your system will be capable of blocking some website for the ~90% of
>> your customers who will not proactively avoid blocking. And for *NONE* who
>> will, as CP addicts, terrorists, blackmarkets, gambling, porn and
>> others do.
> It is even more complex. As you said, filtering by IP address causes
> collateral damage to multi-host sites.
> But there are sites that use primarily IPv6 addresses so you need to
> filter not only IPv4 but IPv6 as well.
> Also, sites change their IP address after they find out they are
> blocked, so you need a cron job which checks the IP addresses every
> 10-15 minutes and updates the filters (if you are willing to accept
> collateral damage).
> 
> But when requested to block a FQDN, and filtering by IPv4 or IPv6 is not
> an option, again there are issues.
> 
> You filter/block in your central DNS server, but what about the user at
> home who is using 8.8.8.8 or 9.9.9.9?  Or the corporate link to some
> Fortune 500 company with their own DNS servers that bypass the ISP
> servers.  So now you are in a situation where you have to divert/capture
> *all* udp/53 and tcp/53 and pass it to some scrubbing server which will
> only block the requests to the forbidden FQDNs. Oh but wait, what
> about DoH?
> 
> Governments that require ISPs to block "certain" sites have no clue what
> is required technologically to adhere to their demands.
> 
> -Hank
> 
> 
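
An added example, not part of either poster's message: one way a cron-driven updater could guard against the list poisoning described above, by holding back any resolved address that falls inside operator-defined protected prefixes instead of null-routing it. The `PROTECTED` list, the function name and the sample domains are assumptions; all addresses are documentation ranges.

```python
import ipaddress

# Constructed sample data: RFC 5737 / RFC 3849 documentation ranges stand in
# for real networks. PROTECTED is a hypothetical operator-maintained list.
PROTECTED = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24",        # stand-in: payment processing
    "2001:db8:f00d::/48",  # stand-in: government sites
)]

def vet_resolved(fqdn_to_ips, protected=PROTECTED):
    """Split resolver output into (blockable, held): addresses safe to
    null-route, and (fqdn, address, reason) tuples held for human review."""
    blockable, held = set(), []
    for fqdn, answers in fqdn_to_ips.items():
        for raw in answers:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                held.append((fqdn, raw, "unparseable"))
                continue
            # Compare IPv4-mapped IPv6 answers as the IPv4 address they embed.
            if ip.version == 6 and ip.ipv4_mapped is not None:
                ip = ip.ipv4_mapped
            hit = next((n for n in protected
                        if n.version == ip.version and ip in n), None)
            if hit is not None:
                held.append((fqdn, raw, f"inside protected {hit}"))
            else:
                blockable.add(str(ip))
    return blockable, held

# Constructed resolver output for two listed domains (names are placeholders).
SAMPLE = {
    "listed-a.example": ["198.51.100.7", "2001:db8:1::7"],
    "listed-b.example": ["192.0.2.10", "2001:db8:f00d::1",
                         "::ffff:192.0.2.11", "not-an-ip"],
}

if __name__ == "__main__":
    ok, review = vet_resolved(SAMPLE)
    print("install:", sorted(ok))
    for row in review:
        print("hold:", row)
```
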