<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 07/12/2018 20:48, Max Tulyev wrote:
</div>
<blockquote type="cite"
cite="mid:852aa696-2311-6c37-30e0-9640b8d65095@netassist.ua">Yes,
you may nullroute some IP with some site, but as the collateral
damage you will block part of Cloudflare or Amazon, for example.
So you
have to buy and install additional equipment and software to do it
a bit
less painful. That's not so cheap, that should be planned,
brought,
installed, checked and personal should be learned. After that,
your
system will be capable to block some website for ~90% of your
customers
will not proactively avoid blocking. And for *NONE* who will, as
CP
addicts, terrorists, blackmarkets, gambling, porn and others do.<br>
</blockquote>
It is even more complex. As you said filtering by IP address
causing collateral damage to multi-host sites.<br>
But there are sites that use primarily IPv6 addresses so you need to
filter not only IPv4 but IPv6 as well. <br>
Also, sites change their IP address after they find out they are
blocked, so you need a cron job which checks the IP addresses every
10-15 minutes and updates the filters (if you are willing to accept
collateral damage).<br>
<p>But when requested to block a FQDN, and filtering by IPv4 or IPv6
is not an option, again there are issues.</p>
<p>You filter/block in your central DNS server, but what about the
user at home who is using 8.8.8.8 or 9.9.9.9? Or the corporate
link to some Fortune 500 company with their own DNS servers that
bypass the ISP servers. So now you are in a situation where you
have to divert/capture <b>all </b>udp/53 and tcp/53 and pass it
to some scrubbing server which will only block the requests to the
forbidden FQDNs. Oh but wait, what about DoH?</p>
<p>Governments that require ISPs to block "certain" sites have no
clue what is required technologically to adhere to their demands.</p>
<p>-Hank<br>
</p>
<p><br>
</p>
</body>
</html>