On 07/12/2018 20:48, Max Tulyev wrote:
Yes, you may nullroute some IP with some site, but as the collateral
damage you will block part of Cloudflare or Amazon, for example. So
you have to buy and install additional equipment and software to do it
a bit less painful. That's not so cheap, that should be planned,
brought, installed, checked and personal should be learned. After
that, your system will be capable to block some website for ~90% of
your customers will not proactively avoid blocking. And for *NONE* who
will, as CP addicts, terrorists, blackmarkets, gambling, porn and
others do.
It is even more complex. As you said filtering by IP address causing
collateral damage to multi-host sites.
But there are sites that use primarily IPv6 addresses so you need to
filter not only IPv4 but IPv6 as well.
Also, sites change their IP address after they find out they are
blocked, so you need a cron job which checks the IP addresses every
10-15 minutes and updates the filters (if you are willing to accept
collateral damage).
But when requested to block a FQDN, and filtering by IPv4 or IPv6 is not
an option, again there are issues.
You filter/block in your central DNS server, but what about the user at
home who is using 8.8.8.8 or 9.9.9.9? Or the corporate link to some
Fortune 500 company with their own DNS servers that bypass the ISP
servers. So now you are in a situation where you have to divert/capture
*all *udp/53 and tcp/53 and pass it to some scrubbing server which will
only block the requests to the forbidden FQDNs. Oh but wait, what
about DoH?
Governments that require ISPs to block "certain" sites have no clue what
is required technologically to adhere to their demands.
-Hank
