On 8/31/12 1:21 AM, Mark Andrews wrote:
>> Note to self, run own recursive DNS resolver on my laptop whilst
>> travelling in Italy.
>>
>> 8.8.8.8 ?
>
> Which is exactly why the DNS is the wrong level to do this at if
> you have a legal obligation to block access. The only way to do
> that is to block the packets themselves. Given these are gambling
> sites the chance of collateral damage is minimal if you just block
> all access to the ips in question. Just make sure you can get
> through to their nameservers so you can keep the list of IP addresses
> to filter current.

Yes and no. Yes, because we all agree that blocking at the DNS level is easy to circumvent. No, because "blocking the packet" is either too expensive (DPI) or causes too much collateral damage (nullrouting). Some of the blocked entities started popping up mirrors, proxies and moved their "services" to Google, explicitly to make nullrouting unfeasible...

Again, it's not about how effective the block is or can be. Unless Italy becomes like China or even worse (but the US had the chance to end up almost in the same situation very recently, so this is NOT an Italian-only problem), there is no way to inhibit users from reaching a given resource on the Internet: if the user is motivated enough he/she will circumvent whatever you do, eventually assisted by the counterpart he/she is trying to reach...