Adam Borowski writes:
> On Tue, Sep 10, 2019 at 07:46:57PM +0200, Marco d'Itri wrote:
>> Well, no. They cannot without significantly more expensive hardware to
>> do DPI and a *totally different* legislative framework.
>> (Source: I have been dealing with government-mandated censorship in
>> Italy for ~15 years, both at technical and policy levels.)
>
> I don't understand how blocking by IP would be any more expensive than
> blocking by DNS. It's _cheaper_: you read a field in the IP header instead
> of doing it in a higher level DNS server.

From the top of my head I can think of several reasons:

- For IP-level blocking you need to implement blocking in more places
  instead of a central place (DNS); also more data needs to be processed
  in total. Block lists are generally not public and access to them
  might need different restrictions (for legal reasons).

- IP-level blocking leads to more overblocking (anything sharing the
  same IP); this causes legal problems.

So Marco's arguments seem reasonable.

>> > * Cloudflare can falsify DNS¹
>> You can use DNSSEC over DoH.
>
> If implemented.

It's probably easier to use DNSSEC with DoH as you avoid broken resolvers
at ISP or customer routers that don't speak DNSSEC or not even proper DNS.
I've encountered customer routers that knew only about `A` RRs and lied
about `PTR` which breaks stuff in interesting ways...

Ansgar