Correct. Also, if you update IPs automatically by cron (and you have to automate it, as the lists are only growing and growing), blocked sites will troll the censorship system.
They put the IP of some government or critical (for example, VISA/Mastercard processing) site in their blocked domain, and those victim sites will be blocked. This trolling is very popular in Russia, for example.

08.12.18 19:41, Hank Nussbacher wrote:
> On 07/12/2018 20:48, Max Tulyev wrote:
>> Yes, you may nullroute some IP with some site, but as the collateral
>> damage you will block part of Cloudflare or Amazon, for example. So
>> you have to buy and install additional equipment and software to do it
>> a bit less painfully. That's not so cheap; that should be planned,
>> bought, installed, checked, and personnel should be trained. After
>> that, your system will be capable of blocking some website for ~90% of
>> your customers who will not proactively avoid blocking. And for *NONE* who
>> will, as CP addicts, terrorists, black markets, gambling, porn and
>> others do.
> It is even more complex. As you said, filtering by IP address causes
> collateral damage to multi-host sites.
> But there are sites that use primarily IPv6 addresses, so you need to
> filter not only IPv4 but IPv6 as well.
> Also, sites change their IP address after they find out they are
> blocked, so you need a cron job which checks the IP addresses every
> 10-15 minutes and updates the filters (if you are willing to accept
> collateral damage).
>
> But when requested to block a FQDN, and filtering by IPv4 or IPv6 is not
> an option, again there are issues.
>
> You filter/block in your central DNS server, but what about the user at
> home who is using 8.8.8.8 or 9.9.9.9? Or the corporate link to some
> Fortune 500 company with their own DNS servers that bypass the ISP
> servers. So now you are in a situation where you have to divert/capture
> *all* udp/53 and tcp/53 and pass it to some scrubbing server which will
> only block the requests to the forbidden FQDNs. Oh, but wait, what
> about DoH?
>
> Governments that require ISPs to block "certain" sites have no clue what
> is required technologically to adhere to their demands.
>
> -Hank
>
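The two failure modes discussed in this thread, a blocked domain deliberately resolving to a payment processor or government address so the automated refresh nullroutes it, and a domain sitting on a CDN or shared-hosting address where one nullroute takes down unrelated sites, are both things the cron job itself can guard against before anything reaches the router. The following is an added example, not code from anyone in this thread; the `RESOLVED` answers, the `PROTECTED` and `SHARED` prefixes and the `MAX_NEW_PER_RUN` threshold are constructed placeholders an operator would replace with their own data.

```python
import ipaddress

# Constructed sample resolver output (not from the thread). A real cron job
# would fill this from A/AAAA lookups of the blocklist FQDNs; it is embedded
# here so the example runs offline.
RESOLVED = {
    "blocked-site.example": ["203.0.113.10", "2001:db8:1::10"],
    "trolling-site.example": ["198.51.100.5", "192.0.2.77", "bogus"],
    "cdn-hosted.example": ["203.0.113.200"],
}

# Placeholder prefixes. PROTECTED: addresses the operator refuses to nullroute
# no matter what a listed domain resolves to (payment processing, government
# services, the ISP's own infrastructure). SHARED: known CDN / shared-hosting
# ranges where one address serves many unrelated sites.
PROTECTED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:ffff::/48")]
SHARED = [ipaddress.ip_network(p) for p in ("203.0.113.128/25", "2001:db8:c0de::/48")]

# A domain that suddenly resolves to more fresh addresses than this in one
# run is either evading or trolling; the whole batch is held for a human.
MAX_NEW_PER_RUN = 8


def classify_address(addr_str):
    """Return 'reject', 'review' or 'block' for one resolved address (v4 or v6)."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return "reject"  # resolver garbage never reaches the router
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return "reject"  # a trap (e.g. 127.0.0.1) or a misconfiguration, never a site
    if any(addr in net for net in PROTECTED):
        return "reject"  # the trolling case: critical address planted in the domain's DNS
    if any(addr in net for net in SHARED):
        return "review"  # collateral damage likely: a person decides, not the cron job
    return "block"


def plan_update(resolved, previously_blocked=frozenset()):
    """Turn one resolver pass into router actions without trusting any domain blindly.

    Returns a dict with lists of (fqdn, address) under 'block', 'review' and
    'reject', plus 'release': previously blocked addresses that no listed
    domain resolves to any more (sites move after they notice the block, and
    the old address should not stay nullrouted for its next tenant).
    """
    plan = {"block": [], "review": [], "reject": []}
    for fqdn, addrs in resolved.items():
        verdicts = [(a, classify_address(a)) for a in addrs]
        new = [a for a, v in verdicts if v == "block" and a not in previously_blocked]
        if len(new) > MAX_NEW_PER_RUN:
            verdicts = [(a, "review" if v == "block" else v) for a, v in verdicts]
        for addr, verdict in verdicts:
            plan[verdict].append((fqdn, addr))
    current = {addr for _, addr in plan["block"]}
    plan["release"] = sorted(a for a in previously_blocked if a not in current)
    return plan


if __name__ == "__main__":
    for action, entries in plan_update(RESOLVED).items():
        print(action, entries)
```

The point of the split is that only the `block` list is ever applied automatically; `review` goes to an operator queue and `reject` is logged, so a planted VISA address or a CDN edge is caught at the 10-15 minute refresh instead of being discovered through customer complaints. Note that the TEST-NET prefixes used as placeholders here are not marked global by Python's `ipaddress` module, which is why the code checks loopback, link-local, multicast and unspecified explicitly rather than relying on `is_global`.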