how to filter hundreds of domains?

Emanuele Balla (aka Skull) skull at bofhland.org
Fri Aug 31 06:08:50 UTC 2012


On 8/31/12 1:21 AM, Mark Andrews wrote:

>> Note to self, run own recursive DNS resolver on my laptop whilst
>> travelling in Italy.
>>
>> 8.8.8.8 ?
> 
> Which is exactly why the DNS is the wrong level to do this at if
> you have a legal obligation to block access.  The only way to do
> that is to block the packets themselves.  Given these are gambling
> sites the chance of collateral damage is minimal if you just block
> all access to the ips in question.   Just make sure you can get
> through to their nameservers so you can keep the list of IP addresses
> to filter current.  

Yes and no.
Yes, because we all agree that blocking at the DNS level is easy to
circumvent.
No, because "blocking the packet" is either too expensive (DPI) or
causes too much collateral damage (nullrouting).

Some of the blocked entities started popping up mirrors, proxies and
moved their "services" to google, explicitly to make nullrouting
unfeasible...

Again, it's not about how effective the block is or can be. Unless Italy
becomes like China or even worse (but the US had the chance to end up
almost in the same situation very recently, so this is NOT an
Italian-only problem), there is no way to inhibit users from reaching a
given resource on the Internet: if the user is motivated enough he/she
will circumvent whatever you do, eventually assisted by the counterpart
he/she is trying to reach...
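The IP-level approach from the quoted reply, and the two pitfalls this thread raises with it, as an added example that is not part of the original exchange: it derives the IPs to null-route from a domain list, exempts the IPs of the nameservers you still need to reach to keep the list current, and flags any IP that is shared with domains outside the list (the collateral-damage case when sites move to shared hosting). All domains and addresses are constructed; a real deployment would replace the static tables with live lookups against the domains' own nameservers.

```python
"""Added example: build an IP block list from a domain list while checking for
unreachable nameservers and shared-hosting collateral damage. Data is constructed."""
from typing import Dict, List, Set, Tuple

# Constructed resolver view: domain -> A records (would come from live DNS).
A_RECORDS: Dict[str, List[str]] = {
    "casino-one.example": ["203.0.113.10", "203.0.113.53"],  # site + its NS host
    "casino-two.example": ["203.0.113.11", "203.0.113.12"],
    "mirror.casino-two.example": ["198.51.100.40"],          # shared hosting IP
    "innocent-blog.example": ["198.51.100.40"],              # same shared IP
    "ns1.casino-one.example": ["203.0.113.53"],
}
# Constructed NS view: domain -> nameserver hostnames that must stay reachable.
NS_RECORDS: Dict[str, List[str]] = {
    "casino-one.example": ["ns1.casino-one.example"],
    "casino-two.example": ["ns1.casino-one.example"],
}


def build_blocklist(blocked: Set[str]) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Return (ips_to_block, collateral); collateral maps a shared IP to the
    non-blocked domains that null-routing it would also cut off."""
    # Reverse index: IP -> every domain that resolves to it.
    ip_to_domains: Dict[str, Set[str]] = {}
    for domain, ips in A_RECORDS.items():
        for ip in ips:
            ip_to_domains.setdefault(ip, set()).add(domain)
    # Nameserver IPs are exempt: they are needed to refresh the list later.
    ns_ips: Set[str] = set()
    for domain in blocked:
        for ns in NS_RECORDS.get(domain, []):
            ns_ips.update(A_RECORDS.get(ns, []))
    ips_to_block: Set[str] = set()
    collateral: Dict[str, Set[str]] = {}
    for domain in blocked:
        for ip in A_RECORDS.get(domain, []):
            if ip in ns_ips:
                continue                      # keep the path to the NS open
            others = ip_to_domains[ip] - blocked
            if others:
                collateral[ip] = others       # flag instead of silently blocking
            else:
                ips_to_block.add(ip)
    return ips_to_block, collateral


if __name__ == "__main__":
    ips, shared = build_blocklist({"casino-one.example", "casino-two.example",
                                   "mirror.casino-two.example"})
    print("null-route:", sorted(ips))
    print("collateral:", {ip: sorted(d) for ip, d in shared.items()})
```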

More information about the bind-users mailing list