Not because I believe that you are wrong, but because I believe in net neutrality. Hopefully my ISP is giving me a dumb pipe to the internet with some IP in it and that is it. We have heard loads of stories from various ISPs on this forum that mess with it, and although they have good intentions, they are creating technical problems.
We have lots of mechanisms in IPFire to detect whether an internet connection was tempered with. A MITM attack and an ISP that want to block some “bad” sites looks the same. DNSSEC is probably one of the best examples for this because it has signatures that you can trust that “www.ipfire.org” has the IP address of 81.3.27.38 and that doesnotexist.ipfire.org actually does not exist. If an DNS provider (which could also be the ISP at the same time) filters something, these signatures don’t exist and they break DNSSEC. It isn’t very good style I think.
Filtering on IP basis (i.e. blackholing some address space) also has some disadvantages that we can see on this forum.
Usually all these ways to censor are politically motivated and pushed through parliaments all over the world with the excuse to protect children. I highly doubt that this is actually working. We usually never benchmark our laws to check whether they are actually effective and in case they are not getting rid of them and try something else instead.
I personally believe that the tools that IPFire is offering are the better choice when combined with a completely neutral internet connection. We have various ways to block hostile ISPs. We have ways to perform content filtering on the network to keep adult websites out which is used in lots of households with younger children, schools, etc. Those tools give you the choice and you can do whatever is right for you.
It is nice that some people want to push all of this into the cloud, but I would also like to highlight that a lot of those DNS services are offered by companies that collect your data, sell it and, in my personal opinion, always use it against you and for their own profits. To encourage people to use those services despite the data collection they are adding these filtering “features”. I personally think that we should rather build this all into IPFire and stop the baddies
I think there’s a small mix-up—Tim (@bloater99) suggested that blocking pirate sites should fall on the hosting provider, not the ISP, which seems closer to Michael’s view than it might’ve read! Too many chocolate eggs, maybe?
It’s interesting that the pirate site addresses OpenDNS was ordered to block are still available via root servers, which DNS providers like OpenDNS query for domain resolution. That means the data’s still out there in the DNS ecosystem, so these blocks are easily bypassed with alternative resolvers, making them pretty ineffective.
I totally agree with Michael on net neutrality—DNS providers shouldn’t be content cops. Forcing them to block sites risks opening the door to censoring political views or even criticism of anti-net-neutrality policies.
Sony tried to sue Quad9 because they refused to block sites that were supposedly involved in copyright infringement.
And Italy tried to get Google DNS to block access to sites that were illegally streaming soccer matches.
None of these issues should be placed on DNS providers. As @ag said, what’s to stop people from just switching DNS resolvers? This is not the solution. If they send their lawyers after anyone, it should be hosting providers.
I think there might be two different kinds of blocking that we are talking about here. There is either taking down malicious websites with a court order, and then there is content filtering for maybe adult and gambling websites for example which we colloquially also call “blocking”.
It should be. But do you know any politicians who actually understand the technical difference here and will actually fund for the police to chase those people? Isn’t it easier to just build some censoring infrastructure and then you can even censor the bad websites who say that politicians are doing a bad job…
I think, no DNS provider should block name resolution. But they shouldn’t priorize answers, also.
The three names cited aren’t free from the suspection to do this, IMO.
And this maybe a reason for the court cases. As Michael mentioned neither the priority of politicians nor lawyers have the profund knowledge.
ISPs were traditionally the first to push back against site blocking but in Spain, all of those now involved have commercial interests in the content being blocked. They agreed to the terms of the blocking order, and they weren’t subjected to it against their will; that’s why the court approved it.
With this result
Vercel blocked IP addresses, who was responsible, and for how long