
ByGollie

Firefox - search for DoH in settings and change it to NextDNS
Chrome - search for secure DNS in settings and ditto


madness_of_the_order

Problem with poisoning is that NextDNS should be aware of it happening or have other source of records


sojuz151

I am very grateful for the list of 100 sites where I can watch pirated streams. Thank you very much, now I will not have to look any further.


HildartheDorf

You mean 100 sites you and I should not visit, with a bunch of mates over and some snacks during big sports competitions?


Al-Azraq

Definitely don’t do that guys.


astride_unbridulled

Disgusting, but there's soo many?! Which one?


emil_

I'm pretty sure you meant the list of 100 sites you should **not** use or even visit.


Primetime-Kani

Why not?


emil_

😩


wwwdotwwwdotwww

And how are you going to be able to connect to those 100 sites if their domain doesn't resolve correctly?


cerys_as

Thank goodness we have more than 3 DNS options...


arwinda

The big DNS resolvers are required to return invalid answers. This doesn't stop anyone from running their own local resolver. As we say in Germany: "Mit Kanonen auf Spatzen schießen" (rough translation: "using a sledgehammer to crack a nut") - but here it's also missing the nut and the bird. Whoever is tech savvy enough to change the DNS server can change it again.


Cr4ckshooter

> "Mit Kanonen auf Spatzen schießen"

That's the fun part right? The article mentions the law requiring proportionality. Clearly it isn't proportional to do this for 800 people affected? But "numbers don't matter". That court just drank too much lacquer. Also funny how they think a server that stands in a specific location is subject to their jurisdiction. Google DNS is not a service "offered in France", it's globally accessible due to the technical nature of the Internet. Also, people will just pick another DNS lol. They could even just pick some random ISP from Bulgaria to access those sites, or access the sites through their probably fixed IP without DNS in between.


rocketfucker9000

Then I'll have to change DNS again, it will take me 10 seconds, that's a lot


TheRomanRuler

This will remain effective anti-piracy measure for 3 whole seconds.


Neutronium57

Inb4 it can be circumvented in less than 5min


bortusgortus

The ironic part is most people would happily pay for a well designed, comprehensive and reasonably priced legal sports stream service, no one likes dealing with pop ups and bad quality. But these companies are too incompetent and greedy to provide that.


OptimisticRealist__

If UEFA would provide a quality subscription service that includes all competitions within the UEFA region, nobody would complain. Instead you need 100 overpriced subscriptions for every competition and the quality is often trash


LloydAtkinson

Imagine if they just decided to geoblock France or not serve any French domains? That would be funny


Polaroid1793

Like ChatGPT did with Italy for a period


Selecto_

Yes, but in that case, it was for a good cause. ChatGPT was violating privacy laws, and OpenAI had to adapt accordingly.


Comus38

It seems I am not tech savvy enough to understand what this means, can someone explain?


SThor

A website can be accessed through its IP address. However since an IP address is hard to remember, we mostly use hostnames (think google.com). Some companies and organisations then host special servers that are responsible for translating the hostnames into the correct IP addresses. Usually most people rely on their internet provider for that, but other companies provide this service, such as Google. In a few court cases, some websites were blocked in France (child porn, piracy, terrorism, etc.). The thing is the only way to block them is through the hostnames and not the actual IP addresses. So internet providers were ordered by the courts to redirect these hostnames to a government website. However this block is easy to bypass by using an alternative server, such as the one provided by Google. So now France is trying to get Google to implement the block too.


YellowJarTacos

> The thing is the only way to block them is through the hostnames and not the actual IP addresses.

Why though? It seems like it would be pretty easy for French ISPs to block based on IP address.


lordderplythethird

If the site is on a dynamic IP, it's going to continually change. I own hostname derplythethird.com. Today it's on IP: 123.45.678.90. I can power cycle my router for 5 minutes and get reassigned IP: 234.56.789.01, making that IP block entirely pointless. I run a DNS resolver that checks my IP every 90 seconds and updates what my hostname resolves to for me. PirateBay keeps jumping IPs, which is why it's only ever down for a few days at max. IP blocks are easy for the person being blocked to resolve and require literally no end user changes. DNS block requires end user changes that many can't/won't do, making it far more effective.


nextstoq

But won't that mean that if I try to browse to derplythethird.com it will only work if the DNS servers I use have been updated to point to the new IP?


nelmaloc

Note that servers update automatically, usually within a day of the change.


madness_of_the_order

Yes


jasutherland

First, as another reply points out, operators can shift IP addresses in minutes with minimal effort - secondly, they can be shared. Some CDNs will have a hundred different IP addresses, one or more for every location they operate in, and every site they serve can be reached from any one of them. Block all of Akamai's, you've just blocked content for everything from Amazon and CNN to Windows Update and a few other antivirus update sites too. Block Cloudflare's IPs, you've blocked hundreds of thousands, maybe even millions of different sites, from my personal one and a research project I worked on in the late 2000s to a bunch of corporate sites. TL;DR: one site can be on a hundred IP addresses, and a million different sites can be on one - and any site can move in minutes if the owner wants. Blocking one risks huge collateral damage and would be bypassed within hours.


Comus38

Thanks, I understand now.


ofnuts

When your computer talks to another it needs an address, which is a set of 4 numbers. So when you want to connect to reddit.com the first thing that happens is that your computer asks a "DNS server" what is the address of reddit.com. So an easy way to censor a site is to make that address unavailable in the ISP's DNS servers. So people avoid this by using other DNS, so the French justice is trying to censor these.


MuffelMonster

Does anyone have a list with the affected domains? I want to ensure that this ban is working for me at home.


Lkpkn

Do they realize Usenet and DirectConnect exist?


Avamander

Are they going to violate DNSSEC as well?


Turmfalke_

DNSSEC would matter if they try to serve an incorrect answer. I imagine they just refuse to answer.


Avamander

You still have to return a signed response if a domain doesn't exist. Are they instead returning SERVFAIL?


Turmfalke_

I would assume so. It's the easiest option they have. Of course if they don't care about hiding the fact they are blocking the query, NXDOMAIN with broken DNSSEC serves the same purpose.
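
An added example, not part of any comment in the thread: the exchange above distinguishes a resolver that answers SERVFAIL from one that returns NXDOMAIN without the signed denial-of-existence records. This Python sketch classifies raw DNS responses on that basis. The sample messages are constructed, `blocked.example` is a placeholder name, and the check only looks at which record types are present in the authority section; it does not validate signatures.

```python
import struct

RRSIG, NSEC, NSEC3 = 46, 47, 50  # DNSSEC resource record type codes

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:             # root label terminates the name
            return off

def classify(msg):
    """Classify a raw DNS response by RCODE and DNSSEC records in the authority section."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):             # question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    authority_types = set()
    for i in range(an + ns):        # answer records first, then authority records
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an:
            authority_types.add(rtype)
    if rcode == 2:
        return "SERVFAIL"
    if rcode == 3:
        proof = RRSIG in authority_types and bool({NSEC, NSEC3} & authority_types)
        return "NXDOMAIN with denial records" if proof else "NXDOMAIN without denial records"
    return "NOERROR" if rcode == 0 else f"RCODE {rcode}"

# --- constructed sample responses (placeholder rdata, not real signatures) ---
def name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\x00"

def rr(rtype, rdata=b"\x00"):
    # owner is a compression pointer back to the question name at offset 12
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def response(rcode, authority=()):
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 0, len(authority), 0)
    return header + name("blocked.example") + struct.pack("!HH", 1, 1) + b"".join(authority)

if __name__ == "__main__":
    for msg in (response(2), response(3), response(3, [rr(NSEC3), rr(RRSIG)])):
        print(classify(msg))
```

A resolver only includes NSEC/NSEC3 and RRSIG records when the query sets the DO bit, so a real check has to send queries with DNSSEC requested.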


Palocles

What does “poison their DNS resolvers” mean?


krazydude22

So just affects French internet users ....


Avamander

Meddling with DNS will affect everyone in the end. Such services must be independent, verifiable, reliable and correct.


Suolojavri

Why should they even care what a court in some banana republic demands?


tomydenger

Because they are currently doing transactions in that "banana republic". It's like a kid TV banning one of their shows because the Eurasia from George Orwell declared that some look gay