how to filter hundreds of domains?

Emanuele Balla (aka Skull) skull at bofhland.org
Thu Aug 30 16:26:25 UTC 2012

On 8/30/12 6:09 PM, Mark Elkins wrote:

>> Still, that kind of setup is *mandatory* for ISPs in Italy :-\
> Is the mandatory setup to actually use 'DNS' to block access to gambling
> sites? It's easy enough to script an automatic update if someone central
> and with the necessary authority decides what is not allowed (eg a
> governmental man). Could even stick the 'bad' names in DNS to do the
> distribution.

No, they don't tell ISPs that they should hijack DNS resolution (they
probably don't even know what that means). They just say that ISPs are
expected to inhibit their users from reaching some given sites.

Gambling sites "blacklisted" by Italian gambling monopoly (on an RTF
file almost impossible to parse automatically), sites containing child
porn on a blacklisting maintained by a police division (on a txt file),
and a lot of other domains like torrent sites, sites selling cigarettes
online and similar kind of stuff some prosecutor chooses to send you-ISP
a FAX about.

But still, the DNS hijack approach is the most common and used: any
other solution involves some kind of DPI on customers' traffic and would
cost a crazy amount of money for something that is simply worth nothing.

Funny, uh?!?

> Suggestion: Don't listen to Niall O'Reilly - although he may be right.
> (tongue firmly stuck in cheek)
> Note to self, run own recursive DNS resolver on my laptop whilst
> travelling in Italy.

You'd better do.

> ?

Usually works. At least we're not expected to force our users to use our
own government-driven resolvers only.

And that's the entire reason why this entire approach is worthless,
unless we're all going to become like China...

Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.

More information about the bind-users mailing list