how to filter hundreds of domains?

Kevin Darcy kcd at chrysler.com
Fri Aug 31 21:20:05 UTC 2012

On 8/31/2012 10:42 AM, Oscar Ricardo Silva wrote:
> On 08/31/2012 08:22 AM, Kevin Darcy wrote:
>> On 8/31/2012 2:50 AM, sthaug at nethelp.no wrote:
>>>> Again, it's not about how effective the block is or can be. Unless Italy
>>>> becomes like China or even worse (but the US had the chance to end up
>>>> almost in the same situation very recently, so this is NOT an
>>>> Italian-only problem), there is no way to inhibit users from reaching a
>>>> given resource on the Internet: if the user is motivated enough he/she
>>>> will circumvent whatever you do, eventually assisted by the counterpart
>>>> he/she is trying to reach...
>>> We are in much the same situation in Norway. All the biggest ISPs use
>>> a list of child porn domains to be blocked, specified by the central
>>> police authorities. *In principle* implementing this is voluntary for
>>> the ISPs. In practice there is significant pressure to do so.
>>> Both the police and the ISPs are fully aware that blocking this at the
>>> DNS level (the ISP recursive resolvers) won't prevent somebody who is
>>> determined. But the police (and the government) still want this done.
>>> I sometimes suspect their view is of the type "We must do something.
>>> This is something, therefore we must do it."
>> Nothing is better than paradise.
>> A ham sandwich is better than nothing.
>> Therefore, a ham sandwich is better than paradise.
> And you won't be able to afford that ham sandwich if you've been 
> terminated from your job because you didn't follow the law.  We all 
> have things in our jobs that we don't want to do but we do them 
> anyway.  All the ridiculous suggestions and snarky comments aren't 
> helping the original poster who mentioned these sites were considered 
> illegal and is looking for other ways to do this.
Doesn't the Eurozone have bigger problems right now, than worrying about 
a few people looking at dirty pictures?

In any case, what does the OP expect us to say here? "Yeah, here's a 
nifty way to violate the spirit of the whole DNS protocol"? It's one 
thing to acknowledge casually that DNS software can be abused by 
unscrupulous administrators as a form of social control, it's quite 
another to ask technical experts to actually give details on how that 
abuse can be carried out; giving aid and comfort to the enemy, as it 
were. The OP should report to his boss that the technical community 
provides absolutely *NO*HELP* in this travesty, and therefore any 
"modifications" to the DNS to try and implement this "blocking" will be 
incredibly time-consuming and prone to breakage in unforeseen ways.

                 - Kevin
