how to filter hundreds of domains?

Oscar Ricardo Silva osilva at scuff.cc.utexas.edu
Fri Aug 31 21:59:50 UTC 2012


On 08/31/2012 04:20 PM, Kevin Darcy wrote:
> On 8/31/2012 10:42 AM, Oscar Ricardo Silva wrote:
>> On 08/31/2012 08:22 AM, Kevin Darcy wrote:
>>> On 8/31/2012 2:50 AM, sthaug at nethelp.no wrote:
>>>>> Again, it's not about how effective the block is or can be. Unless Italy
>>>>> becomes like China or even worse (but the US had the chance to end up
>>>>> almost in the same situation very recently, so this is NOT an
>>>>> Italian-only problem), there is no way to inhibit users from reaching a
>>>>> given resource on the Internet: if the user is motivated enough he/she
>>>>> will circumvent whatever you do, eventually assisted by the counterpart
>>>>> he/she is trying to reach...
>>>> We are in much the same situation in Norway. All the biggest ISPs use
>>>> a list of child porn domains to be blocked, specified by the central
>>>> police authorities. *In principle* implementing this is voluntary for
>>>> the ISPs. In practice there is significant pressure to do so.
>>>>
>>>> Both the police and the ISPs are fully aware that blocking this at the
>>>> DNS level (the ISP recursive resolvers) won't prevent somebody who is
>>>> determined. But the police (and the government) still want this done.
>>>>
>>>> I sometimes suspect their view is of the type "We must do something.
>>>> This is something, therefore we must do it."
>>>>
>>> Nothing is better than paradise.
>>> A ham sandwich is better than nothing.
>>> Therefore, a ham sandwich is better than paradise.
>>
>>
>> And you won't be able to afford that ham sandwich if you've been
>> terminated from your job because you didn't follow the law.  We all
>> have things in our jobs that we don't want to do but we do them
>> anyway.  All the ridiculous suggestions and snarky comments aren't
>> helping the original poster who mentioned these sites were considered
>> illegal and is looking for other ways to do this.
> Doesn't the Eurozone have bigger problems right now, than worrying about
> a few people looking at dirty pictures?
>
> In any case, what does the OP expect us to say here? "Yeah, here's a
> nifty way to violate the spirit of the whole DNS protocol"? It's one
> thing to acknowledge casually that DNS software can be abused by
> unscrupulous administrators as a form of social control, it's quite
> another to ask technical experts to actually give details on how that
> abuse can be carried out; giving aid and comfort to the enemy, as it
> were. The OP should report to his boss that the technical community
> provides absolutely *NO*HELP* in this travesty, and therefore any
> "modifications" to the DNS to try and implement this "blocking" will be
> incredibly time-consuming and prone to breakage in unforeseen ways.
>
>                  - Kevin


I'm not suggesting this should be implemented and actually agree with 
many of the arguments against it.  Overall it would just be a game of 
whack-a-mole.  Even so, to paraphrase your own response, the reply could 
have been:


*******************
the technical community provides absolutely *NO*HELP* in this situation, 
and therefore any "modifications" to the DNS to try and implement this 
"blocking" will be incredibly time-consuming and prone to breakage in 
unforeseen ways.
*******************

I would also have mentioned something along the lines of:  unless you 
can guarantee that your hosts will use your name servers and ONLY your 
name servers then any solution you implement will be doomed to fail.



Oscar






More information about the bind-users mailing list