The End of DNS-based Site Blocking is near

By admin
For well over three decades, DNS-based site blocking has been used to block users from accessing certain sites on the Internet. Court rulings may commit Internet Service Providers to block their customers from accessing certain sites.


These sites may be so-called pirate sites, adult websites or any other site that the court has ruled against. DNS-based blocking is a simple form of blocking access to a site.


DNS is used to translate the domain name of a site, say ghacks.net, to its IP address. Computers use IP addresses for communication. The block prevents the lookup from happening. The result is that the site in question can’t be opened on the user’s device. Sometimes, another page is displayed that informs the user about the block.


DNS-based blocking has never been effective. Users may use different DNS providers on their devices to access the sites in question. It takes just a few clicks in all modern operating systems to switch to a new provider. This can be done in any web browser or system-wide.

Third-party programs like QuickSet DNS may also be of use in this regard. VPNs and proxy servers may also be used.

There are valid reasons for changing DNS providers. One is performance, and a tool like Namebench may help users find the best performing provider by running benchmarks. Another is security. Some DNS providers may support security features that the default provider, often the ISP of the user, does not support.

DNS encryption has seen a push in recent years. DNS-over-HTTPS plays an important part, but it still leaked the domain name. This meant that providers could still block access to sites on the DNS level or sell the information gathered.

The introduction of Encrypted Client Hello in browsers changes that. It hides the domain name during lookups, so that Internet Service Providers or network operators don’t know what a user accesses on the Internet. It is a major push for privacy, as it prevents ISPs from recording and selling user data, or interacting with certain requests.


Mozilla introduced support for Encrypted Client Hello in Firefox 118, and Chromium also added support for the security feature recently. You can check your browser here to find out if it supports the feature.

A side-effect of improved user privacy is that DNS-based blocking becomes unusable. The ISP or network operator has no knowledge of the domain name the user tries to access anymore, as this is no longer provided in the clear. As such, websites that are blocked on the DNS level are no longer blocked, provided that the site in question supports Encrypted Client Hello.


Cloudflare has enabled support for Encrypted Client Hello for all of its managed sites this month. Millions of sites support Encrypted Client Hello as a consequence already and many more will follow in the future.

Results are a mixed bag currently, as reported by Torrentfreak. Sites that use Cloudflare for protection or have enabled Encrypted Client Hello on their servers are no longer blocked on the DNS level in countries in which they are blocked. Nothing changes for blocked sites that do not use Encrypted Client Hello, but it is likely that these will switch to using it in the future.

It is too early to say how this will affect local legislation and rulings to block access to websites. Courts may require that ISPs use different blocking techniques, for instance Deep Packet Inspection.

Now You: are websites blocked by court order in your country?

Summary
Article Name: The End of DNS-based Site Blocking is near
Description: The introduction of the privacy technology Encrypted Client Hello has a side-effect: it makes DNS-based site blocking useless.
Author: Martin Brinkmann
Publisher: Ghacks Technology News
