
Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?



On September 12, 2019 4:52:47 PM UTC, Adam Borowski <kilobyte@angband.pl> wrote:
>On Tue, Sep 10, 2019 at 07:46:57PM +0200, Marco d'Itri wrote:
>> On Sep 09, Adam Borowski <kilobyte@angband.pl> wrote:
>> 
>> > With DoH:
>> > * the target server knows about you (duh!)
>> > * the ISP can read the destination of every connection
>> >   [reading the IP header, reading SNI header]
>> > * the ISP can block such connections
>> >   [blocking actual connection]
>> Well, no. They cannot without significantly more expensive hardware to
>> do DPI and a *totally different* legislative framework.
>> (Source: I have been dealing with government-mandated censorship in 
>> Italy for ~15 years, both at technical and policy levels.)
>
>I don't understand how blocking by IP would be any more expensive than
>blocking by DNS.  It's _cheaper_: you read a field in the IP header
>instead of doing it in a higher level DNS server.

I don't think it is, actually. Disregarding the legal framework part, only looking at the technical aspect of things, when you do it with DNS, you just have to create a local version of the zone that has to be censored and distribute it normally on your resolvers, for instance.

Anyway, you do a high-level modification in a high-level service. Requests will go through your DNS infrastructure the way it's intended to.

However, reading IP headers on routers to block a particular destination is not how networks are designed to operate. It's not as cheap a function as you'd think, because it means either being able to do it on the customer router, or close to it, and those aren't usually designed to filter that way, or you make sure all traffic passes through a filtering router at some point - which means dedicated hardware with the traffic load involved. This is usually complicated in a large ISP context: networks are huge and evolved over time; and they weren't designed for censorship to begin with, there was this thing called Net Neutrality... ;)

Cheers,

-- 
nodens
