19 comments

[ 3.0 ms ] story [ 33.8 ms ] thread
I've increasingly taken the attitude that digital media is simply lost to corporate interests and there's nothing we can do about it aside from not spending money or time on the internet.
> “At what point does legal compliance become de facto censorship?”

I genuinely agree with this statement a lot. Also another aspect of this is that the bigger companies can somehow "legally" do things which I don't think would work but they have so many resources to strech the court case for a long time.

And the fact is that even after that, even if they are fined for some dollars. They are more than likely to just pay than try to actually fix the core issues which effects everyone harmfully except the company.

All for profit smh. I sometimes wonder if there is a word for this phenomenon for how our system has gotten into such a rotten state from lobbying to this yet at the same time genuine non profits get existential threats for the same behaviour but they simply don't have the funds...

[flagged]
Going after DNS resolvers seems like the easy win. If a website was breaking the law so egregiously then take it to ICANN to get the domain name seized. I'd wager that's a much harder thing to prove, hence the strong arming of DNS resolvers.
Would the root DNS servers ever get modified or censored as a result of court action?

My thoughts were that DNS-level censorship is essentially a dead end because the root servers are sacrosanct, and there will always be secondary DNS servers to query, who then use the root servers.

Sucks for DNS providers in authoritarian countries though.

Many ISPs in Germany have stopped fighting this fight as well and sadly have now even started to self-censor their DNS servers.[1]

[1] https://cuii.info/en

Re: "Cisco has decided to leave france": (https://web.archive.org/web/20250614052849/https://support.o...)

  Effective June 28, 2024: Due to a court order in France issued under Article L.333-10 of the French Sport code and a court order in Portugal issued under Article 210-G(3) of the Portuguese Copyright Code, the OpenDNS service is not currently available to users in France and certain French territories and in Portugal. We apologize for the inconvenience.
  
  July 23, 2024: Cisco's OpenDNS service has been reactivated in Portugal and is currently available following a decision by the Lisbon Court of Appeal.
It's laudable that Quad9 want to fight censorship, but they too could block French requests in this way. Maybe redirect to an HTTP/HTTPS IP that tells users about the issue and gives them contacts to their government representatives?
This is also why it is important for Switzerland to not sign the deal with the EU next year. The 8k+ page deal would also require Switzerland to pull the line with EU regulation regarding copyright. The freedom we have right now to download would fall away. Doesn't matter if you are left or right, the deal is bad for all of us.
Another side effect of law makers yoloing legislation on things they don’t seem to understand
Hoping the HN DNS savvy reading this can help me understand a Quad9 thing I ran into. I was debugging (as in scratching my head) a bank website login problem and ended up doing some DNS checks against their domain, usual stuff, while using Quad9 as my DNS provider.

While testing, I was using Google and Cloudflare as well, and started noticing something - Quad9 does not return all A records listed for a domain, the same way Google/Cloudflare do.

    dig -t A google.com @8.8.8.8 +short (6x IPs)
    dig -t A google.com @1.1.1.1 +short (6x IPs)
    dig -t A google.com @9.9.9.9 +short (1x IP)
This gave me a weird feeling; I get there's a lot of DNS geo magic and 8.8/1.1 serve 2 different subnets, and 9.9 a third. But... where did the other 5 expected IPs from Quad9 get off to?
This all started, in earnest, with Response Policy Zones being added to BIND. RPZ allow DNS resolvers to lie to clients by returning (nxdomain or redirects to other domains) and the client does not know it is being lied to.

    https://www.isc.org/docs/BIND_RPZ.pdf
At first, RPZ was used to block known malicious domains (drive by malware downloads, etc.). Then, the security weenies started using RPZ to block other things like TikTok (for administrative/legal reasons). That's when the DNS became a big lie.

I guess some day, one political party will use it to block the websites of other political parties, etc. That's stupid to say (I know) but that seems to be the slippery slope we are sliding down.

Does Quad9 run a resolver with DNSSEC but without "malware" blocking? So far I've had multiple instances (twice for a torrent tracker, once for gist.github.com) where they blocked a non-malware domain for a short while, which is really annoying to deal with.
Kind of wild that we're approaching a decentralized internet not for the virtue of decentralization, but because of insane authoritarian censorship.
I just run my own name server. DNS blocking is no longer an issue unless they get to the root name servers. With a little domain warming from the top 5000 domains it’s pretty snappy most of the time.
Are we heading to a place where there will be many DNS resolvers just to get a "full" picture of the internet? Or perhaps topical upstream resolvers?

  if (geoip[sourceIp] === "France") {
    if (geoblocks["France"][sourceIp]) {
      return NOT_FOUND;
    }
  }
I don't think the cost of writing the above code is an existential threat.