nanog mailing list archives
RE: This DNS over HTTP thing
From: Matthew Huff <mhuff () ox com>
Date: Wed, 2 Oct 2019 10:45:10 +0000
From a corporate standpoint, this is exactly correct. There are also some regulatory issues involved (FINRA, SEC, etc...)
We are required to block access to web based email (gmail, etc...) in our corporate network (please don't ask why, ours is not to reason why...), so every method to "bypass" normal network operations creates headaches for us.

-----Original Message-----
From: NANOG <nanog-bounces+mhuff=ox.com () nanog org> On Behalf Of John R. Levine
Sent: Tuesday, October 1, 2019 4:06 PM
To: Aaron C. de Bruyn <aaron () heyaaron com>
Cc: NANOG mailing list <nanog () nanog org>
Subject: Re: This DNS over HTTP thing

I assumed my point was obvious but evidently I overestimated my audience.

While it is stupid to assert that the only reason to circumvent DNS filters is to look at child abuse material, it is equally stupid to assert that the only reason to filter is to lie, or to censor.

There are plenty of good reasons to filter DNS responses, with the most obvious being to block malware sites whose links are sent out in spam (a whole lot of spam these days.) There are also reasons that enterprises filter DNS on their networks, to block stuff that creates a hostile work environment, or is obviously unrelated to what employees are hired to do (i.e., facebook.)

R's,
John

On Tue, 1 Oct 2019, Aaron C. de Bruyn wrote:

> "For the children!" "Stop resisting!" "I was in fear for my life!" The age-old cries of the oppressor. ...
>
> On Tue, Oct 1, 2019 at 11:33 AM John Levine <johnl () iecc com> wrote:
>
>> In article <20191001074011.n4xjouqg6lhsvti7 () nic fr> you write:
>>
>>> Note that the UK is probably the country in Europe with the biggest use of lying DNS resolvers for censorship. No wonder that the people who censor don't like anti-censorship techniques.
>>
>> Most UK ISPs use the Internet Watch Foundation's advice intended to block child sexual abuse material. Circumventing it enables people to access that material.
>>
>> We can shout CHILD PORNOGRAPHY just as loud as you can shout CENSORSHIP so perhaps we should both stop now.
>>
>> There are plenty of valid reasons for a DNS resolver to block some results.
Regards, John Levine, johnl () taugh com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly