2

I was reading on how ISPs in many countries block access to many sites. This got me wondering -- How do ISPs block sites in the first place? I found answers here, and reading through, it became evident that ISPs usually drop connections going to these blocked domains on their DNS servers, which can be easily circumvented by using a different DNS (optionally also using DoH to a non-compromised server).

I then read on to find that ISPs also block domains by their known IPs, so using another DNS wouldn't fix this issue. This led me to think -- what if the server was on a dynamic IP?

The devil's advocate of my mind quickly told me that all the ISP had to do was to run a dns lookup on the domain itself to find the current IP and block that. But then again, what do you guys say?

  • *"...easily circumvented by using a different DNS..."* - the ISP could simply and cheaply redirect any traffic to port 53 to its own DNS server, which makes it not that easy to use a different DNS. DoH is likely a better option, but then commonly used DoH servers could probably just be blocked by IP address or based on an initial normal DNS request too. Harder but likely not impossible would be blocking based on the traffic pattern, which in my opinion is very different from normal traffic (short requests with short replies instead of the typical short requests with larger replies). – Steffen Ullrich Feb 28 '19 at 17:46
  • I'm not sure why the linked question does not answer you. The answers explain the process. – schroeder Feb 28 '19 at 17:47
  • Do people really run high availability servers on dynamic IPs? I suspect not; DNS propagation could struggle to keep up if a server was constantly cycling its IPs – Caius Jard Mar 01 '19 at 17:37

2 Answers

2

all the ISP had to do was to run a dns lookup on the domain itself to find the current IP and block that.

Definitely not impossible. In fact, it is the way Russian ISPs are required by RKN to censor websites. The requirements are enforced by RKN-owned boxes inside ISPs' networks, which try to access censored websites and report the result to RKN. It is supposed that an ISP is fined for each non-blocked website from the blacklist, though there are rumours that it is not always the case. Some people protest against censorship by buying expired domains still present in the statewide blacklist and making them point to government and big business websites, so ISPs must block them for their clients. There were some rumours about a whitelist of websites that should never be blocked being sent to ISPs, though using this whitelist may be illegal for an ISP, so if an ISP wants to play safe, it must block the sites irrespective of the whitelist.

More sophisticated methods of detection are also used there.

KOLANICH
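The mechanism this answer and the question's "devil's advocate" describe (a domain-based IP blocklist kept current by re-resolving the domain) is the same technique defenders use for domain-based egress filtering, and it shows why a server hopping to a new IP only helps until the next lookup. The following is an added example, not code from the thread or any ISP's system; the zone data, the domain names and the `FakeResolver`, `DomainBlocklist` and `simulate` names are constructed here so it runs offline. A blocklist built once from DNS goes stale when the target changes address, while one that re-resolves before each check tracks the change, regardless of which DNS server the client itself uses.

```python
"""Simulate an IP blocklist derived from a domain list, with and without periodic re-resolution."""
from dataclasses import dataclass, field
import ipaddress

# Constructed fake zone: for each name, the A record at simulated tick 0, 1, 2, ...
# blocked.example moves to a new address at tick 2 (the "dynamic IP" case).
FAKE_ZONE = {
    "blocked.example": ["203.0.113.10", "203.0.113.10", "198.51.100.7", "198.51.100.7"],
    "allowed.example": ["192.0.2.5", "192.0.2.5", "192.0.2.5", "192.0.2.5"],
}


class FakeResolver:
    """Stand-in for a DNS resolver; answers from FAKE_ZONE at the current simulated tick."""

    def __init__(self, zone, tick=0):
        self.zone = zone
        self.tick = tick

    def resolve(self, name):
        records = self.zone.get(name)
        if not records:
            raise LookupError(name)
        # Clamp so the last record persists after the simulated timeline ends.
        return records[min(self.tick, len(records) - 1)]

    def advance(self):
        self.tick += 1


@dataclass
class DomainBlocklist:
    """IP-level block rules derived from a list of domains, like a UTM 'block this FQDN' rule."""

    resolver: FakeResolver
    domains: set
    blocked_ips: set = field(default_factory=set)

    def refresh(self):
        """Re-resolve every listed domain; addresses the domains no longer use are dropped."""
        current = set()
        for name in self.domains:
            try:
                current.add(ipaddress.ip_address(self.resolver.resolve(name)))
            except LookupError:
                continue  # unresolvable domain: nothing to block for it right now
        self.blocked_ips = current
        return self.blocked_ips

    def permits(self, dst_ip):
        """True if a packet to dst_ip would pass the current rule set."""
        return ipaddress.ip_address(dst_ip) not in self.blocked_ips


def simulate(ticks=4):
    """Return (tick, dst_ip, stale_list_permits, refreshed_list_permits) per tick.

    The client resolves the blocked domain through its own (uncensored) resolver and
    connects to the resulting IP; the filter never sees the client's DNS traffic.
    """
    dns = FakeResolver(FAKE_ZONE)
    stale = DomainBlocklist(dns, {"blocked.example"})
    fresh = DomainBlocklist(dns, {"blocked.example"})
    stale.refresh()  # built once and never updated
    results = []
    for _ in range(ticks):
        fresh.refresh()  # re-resolve before every decision
        dst = dns.resolve("blocked.example")  # what the client's own DNS returns now
        results.append((dns.tick, dst, stale.permits(dst), fresh.permits(dst)))
        dns.advance()
    return results


if __name__ == "__main__":
    for tick, dst, stale_ok, fresh_ok in simulate():
        print(f"tick {tick}: {dst:14} stale list permits={stale_ok}  refreshed list permits={fresh_ok}")
```

Run as-is, the stale list starts permitting traffic at tick 2, when the domain moves to 198.51.100.7, while the refreshed list keeps blocking. The refresh interval is the whole game: an operator re-resolving every few minutes tracks a dynamic IP about as fast as ordinary DNS propagation lets clients find it, which is the point Caius Jard's comment makes from the server side.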
0

Usually the ISP is the gateway for your connection to the Internet.

They can drop it simply by creating a firewall rule that blocks all requests for a specific DNS entry. This kind of rule is very simple to create on modern UTM Firewalls.