Who was saying that VPNs are useful only for Brit ex-pats?
You are not wrong but I doubt anyone there will bother.
But this sort of thing cannot be just ignored. Many years ago I was summarily blocked by an ISP (Clara, UK) following a copyright claim. It turned out to be bogus, but it caused a lot of trouble because in the UK, the ISP owned the physical phone line and thus you could not move to another ISP to get the connection back. It was a deal between BT and the ISPs, to protect them from customers not paying and repeatedly moving ISPs. I finally kicked Clara off the line by terminating the line and ordering another one.
So this is potentially dangerous. It just takes someone malicious (in Italy in this case) to file a copyright breach claim and suddenly your site is gone. Fortunately I still own the DNS control panel…
No decent ISP behaves like that though and I am sure CF would not either. Anyway it sounds like there were a huge number of CF IPs blocked by Italy, not just EuroGA’s.
The trouble is that the government types who come up with these rules are totally clueless. It applies in many domains but certainly anything relating to the Internet.
I asked them for details of their allegations, but they have avoided replying while – amazingly – responding to an email!
“In particular, the new rules provide that the blocking of FQDNs and IP addresses, uniquely intended for the illicit diffusion of protected content, takes place within thirty minutes from the notification of the owner through a single technological platform with automated operation.”
So basically the Italian state has set up an automated denial of service attack facility. What could go wrong?
I have not read it properly but someone mentioned that it was implemented by messing with DNS, not by blocking internet packets in IP ranges.
I don’t know how you could do this because the DNS mapping is ultimately controlled by, ahem, the domain owner, and whatever IP etc the owner enters in his DNS control panel gets distributed around the various DNS servers around the world (within an hour or so, usually).
Perhaps Italy passed a law forcing Italian ISPs to not respond to DNS requests within specified IP ranges. Normally, AIUI, say your PC goes to euroga.org, it sends a DNS request (UDP, port 53) to the default gateway IP, which your router typically has on 192.168.1.1, and the router then sends that to your ISP, which looks up euroga.org on its DNS server. There will be some caching also. That DNS server contains a copy of all domains on the whole internet and their IPs (well, it used to, when a friend used to run one some years ago). With a court order it is perfectly feasible for the Italian govt to force that ISP to not respond to that DNS request. But you could still get euroga.org by going direct to its IP, in this case the Cloudflare one of 188.114.97.7.
Or use a VPN terminating outside Italy, or a DNS server located outside Italy.
What could go wrong? It’s already happened
There are some nefarious outfits hiding behind Cloudflare, and if you set one up and you do it right (the original server IP was never online) then in theory nobody can find out your server IP, geo location, etc. That is of course essential for Cloudflare to operate as intended to block DOS attacks, otherwise the attacker would just go direct to the real server IP. Big organisations pay big money to CF for this protection. For example mumsnet.com is habitually attacked so they use CF.
DNS censoring is relatively widespread because it is easily implemented and doesn’t require any changes in the network infrastructure. Usually it can be circumvented by just not using the ISP’s DNS resolver. The collateral damage is of course high because it makes a whole host name unusable and not just one service or even one specific URL. Politicians usually don’t care about that. Ursula von der Leyen went haywire when she tried to censor the internet in Germany and the experts asked her how she thinks blocking single web pages or images shall be implemented.
Well, a court order to an ISP to block DNS resolution if it yields an IP within a given range (which I assume is what you describe) still needs that ISP to install some code to do that, which is not much different to a court order to an ISP to block delivery of traffic from a given IP range.
It is known that ISP routers have a “monitoring port” (a friend who used to work at Cisco told me they used to do this) which is accessible 24/7 to the security services, but that is for surveillance only; it can’t do remote config. Well, not as far as is known.
How does Russia block Telegram?
Peter wrote:
How does Russia block Telegram?
It doesn’t. They’ve tried to block many IP ranges, blocked access to government sites as a result, then stopped doing it completely.
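Added example, not part of the original thread: the resolver-level blocking discussed in the posts above shows up when the ISP resolver's answer for a name is compared with a reference resolver's answer. The replies below are constructed (192.0.2.1 is a documentation address), and `classify` and its labels are hypothetical names.

```python
import struct

def build_query(name, txid=0x1234):
    """RFC 1035 A query, as a stub resolver sends it over UDP port 53."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def make_response(query, rcode, addrs):
    """Constructed sample reply: echoes the question, one A record per address."""
    msg = query[:2] + struct.pack("!5H", 0x8180 | rcode, 1, len(addrs), 0, 0) + query[12:]
    for a in addrs:  # 0xC00C is a compression pointer to the name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return msg

def skip_name(msg, off):  # offset just past a name (labels and/or a pointer)
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rcode, [IPv4 strings]) from a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, addrs

def classify(isp_reply, ref_reply):
    """Hypothetical labels for the ISP answer versus a reference resolver."""
    (isp_rc, isp_a), (ref_rc, ref_a) = parse_response(isp_reply), parse_response(ref_reply)
    if ref_rc == 0 and ref_a and (isp_rc != 0 or not isp_a):
        return "blocked-at-resolver"
    if isp_a and ref_a and set(isp_a).isdisjoint(ref_a):
        return "answer-differs"  # only a hint: CDNs vary answers by location
    return "consistent"
# Constructed sample data: reference answer, NXDOMAIN from the ISP, rewritten answer
Q = build_query("euroga.org")
REF = make_response(Q, 0, ["188.114.97.7"])
ISP_NX, ISP_SINK = make_response(Q, 3, []), make_response(Q, 0, ["192.0.2.1"])
```

A differing answer alone is weak evidence, because a CDN can return different addresses to different resolvers; an error code or empty answer where the reference resolver succeeds is the stronger signal.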