North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Blocking specific sites within certain countries.

  • From: hostmaster
  • Date: Thu Nov 14 14:55:00 2002

This all strikes me as incorrect. The function of the domain name system is primarily to translate an IP number into a domain name, vice versa. If a user wishes to browse to <http://64.236.16.20>  he/she will arrive also at <www.cnn.com>. The domain name is propagated and subsequently refreshed throughout the World. A browser request and reply may take each time hundreds of different routes through the Internet from end-to-end. If Spain would want to deploy blocking of the domain CNN.com (or in fact any other domain) it would have to factually block individual IP's at the telco 'in and out of Spain routes' to accomplish that.  This, by the way is currently e.g. done in the Peoples Republic of China, be it not really successful :)  It is also so easy to set up secondary dns's anywhere else on the globe with a ptr to some other IP no., that a dns block sec would never be a successful action. Blocking a /24 in Spain may be effective, but if the Spanish site would be hosted elsewhere, or would have a mirror hosted elsewhere, the elsewhere legislation would be the regulations the telco's are confronted with, and looking at.

Ola !

Bert Fortrie


At 12:27 PM 11/14/2002, you wrote:

-- On Thursday, November 14, 2002 12:11 PM -0500
-- Jim Deleskie <[email protected]> supposedly wrote:

Its my understanding that since Akamai is based on DNS resolves if you
where to use the method of blocking it within the DNS system it would
make no difference. Although I'm no Akamai expert.

The issue is really not Akamai or Digital Island or any other service someone might buy.  The end user is completely unaware of the machinations behind the scene, they are just going to type "www.terrorist.com" into their browser.

If "terroris.com" is a Bad Domain and ISPs refuse to resolve anything in that domain, then nothing else can happen.  The first step is the end user's machine going to the ISP's name server asking for the IP address of "www.terrorist.com".  It does not matter if that hostname is CNAME'd to another company / host / whatever, the resolution will stop immediately and the user will be unable to see the web page.

Or they can just use a publicly available web proxy, in which case it will not matter if the domain is Akamaized or not. =)

-Jim

--
TTFN,
patrick