[LINK] Green light for internet filter plans
Karl Auer
kauer at biplane.com.au
Thu Dec 17 08:59:44 AEDT 2009
On Thu, 2009-12-17 at 01:01 +1100, Tom Koltai wrote:
> I know I've said this before - to the shock of all technical people.
> But the only way I know of filtering in a manageable way is via a root
> server.
Ah - the well known, if hardly compelling, "Argument from Personal
Ignorance".
Root server shenanigans can be trivially circumvented by:
a) setting up a competing root server
b) using a local DNS, or other local mapping system
c) not using the DNS at all, people just publish their IP addresses
Block a port and the traffic moves to another. Use DPI and tunnels will
be used. Block all the tunnels and everything stops.
Besides which, many different services can be hosted behind one name -
web, ftp, IM, email... Block the name and you block them all.
So even if you can detect a connection to a name, you then need to do
additional work to inspect the particular connection. Quite a lot of
quite complicated work. Which itself is easily circumventable.
> Authoritative override on DNS.
There is no such thing. The DNS is a distributed database. It depends on
global cooperation to work. No-one can "override" it, and certainly not
a pipsqueak like Australia.
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
More information about the Link
mailing list