A German ISP changed their DNS to block my website

More censorship is a good inventive to build really uncensorable protocols that ISPs can't mess with.

It's great to have alternatives but in practice those don't really get adoption (until a catastrophe has already happened) and during regular times their usage tends to put a target on your back.

These protocols or revisions already exist - DNSSEC at the site level and DoT/DoH at the user level prevent this kind of malicious tampering with responses by the ISP.

The issue is that they're not commonly used, and even if that changes, the ISPs can roll out harder-to-bypass censorship methods like SNI inspection or IP blocks.

And webmasters can, in turn, ramp up the adoption of QUIC, ECH, IPv6, or bury their frontend in some CDN that you can't feasibly "IP ban" without massive collateral damage.

You can't win the war against corporate censorship and malicious anti-freedom politicians through purely technical means. But you can sure make it much harder for them.

No, more censorship is a reason to vote better governments not to find workaround while accepting tyranny.

Ultimately it all ends on the physical layer. Those who control the physical layer can always suppress communication if they choose so. The only protocol ISP can't mess with is having an army big enough (and somehow the commanders of that army has to be motivated not to mess with the protocol for their own purposes).

Imagine if the radios we all carry with us everywhere could be programmed to communicate with each other.

(I'm not sure why I replied here. I guess I'm saying that establishing some kind of mesh network protocol between all cellphones would be a great addition to those other protocols you mentioned.)

Cellular modems are typically locked down completely to shit. But I know of a few LTE chips that can be obtained with no pre-burned vendor boot keys, and also have the vendor modem sources and toolchains leaked.

These don’t prevent censorship necessarily, they will give you a way to detect it at best.

DNSSEC gives you the ability to verify the DNS response. It doesn’t protect against a straight up packet sniffer or ISP tampering, it just allows you to detect that it has happened.

DoT/DoH are better, they will guarantee you receive the response the resolver wanted you to. And this will prevent ISP-level blocks. But the government can just pressure public resolvers to enact the changes at the public resolver level (as they are now doing in certain European countries).

You can use your own recursive, and this will actually circumvent most censorship (but not hijacking).

Hijacking is actually quite rare. ISPs are usually implementing the blocks at their resolver (or the government is mandating that public resolvers do). To actually block things more predictably, SNI is already very prevalent and generally a better ROI (because you need to have a packet sniffer to do either).

> you can't feasibly "IP ban" without massive collateral damage.

Oh but they can, we are suffering this in Spain every weekend the football league plays.

Tons of Cloudflare IPs sent to a blackhole regardless of how many other non relevant websites are behind.

The protocols already exist. Deploy an I2P router for an effective darknet on the internet, or set up Yggdrasil for a next-generation decentralized & private internet alternative.

An even easier start, just set up unfiltered encrypted DNS on your devices. E.g. Njalla DNS or Mullvad DNS. Or get a good VPN such as Mullvad.

At the same time, keep voting for privacy. And send letters to your politicians!

SNI blocking will hopefully be harder now that Let's Encrypt is rolling out IP certificates, so ECH becomes viable for websites that don't share an IP address with known-good websites (like Cloudflare tunnels). IP blocks will be the only solution on the normal web.

For everything else, there's I2P and Tor.

DNSSEC itself won't help you alone, but the combination of DNSSEC + ODoH/DoT will. Without DNSSEC, your (O)DoH/DoT server can mess with the DNS results as much as your ISP could.

Of course you will need to configure your DNS server/client to do local validation for this, and at most it'll prevent you from falling for scams or other domain foolery.

They block them during games only? Lmao thats some insane lobbying

They do, and they deny they are doing it. The thing works like this: Telefonica owns Movistar, who has the rights to soccer matches. A few webpages offer pirated streams to those matches, behind Cloudflare. Telefonica call the judges and hand them the Cloudflare IP (shared by thousands of sites), who are obviously ignorant about how internet works, through a special "urgent" protocol. As soon as Telefonica has the judge OK, they stop serving Cloudflare, affecting thousands. Their support forums start to boil, but they deny any issue. As soon as the match ends, Cloudflare is back again. This only affects Telefonica and O2 clients.

Some business are really angry because they claim their peak hour of the week is during the matches (e.g. wife buying online while husband watch the match)

In practice, DNSSEC won't do anything for ordinary Internet users, because it runs between recursive resolvers and authority servers, and ordinary users run neither: they use stub resolvers (essentially, "gethostbyname") --- which is why you DHCP-configure a DNS server when you connect to a network. If you were running a recursive resolver, your DNS server would just be "127.0.0.1".

The parent comment is also correct that the best DNSSEC can do for you, in the case where you're not relying on an upstream DNS server for resolution (in which case your ISP can invisibly defeat DNSSEC) is to tell you that a name has been censored.

And, of course, only a tiny fraction of zones on the Internet are signed, and most of them are irrelevant; the signature rate in the Tranco Top 1000 (which includes most popular names in European areas where DNSSEC is enabled by default and security-theatrically keyed by registrars) is below 10%.

DNS-over-HTTPS, on the other hand, does decisively solve this problem --- it allows you to delegate requests to an off-network resolver your ISP doesn't control, and, unlike with DNSSEC, the channel between you and that resolver is end-to-end secure. It also doesn't require anybody to sign their zone, and has never blown up and taken a huge popular site off the Internet for hours at a time, like DNSSEC has.

Whatever else DNSSEC is, it isn't really a solution for the censorship problem.

Wait, does the judge accept each request? I thought at this point LaLiga was giving the ISPs the ranges directly. Plus it's not only Telefonica/O2, this season (started 2 weeks ago) it's also Vodafone, Digi and MasOrange.

And they don't deny doing it, they claim they block Cloudflare because they host piracy, child pornography (how would they know, did they search for it specifically?) and other illegal stuff and their response is basically "complain to Cloudflare" or "those blocks affect only 4 nerds [using Github, Cloudflare tunnels, Docker Hub...] so we aren't going to change anything".

Obviously you need to enable local verification for DNSSEC to do anything in the first place, otherwise the DNS server can just lie about the DNSSEC status. If someone is manually configuring a DoH resolver, they probably have a toggle to do DNSSEC validation nearby.

DNSSEC doesn't prevent censorship, but it does make tampering obvious. Moving the point of trust from my ISP to Cloudflare doesn't solve any problems, Cloudflare still has to comply with national law. DoH is what you use to bypass censorship; DNSSEC is what you use to trust these random DNS servers you find on lists on Github somewhere.

A bit over half the websites I visit use signed zones. All banking and government websites I interact with use it. Foreign websites (especially American ones) don't, but because of the ongoing geopolitical bullshit, American websites are tough to trust even when nobody is meddling with my connection, so I'm not losing much there. That's n=1 and Americans will definitely not benefit because of poor adoption, but that only proves how much different kinds of "normal internet user" there are.

I think we're basically on the same page. With respect to who is or isn't signed, I threw this together so we could stop arguing about it in the abstract on HN:

https://dnssecmenot.fly.dev/