39 replies
18h6m
The title on the website is “Google, Cloudflare & Cisco Will Poison DNS to Stop Piracy Block Circumvention”.
Curious why Cloudflare has been singled out in the submission title?
34 replies
18h7m
Over a decade ago, a ton of tech companies (including Google) coordinated a “blackout the Internet” day of protest against U.S. legislation that would have required them to alter DNS to fight piracy. Interesting that now that France actually does it, they say they will comply.
https://en.m.wikipedia.org/wiki/Protests_against_SOPA_and_PI...
16 replies
17h52m
In the last decade Tech has become part of the establishment. They are one of the dominant controlling forces.
The blackout was _not_ about preserving free speech, or any other moral high road. It was purely about control. Tech hadn’t yet cemented their position as a dominant player and didn’t want to cede the control they had.
Now that they’ve embedded themselves in the ruling class they don’t care as much because they already have control.
7 replies
17h17m
There's also the nuance that while SOPA/PIPA were bills being legislated for potential passage, France is citing laws already in effect.
For better or worse, if you do business in <x> you follow <x>'s laws or GTFO.
5 replies
16h47m
For better or worse, if you do business in <x> you follow <x>'s laws or GTFO.
That does rather imply that the laws are worthless. Obviously there is going to be someone who doesn't do business in France and operates a public DNS server that doesn't censor anything.
Regardless of that, I would challenge your premise. You can violate an unjust law and risk the consequences. And if you get the PR right, there may not even be any consequences:
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
But to your point, this is one of the reasons it's important to get these laws off the books and keep them off the books. Once you have the law, the government gets to choose the test case. You know perfectly well they'll be using it against dissidents and false positives tomorrow, but the test case is going to be some loathsome terrorists or a commercial piracy operation with no shades of grey, and then that's the case that sets the precedent.
They should never be allowed the opportunity.
3 replies
12h42m
Obviously there is going to be someone who doesn't do business in France and operates a public DNS server that doesn't censor anything.
and so when the rights holders notice enough people pirating using dns resolvers they can't force to do anything via the french courts, they'll probably just take it up with the french ISPs and ask for IP blocks of these resolvers. And I'd guess they may already be trying to IP block various piracy sites.
Will be interesting to see them play whack-a-mole. I wonder if at some point France will just start maintaining national blocklists, that if you want to run an ISP or reply to DNS queries from France, you are legally obligated to follow (or get blocked yourself); from the article, it sounds like the current law is significantly short of that so the whack-a-mole will continue.
2 replies
11h7m
Italy has the system you're thinking of. It's called Piracy Shield. Upon receiving a blocking request from the government through the automated system developed for this purpose, all ISPs are required to block the domain or IP within 30 minutes or else their CEOs could be criminally charged and go to jail.
1 replies
8h4m
Does it work in practice? The Russian censorship machine has only reached these kinds of reaction times in the last year or so, and they had to boil the frog for a decade to achieve that.
0 replies
6h12m
Things can change very quickly when CEOs are threatened with jail time. Maybe we should try it more often.
0 replies
7h20m
The correct link for that Wikipedia page is https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d... :-)
0 replies
15h38m
Yeah! Like Uber, or AirBnB! wait, hold on.
4 replies
17h21m
Tech has always been part of the establishment, funded by capital trying to solve capital's problems. The only part of tech that really deviates from this is the free software community, which has always been hostile to capital. The blackout day emerged from people, not the industry, and people have changed.
1 replies
13h43m
idunno, I remember when everything cool I found on the internet was on a .edu domain, because that's almost all there was. But yeah, capitalist tech has always been part of the establishment. A lot of the good stuff comes from non-profit-related motivations, fortunately.
0 replies
1h11m
I remember how I used to call a BBS rather than go to the internet because there was much more than just universities and their research - took a long time until there wasn't a reason to call the BBS, around the point when all the people moved their content.
1 replies
12h29m
funded by capital trying to solve capital's problems
Is this parody?
Should we start against the trade unions and German barbarians next? (The latter to avenge Varus and recapture the Eagles.)
0 replies
10h0m
Parody?
It's obvious, and common sense.
0 replies
13h22m
If they had control they wouldn’t comply
0 replies
17h47m
This is the right line of thinking. My interpretation is slightly different - I think the tech companies have run afoul of various norms when it comes to things like the privacy of customers, anti-trust, taxation, etc. Because they are now reliant on these unethical ways of holding onto economic power or growing their economic power, they need to not get into trouble with governments. This means playing nice with them so that they do not become subject to legislation that will rein them in.
0 replies
16h9m
What? The tech ( dns in this case) is as neutral as you can get, these are french courts ordering the block, and the dns technicians are controlled by american corps. Dns just executes the orders of the corp, which in turn obeys the local courts.
Tech is under corp in the chain or command, which in turn is under national law.
Gross lack of extra-technical nuance here.
11 replies
16h58m
Same with tech and China. They fold like paper without any protest:
https://www.nytimes.com/2021/05/17/technology/apple-china-ce...
Chinese state employees physically manage the computers. Apple abandoned the encryption technology it used elsewhere after China would not allow it. And the digital keys that unlock information on those computers are stored in the data centers they’re meant to secure.10 replies
15h21m
Apple have repeatedly thrown their customers under the bus especially in China. At least Google had the courage to withdraw entirely.
3 replies
14h49m
Google never left China, they literally just moved to a new building on the other side of the road (in Zhongguancun, Beijing). They even “left a couple of boxes there”[1].
[1] Blum, Andrew, Tubes: A Journey to the Center of the Internet. New York, Ecco, 2012. https://archive.org/details/unset0000unse_p9b6
2 replies
11h26m
You can't even install the play store in China... Google hasn't been accessible there since in 15 years.
You can buy an iPhone there today, and Apple has agreements with China to hand over user data and has done so in the past.
0 replies
11h4m
Apple has a datacenter in Gui’an New Area, Guiyang, Guizhou, China (run by GCBD[1]).
[1] https://www.apple.com/legal/internet-services/icloud/en/gcbd...
0 replies
10h9m
You can't even install the play store in China... Google hasn't been accessible there since in 15 years.
You and GP are both correct. Most Google services are not accessible in China but Google the company still has a significant presence there.
2 replies
13h2m
Google employees had the courage to force Google to pretend to withdraw.
1 replies
11h4m
But rarely do they have the courage to quit their jobs or go on strike, when Google does the next anti privacy thing.
0 replies
6h11m
They tried it against Google's support of Israel and were immediately fired.
0 replies
8h59m
Google had zero courage and went fully under Putin and helped him to silence Russian opposition (Navalny) during the crucial pre-election time.
Telegram did the same, btw.
0 replies
13h20m
Apple leaving china does essentially nothing, the people there won’t get end to end encryption either way
0 replies
9h14m
This is why I can never take their current alleged passion for privacy fully seriously. Sure, I do appreciate some of the features they're coming out with, but I don't trust them to not eventually drop this marketing angle and pull rugs when it's no longer profitable
1 replies
18h2m
Piracy is simply Terrible, it's chopping the dear copyright holders off at the knees, they are frequently having to go on food stamps, and it's unclear how they'll continue on.
/s
Fighting online piracy: First world, or even zeroth world problem.
It's not loke the pirates are saying "hmm, should I pay exorbitant rates for this or should I pirate it?"
The real competition is alternatives: "should I bother pirating this or just go do some other activity."
Bottom line: In most cases it's actually free marketing, and has a net positive effect for the copyright holders. The continual attempts to aggressively clamp down really says a lot about the mentality of the Big Market Forces, *iaa, *aa, and now MS and Elgoog. Even when it's good fertilizer for their perpetual evergreen money tree, they still flip out.
0 replies
13h2m
It's all about profit protectionism of the moats around streaming to enforce the arbitrary extraction of gotcha capitalism subscription fees from as many people as possible for as much as possible.
0 replies
16h54m
It was not about standing up against IP juggernauts in the interest of users, but in the interest of themselves -- it was tech companies flexing their strength to show that cooperation with tech companies was required, and that they are open to cooperation in other ways too.
0 replies
2h51m
I think these firms are all compromised. Poisoning dns is such a bad idea.
0 replies
13h4m
Yep. Net neutrality, my left foot. MAANG are all about participating in PRISM, monopolizing access, and choosing who can and can't speak because they compromise a for-profit, oligopolic, technocratic cartel.
12 replies
17h55m
Hilarious how the article mentions the domain names at the end. It's like Google showing links of DMCA-striken lists, so you can easily find out the actual places to pirate.
3 replies
14h48m
But these names aren't resolvable (through compliant resolvers), while the transparency links would be.
1 replies
10h1m
They aren't resolvable with the listed in the article DNS providers, which makes it easy to find the other ones such as Quad9.
0 replies
7h55m
9.9.9.9
0 replies
12h14m
only in France
3 replies
17h22m
Will read the article now thank you
2 replies
9h42m
This kind of comment is best left on reddit to keep the signal-to-noise ratio on HN as high as possible.
Just hit that upvote button instead. :)
0 replies
5h59m
Where do comments calling something Reddit-tier go?
Please don't post comments saying that HN is turning into Reddit.
0 replies
3h49m
What if I'd want to warn users that the list really only encompasses sports related domains? Genuinely want to follow the etiquette here, but I like being useful.
1 replies
7h33m
It's like Google showing links of DMCA-striken lists
Used to be like that. Now they have renamed “Chilling Effects” to “Lumen Database” and require submitting an email address to view each individual complaint.
0 replies
3h14m
It still shows the domains for me, which is super useful, since I just go to the domain directly and then search again there
0 replies
7h56m
Yes, censorship by establishment makes public curious. Often it is best PR of those sites.
0 replies
16h30m
Streisand effect.
11 replies
16h57m
It is times like this that I recommend technically inclined people to try setting up your own dns resolver and see how minimal impact a few/handful of milliseconds on first access has on the internet experience. Practically all popular domains also uses some form of anycast network, so the benefit of a single large shared resolver that caches the dns answers has steadily decreased each year.
Just make sure its not configured to be a public resolver, and only allow local network or whitelisted addresses.
8 replies
16h51m
Setting up your own recursive DNS resolver to circumvent ISP blocks is pointless unless you do so on a VPS or something, because otherwise, your ISP will just hijack the recursive queries it makes. And DNSSEC doesn't help if the ISP just wants to block you from learning the real IP.
3 replies
14h9m
your ISP will just hijack the recursive queries it makes
This level of deep packet inspection and injection is not what ISPs commonly do in my experience. At this point, it is much easier to just block the service's IP addresses than deep-inspect DNS traffic and match the query identifier and stuff to inject a false response. Why spend that engineering time when people will just fix the DNS server and can access the site directly? Might as well force people to set up a full tunnel (such as a VPN) to bypass the block, if your ISP or court order shows this level of motivation anyway.
Insofar as I've experienced these things: fetching the mapping yourself, from a server not operated by your ISP, will circumvent DNS blocks your ISP was ordered to put in place.
Currently I've got live access to one such blocking mechanism:
$ dig +short thepiratebay.org
195.121.82.125
$ dig +short +trace thepiratebay.org | tail -1
A 162.159.137.6 from server 172.64.35.164 in 5 ms.
The first IP address is a block page (accessible from outside the network, if anyone wants to take a look), the second one of the real IP addresses
2 replies
13h49m
At this point, it is much easier to just block the service's IP addresses than deep-inspect DNS traffic and match the query identifier and stuff to inject a false response. Why spend that engineering time when people will just fix the DNS server and can access the site directly?
Because IP addresses can change frequently, and also because if a site is behind a CDN, that would cause a lot of collateral damage.
The first IP address is a block page (accessible from outside the network, if anyone wants to take a look), the second one of the real IP addresses
Okay, so your ISP's particular blocking mechanism doesn't hijack recursive queries. But others do.
1 replies
4h49m
Could you give a example of such ISP? I have seen ISP block all DNS traffic beyond to their own server, but those have been fairly locked networks like hotel wifi. It is much cheaper, safer, and less fragile to just block everything and force customers to the isp own servers. DPI and traffic injection carries risk of false positives and minor engineering mistakes can create large support costs, and would really only be beneficial if the intention is to hide the fact of the block.
0 replies
49m
It is much cheaper, safer, and less fragile to just block everything and force customers to the isp own servers.
Sure, that's common too. But that also precludes you from running your own recursive resolver to circumvent their blocks.
2 replies
16h42m
I’ve heard this before. Is there a way to reliably detect if this is occurring or case studies of where this has occurred?
Edit: I assume dns over https prevents this also, right?
0 replies
16h12m
Yes, DoH prevents that, unless the DoH provider is in on it too, which most of the major ones are now, as this article is about.
0 replies
16h35m
DNSSEC would reveal that it's happening straight away, but that doesn't get you the IP address.
Of course, as mentioned putting your recursive DNS server on a cheap VPS somewhere that doesn't hack your connection would.
0 replies
13h31m
DJB was right.
0 replies
16h50m
This was a big surprise for me when I set up a local DNS for work. Everything suddenly felt much snappier.
0 replies
11h6m
8 replies
17h45m
Is there some decentralized anti-censorship technology that can prevent this type of action, where ISPs and DNS providers and other points of centralization are forced to implement things on behalf of other parties (like Canal+ or a government)?
3 replies
17h14m
No.
No matter how decentralized something is, ultimately you need to have a server and cables connecting it to the internet located somewhere. That somewhere will be within some legal entity or sovereign's jurisdiction which you must answer to and comply with.
1 replies
16h2m
As long as the protocol is easy to detect and block.
If whatever technology that is being used is so intertwined into the base of all use cases (including totally legal) and legal vs. illegal is practically indistinguishable at scale, then decentralization cannot be blocked without physically blocking all the legal use cases too: sure they can "cut cables" but it will have much more greater consequences as they have just cut cables connecting all the legal activity too.
0 replies
12h35m
I mean, this is literally a case of killing off the general infrastructure to stop illegal activities.
DNS can be used for both legal and illegal purposes, and the French courts authorized dropping nukes on them to stop illegal activities with no damns given to the legal because the laws cited provided no such safeguards or reservations.
0 replies
11h9m
Have you ever used Tor?
2 replies
17h37m
Decentralized and global consensus are contradictory properties, in order to have an otherwise arbitrary ASCII string resolve to a particular machine EVERYWHERE, you need a central authority to say who's who.
If you just want to prevent other central authorities (e.g. France) from barging in on the existing central authorities your computer expects to get answers from (e.g. ICANN, Verisign etc) there are plenty of projects for semiuncensoring DNS in a distributed way. But nobody is stopping, say, the US from doing to ICANN or Verisign what France is doing to CloudFlare and Google.
1 replies
17h10m
Decentralized and global consensus are contradictory properties
That's literally what blockchain solves. ENS (Ethereum Naming Service) already does this.
0 replies
11h8m
The ethereum block chain is centralized - it may not have a geographical location, but there's still only one of it. In a global partition there become zero of it (only two incorrect fragments), not two of it.
Other people have even argued that blockchains are states - as in governments, not as in distributed state replication protocols.
0 replies
17h5m
Well there are a couple of ways one can do this!
1. Recursively lookup DNS, so domains will have to be blocked at the registrar level, since DNS is unencrypted, it can be blocked at ISP level as well.
2. Use a protocol alternative to DNS, a good mature example is GNS. It aims to replace DNS, with a built from group up, modernish protocol. Using a DHT and public-key cryptography.
3. There are "block chain" solutions to the whole domain problem, look at Handshake, ENS etc.
5 replies
9h20m
You know what would stop these judical overreaches? If rampant piracy stopped. Watching sports is not essential utility, this is not some moral dilemma "is it acceptable to steal bread to feed starving children", its more just "is it acceptable to steal champagne for partying"
2 replies
6h14m
Logical extensions of this principle:
* Domestic abuse is the victim's fault because they shouldn't have made their partner angry. * The Chinese GFW is the fault of the people who criticized the government. They shouldn't criticize the government. * Israel indiscriminately bombing Gaza is the fault of the Gazans who fought back the last time Israel did that. * The Holocaust is the Jews' fault for not fleeing the country sooner.
I don't think it's a good principle.
1 replies
2h49m
* Domestic abuse is the victim's fault because they shouldn't have made their partner angry. * The Chinese GFW is the fault of the people who criticized the government. They shouldn't criticize the government. * Israel indiscriminately bombing Gaza is the fault of the Gazans who fought back the last time Israel did that. * The Holocaust is the Jews' fault for not fleeing the country sooner.
Except in all those cases, you can vaguely make the case that the "victims" were in the right (eg. the right to be not physically assaulted). It's far more questionable to claim that people have the right to free live sports streaming.
0 replies
53m
Doesn't matter. Even if you have no right to be annoying, being annoying doesn't justify punching you in the face. Even if you have no right to kill 100 people, killing 100 people still doesn't justify killing 50000 people. Even if you have no right to watch sportsball, watching sportsball doesn't justify shutting down the Internet.
1 replies
8h53m
Rampant? Read the article before commenting, they are talking about 800 people in the whole of France.
It's clearly not about severity, but about control. They would try the overreach even if there is no damage to be found (like using ridiculous "this is the money we lost" calculations).
0 replies
2h52m
Rampant? Read the article before commenting, they are talking about 800 people in the whole of France.
800 is the figure given by google's attorney for people that would be affected by the block enforced by public DNS servers, not the total amount of "rampant piracy" that's going on.
5 replies
16h50m
https://www.mic.com/articles/85987/turkish-protesters-are-sp...
Repressive governments have a history of legal orders telling Google to block protestors from accessing twitter.com but Google always refuses to comply. So their new policy of complying isn't about legality. France is a big market. Perhaps it's about money.
3 replies
16h44m
Uh, there's nothing in your link about a government ordering Google to block Twitter? Since you say this is a common occurence, I'm guessing it'll be easy for you to find a source that actually supports your claim.
2 replies
15h56m
I think the main point is that it's trivial for people to circumvent the DNS level block by simply finding new DNS servers (in this case something other than local ISPs, Google, CF etc... still many out there) by asking others or simple googling here and there, and in extreme cases, at a physical level as in the article.
1 replies
14h47m
I don't understand where you got that "main point" from; nothing in the GP's comment is about that or anything tangential to that.
0 replies
12h39m
I think it's quite obvious but YMMV.
0 replies
13h50m
France is not a big market for Google.
The entire ad revenue market (desktop + mobile + social + ....) in France, in 2023, was 5.8 billion dollars (The spread in public sources data seems to be 5.0billion-6.2 billion, so i just took the high side)
1. Google made over $240 billion in ad revenue in 2023, so even if it had 100% of all ads revenue in France, France would only account for 2.5% of Google's revenue.
2. However, Google's share in France is nowhere close to 100%. Search + Display overall is currently sitting at 20-25% of the french ad revenue above (same sources). Let's assume Google has 100% market share in France in those areas.
Then France would account for about 1.25 billion dollars of revenue for google, or about 0.5 percent of Google's revenue. Which is not a lot.
But it's still something. Or it would be, except:
3. France has fined Google 224 million so far in 2024.
Google's margins are around 25%. So that 1.25 billion of revenue produces around 312.5 million of profit. Maybe less
Of which they've been fined 224 million :)
If Google gets fined in France again this year, it would probably be operating at a loss.
5 replies
18h6m
Total non-sense - just pushes people to use VPN or their own custom DNS which tunnels back to 1.1.1.1 or whatever.
4 replies
16h58m
Or just footybite.cc will become footybite1.cc, then footybite2.cc... so on. The people writing these laws are seemingly clueless about the internet. Or perhaps, the lawyers just don't care as they are getting paid.
3 replies
16h46m
How will users find the new domains? If they can reliability do so then dns is not needed in the first place. If not, then the laws are effective.
0 replies
8h3m
"Hey leloctai, what's the new URL for <torrent_site>?"
0 replies
1h2m
There are almost certainly aggregate sites that will share the new domains, messages boards, social media, instant messaging, etc. Word of the new domains will travel very quickly.
Hell, they could setup their own public DNS outside of France and suggest users use that. Users already switched from local/ISP DNS to Cloudflare / Google because of the previous law so that is not a big hurdle (ignoring the obvious security problem - many users won't care they just want to watch the game).
My point though is that these laws will be very easy to bypass just like most anti piracy laws before it. Note that The Pirate Bay is still up and running.
0 replies
16h40m
Twitter and Wikipedia as a source to locate the actual dns address worked for the pirate bay back in the day, I assume if nothing else piracy sites would not be afraid to just use raw ip addresses.
3 replies
6h54m
If you need to poison the DNS by court order. Can you also just poison the requestees DNS entries? E.g. Canal+ own websites?
1 replies
2h58m
Childishness aside, this is a dumb idea because it's going to piss off more users than appease. Most don't care about the struggle for internet freedom or whatever, and just want their sites to work. For them blocking legitimate sites a sign that their ISP is broken, especially when their friends/colleges report that it's working fine on their connections. Moreover blocking illegal streaming sites is court sanctioned whereas blocking the plaintiff's sites is not, and likely expose them to getting sued for tortious interference or similar.
0 replies
1h15m
You could just redirect it to the page they need to show for the bad sites :)
0 replies
6h33m
That is really good point. The court is basically giving them permission to do this, by asking them to not have net neutrality.
3 replies
12h19m
I wonder if it's possible to just use Yandex DNS. Russia won't comply obviously.
1 replies
12h8m
With this DNS provider, I would be equally if not more worried about what the Russian government forces Yandex to block or censor.
0 replies
12h3m
Just add 1.1.1.1 as the second dns server
0 replies
6h30m
Also, Yandex search is the best for certain search queries that google and American companies want/forced to remove.
3 replies
16h38m
I’ve always been curious why dns is a go-to for oppressing unwanted websites. Is it truly difficult to block at an IP level? There would be collateral damage in doing so, but it wouldn’t take long for most VPS providers to dump piracy sites if the alternate is their entire network block being dropped.
1 replies
16h17m
A good amount of these websites are proxied by Cloudflare, so you're connecting to CF and CF connects to the website.
And many websites use CF, so if you were to block a CF IP, you'd block a whole bunch of websites.
0 replies
6h42m
In that case, what makes Cloudflare immune to court ordered blocks?
0 replies
16h14m
You've identified exactly the problem. They'd be blocking thousands of unrelated innocent websites. Also, changing your IP address is really easy.
3 replies
9h34m
That's easy to circumvent.
A VPS host running DNS resolver and point your boxes to it.
You're welcome.
2 replies
9h33m
Unless France starts blocking DNS port 53/udp and 53/tcp and start whitelisting DNS servers ... :-/
1 replies
9h27m
This would be the point where DNS over HTTPS would save the day if it had more widespread adoption..
0 replies
4h16m
And ultimately DNS over TCP should it further devolves into.
3 replies
16h6m
Alternative title:
French courts order American DNS providers to block unlicensed sports streaming websites.
1 replies
2h42m
*American multinationals
Your claim would make sense if they had no operations in France, but I highly doubt that's the case. If you operate in those countries, you have to comply with their laws. The fact that your company is incorporated elsewhere is irrelevant.
0 replies
1h55m
I agree. It would be pretty wild for courts to issue an order for something outside french soil.
0 replies
15h5m
While refuting the fact that said unlicensed streaming websites are not hosted on American DNS servers.
3 replies
11h47m
So, with 1.1.1.1 and 8.8.8.8 being useless then, what DNS Server is recommended going forward?
1 replies
11h41m
Maybe opendns or nextdns?
0 replies
8h27m
Opendns is literally cisco umbrella with less features. Which is one of the companies in the title.
0 replies
8h0m
Personally I use quad9 (https://www.quad9.net)
2 replies
13h0m
It is funny how the article lists the blocked websites and what content could be found there. Barbara strikes again.
1 replies
12h59m
are you not aware of torrentfreak?
0 replies
12h36m
I'm, but it is still funny.
2 replies
16h58m
A great example of why you should be running your own validating recursor instead of relying on a third party
1 replies
16h16m
Can you elaborate on the validating part?
0 replies
15h7m
https://www.icann.org/resources/pages/dnssec-what-is-it-why-...
And how to enable it on `unbound` https://www.howtoforge.com/how-to-set-up-local-dns-with-unbo...
2 replies
15h58m
This looks like such a non issue to be honest. Government branches should have technical and legal capabilities to block domestic and foreign hosts. Legitimate foreign service providers, should either comply with local government, cease operations in that country, or be prepared for war.
1 replies
12h13m
Wouldn't China's GFW be considered a good thing by that argument?
0 replies
2h48m
Not a fan of categorizing stuff as good or bad.
But yes, countries should have control over their borders, both physical and digital.
2 replies
17h58m
I personally have zero interest in streaming soccer games, but the process involved here does leave me wondering just how resilient 1.1.1.1/9.9.9.9 (which I use with https-dns-proxy because I basically don't trust the business side of my local telco/cable monopolies as far as I can throw them) really are in practice. I'm starting to feel like someone should bring back ORSN and throw some (cryptocurrency-free, old-school cypherpunk) Merkle tree or DHT magic on top of it or something.
1 replies
16h30m
I mean, there are already issues with 1.1.1.1 where archive.is/.vn/etc sites don't work. I know this is due to that site's admin specifically blocking cloudflare, but it already happens. The real answer is to run your own recursive DNS resolver. It's not for the complete technical novice but it's the same amount of work as setting up pihole and requires the same amount of low-spec hardware. I don't think this is out of reach for anyone who is already using a non-default DNS, since with the reconfigured images available it really isn't too much of a lift.
0 replies
8h51m
Could you please share names/links?
1 replies
17h38m
One of the interesting technical questions is how these vendors will choose to reflect the forbidden DNS entries in protocols like DoH where they have a choice. For example a reasonable thing for a DoH server to say when asked a DNS question it has been forbidden to answer truthfully, is HTTP 451 Unavailable for Legal Reasons.
0 replies
14m
That would be a layer/protocol violation. The HTTP status codes used in DoH are used to discuss the semantics of the DNS query itself, unrelated to the DNS response. For example an NXDOMAIN response is still a 200, not a 404.
Edit: for what it’s worth, Google is doing this the “right” way in the DNS protocol itself, see: https://news.ycombinator.com/item?id=40698650
1 replies
10h51m
This is a great opportunity for a VPN provider to come up with an extra product being a paid DNS resolver.
0 replies
5h17m
Mullvad has it and it's not even paid, it's free.
1 replies
11h57m
So if you're using something like a pihole, and provided you're not using any of the mentioned companies, your go to go?
0 replies
2h47m
AFAIK pihole still relies on an external recursive resolver (at least by default), so you'd still be subject to whatever blocks your ISP/cloudflare/google imposes.
1 replies
17h11m
Couldn't Cloudflare route these DNS queries outside the country, and therefore not be subject to French laws?
0 replies
16h54m
They could, but it would be weird. They use anycast for their DNS, so it will land on the French server before they know what the query is. There isn't really a way to tell a client, "no go to another server with the same IP address". But also they still want all the other French traffic to go to the French servers for performance reasons, so they wouldn't want to send all French traffic outside the country.
0 replies
18h3m
If it is what public DNS providers do, then they should get a bad reputation and then people should not use them. People can make their own, and/or to just use IP addresses directly (or other methods) if they know what they are from other sources. You can also use the hosts file.
0 replies
10h24m
There are many such local laws limitations that big techs have to bow to (that smaller obscure companies choose not to). For example, Google won't offer its VPN service as part of Google One in India. Whereas, proton/mullvad works just fine.
0 replies
17h53m
Well that could be considered a pretty useful list
0 replies
17h57m
The only provider here who is stated to have said they will be complying is Google, right? So not only is singling out cloudflare incorrect, the title itself is incorrect. “French court orders Cloudflare, Google, and Cisco to poison DNS to stop piracy block circumvention” is the correct title for the article contents, possibly with an addendum of Google saying it will comply.
0 replies
12h31m
Wonder why they don't just go after the DNS registrars for these domains, or the DNS root servers.
0 replies
15h51m
rightsholders can demand “all proportionate measures likely to prevent or put an end to this infringement, against any person likely to contribute to remedying it.”
Rightsholder: "Let's see, life insurance payouts are €1M and we are losing at least €50M to these sites, so..."
0 replies
15h36m
I'm sure that will work.
(too bad HN can't load my sarcasm font)
0 replies
15h36m
I’d just add the IPs to my LMHOSTS file (Windows) if I really wanted to watch sports badly enough. I mean, I was doing that back in the day for local development anyway.
0 replies
4h2m
No mention in dns0.eu, which is what I use and also hosted in the EU.
0 replies
13h19m
Only in France?
0 replies
9h19m
In Italy we gave rights to a private company to tell all ISPs what sites should be blocked by ip. Eventually, other websites go down when some cloudflare ip gets blocked
0 replies
13h15m
A new law requires plant shops to stop selling poisonous plants. If people really want to grow these plants they will find a way. Nature still exists.
0 replies
1h3m
Technically, google did it right (using the "censored" error code: https://datatracker.ietf.org/doc/html/rfc8914#name-extended-...):
root@jack:~# dig footybite.cc @8.8.8.8
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> footybite.cc
@8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14528
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 16 (Censored): (The requested domain is on a court
ordered copyright piracy blocklist for FR (ISO country
code). To learn more about this specific removal, please
visit https://lumendatabase.org/notices/41606068.)
;; QUESTION SECTION:
;footybite.cc. IN A
;; Query time: 7 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Jun 16 19:24:29 CEST 2024
;; MSG SIZE rcvd: 2430 replies
16h2m
"A French court has ordered Google, Cloudflare, and Cisco to poison their DNS resolvers to prevent circumvention of blocking measures, targeting around 117 pirate sports streaming domains."
Most if not all of these domains probably use Cloudflare as their authoritative DNS servers because they are using Cloudflare CDN. Why not just ask Cloudflare to "poison" those RRs. No need to issue orders to a selection of cache operators.
Same concern here.
Also, the phrasing in both, but especially the HN title made me think Cloudflare chose to do something, but it turns out the French court is forcing all of them.
They could fight and choose not to. They could ignore this and choose not to. They deserve our judgement for that
They did fight it in court. They lost.
I'm surprised you're so keen on having big tech companies intentionally ignore court orders and just break the law. Like, it's obviously something none of us should want.
Why should we not want this when the law is bad? The government should face pushback from all sides when attempting something odious.
It's a democratic country. The voters decide if the laws their government passes are bad or not.
There is actually no evidence this is the case, and there is evidence it is the opposite - that the less voters support something, the more likely it is to pass.
This claim appears blatantly false.
If being unpopular makes a law more likely to pass, then surely the French government tars and feathers all French children every other week.
No, they don't, since the voters would prevent that by voting for a different government.
That law was never proposed. Only laws that are beneficial to the ruling class get proposed.
Obviously the claim exists within the space of bills that somebody actually wants. The premise is that things major industries or politically connected plutocrats want get passed over the interests of the general public for all of the usual reasons, not that things nobody wants get passed without explanation.
One answers is that this case isn't actually a bad law. This appears to be blatant organized piracy. What's odious about copyright laws? This also appears to be pretty much the gold standard of due process. It's not like somebody submitting automated DMCA requests on videos with silent audio tracks or something. It's a court order for these specific domains, which would have been carefully curated and has been quite literally litigated.
The other answer is that you really don't want big corporations to be ignoring laws they don't like, because odds are pretty good that your list of bad laws doesn't match theirs. Countries have sovereignty. If a company doesn't want to obey those laws, they should not operate in that country. If the law really were bad, the way you'd actually fix this is by the democratic process. That's up to the voters, not foreign corporations.
It's censoring DNS. That's a bad precedent. The technical capacity to do it shouldn't exist because otherwise it will be used for every other form of censorship, and deprive democratic countries of any moral or technical authority to object when authoritarian countries want to do it.
It will also be ineffective, leading for calls to make it effective, but the only way to do that is totalitarianism. There is no good that comes from setting out on that road.
Ignoring the law doesn't get them out of paying the penalty, but penalties are meant to be sane, not some Hollywood accounting nonsense where one person watching one illicit stream of a sporting event causes the event organizers six billion dollars in damages. Then if Cloudflare wants to say "yeah, we're not doing that" and just pay the $100,000 dollar fine, it's clear that they're standing on principle -- they're paying $100,000 in exchange for ostensibly nothing -- and there is nothing wrong with that. The purpose of the penalty is to deter the underlying wrongdoing, not to deter civil disobedience. Anyone should be able to say "I am going to suffer the consequences of this because my principles are worth more than the fine" without having some authoritarians ratchet up the penalty to infinity.
Democratic countries have checks and balances. One of the checks and balances is that if you pass a law people don't respect, they don't respect it. Then you have to choose between punishing not the evildoers, but the principled idealists -- or repealing the law.
France uses a sane legal system based on civil law, so precedents rarely matter. In this case the Sports Code says that piracy is bad and operators can be requested to block piracy websites if they're used and "harm" rights holders. That doesn't mean that tomorrow in a random case not related to sports piracy a judge can refer to that law and order censoring of other DNS entries.
Precedents aren't just in courts. People see something being done and then they want to do it too. If the law requires this then people who want to build systems that make it impossible would be in violation, which deters those systems from being built for the people who really need them.
There's a really bad equilibrium where every country (or at least every country big enough to have BigTech workers in their country) figures out they can globally censor the internet by using the assets and people of those companies as leverage. Then we would have Americans having their internet censored by every foreign power except China and Russia, where BigTech have largely left.
And it would all be done under the color of local law.
I see nothing in this article suggesting that the court order is for a global block, rather than a regional one. Do you have a source for that?
Does Cloudflare operate different 1.1.1.1s for each country?
It's not required that they do so in order to implement a France only block. They just geolocate the requesting IP, and give different answers based on that. Same as Netflix or any other provider geo blocking there content, with the same workarounds.
But also, in answer to your question, sort of, yes. 1.1.1.1 is any cast so that users will be routed to a server geographically near them. So then 1.1.1.1 a user gets in the US is quite literally a different one than a user in France will get.
The venn diagram of people who are technically savvy enough to be able to alter their dns records and people who can and will use a VPN to work around an ip geolocation block is almost a single circle.
There is other alternative, such as: get rid of their DNS service entirely, or make a petition for changing these laws.
Making a petition to change the laws sounds like a great way of achieving nothing. It will certainly not mean you get to ignore the court orders.
Shutting down public DNS in France would be an option (a garbage option that nobody would actually choose in this case and that'd solve nothing, but an option nonetheless). That's not what dmitrygr was asking for though. They want big tech companies to ignore legitimate court orders to protect some scummy football pirate sites.
What good would getting rid of their DNS service do?
Is a non-French company obligated to obey a French court order? I can probably name a few countries where most US companies won't enforce the court order from them
They have paying customers in France/they operate their business in France for a profit. Just because their headquarters aren’t there doesn’t make it a non-French related business.
The article is too thin to know what, if any fight was had.
I suspect France could find a way to make things very difficult for them all.
I suppose they could withdraw their service from the country in protest, but it's not obvious that would leave anyone better off.
It's a difficult call and I'm not prepared to harshly judge an organization for complying with a legal, enforceable injunction.
If you want to judge someone so badly, why not go after the politicians who are creating these despicable policies?
They're the most respected / most surprising?
Respected by who?
Respect might not be the right word, but during their meteoric rise to popularity in the past decade they have consistently shouted “we don’t moderate content, we’re just a dumb pipe, don’t take this up with us take it up with the publisher!”
In the past 3 years or so they have repeatedly proven that to be a lie; they weren’t able to have their cake and eat it too. But their old reputation still sticks around amongst people who don’t follow the space that closely.
Doubtful.
Fixed now, although leaving out the court order is also misleading.
If anyone wants to suggest an accurate, neutral title that gets it all under the 80 char limit, we can change it again.
Asked ChatGPT, it came up with this
Court Orders Google, Cloudflare & Cisco to Poison DNS to Stop Piracy
Not bad - I've consed "French" onto it and put it above.
Google, Cloudflare, and Cisco will poison DNS to Block Piracy as Ordered by Court
Also, the country (france) is ordering the "poisoning", these american companies just comply with local regulations.
Heavily biased article.
Remember that dns/ip systems are decentralized at the national precisely so that countries have sovereignity.
The editorial line would have us believe that france is committing a free speech crime or overturning internet infrastructure, while in actuality they are exherting their national rights.
This is literally just a framing issue. Note first that people generally believe in universal human rights, e.g. states shouldn't be allowed to do horrible things (e.g. genocide) just because they would be asserting their national rights.
Further the action of a single state often influences other states, as is especially true when it comes to the internet which is global by nature.
If you are comparing genocide with blocking pirating websites, I'm out
Probably because HN limits titles to 80 characters, so OP had to choose one to get under the limit.
No, it's editorialising. The original title "Google, Cloudflare & Cisco Will Poison DNS to Stop Piracy Block Circumvention" is 77 characters.
Google runs widely used public DNS server 8.8.8.8
Cloudflare runs widely used public DNS server 1.1.1.1
That's my guess why these two companies were singled out.