Comments on: Ineffective self-blocking by the National Enquirer http://www.lightbluetouchpaper.org/2010/03/17/ineffective-self-blocking-by-the-national-enquirer/ Security Research, Computer Laboratory, University of Cambridge Fri, 10 Feb 2012 17:31:40 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: FrancisT http://www.lightbluetouchpaper.org/2010/03/17/ineffective-self-blocking-by-the-national-enquirer/comment-page-1/#comment-53102 FrancisT Wed, 24 Mar 2010 09:12:13 +0000 http://www.lightbluetouchpaper.org/?p=1964#comment-53102 FWIW even if google and openDNS both anycast to geographically close servers this approach is pretty poor. Anyone who has a way to access a US based DNS will beat this block - for example people working in multinational companies where DNS requests are (generally) handled by a single central server even though access may be via local routers will discover that they can read the national enquirer. Companies and individuals who want to block UK access would do better to build a blocklist on the firewalls/loadbalancers in front of the DNS that contains all the UK assigned IP address ranges. This is kind of the reverse of what the BBC does for access to iPLayer (at least I think it is, haven't verified this). I'm sure there will be holes even so (e.g. companies with their own IP address ranges in multiple locations and access through VPN tunnels terminating in the US) but it would be hard to prove that access comes from the UK in such cases so Eady & co might not be able to defend a claim of jurisdiction. FWIW even if google and openDNS both anycast to geographically close servers this approach is pretty poor.

Anyone who has a way to access a US based DNS will beat this block – for example people working in multinational companies where DNS requests are (generally) handled by a single central server even though access may be via local routers will discover that they can read the national enquirer.

Companies and individuals who want to block UK access would do better to build a blocklist on the firewalls/loadbalancers in front of the DNS that contains all the UK assigned IP address ranges. This is kind of the reverse of what the BBC does for access to iPLayer (at least I think it is, haven’t verified this). I’m sure there will be holes even so (e.g. companies with their own IP address ranges in multiple locations and access through VPN tunnels terminating in the US) but it would be hard to prove that access comes from the UK in such cases so Eady & co might not be able to defend a claim of jurisdiction.

]]> By: Richard Clayton http://www.lightbluetouchpaper.org/2010/03/17/ineffective-self-blocking-by-the-national-enquirer/comment-page-1/#comment-52628 Richard Clayton Fri, 19 Mar 2010 14:15:10 +0000 http://www.lightbluetouchpaper.org/?p=1964#comment-52628 Update: Testing (rather than speculating) now suggests that OpenDNS will not be suitable for avoiding the National Enquirer block. They use an anycast system for accessing their servers and it looks as if the "nearest" instances are (for the locations I have tried) being given the censored version of the DNS. Update: Testing (rather than speculating) now suggests that OpenDNS will not be suitable for avoiding the National Enquirer block. They use an anycast system for accessing their servers and it looks as if the “nearest” instances are (for the locations I have tried) being given the censored version of the DNS.

]]> By: igb http://www.lightbluetouchpaper.org/2010/03/17/ineffective-self-blocking-by-the-national-enquirer/comment-page-1/#comment-52512 igb Thu, 18 Mar 2010 16:16:02 +0000 http://www.lightbluetouchpaper.org/?p=1964#comment-52512 I have a copy of the first edition of the Ladybird Book you reference. I keep trying to find a way to work a reference into something I write. I have a copy of the first edition of the Ladybird Book you reference. I keep trying to find a way to work a reference into something I write.

]]>