How can it possibly be, that an ISP, which I’m paying for gets to decid, which sites I’m allowed to have access to, and which not?
All the torrenting sites are restricted. I know, I can use VPN, and such… but I want to do it because of my privacy concerns and not because of some higher-up decided to bend over for the lobbying industry.
While on the other hand, if there’s a data breach of a legit big-corp website (looking at you FB), I’m still able to access it, they get fined with a fraction of their revenue, and I’m still left empty-handed. What a hipocracy!!
What comes next? Are they gonna restrict me from using lemmy too, bc some lobbyist doesn’t like the fact that it’s a decentralized system which they have no control over?
Rant, over!
I didn’t even know that my router was using my ISPs DNS, and that I can just ditch it, even though I’m running AdGuard (selfhosted)
…Just don’t use your ISP’s DNS.
Sadly doesn’t work for gov level blocks that look at the SNI rather than blocking at DNS level
Edit: correction from ESNI to SNI
You mean SNI, not ESNI. ESNI is the Encrypted Server Name Indication that gets around that, though the newer ECH (Encrypted Client Hello) is better in many ways. Not all sites support either though.
If I utilise a DNS provider who supports ECH (mullvad) with a browser that supports ECH (Librewolf) will I still not be able to access certain websites? I haven’t come across a website blocked by my ISP yet so don’t know
Bring free on cloudflare makes it widely adopted quickly likely.
It’s also going to break all the firewalls at work which will no longer be able to do dns and http filtering based on set categories like phishing, malware, gore, and porn. I wish I didn’t need to block these things, but users can’t be trusted and not everyone is happy seeing porn and gore on their co-workers screens!
The malware and other malicious site blocking though is me. At every turn users will click the google prompted ad sites, just like the keepass one this week.
Anyway all that’s likely to not work now! I guess all that’s left is to break encryption by adding true mitm with installing certificates on everyone’s machines and making it a proxy. Something I was loathe to do.
It’s still require DoH, right? Not sure what my ISP does, but DoH has very high latency and often timeout on my end, probably to discourage their customers to turn on DoH.
Yeah, even if they miss your DNS request, the ISP can still do a reverse lookup on the destination IP you’re attempting to connect to and just drop the traffic silently. That is pretty rare though, at least in US, mainly because It costs money to enforce restrictions like that at scale, which means blocking things isn’t profitable. However, slurping up your DNS requests can allow them to feed you false error pages, littered with profitable ads, all under the guies of enforcing copyright protections.
It’s pretty much the only way they enforce stuff here in Ukraine. Back in 2015 when the government blocked social media websites tied to Russian companies and in 2022 when .ru domains were blocked, changing your DNS provider didn’t help. I’m not sure about piracy sites, though, because everyone kinda doesn’t care about this stuff here, but I don’t think they would invent other mechanisms when they have a working one that doesn’t rely on DNS.
I don’t know where you’re from and therefore don’t know what laws affect you but unless the ISP is involved in the media game (i.e HBO & AT&T) they don’t care about restricting access. In fact, they’re against it in most scenarios because if a competitor that doesn’t restrict access to piracy related websites exists, that competitor is likely to siphon customers from ISPs who impose restrictions.
On top of that, most ISPs do the absolute bare minimum to restrict your access so that you can bypass it easily, the most common being the modification of DNS records which you can easily bypass by changing your resolver.
TL:DR blame your lawmakers not your isp
The DNS modification is slightly off. Some ISPs check UDP packets since they are insecure and will modify query results regardless of the DNS server you are sending to. Mediacom is known to do this for their billing and DMCA systems. They use DNS redirection to assist in MITMing the connection to load their own certificate to your browser. With that done, they can prepend their own Javascript to the response they receive from whatever web server you are trying to contact. That’s how they get their data usage and DMCA popups loaded when you load up whatever site.
Even if it is not being done for a malicious reason, it is still a malicious practice. Websites can help prevent this by adopting wildcard Subject Alternate Names in their certificates thereby making the redirection much less likely to succeed, but you shouldn’t have to view your own ISP as a threat actor.
They already do restrict you from using lemmy by charging full Internet price for it, and allowing special free data plans for Facebook.
Net neutrality matters.
My state of residence restricts access to certain sites. It’s all bullshit.
Anyway… The ISP is either a common carrier or a content provider. Pick a fucking lane. You can’t have half and half. Either you are responsible for ALL content provided or NONE.
If you choose none then you MUST NOT restrict access to any content.
If you chose ALL then you may restrict content based on what you are willing to take responsibility for. But in that case if someone does something illegal with content you provided you are liable.
No offense but if they can do that you have to blame your government not the ISP… as those are the ones allowing this to happen.
The government are the ones telling the ISPs to do it, not just allowing it.
The government is elected by people who care or don’t care about certain topics
