The blocking techniques of at least one major ISP have evolved in the last few months.
It used to be that citizens could simply switch to using a public DNS to get a correct response.
That stopped working a few months ago, and now they are responding with the IP of a government server that mentions the site is banned (I forget the details)…
Anyway, one fix to this man-in-the-middle attack is to use DNSCrypt, which prevents third parties from eavesdropping and/or hijacking your browser.
Encrypting DNS really should be considered best practice now, and it probably belongs in one of the guides somewhere.
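To make the poisoning described in that post concrete, here is a small Python check that builds a DNS A query on the wire, parses the reply by hand (including name-compression pointers), and compares what the ISP's resolver returns against a reference resolver reached over a channel the ISP cannot rewrite (DNSCrypt or Tor, as the thread suggests). This is an added example, not code from the thread or from any ISP; the names under .example and the RFC 5737 addresses are constructed sample data, and the "two unrelated names landing on one address" signal is a heuristic, not a standard.

```python
import socket
import struct

# Constructed sample data (RFC 2606 names, RFC 5737 addresses), not real observations.
SAMPLE_NAMES = ["blocked-a.example", "blocked-b.example", "fine.example"]
SAMPLE_ISP_ANSWERS = {  # the "ISP" resolver points both blocked names at one shared address
    "blocked-a.example": ["192.0.2.1"], "blocked-b.example": ["192.0.2.1"],
    "fine.example": ["203.0.113.7"]}
SAMPLE_REF_ANSWERS = {  # reference resolver, assumed reached over DNSCrypt/Tor
    "blocked-a.example": ["198.51.100.10"], "blocked-b.example": ["198.51.100.20"],
    "fine.example": ["203.0.113.7"]}

def build_query(name, txid=0x1234):
    """Wire-format DNS query for an A record of `name` (RD set, no EDNS)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, after = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: remember where we left off, then jump
            if after is None:
                after = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (after if after is not None else off)

def parse_a_records(msg):
    """Return txid, rcode and the A-record addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "answers": addrs}

def build_response(query, addrs, ttl=300):
    """Fabricate a response to `query`; used only to construct offline sample packets."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query[12:] + rrs

def query_resolver(name, server, timeout=2.0):
    """Live UDP lookup against `server` on port 53 (not exercised by the offline demo)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply = s.recv(512)
    parsed = parse_a_records(reply)
    if parsed["txid"] != struct.unpack(">H", q[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return parsed["answers"]

def find_hijacked(isp_answers, reference_answers):
    """Flag names whose ISP answers share no address with the reference answers.
    'also_given_to' lists other names the ISP pointed at the same address; several
    unrelated names landing on one address is the shape of a shared block page."""
    ip_to_names = {}
    for name, addrs in isp_answers.items():
        for a in addrs:
            ip_to_names.setdefault(a, set()).add(name)
    flagged = {}
    for name, addrs in isp_answers.items():
        if addrs and not set(addrs) & set(reference_answers.get(name, [])):
            shared = set().union(*(ip_to_names[a] for a in addrs)) - {name}
            flagged[name] = {"isp": sorted(set(addrs)), "also_given_to": sorted(shared)}
    return flagged

def demo():
    """Run the constructed sample through the packet builder/parser, then compare."""
    isp = {n: parse_a_records(build_response(build_query(n), SAMPLE_ISP_ANSWERS[n]))["answers"]
           for n in SAMPLE_NAMES}
    ref = {n: parse_a_records(build_response(build_query(n), SAMPLE_REF_ANSWERS[n]))["answers"]
           for n in SAMPLE_NAMES}
    return find_hijacked(isp, ref)

if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: ISP says {info['isp']}, same address also given to {info['also_given_to']}")
```

A mismatch on its own is weak evidence, since CDN-hosted names legitimately resolve differently depending on which resolver asks; the stronger sign is the same address being handed out for several unrelated names. Because the post says plain queries to public resolvers are now intercepted too, the reference answers have to come over DNSCrypt, Tor or similar for the comparison to mean anything.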
No way! This provides a false sense of security when in reality all the other packets after DNS could be intercepted or monitored. What is really needed is a VPN. If ISPs wanted to, they could block/intercept sites on the IP-address/BGP level rather than through DNS anyway.
Yes, but that introduces a lot more load on the network and in particular on essential core or edge routers, so it's not the preferred method. They know people who really want to visit a site will get around it anyway, so DNS poisoning lets them make a show of kowtowing to gov't pressure without making a major change.
IIRC DNS poisoning is used by Telstra against The Pirate Bay. Loading the site via Tor is all it takes to bypass.
Exetel did a blog piece about it years ago. Apparently it is quite easy. They just redirect the IP address to the government/MITM IP and the core router sees it just like any other route, no overhead. The only problem is selective redirecting of shared hosts. For example, if they wanted to block just one page of Wikipedia instead of the entire thing, then they would need to redirect it to a Wikipedia mirror and have that filtering done server side, which would be impractical.
If possible, you could always switch to an OpenNIC DNS server, which would bypass whatever default server your ISP had, but in the long run your ISP will still be able to spot what IP addresses your computer is accessing. CDN networks are usually very accommodating to law enforcement requests for data access, and VPN providers can be legally coerced into retaining logs and providing them to law enforcement on request if that is the domestic law in the jurisdiction in which they are operating.
The only way around this would be to shift completely onto some form of darknet with no external clearnet access, like I2P.
I would personally recommend going through the list of DNS servers on OpenNIC; they also have guides that make it a pretty easy process to change your DNS server.
Good point @Ben, I wasn’t really sure if @bug1 was actually asking the Party to do something because I’m not at all sure what that could look like.
On the DNS front, I would think DNSSEC + DANE and a browser update is probably the best tech around to help create much better trust chains for everyone.