Isn't the most common way to block "illegal websites" just to block it on the DNS owned by the ISP? (which is the one you will automatically use unless you configure something else). And just making their domain point to some website saying the site is blocked. AFAIK this will still work. And the normal workaround of just changing to a different DNS should work as well.
I don't know about other countries, but this never worked in Kazakhstan. They block whole IP ranges and your traffic silently gets dropped. I'm sure that having a single monopolistic ISP helps with implementing this.
I think that this change would mean that, by default, the DNS server used will be specified by Google/Chrome team. If the DNS server were still my router then there's no point to this really.
> the DNS server used will be specified by Google/Chrome team
I don't think that any oppressive regime is going to have any qualms about routing 8.8.8.8 to its own server, or just blocking it. So you use the national DNS or get nothing.
They have (had?) a requirement to block certain sites (e.g., CP), and their CEOs could be sent to jail if they didn't. So from their perspective, Mozilla was not doing a good thing as it was causing them grief in being able to follow the law:
> for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK
Blackhole routing. You set up a /dev/null router with BGP and advertise the IPs you want unreachable, and things get dropped at the network edge.
IMHO, DoH will simply have network operators go from having a light touch on the network with DNS filtering, to a much heavier hand with routing and inspection. Because the regimes and laws that are currently in place won't just magically go away. (Thanks Mozilla.)
The intent is that collateral damage from such actions is so enormous that they become unthinkable. "We'll just block all of Cloudflare's IPs" is like "We'll just ban all Chinese products". OK, so now your economy is in ruins, what next?
China's great firewall for example degrades access to some popular web sites, but it doesn't do a lot of IP blackholing because that hurts China more than they'd like.
They don't have to block all of Cloudflare's IPs. First they block 1.1.1.1 so that DoH doesn't work, then they look at 'known bad' domains and see what they resolve to and start with those.
If there's collateral damage to some other sites, then depending on the 'importance' of what they want to block--oh well.
I doubt they would do blackhole routing, they risk blocking IPs from cloud providers like AWS, Azure and GCP.
Perhaps it's a little naive of me to think that ISP and government would consider that they might block an IP that's only going to do something "illegal" for a short while and then be recycled for something else.
In Turkey, it's DNS + IP blocking. There are rumours of slowing down certain connections, especially social media stuff when something sensational happens.
Correct. However, I believe it's not because the government mandated it. The same website could be blocked differently on different ISPs. For example, when Wikipedia was blocked it was not possible to access it without a VPN from Kablonet but a simple DNS provider change was enough on TurkNET.
The sophisticated one is distributed and also more resilient against workarounds, the powerful one is centralised yet has the ability to process most requests per unit time without visible degradation on connection speed and latency.
Is sniffing of traffic common in other countries?