Hacker News
by throw0101a 2221 days ago
Blackhole routing. You set up a /dev/null router with BGP and advertise the IPs you want unreachable, and things get dropped at the network edge.

IMHO, DoH will simply have network operators go from having a light touch on the network with DNS filtering, to a much heavier hand with routing and inspection. Because the regimes and laws that are currently in place won't just magically go away. (Thanks Mozilla.)


The intent is that collateral damage from such actions is so enormous that they become unthinkable. "We'll just block all of Cloudflare's IPs" is like "We'll just ban all Chinese products". OK, so now your economy is in ruins, what next?

China's great firewall for example degrades access to some popular web sites, but it doesn't do a lot of IP blackholing because that hurts China more than they'd like.

They don't have to block all of Cloudflare's IPs. First they block 1.1.1.1 so that DoH doesn't work, then they look at 'known bad' domains and see what they resolve to and start with those.

If there's collateral damage to some other sites, then depending on the 'importance' of what they want to block--oh well.
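An added example, not code from the thread or from any of the commenters: it works through the two mechanics discussed above, building a blackhole list from the addresses that 'known bad' domains resolve to, widening it to whatever prefix length the operator chooses, and then counting the innocent domains that share those addresses or prefixes (the collateral damage the reply shrugs off). The resolution table, domain names and addresses are constructed sample data on documentation ranges, not real DNS answers; the script never touches the network or a router, it only emits the Linux null-route commands a /dev/null router would install.

```python
"""Added example: collateral damage of IP blackholing built from the
addresses that blocklisted domains resolve to. All data below is
constructed (documentation ranges, invented names); nothing is executed
against a real router or resolver."""
import ipaddress
from collections import defaultdict

# Constructed sample of resolver answers (fake data, not real sites).
RESOLUTIONS = {
    "bad-one.example": ["203.0.113.10"],
    "bad-two.example": ["203.0.113.11", "198.51.100.7"],
    "bad-cdn.example": ["192.0.2.5"],       # sits on a shared CDN edge address
    "news.example":    ["192.0.2.5"],       # innocent site on that same CDN address
    "shop.example":    ["198.51.100.7"],    # shared hosting with bad-two
    "bank.example":    ["203.0.113.200"],   # same /24 as bad-one, different host
}
BLOCKLIST = {"bad-one.example", "bad-two.example", "bad-cdn.example"}


def ips_to_blackhole(resolutions, blocklist):
    """Every host address that any blocklisted name resolves to."""
    return {ipaddress.ip_address(ip)
            for name in blocklist for ip in resolutions.get(name, [])}


def aggregate(ips, prefixlen=32):
    """Widen each address to /prefixlen and collapse overlapping or adjacent
    prefixes, as an operator who blackholes whole /24s (rather than single
    hosts) would. Returns a sorted list of ip_network objects."""
    nets = (ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips)
    return sorted(ipaddress.collapse_addresses(nets))


def collateral(resolutions, blocklist, nets):
    """Domains NOT on the blocklist that have at least one address inside a
    blackholed prefix, mapped to the prefixes that catch them."""
    hit = defaultdict(list)
    for name, addrs in resolutions.items():
        if name in blocklist:
            continue
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            for net in nets:
                if ip in net:
                    hit[name].append(str(net))
    return dict(hit)


def null_route_commands(nets):
    """Linux commands the /dev/null router would run for these prefixes
    (what it would also announce to its BGP peers). Generated, not run."""
    return [f"ip route add blackhole {net}" for net in nets]


def report(prefixlen):
    """Blackhole at the given prefix length and summarise the damage."""
    nets = aggregate(ips_to_blackhole(RESOLUTIONS, BLOCKLIST), prefixlen)
    hits = collateral(RESOLUTIONS, BLOCKLIST, nets)
    return {"prefixes": [str(n) for n in nets],
            "collateral": hits,
            "commands": null_route_commands(nets)}


if __name__ == "__main__":
    for plen in (32, 24):
        r = report(plen)
        print(f"/{plen}: {len(r['prefixes'])} prefixes, "
              f"{len(r['collateral'])} innocent domains caught")
        for name, nets in sorted(r["collateral"].items()):
            print(f"  {name} via {', '.join(nets)}")
        for cmd in r["commands"]:
            print(f"  {cmd}")
```

Running it shows the trade-off the thread argues about: at /32 granularity only the domains that literally share an address with a blocklisted one (the CDN edge and the shared host) are caught, while widening to /24 also takes out the unrelated host in the same block. Note that `collapse_addresses` merges the two adjacent /32s into a /31 on its own, so even the "precise" list is slightly wider than the raw address set.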

The idea that authoritarian regimes will just say "ohhh no, it is Cloudflare" and then back down is extremely naive.

More likely they will just force Cloudflare to do their censorship for them, which Cloudflare has already been proven to be malleable toward.

I doubt they would do blackhole routing, they risk blocking IPs from cloud providers like AWS, Azure and GCP.

Perhaps it's a little naive of me to think that ISPs and governments would consider that they might block an IP that's only going to do something "illegal" for a short while and then be recycled for something else.