by denton-scratch
893 days ago

Well, I didn't know they did that. They'd have to use a packet filter to do that; in the normal case, I send my UDP query to the authoritative server via its IP address, and if my ISP doesn't forward the query, then it's not providing internet service, it's simulating it. My resolver respects DNS signing, so I think I'd get errors right away if my ISP tried to substitute a forged answer. My (niche) ISP is rather benevolent; as far as I'm aware they don't block at all, and they brag about providing "real internet service". At any rate, I'm not aware that my recursive resolver has ever encountered an answer that was forged by my ISP.

Indeed they would.
> My resolver respects DNS signing…
I’m not honestly certain how big of a hurdle this is. I would figure that if a site is to be blocked, then the ISP substitutes their own “authoritative” response, which would include cryptographic signing details (even pretending their public key is the official one.)
> My (niche) ISP is rather benevolent …
I think most are. In my market, even the big guys haven’t done this, though I have heard about it happening in larger markets when big ISPs are up to no good (like inserting ads or whatever.)