Comment by josephcsible

8 months ago

> At this point, it is much easier to just block the service's IP addresses than deep-inspect DNS traffic and match the query identifier and stuff to inject a false response. Why spend that engineering time when people will just fix the DNS server and can access the site directly?

Because IP addresses can change frequently, and also because if a site is behind a CDN, that would cause a lot of collateral damage.

> The first IP address is a block page (accessible from outside the network, if anyone wants to take a look), the second one of the real IP addresses

Okay, so your ISP's particular blocking mechanism doesn't hijack recursive queries. But others do.

Could you give an example of such an ISP? I have seen ISPs block all DNS traffic except to their own server, but those have been fairly locked networks like hotel wifi. It is much cheaper, safer, and less fragile to just block everything and force customers to the ISP's own servers. DPI and traffic injection carry a risk of false positives, and minor engineering mistakes can create large support costs; it would really only be beneficial if the intention is to hide the fact of the block.

  • > It is much cheaper, safer, and less fragile to just block everything and force customers to the ISP's own servers.

    Sure, that's common too. But that also precludes you from running your own recursive resolver to circumvent their blocks.
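The thread above turns on one detail: an injector that forges DNS answers has to reuse the client's 16-bit transaction ID, so it cannot hide from a passive observer that sees two responses for the same ID carrying different A records. The following added example (mine, not code from any commenter) parses raw DNS response packets and flags exactly that condition. The packets, names and addresses are constructed here for illustration (documentation ranges, not real resolvers or block pages).

```python
"""Detecting injected DNS responses by matching transaction IDs.

Added example, not from the discussion above. A spoofed answer must
carry the same transaction ID and question as the real one, so two
responses for one (txid, qname) pair with different A records is
strong evidence of injection. All packets below are constructed.
"""
import struct
from collections import defaultdict


def build_response(txid, name, ip, ttl=300):
    """Build a minimal DNS A-record response: one question, one answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_response(data):
    """Return txid, question name and the A records of a DNS response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, qname = 12, ""
    for _ in range(qd):
        qname, offset = parse_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _, offset = parse_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "qname": qname, "answers": answers}


def find_injected(packets):
    """Group responses by (txid, qname); report groups with conflicting A records."""
    seen = defaultdict(list)
    for pkt in packets:
        r = parse_response(pkt)
        seen[(r["txid"], r["qname"])].append(r["answers"])
    suspicious = {}
    for key, answer_sets in seen.items():
        ips = {ip for answers in answer_sets for ip, _ in answers}
        if len(answer_sets) > 1 and len(ips) > 1:
            suspicious[key] = sorted(ips)
    return suspicious


# Constructed capture: txid 0x1234 gets two answers (a hypothetical block-page
# address and the genuine one); txid 0x5678 gets a single, clean answer.
SAMPLE_PACKETS = [
    build_response(0x1234, "example.com", "192.0.2.1", ttl=60),
    build_response(0x1234, "example.com", "198.51.100.7"),
    build_response(0x5678, "example.net", "203.0.113.9"),
]

if __name__ == "__main__":
    for (txid, qname), ips in find_injected(SAMPLE_PACKETS).items():
        print(f"txid=0x{txid:04x} {qname}: conflicting answers {ips}")
```

In practice the packets would come from a capture on the resolver's uplink; the block-page address itself is a strong tell (it repeats across unrelated names), and the injected answer typically arrives first with a short TTL, which is why the parser keeps the TTL alongside each address.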