2003-dornseif-government
findings extracted from this paper
- The paper evaluates all major circumvention techniques available in 2003 and concludes that only application-layer proxies (HTTP, SOCKS, JAP, Peekabooty) and IP tunneling can defeat all three blocking layers (IP filtering, DNS tampering, filtering proxies) simultaneously. Encryption alone cannot circumvent IP or DNS blocking: HTTPS hides URL paths but not the destination host, and DNS-over-HTTPS/DNSSEC can detect but not defeat DNS tampering unless a third-party resolver is used.
- An empirical DNS survey of North Rhine-Westphalia providers (May 2003) found that kids.stormfront.org, which was not named in the blocking order, was answered with obscure errors by 56% of surveyed servers, while rotten.com (also not in the order) was erroneously blocked by 11% of providers. www.stormfront.org itself was blocked by 12 providers, with 0% of them still returning the correct answer, demonstrating that real-world DNS-tampering deployments systematically over-block names outside the order at high rates.
- The survey of NRW provider DNS implementations revealed at least five distinct tampering strategies in the wild: name hijacking to a government redirect server, NXDOMAIN for entire zones, name astrayment to 127.0.0.1 (the user's own machine) or to unallocated addresses such as 1.1.1.1, silence (no reply at all), and provoked SERVFAIL responses. One provider (tops.net) additionally set tracking cookies on users redirected to its block-notification page, showing that name hijacking also creates a surveillance vector beyond the blocking itself.
- DNS zone architecture prevents providers from blocking individual hostnames without also disrupting all other services (email, chat, file transfer) for every name in the same DNS zone. A provider blocking www.bad.example.com must create a synthetic zone for bad.example.com, requiring continuous re-synchronization with the authoritative servers at 3–24 hour intervals; failing to replicate MX records blocks email to non-targeted addresses in the zone.
- IP-level blocking causes severe over-blocking because more than 87% of all domains deploy name-based virtual hosting on shared IP addresses (per Edelman's 2003 survey of .com/.net/.org). A single blocked IP can deny access to thousands of unrelated sites; when xs4all.nl was blocked in 1996/1997, between 3,000 and 6,000 separate websites were collaterally blocked.