The End of DNS-based Site Blocking is near

Martin Brinkmann
Oct 7, 2023

For well over three decades, DNS-based site blocking has been used to stop users from accessing certain sites on the Internet. Court rulings may oblige Internet Service Providers to block their customers from accessing certain sites.

These sites may be so-called pirate sites, adult websites or any other site that the court has ruled against. DNS-based blocking is a simple form of blocking access to a site.

DNS is used to translate the domain name of a site to its IP address, since computers use IP addresses for communication. The block prevents the lookup from succeeding, and the result is that the site in question can't be opened on the user's device. Sometimes, another page is displayed instead that informs the user about the block.

DNS-based blocking has never been effective. Users may switch to a different DNS provider on their devices to access the sites in question. It takes just a few clicks in all modern operating systems to switch to a new provider, either in a web browser or system-wide. Third-party programs like QuickSet DNS may also be of use in this regard. VPNs and proxy servers may be used as well.

There are valid reasons for changing DNS providers. One is performance, and a tool like Namebench may help users find the best performing provider by running benchmarks. Another is security. Some DNS providers may support security features that the default provider, often the ISP of the user, does not support.

DNS encryption has seen a push in recent years. DNS-over-HTTPS plays an important part, but it still leaked the domain name. This meant that providers could still block access to sites on the DNS level or sell the information gathered.

The introduction of Encrypted Client Hello in browsers changes that. It hides the domain name during lookups, so that Internet Service Providers or network operators don't know what a user accesses on the Internet. It is a major push for privacy, as it prevents ISPs from recording and selling user data, or interacting with certain requests.

Mozilla introduced support for Encrypted Client Hello in Firefox 118, and Chromium also added support for the security feature recently. You can check your browser here to find out if it supports the feature.

A side-effect of improved user privacy is that DNS-based blocking becomes unusable. The ISP or network operator has no knowledge of the domain name the user tries to access anymore, as this is no longer provided in the clear. As such, websites that are blocked on the DNS level are no longer blocked, provided that the site in question supports Encrypted Client Hello.
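To make the point concrete, here is an added Python illustration (not code from the article) of what an on-path observer such as an ISP learns from a TLS ClientHello. Without ECH the plaintext SNI extension carries the real hostname; with ECH only the client-facing server's public name and an ECH extension (type 0xfe0d in the draft-ietf-tls-esni specification) are visible, and the real hostname sits inside the encrypted inner ClientHello. The ClientHello bytes and the ECH payload are constructed placeholders.

```python
import struct

SNI_EXT_TYPE = 0x0000   # server_name (RFC 6066)
ECH_EXT_TYPE = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni)


def _u16(buf, i):
    return struct.unpack_from("!H", buf, i)[0]


def sni_extension(hostname):
    """Build a plaintext server_name extension (type, data) for hostname."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    return SNI_EXT_TYPE, struct.pack("!H", len(entry)) + entry


def build_client_hello(extensions):
    """Construct a minimal TLS 1.3 ClientHello handshake message for testing."""
    body = b"\x03\x03" + bytes(32)          # legacy_version + random (all zero: constructed)
    body += b"\x00"                         # legacy_session_id: empty
    body += b"\x00\x02\x13\x01"             # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                     # compression_methods: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


def observe(client_hello):
    """Return what an on-path observer can read: visible SNI and whether ECH is in use."""
    if client_hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    i = 4 + 2 + 32                          # handshake header, version, random
    i += 1 + client_hello[i]                # session id
    i += 2 + _u16(client_hello, i)          # cipher suites
    i += 1 + client_hello[i]                # compression methods
    end = i + 2 + _u16(client_hello, i)
    i += 2
    seen = {"sni": None, "ech": False}
    while i < end:
        etype, elen = _u16(client_hello, i), _u16(client_hello, i + 2)
        data = client_hello[i + 4:i + 4 + elen]
        if etype == SNI_EXT_TYPE:
            nlen = _u16(data, 3)            # skip list length (2) and name_type (1)
            seen["sni"] = data[5:5 + nlen].decode()
        elif etype == ECH_EXT_TYPE:
            seen["ech"] = True              # real hostname is encrypted, not readable here
        i += 4 + elen
    return seen
```

With ECH the observer only sees the shared public name (for Cloudflare-hosted sites this is the same for many unrelated domains), which is why a block keyed on the requested hostname no longer identifies the site.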

Cloudflare has enabled support for Encrypted Client Hello for all of its managed sites this month. Millions of sites support Encrypted Client Hello as a consequence already and many more will follow in the future.

Results are a mixed bag currently, as reported by Torrentfreak. Sites that use Cloudflare for protection or have enabled Encrypted Client Hello on their own servers are no longer blocked on the DNS level in countries where they are blocked. Nothing changes for blocked sites that do not use Encrypted Client Hello, but it is likely that these will switch to using it in the future.

It is too early to say how this will affect local legislation and rulings to block access to websites. Courts may require that ISPs use different blocking techniques, for instance Deep Packet Inspection.

Now You: are websites blocked by court order in your country?

Ghacks Technology News