How can it possibly be that an ISP, which I’m paying for, gets to decide which sites I’m allowed to have access to and which not?

All the torrenting sites are restricted. I know, I can use VPN, and such… but I want to do it because of my privacy concerns and not because some higher-up decided to bend over for the lobbying industry.

While on the other hand, if there’s a data breach of a legit big-corp website (looking at you FB), I’m still able to access it, they get fined with a fraction of their revenue, and I’m still left empty-handed. What a hypocrisy!!

What comes next? Are they gonna restrict me from using lemmy too, bc some lobbyist doesn’t like the fact that it’s a decentralized system which they have no control over?

Rant, over!

I didn’t even know that my router was using my ISP’s DNS, and that I can just ditch it, even though I’m running AdGuard (selfhosted)

    • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one

      Sadly doesn’t work for gov level blocks that look at the SNI rather than blocking at DNS level

      Edit: correction from ESNI to SNI

      • Eufalconimorph@discuss.tchncs.de

        You mean SNI, not ESNI. ESNI is the Encrypted Server Name Indication that gets around that, though the newer ECH (Encrypted Client Hello) is better in many ways. Not all sites support either though.

        • MigratingtoLemmy@lemmy.world

          If I utilise a DNS provider who supports ECH (mullvad) with a browser that supports ECH (Librewolf) will I still not be able to access certain websites? I haven’t come across a website blocked by my ISP yet so don’t know

          • noride@lemm.ee

            Most ISP blocking is pretty superficial, usually just at the DNS level, you should be fine in the vast majority of cases. While parsing for the SNI flag on the client hello is technically possible, it’s computationally expensive at scale, and generally avoided outside of enterprise networks.

            With that said, when in doubt, VPN out. ;)

            • MigratingtoLemmy@lemmy.world

              They won’t be able to get to my SNI if I’m using ECH, yes? I just assumed ECH was secure enough but I don’t know much

              • noride@lemm.ee

                You are absolutely correct, I should have led with that. Encrypted client handshake means no one can see what certificate you are trying to request from the remote end of your connection, even your ISP.

                However, it’s worth noting though that if I am your ISP and I see you connecting to say public IP 8.8.8.8 over https (443) I don’t need to see the SNI flag to know you’re accessing something at Google.

                First, I have a list of IP addresses of known blocked sites, I will just drop any traffic destined to that address, no other magic needed.

                Second, if you target an IP that isn’t blocked outright, and I can’t see your SNI flag, I can still try to reverse lookup the IP myself and perform a block on your connection if the returned record matches a restricted pattern, say google.com.

                VPN gets around all of these problems, provided you egress somewhere less restrictive.

                Hope that helps clarify.
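
Added example, not part of any comment in this thread: a minimal Python sketch of what an on-path device can read from a TLS ClientHello, with and without an ECH extension. The hostnames, the `build_client_hello`/`observe` helpers and the opaque ECH payload are constructed for illustration; `0xFE0D` is the ECH draft's extension codepoint.

```python
import struct

EXT_SNI = 0x0000   # server_name extension (RFC 6066)
EXT_ECH = 0xFE0D   # encrypted_client_hello (ECH draft codepoint)

def build_client_hello(sni, ech_payload=None):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name     # host_name entry
    sni_body = struct.pack("!H", len(entry)) + entry           # server_name_list
    exts = struct.pack("!HH", EXT_SNI, len(sni_body)) + sni_body
    if ech_payload is not None:                                # opaque placeholder bytes
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + bytes(32)        # legacy_version, random
            + b"\x00"                      # empty session id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record header

def observe(record):
    """Return (cleartext_sni, ech_present) as a passive observer would see them."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None, False                 # not a handshake record / ClientHello
    sni, ech = None, False
    try:
        p = 9 + 2 + 32                     # record + handshake headers, version, random
        p += 1 + record[p]                 # session id
        p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher suites
        p += 1 + record[p]                 # compression methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= min(end, len(record)):
            etype, elen = struct.unpack_from("!HH", record, p)
            data = record[p + 4:p + 4 + elen]
            if etype == EXT_SNI and len(data) >= 5 and data[2] == 0:
                nlen = struct.unpack_from("!H", data, 3)[0]
                sni = data[5:5 + nlen].decode("ascii", "replace")
            elif etype == EXT_ECH:
                ech = True                 # real name is inside the encrypted payload
            p += 4 + elen
    except (IndexError, struct.error):
        return None, False                 # truncated or malformed hello
    return sni, ech
```

With ECH the observer still sees a cleartext SNI, but it is only the provider's shared public name; the destination IP stays visible either way, which is the point made in the comment above.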

                • Darkassassin07@lemmy.ca

                  > I can still try to reverse lookup the IP myself and perform a block on your connection if the returned record matches a restricted pattern

                  This is only effective when the host is the only one using that IP. Anything that uses Cloudflare’s WAF or similar services will just be a shared IP that responds for hundreds of hosts like one of Cloudflare’s reverse proxies.

                • MigratingtoLemmy@lemmy.world

                  Ah, that clears it up! I feel silly that the idea of the ISP doing a reverse-lookup on my traffic didn’t occur to me, thanks.

        • Snowplow8861@lemmus.org

          Being free on Cloudflare makes it likely to be widely adopted quickly.

          It’s also going to break all the firewalls at work which will no longer be able to do dns and http filtering based on set categories like phishing, malware, gore, and porn. I wish I didn’t need to block these things, but users can’t be trusted and not everyone is happy seeing porn and gore on their co-workers screens!

          The malware and other malicious site blocking though is me. At every turn users will click the google prompted ad sites, just like the keepass one this week.

          Anyway all that’s likely to not work now! I guess all that’s left is to break encryption by adding true mitm with installing certificates on everyone’s machines and making it a proxy. Something I was loath to do.

        • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one

          Corrected, thanks!

          I’m looking forward to ECH, if I’m not mistaken that relies on DoH which has pretty widespread adoption in browsers at the mo

        • redcalcium@lemmy.institute

          It still requires DoH, right? Not sure what my ISP does, but DoH has very high latency and often times out on my end, probably to discourage their customers from turning on DoH.

            • redcalcium@lemmy.institute

              Hmm, kinda doubt it’s the DoH provider’s fault (Cloudflare). On the other hand, my ISP is already transparently redirecting plain DNS requests to their own DNS server, so it’s not a stretch to think they found a way to degrade the DoH experience (at least for well-known endpoints like 1.1.1.1).

      • asudox@lemmy.world

        You can try the new ECH feature, in the FF browser for example. It encrypts the SNI on compatible websites

    • moreeni@lemm.ee

      Sometimes the block is on a whole different level than DNS

      • noride@lemm.ee

        Yeah, even if they miss your DNS request, the ISP can still do a reverse lookup on the destination IP you’re attempting to connect to and just drop the traffic silently. That is pretty rare though, at least in the US, mainly because it costs money to enforce restrictions like that at scale, which means blocking things isn’t profitable. However, slurping up your DNS requests can allow them to feed you false error pages, littered with profitable ads, all under the guise of enforcing copyright protections.

        • moreeni@lemm.ee

          It’s pretty much the only way they enforce stuff here in Ukraine. Back in 2015 when the government blocked social media websites tied to Russian companies and in 2022 when .ru domains were blocked, changing your DNS provider didn’t help. I’m not sure about piracy sites, though, because everyone kinda doesn’t care about this stuff here, but I don’t think they would invent other mechanisms when they have a working one that doesn’t rely on DNS.

          • noride@lemm.ee

            That makes sense! Believe it or not it’s actually easier for an ISP to block a whole country than select websites and services. We actually null route all Russian public IP space where I work, that would absolutely be plausible on a national scale as well.

            It’s imperfect, you can get around it, but it catches 99% of normal users, which is the goal.

            • Case@lemmynsfw.com

              Not just ISPs, it can be blocked at the enterprise level in a few clicks.

              I was temping at a place during the pandemic when my hospitality based IT job shuttered. With their set up, I could just block a country in a couple clicks.

              I didn’t do the clicking, but we were getting hit with a DDoS from a nation we had no business in, and it was just blocked in a matter of minutes once the meetings and BS were attended to. Those took hours over days.