It's my understanding that since Akamai is based on DNS resolves, if you were
to use the method of blocking it within the DNS system it would make no
difference. Although I'm no Akamai expert.
-Jim
The issue is really not Akamai or Digital Island or any other service someone might buy. The end user is completely unaware of the machinations behind the scene, they are just going to type "www.terrorist.com" into their browser.
If "terrorist.com" is a Bad Domain and ISPs refuse to resolve anything in that domain, then nothing else can happen. The first step is the end user's machine going to the ISP's name server asking for the IP address of "www.terrorist.com". It does not matter if that hostname is CNAME'd to another company / host / whatever, the resolution will stop immediately and the user will be unable to see the web page.
Or they can just use a publicly available web proxy, in which case it will not matter if the domain is Akamaized or not. =)
This all strikes me as incorrect. The function of the domain name system is primarily to translate an IP number into a domain name, vice versa. If a user wishes to browse to <http://64.236.16.20> he/she will arrive also at <www.cnn.com>. The domain name is propagated and subsequently refreshed throughout the World. A browser request and reply may take each time hundreds of different routes through the Internet from end-to-end. If Spain would want to deploy blocking of the domain CNN.com (or in fact any other domain) it would have to factually block individual IP's at the telco 'in and out of Spain routes' to accomplish that. This, by the way, is currently e.g. done in the People's Republic of China, be it not really successful. It is also so easy to set up secondary dns's anywhere else on the globe with a ptr to some other IP no., that a dns block sec would never be a successful action. Blocking a /24 in Spain may be effective, but if the Spanish site would be hosted elsewhere, or would have a mirror hosted elsewhere, the elsewhere legislation would be the regulations the telco's are confronted with, and looking at.
Ola!
Bert Fortrie
The Akamai gotcha is that if you block www.terrorist.com, where terrorist.com
points to an Akamai server, you *ALSO* break the 4,934 *other* websites that
happen to have content on that same server.
Not if you block the domain name terrorist.com from resolving at the caching name server, only if you block the IP address to which it resolves on your routers. (Which in many cases will be an Akamai server inside your network - if not, just ask.)
Suppose they just make it a law that each ISP has to block "domain.com" in their caching name servers?
Sure, the user could telnet somewhere and find the IP address themselves, but it would stop 99.99% of the lusers out there.
http://a1016.g.akamai.net/f/1016/606/1d/(rest deleted)
So tell me again how you're going to filter a1016.g.akamai.net? And how you're
not going to piss off the OTHER sites on that server? (Yes, I know that the
virtualized hostname is down in the (rest deleted) part of the URL - is that
what you want to try to filter in a firewall? Especially when the name could
(and probably will) be % encoded or whatever?
Or are we simply assuming that all terrorists are dumb enough to not know
how to use a proxy? (Remember that we *are* worried they're smart enough to
use strong crypto...)
At 05:28 PM 11/14/2002, Patrick W. Gilmore most definitely admitted:
> > This all strikes me as incorrect. The function of the domain name system
> > is primarily to translate an IP number into a domain name, vice versa. If
> > a user wishes to browse to <http://64.236.16.20> he/she will arrive also
> > at <www.cnn.com>. The domain name is propagated and subsequently
> > refreshed throughout the World. A browser request and reply may take each
> > time hundreds of different routes through the Internet from end-to-end.
> > If Spain would want to deploy blocking of the domain CNN.com (or in fact
> > any other domain) it would have to factually block individual IP's at the
> > telco 'in and out of Spain routes' to accomplish that. This, by the way,
> > is currently e.g. done in the People's Republic of China, be it not really
> > successful. It is also so easy to set up secondary dns's anywhere else
> > on the globe with a ptr to some other IP no., that a dns block sec would
> > never be a successful action. Blocking a /24 in Spain may be effective,
> > but if the Spanish site would be hosted elsewhere, or would have a mirror
> > hosted elsewhere, the elsewhere legislation would be the regulations the
> > telco's are confronted with, and looking at.
>
> Suppose they just make it a law that each ISP has to block "domain.com" in their caching name servers?
Who is 'they', Patrick? Suppose Spain introduces that law. Fine, but that doesn't mean that other countries have to (or will ever) abide by that. Certainly in the U.S. you won't find that many who would support even the idea.

> Sure, the user could telnet somewhere and find the IP address themselves, but it would stop 99.99% of the lusers out there.
Thousands of non-Spanish dns servers (not under the Spanish restriction) would have cached the propagated terror.com url from Akamai. Any Spanish user really wanting to see terror.com will get it. To make it a more permanent experience the Spanish conquistador should install his own winooz 95 dns service (I believe it’s free), and peg it to a secondary dns outside his beautiful country.
Bert Fortrie
Once upon a time, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> said:
> > Not if you block the domain name terrorist.com from resolving at the
> > caching name server, only if you block the IP address to which it
> > resolves on your routers. (Which in many cases will be an Akamai
> > server inside your network - if not, just ask.)
>
> http://a1016.g.akamai.net/f/1016/606/1d/(rest deleted)
>
> So tell me again how you're going to filter a1016.g.akamai.net? And how
> you're not going to piss off the OTHER sites on that server? (Yes, I know
> that the virtualized hostname is down in the (rest deleted) part of the
> URL - is that what you want to try to filter in a firewall? Especially
> when the name could (and probably will) be % encoded or whatever?
Well, believe it or not, you can filter on aXXXX.
But more importantly, no user is ever going to type "aXXX.g.akamai.com/foo/bar/etc...". They are going to type "www.ticketmaster.com", which is a CNAME for aXXX. If the ISP's name server filters the "ticketmaster.com" domain, your random luser is not going to be able to get to www.ticketmaster.com.
> Or are we simply assuming that all terrorists are dumb enough to not know
> how to use a proxy? (Remember that we *are* worried they're smart enough
> to use strong crypto...)
I did not think this is about stopping terrorists from getting to special sites. I thought this was about a government censoring its citizens from seeing "bad" web sites. Which is a Bad Idea IMHO, but I doubt the Spanish government cares what I think.
Besides, what's to stop Joe User from using a public proxy outside his country?
> At 05:28 PM 11/14/2002, Patrick W. Gilmore most definitely admitted:
> > Suppose they just make it a law that each ISP has to block "domain.com"
> > in their caching name servers?
>
> Who is 'they', Patrick? Suppose Spain introduces that law. Fine, but
> that doesn't mean that other countries have to (or will ever) abide by
> that. Certainly in the U.S. you won't find that many who would support
> even the idea.
This thread was started 'cause the Spanish (?) government wanted to do blocking. So it would stop all the people in Spain. And I seriously doubt they care what the US government or its citizens do outside of Spain.
IOW: You are right, but that's not the point of this thread.
> > Sure, the user could telnet somewhere and find the IP address themselves,
> > but it would stop 99.99% of the lusers out there.
>
> Thousands of non-Spanish dns servers (not under the Spanish restriction)
> would have cached the propagated terror.com url from Akamai. Any Spanish
> user really wanting to see terror.com will get it. To make it a more
> permanent experience the Spanish conquistador should install his own
> winooz 95 dns service (I believe it's free), and peg it to a secondary
> dns outside his beautiful country.
1) I submit over 99% of users would not even know what "dns service" is, more or less how to install it, or even that they CAN install it.
2) It is trivial to filter all port 53 and/or redirect all name service queries in your network to your name server.
3) We are discussing the government making a law about Internet technology. I am impressed they even know what a domain name is, and not surprised at all that their suggested "fix" is full of holes.
IOW: You are right again, but that's still not the point of this thread. =)
> Unfortunately, the politicians would actually believe that.
I am not so sure it is "unfortunate" politicians are ignorant of many things.
> > Who is 'they', Patrick? Suppose Spain introduces that law. Fine, but
> > that doesn't mean that other countries have to (or will ever) abide by
> > that. Certainly in the U.S. you won't find that many who would support
> > even the idea.
>
> This thread was started 'cause the Spanish (?) government wanted to do
> blocking. So it would stop all the people in Spain. And I seriously doubt
> they care what the US government or its citizens do outside of Spain.
This is not correct. Such laws tend to cover whatever is shown to the
Spanish citizens, no matter by whom. One can be not really concerned about
it if one has good lawyers. Otherwise one would end up in the position Google
and Yahoo ended up in Germany.
Alex