I disagree. It's not Swisscom's role to censor the internet. Even if the idea might be honorable, to keep the bad guys out, the machinery put in place is resulting in something which will be abused for political agendas. Given Swisscom is state-owned, the risk is even higher. It's a risk to democracy you should not underestimate. Maybe you are too young, but you should read George Orwell's 1984 to see where this is going. I have been an indirect victim of a blocking which cost me 10 years in a court case and legal fees of half a million stacking up. You cannot imagine what political blocking can do to your business. And here we have Swisscom putting a machinery in place that politicians can just ask for at the click of a button. Now don't tell me they will not use this powerful weapon one day against someone whose political views they don't like. Totalitarian states do it already to a certain extent (Russia, Turkmenistan, US, Iran, Middle East, Turkey...)
On 23.04.2024 at 11:34, Daniel Stirnimann via swinog swinog@lists.swinog.ch wrote:
Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution?
Swisscom should stop tampering with DNS, as it does not work, and is no solution to the problem.
I disagree, Swisscom still misses a lot of phishing and malware websites. I would like them to be way more aggressive. Their support staff has to deal with calls from infected customers. They might as well try as well as possible to prevent it from happening in the first place. If you belong to the <0.1% of people who want unfiltered DNS, just run your recursive resolver.
Part of the problem is that the user doesn't get an error message at all, and then mails us "hey, your website is down".
Eventually, web browsers will show better responses for non-resolvable domain names, e.g. by utilizing Extended DNS Errors (RFC 8914).
EDE has code points for filtered or blocked DNS responses. Until web browsers care more about DNS, I advise being as verbose as possible when you block something.
For example, make the DNS output more verbose so that at least administrators realize why a domain name is blocked. Swisscom could have used a CNAME in the answer section to blocked.swisscom.com and they could also add an additional section with a SOA indicating the origin of the blocking. The RNAME field could be their report false positive email address and so on.
Daniel