
DNS piracy blocking orders: Google, Cloudflare, and OpenDNS respond differently

mschuster91

> When OpenDNS was first ordered to block pirate sites in France, the company made a simple but drastic decision to leave the country entirely, effectively affecting all French users. Last week, it repeated this response in Belgium following a similar court order.

Who would have thought that Cisco would be on the side of the good guys for once?!

As for Cloudflare, what they do is scary. The screenshot clearly shows a valid HTTPS certificate, so either they don't do DNS blocking but instead implement the block on their load balancer side, or they mis-issue HTTPS certificates. The former is only possible when the target site is also served by Cloudflare (which leaves the question of what Cloudflare does for domains that are targeted by a court order but not using Cloudflare load balancing); the latter would be a serious breach of how HTTPS certificates should be issued.

And in the end I believe that courts need to be educated on how the Internet works. Companies should not be allowed to target DNS, they should be forced to target the actual entities doing the infringement - and if the target isn't in the scope of Western jurisdictions (that have various legal-assistance treaties), it's either tough luck (e.g. if the pirates are in Russia, China or other hostile nations) or they should get their respective government involved to use diplomatic means.

idle_zealot

> And in the end I believe that courts need to be educated on how the Internet works

This is not an education issue. Rights holders want to use every tool in the box to add friction and barriers to piracy; courts offer pushback only when that would result in a marked loss in utility for ordinary users. They do not care about the sanctity of DNS or whatever engineer-brained ideals are being violated.

strken

The sanctity of TLS certificates is the backbone of internet banking and basic privacy for everyday users. It's surprising that you or the courts would see this as a problem that only affects engineers, when it weakens the guarantees that everyday people and businesses rely on to conduct their business safely.

ZoneZealot

The trust we have in the CAs who are embedded in our root stores is very important - yes.

Thankfully, in this case the issue at hand is entirely unrelated to TLS, rogue CAs etc. Or even DNS record manipulation (for now)...

Cloudflare put a 'You're blocked' page on the web server that Cloudflare are already running for their customer, the customer being the website that Cloudflare is being ordered to block (for users in certain countries).

ZoneZealot

> The screenshot clearly shows a valid HTTPS certificate, so either they don't do DNS blocking but instead implement the block on their load balancer side, or they mis-issue HTTPS certificates. The former is only possible when the target site is also served by Cloudflare (which leaves the question of what Cloudflare does for domains that are targeted by a court order but not using Cloudflare load balancing); the latter would be a serious breach of how HTTPS certificates should be issued.

Cloudflare's statement in that screenshot:

> Given the extraterritorial effect as well as the different global approaches to DNS-based blocking, Cloudflare has pursued legal remedies before complying with requests to block access to domains or content through the 1.1.1.1 Public DNS Resolver or identified alternate mechanisms to comply with relevant court orders. To date, Cloudflare has not blocked content through the 1.1.1.1 Public DNS Resolver.

I interpret this part of what Cloudflare said to mean that so far every domain they've been asked to block has either been appealed successfully or was using Cloudflare's CDN, DDoS mitigation & WAF services, and therefore they could just selectively block the visitors with HTTP 451. If they were asked to block a domain that wasn't using Cloudflare, I'm sure that would be the first instance of them having to modify the DNS response - but they would have to, or stop doing business in that jurisdiction like OpenDNS did.

Cloudflare is quite notorious for not policing the content being fronted by their service, and is quite popular with less than legal (but still clearnet) sites.

In the example cases, they already had TLS certificates issued and were using them for the legitimate traffic of that domain as it was fronted by Cloudflare.

HDThoreaun

> it's either tough luck (e.g. if the pirates are in Russia, China or other hostile nations)

This is not an acceptable outcome in the courts' view.

eddythompson80

Not really sure what you find scary about that. If you set Cloudflare as your DNS provider, they own the DNS response they give you. If they get court-ordered to redirect you to a site saying this is illegal, is your preference for this to be over plaintext?

Cloudflare is a public CA. Your browser or OS trusts it implicitly. If you don’t trust Cloudflare, remove it from that list I guess.

ZoneZealot

> If you set Cloudflare as your DNS provider, they own the DNS response they give you. If they get court-ordered to redirect you to a site saying this is illegal, is your preference for this to be over plaintext?

Very important distinction here: the people being 'impacted' by this court order are end-users who decide to use Cloudflare's recursive DNS resolver (1.1.1.1 / 1.0.0.1 etc).

There's also the topic of what authoritative nameserver a domain uses. And also if a domain uses Cloudflare's WAF/CDN services to front their website.

A website can use Cloudflare's WAF/CDN without using their authoritative nameserver, and vice versa.

In this case, every domain that's been ordered to be blocked was already using Cloudflare's WAF/CDN service. So Cloudflare did the block at that level, rather than changing how Cloudflare's recursive DNS resolver responds to DNS queries.

No additional TLS certificates were issued - they already had valid certs because they're fronting the domain.

Bender

> A website can use Cloudflare's WAF/CDN without using their authoritative nameserver, and vice versa.

Is this true for the free accounts? My understanding was that only enterprise and possibly pro accounts permitted this. I thought that people using free accounts had to point their entire zone entirely to CF to be managed only by CF. I could be wrong.

lokar

They have a trusted CA root subject to strict policy rules that I’m pretty sure don’t allow this.

ycombinatrix

CAs are well known for being lazy & incompetent.

Look at how much bullshit we tolerate from just Entrust: https://wiki.mozilla.org/CA/Entrust_Issues

JumpCrisscross

> Not really sure what you find scary about that

For me it’s Cloudflare circumventing its transparency reporting. That’s lying. If they’re willing to lie about something like this, I wonder what else they found a technical workaround for.

ZoneZealot

Note that the CAs that Cloudflare uses have not mis-issued any certificates in this case; the certificate was legitimately issued for Cloudflare to front the site in question with their CDN/WAF services. It just happens that the court order will make Cloudflare front them with an HTTP 451 instead, for visitors from the relevant countries.

There is no bypassing of certificate transparency, as there was no additional TLS certificate issued, it was already in use.

If Cloudflare were required to block a different site that did not use Cloudflare's WAF service, they would have to do something else at the recursive DNS resolver level. So far that hasn't happened, because Cloudflare is incredibly popular, especially so for less-than-legal sites.

pests

> Cloudflare is a public CA.

Uhh no it’s not?

ycombinatrix

Cloudflare is a public CA. They can issue themselves a certificate for literally any domain, whether it is served by Cloudflare or not.

ZoneZealot

Cloudflare are not a public CA (see bottom); they use public CAs just like the rest of us. I'm sure they have special enterprise arrangements with each of them.

Supported TLS certs via Cloudflare: https://developers.cloudflare.com/ssl/reference/certificate-...

Those public CAs have to verify domain ownership via the methods outlined in the CA/Browser Forum's baseline requirements. None of which Cloudflare would be able to follow (on behalf of these domains in question) if they did not use either of Cloudflare's authoritative nameservers or WAF/CDN.

Now, if Cloudflare were a public CA, they would still have to behave correctly and follow the baseline requirements, otherwise they would be distrusted by clients.

Note that Cloudflare have a certificate authority called 'Origin CA' (https://blog.cloudflare.com/cloudflare-ca-encryption-origin/), but it is not publicly trusted. It doesn't need to be: it's for website operators to install on their own web server before it gets fronted by Cloudflare, rather than just running a self-signed cert or serving plaintext.

Trusted root certs:

Apple: https://support.apple.com/en-gb/121672

Mozilla: https://ccadb.my.salesforce-sites.com/mozilla/CAInformationR...

Microsoft: https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACe...

Chrome: https://chromium.googlesource.com/chromium/src/+/main/net/da...

thayne

I'm pretty sure Cloudflare uses Let's Encrypt.

It doesn't look like they are a sponsor of Let's Encrypt though, so I doubt they have any kind of special arrangement with them.

ycombinatrix

Thanks for the explanation. Also, your username is very appropriate.

yubblegum

So they are the official man in the middle? If that is true then it is a complete mockery of the entire theater of https everywhere.

ZoneZealot

Cloudflare have only ever been able to do their job (on the reverse proxy CDN/WAF side), by doing full TLS interception. They see the session in plaintext.

The customer grants Cloudflare a TLS certificate for their site either by uploading a cert manually, or by letting Cloudflare issue a cert via the ACME protocol. They use that to present the site to the world. Cloudflare connects back to the origin site, and the origin either uses HTTP (bad! but possible), HTTPS with a self-signed cert, HTTPS with another publicly trusted cert, or a cert that Cloudflare issues with their own (not publicly trusted) CA called Origin CA.

As the visitor, there's no big sign saying 'Cloudflare can read this content as well as the origin website'. They're trusted to not be malicious, sure, but there's a massive risk with using any sort of service like this that you don't control.

One of those massive risks turned reality with Cloudbleed in 2016/2017: https://en.wikipedia.org/wiki/Cloudbleed

https://project-zero.issues.chromium.org/issues/42450151

https://blog.cloudflare.com/incident-report-on-memory-leak-c...

https://blog.cloudflare.com/quantifying-the-impact-of-cloudb...

ThePowerOfFuet

Now you get it.

mschuster91

> They can issue themselves a certificate for literally any domain, whether it is served by cloudflare or not.

They can but they're not allowed to, that's the entire point.

fowl2

Surprised no one has mentioned RFC 8914 Extended DNS Errors, specifically section 4.17[1]:

> 4.17. Extended DNS Error Code 16 - Censored

> The server is unable to respond to the request because the domain is on a blocklist due to an external requirement imposed by an entity other than the operator of the server resolving or forwarding the query. Note that how the imposed policy is applied is irrelevant (in-band DNS filtering, court order, etc.).

Which would be relevant for Google DNS's "Query refused" at least. Although I guess it's possible they do support it but Windows/Chromium don't...

[1] https://www.rfc-editor.org/rfc/rfc8914.html#section-4.17
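As an added example (not from the thread or from any resolver's code), the following Python builds the REFUSED reply with an EDE code 16 "Censored" option that the comment describes, and shows how a client can tell such an answer from a bare refusal; the query name and EXTRA-TEXT are constructed sample values and only the standard library is used.

```python
"""Build and decode a DNS reply carrying RFC 8914 Extended DNS Error 16 "Censored".

Added example, not code from any resolver or from the thread above. Wire format
is assembled by hand with struct so it runs offline; names and text are constructed.
"""
import struct

RCODE_REFUSED = 5
TYPE_OPT = 41                 # EDNS0 OPT pseudo-RR (RFC 6891)
EDNS_OPTION_EDE = 15          # Extended DNS Error option code (RFC 8914)
EDE_CENSORED = 16             # INFO-CODE 16 "Censored" (RFC 8914 section 4.17)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_refused_reply(txid: int, qname: str, extra_text=None) -> bytes:
    """REFUSED reply for an A query; with extra_text it also carries EDE 16 + EXTRA-TEXT."""
    flags = 0x8180 | RCODE_REFUSED                  # QR=1, RD=1, RA=1, RCODE=REFUSED
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    options = b""
    if extra_text is not None:
        ede = struct.pack("!H", EDE_CENSORED) + extra_text.encode("utf-8")
        options = struct.pack("!HH", EDNS_OPTION_EDE, len(ede)) + ede
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=extended RCODE/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(options)) + options
    return header + question + opt_rr


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (a compression pointer ends it)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def extended_errors(msg: bytes) -> dict:
    """Return the (possibly extended) RCODE and every (info_code, extra_text) EDE in the reply."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    result = {"rcode": flags & 0x000F, "ede": []}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        result["rcode"] |= ((ttl >> 24) & 0xFF) << 4  # upper RCODE bits live in the OPT TTL
        pos = 0
        while pos + 4 <= len(rdata):
            code, length = struct.unpack_from("!HH", rdata, pos)
            pos += 4
            data = rdata[pos:pos + length]
            pos += length
            if code == EDNS_OPTION_EDE and length >= 2:
                (info_code,) = struct.unpack_from("!H", data, 0)
                result["ede"].append((info_code, data[2:].decode("utf-8", "replace")))
    return result


def classify(msg: bytes) -> str:
    """Tell an explicitly censored answer apart from an unexplained refusal or a normal reply."""
    info = extended_errors(msg)
    if any(code == EDE_CENSORED for code, _ in info["ede"]):
        return "censored"
    if info["rcode"] == RCODE_REFUSED:
        return "refused-unexplained"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a resolver honouring RFC 8914 versus one that only says REFUSED.
    explained = build_refused_reply(0x1234, "blocked.example", "Blocked by court order (sample text)")
    bare = build_refused_reply(0x1234, "blocked.example")
    print(classify(explained), extended_errors(explained))   # censored, EDE (16, ...)
    print(classify(bare), extended_errors(bare))             # refused-unexplained, no EDE
```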

xeonmc

Question: why do courts hit DNS providers instead of domain registrars?

gruez

Easier to get jurisdiction over them. Google and Cloudflare have datacenters all over Europe. Meanwhile for the ivesoccer.sx domain, the registry is located in Sint Maarten and the registrar is a Danish company.

thenthenthen

The internet is really not that different from shipping companies. Maybe some insights there?

natebc

You're on to something here. They are fighting pirates too!

Bender

> Question: why do courts hit DNS providers instead of domain registrars?

Most of the eggs are in one basket. Same as trying to get individual ISPs to censor something, reaching out to each of the hundreds of registrars is time consuming and prone to being ignored depending on the country. If on the other hand a government can get cooperation from even 3 of the biggest "free" resolvers then it's a big win for them. It's also easier to monitor people when they choose to use corporate resolvers like Cloudflare, Google, OpenDNS, etc...

TZubiri

Interesting. But DNS registrars don't operate in the importing country. E.g. the .com registry is operated by Verisign and is in US jurisdiction. If I wanted to block a website in Argentina it wouldn't make sense to ask Verisign to delete a website; I would ask the court to order a DNS block at local ISPs registered as local companies.

zerof1l

Everyone should just start running their own authoritative DNS servers like Unbound. That will eliminate the issue. And why is it still the norm that all major OSes don't ship with authoritative DNS... Same with all consumer routers. It is not an option at all, or if you run OpenWRT, you'd have to manually set it up. Hopefully, there will be some change in that direction.

rayhaanj

I think you mean "running your own recursive resolver", an authoritative server is one which is authoritative for some zone (e.g. example.net), whilst a recursive resolver is one that goes and walks from the root of the DNS hierarchy to the leaf that you have queried.

It is probably quite a bit slower though, needing round trips at each stage of the resolution, which is also likely a reason that these public resolvers get so much use (latency improvement via caching).

belorn

> It is probably quite a bit slower though needing to have roundtrips at each stage of the resolution

The average load time for a website is 2.5 seconds. The added load time from running your own recursive resolver, which is only added the first time the site is loaded, would be around 50ms, or a 2% increase in load time.

DNS resolving is not a major aspect of a typical website's load time. If you want to speed things up, run a local proxy with locally cached versions of all popular web frameworks and fonts, and have it be constantly populated by a script running in the background. That will save you much more than 2% on first load.

rayhaanj

I just did some measurements and am impressed on both fronts: DNS recursive resolution is faster than I anticipated, but also page load times for well optimised sites are also very fast (sub 0.5s). Here's some data:

Recursively resolve bbc.com: 18ms https://pastebin.com/d94f1Z7P

Recursively resolve ethz.ch: 17ms https://pastebin.com/x6jSHgDn

Recursively resolve admin.ch: 39ms https://pastebin.com/DUTg8Rit

Page load in Firefox:

bbc.com DOMContentLoaded: ~40ms, page loaded: ~300ms

reuters.com DOMContentLoaded: ~200ms, page loaded: ~300ms

google.com DOMContentLoaded: ~160ms, page loaded: ~290ms

So it's quite reasonable to do full recursive resolution, and you'll still benefit from caching after the first time it's loaded. One other idea I had but never looked into it was instead of throwing out entries after TTL expiry to just refresh it and keep it cached, no idea if BIND/Unbound can do that but you can probably build something with https://github.com/hickory-dns/hickory-dns to achieve that.

Bender

> It is probably quite a bit slower though needing to have roundtrips at each stage of the resolution

My experience does not align with this. My Unbound instances cache only what I am requesting and I have full control over that cache memory allocation, min-ttl, zero-ttl serving and re-fetching, cron jobs that look up my most common requests hourly, etc... I do not have to share memory with anyone outside of my home. Just about anything I request on a regular basis is in the microseconds and always shows as 0 milliseconds in dig. I've run performance tests against Unbound and all the major DNS recursive providers and my setup always wins for anything I use more than a few times a month or more than a dozen times in a year.

For the cases where I am requesting a domain for the first time the delay is a tiny fraction of the overall page loading of the site as belorn mentioned. I keep query response logs and that also has the response time for every DNS server I have queried. I also use those query response logs to build a table of domains that I look up hourly NS and A records to build the infrastructure cache in addition to resource record cache.

Now where there would be latency is if I had to enable my local Unbound -> DoT over Tinc VPN -> rented server Unbound -> root servers. That would only occur if my ISP decided to block anyone talking to the root servers directly, and my DoT setup would only be in place while my legal teams get ready to roast my ISP and I start putting up billboards. That would of course be a waste of time and money when I could just get the IPs of censored sites from a cron job running on multiple VMs and shove them into my hosts file. This could even be a public contribution into a git repo and automated on everyone's machines.

copula4

There is life outside major population centers. I have pings in excess of 200 ms to many major websites; if every DNS lookup requires doing several queries with 100-300 ms of waiting for each one, the web becomes unusable. From reading HN, users from e.g. New Zealand run into similar issues.

kdmtctl

It will help with spoofing but will not protect from eavesdropping. Most of the time Cloudflare is the least dangerous adversary.

alabastervlog

I would be shocked if they're not taking money to let US TLAs back-door them.

kdmtctl

That will ruin the stocks. No need to use back doors; a court order is pretty easy to get, especially if the site in question is truly malicious.

cesarb

> Everyone should just start running their own authoritative DNS servers like Unbound.

I used to do that, but it caused some odd issues at my former ISP, which I suspect were due to connection tracking state table exhaustion on their CGNAT box; running your own recursive server means a lot of UDP connections, and unlike with TCP, there's no well-defined point at which the connection tracking state can be released, which can lead to it accumulating. Making unbound use DoT to cloudflare made things much more stable (since DoT uses TCP, the connection tracking state can be released immediately when each connection is closed).

ratatoskrt

If I set up my own authoritative DNS servers, can I still use DNS over TLS or DNS over HTTPS?

kdmtctl

If you set your own authoritative DNS, you could use it only for your zones. To use DoH, etc for the whole traffic, you need a recursive server. Unbound is a recursive server with some rudimentary authoritative extensions.

Aachen

Sure, you can run TLS/HTTPS to your own server or to localhost if you want to keep private from the intervening systems that you are querying for a certain domain.

NoahKAndrews

OPNsense defaults to Unbound

znpy

I do run my BIND in my LAN (and in my VPN, serving a private zone) and I'm only occasionally reminded about DNS blocking issues by articles like this.

Needless to say, the bar is way lower. Anybody willing to pirate stuff can easily change their dns to any public dns service and access any website. You don’t even need a vpn.

cesarb

> Google’s response also appears to go against the advice of the Belgian court, which required the DNS providers to redirect users to a dedicated page, presumably to provide further detail.

That advice made sense in the plain-text HTTP era, but it's no longer viable; attempting to do that nowadays would only lead to an "invalid certificate" error page. The only ones which can make that work are the site itself, or a CDN in front of it (which, as others have noted, often means Cloudflare can do that, but not other DNS providers like Google).

codedokode

I read that using pirated sites is ok if you do it for learning. Why do courts block them if they have legal uses?

gruez

> I read that using pirated sites is ok if you do it for learning

1. I don't think anyone has been prosecuted for accessing/using pirated materials. The people who have been prosecuted for torrenting were liable because torrent clients also upload, thereby making them go beyond merely accessing/using.

2. Claiming that those sites (i.e. live soccer streams) are "learning" is a stretch. Moreover no such "learning" exemption exists, at least in the US. The closest you have is fair use, which has a 4 part test. "Learning" is one of the tests, but isn't a sole determinant. Photocopying textbooks wholesale is obviously illegal, even if it's for "learning".

AnthonyMouse

> The people who have been prosecuted for torrenting were liable because torrent clients also upload, thereby making them go beyond merely accessing/using.

It's not clear why this would be a relevant distinction. If the use in question is fair use then copying is permitted. Why wouldn't this be the case for the person uploading the data as well as the person downloading it? Suppose you have a physical copy of a book and your friend wants a copy of a page for a use which is indisputably fair use, so you make a copy for them and give it to them for that purpose. How is that any different?

> Claiming that those sites (i.e. live soccer streams) are "learning" is a stretch.

Wouldn't that depend on what the user is actually doing with it? If you're just watching the game with your friends, presumably not. If you're doing scientific research on sporting events and you need to run the video of every sporting event in the last 10 years through a computer for your study, maybe it is.

madeofpalk

What fair use argument can be made for just having GameOfThrones.mp4 on my web server for people to download?

rolph

Default settings on most BT clients allow uploads, however that can be changed. The biggest reason for infringement notices nowadays seems to be IP monitoring of pirate sites, trackers and swarm/DHT for "obvious" behaviour.

Of course, IPs are recycled across many users, and connecting to these BT resources is not proof of piracy. The very practice of monitoring is undeniable proof that connectivity != undeniable proof of piracy, so you have to offer fake BT pieces, then request a download to confirm data is being moved, and argue this is an indication of intent.

Meanwhile, you have to argue that the buffer content of a video player is not downloaded, and that there is no right to access those memory ranges on your own system.

yard2010

Aaron Swartz is gone for less :'(

subscribed

Nb: open source torrent clients can be patched so they will never ever upload even a single bit of data.

I know it flies in the face of how the bittorrent protocol should operate, but there's a technical possibility.

Another is using a so-called "seedbox" in a safe country, or torrenting only via VPN.

codedokode

> Claiming that those sites (i.e. live soccer streams) are "learning" is a stretch.

Maybe I want to be better at soccer and learn by observation.

kmeisthax

It's OK if you do it for machine learning. Human learners are still expected to pay.

rolph

Develop a local machine learning client for desktop users, crowdsource AI training; the residuum on users' machines is now a product of AI training.

exiguus

Wow. Thanks for the research on this. This is one reason, beside some others, to run your own recursor.

alabastervlog

What’s the DNS equivalent of using Yandex for search?

subscribed

Quad9, OpenDNS. I can recommend both.

Take a look here for a good start: https://www.techradar.com/news/best-dns-server

mqus

regarding OpenDNS (from the article):

> When OpenDNS was first ordered to block pirate sites in France, the company made a simple but drastic decision to leave the country entirely, effectively affecting all French users. Last week, it repeated this response in Belgium following a similar court order.

ycombinatrix

How exactly do they "leave the country"? Do they start blocking French & Belgian IPs?

devwastaken

Which means OpenDNS is a non-solution and should not be used.

tmtvl

What about LibreDNS? They seem pretty cool.


miyuru

I think what you are looking for might be https://dns.yandex.com/

tux1968

That's brilliant. Thanks for the link.

LargoLasskhyfv

Hrm. Depending on your location, needs, and preferences, this might shine and sparkle even more brightly:

https://mullvad.net/en/help/dns-over-https-and-dns-over-tls

AnthonyMouse

Get a VPS in a jurisdiction that doesn't do this, install a recursive DNS server and a VPN on it and use it as your DNS server. Or use any service providing the equivalent thing; many VPN services also provide a DNS server.

kdmtctl

Using Yandex for DNS. You will get the same filters.

somat

Run your own recursive server that directly gets its data from the authoritative servers.

.... On second thought that is a bad analogy; that is more like running your own search engine. The DNS equivalent to Yandex would be 77.88.8.8

https://gist.github.com/mutin-sa/5dcbd35ee436eb629db78725810...

encom

  $ kdig +tls +short @anycast.uncensoreddns.org streameast.app A
  104.21.84.29
  172.67.185.97

rustcleaner

Maybe we'll get smart and just install Hyphanet (Freenet). Only thing it needs done to be perfect (imo) is to duplicate the opennet code, make it all TCP only, and swap every IP address field for a .onion address field, and call this new opennet onionnet. He who has the key gets the file anonymously!

16V47uF

Spain laughs at those countries and just orders the ISPs to do SNI censoring.

Dwedit

A screenshot shows an "Error 451" page, but how can that even happen? It's https. Unless Cloudflare is also the web host, they can't change a page like that without the client seeing a certificate error.

Andoryuuta

In order to function, CDNs have to act essentially as giant opt-in MITM services. When you set up a CDN in front of your site, you will either need to give them your cert, or let them issue a cert (e.g. via Let's Encrypt).

If they can serve your site with https normally, they can serve any content they want under it.

jsheard

This is about CF's public DNS resolver though, and not every domain they're ordered to stop resolving will also happen to be served through their own CDN. In this case it was, which explains how they're able to serve a 451 error over HTTPS, but that won't always be the case, as the article implies.

In some other cases I suppose they could downgrade the connection to HTTP in order to show their 451 page, but if the domain is HSTS'ed then that wouldn't work either. They'd have to just black-hole the query like Google does.

gruez

It is.

    Non-authoritative answer:
    ivesoccer.sx    nameserver = lou.ns.cloudflare.com
    ivesoccer.sx    nameserver = venus.ns.cloudflare.com


oskapt

It’s DNS so they just have to accept the query and redirect it to a local server that answers for anything and returns the 451 error. However, it’s also worth noting that Cloudflare is a giant MitM proxy who already decrypts everything and retransmits it. No communication with any domain fronted by Cloudflare is secure.

belter

Yes...Oh the good times...

"Cloudflare Reverse Proxies Are Dumping Uninitialized Memory" - https://news.ycombinator.com/item?id=13718752

johnklos

Cloudflare hosts ivesoccer.sx.
