DNS piracy blocking orders: Google, Cloudflare, and OpenDNS respond differently

Original Article ↗ Hacker News Discussion ↗

Why Target DNS Resolvers Instead of Registrars?

  • Courts go after big public DNS resolvers (Google, Cloudflare, OpenDNS) because they’re few, visible, and under local or allied jurisdiction, unlike scattered registrars and offshore registries.
  • Hitting resolvers gives wide coverage and also keeps users on centralized, monitorable infrastructure instead of pushing them to harder‑to‑track setups.
  • Some argue that for local blocking (e.g. in Argentina) it’s more logical to order local ISPs and resolvers than distant registries like Verisign.

Censorship, Borders, and Fundamental Rights

  • One side: states have the right to regulate activities inside their borders via courts; blocking pirate sites via due process is analogous to other injunctions.
  • Other side: information control is qualitatively different; censorship infrastructures historically expand from “piracy / CSAM / drugs” to political and social control.
  • Debate over whether there “should” be a right to private encrypted communication, even if no law currently enshrines it.
  • Some insist the internet should be borderless; others say that free‑internet exceptionalism already failed in places like China.

Piracy, ‘Learning’, and Fair Use

  • Accessing pirated material is rarely prosecuted; uploading/redistribution (e.g. via BitTorrent) is the legal hook.
  • Claiming sports streams are “for learning” is widely seen as untenable; no broad “learning exception” exists, only narrow fair‑use tests.
  • Some argue that if a work can ever be fairly used, intermediaries hosting it shouldn’t automatically be liable, drawing analogies to libraries.

How Blocking is Implemented and Circumvented

  • Most ordinary users use ISP or browser‑default DNS; a small minority run self‑hosted recursive resolvers or VPNs, which easily bypass basic DNS blocking.
  • In the highlighted Belgian case, Cloudflare both resolves DNS and fronts the site as a CDN, so it can serve an HTTPS 451 page directly. Where Cloudflare only runs the resolver and not the CDN, it would need different tactics (e.g. refusing or black‑holing queries).
  • OpenDNS’s approach is to stop serving users in countries that demand blocking, effectively “leaving” those jurisdictions.

Is DNS ‘Broken’? Alternatives and Protocol Details

  • Some argue that any resolver obeying political/legal blocks is “not fit for purpose”; others respond that DNS itself is fine and the issue is centralization and corporate reliance.
  • Suggested mitigations: self‑hosted recursive resolvers (Unbound, BIND), many small resolvers, VPNs, Tor, alternative networks (Freenet/Hyphanet), or decentralized naming (Namecoin/ENS), though these raise scalability and blockability questions.
  • RFC 8914’s “Censored” extended DNS error (code 16) is noted as a standardized way to signal legally imposed blocking.