A German ISP changed their DNS to block my website

Technical countermeasures and the protocol “arms race”

  • Commenters list existing tools against DNS tampering: DNSSEC, DoT/DoH/ODoH, QUIC, ECH, Tor, VPNs, self‑hosted recursive resolvers (e.g. Unbound), and alternative networks (I2P, Yggdrasil, Freenet, mesh ideas).
  • Disagreement on effectiveness:
    • DNSSEC mainly detects tampering; without local validation or widespread signing, it’s limited.
    • DoH/DoT can bypass ISP DNS blocks but only move trust to large resolvers (Cloudflare, Google) or to the EU’s DNS4EU, which some fear will itself become a censorship tool.
    • Once DNS is encrypted, ISPs can escalate to SNI and IP-based blocking; ECH and unique IP certs may push them further toward blunt IP blocks.
  • Some argue that, in the end, whoever controls the physical layer can always censor; technical measures only raise the cost and buy time.
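
Added example (not from the thread): how a resolver-level block of the kind discussed above shows up when the ISP resolver's reply is compared with a reply for the same name from an independent resolver. The wire-format replies are constructed samples; `example.org`, `block.invalid` and 192.0.2.1 are placeholders, and the reference reply is assumed to have been fetched over a path the ISP cannot alter (for instance DoT/DoH or a local validating resolver).

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:             # root label ends the name
            return off + 1
        off += 1 + n

def parse_response(msg):
    """Extract RCODE, the AD flag and (type, rdata) answers from a DNS reply."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    # AD is only the answering resolver's claim unless validation is done locally.
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "answers": answers}

def classify(isp, ref):
    """Compare the ISP resolver's reply with an independent resolver's reply."""
    def rdata(reply, rtype):
        return {d for t, d in reply["answers"] if t == rtype}
    if isp["rcode"] == 3 and ref["rcode"] == 0 and ref["answers"]:
        return "suppressed"    # NXDOMAIN for a name that resolves elsewhere
    if rdata(isp, 5) - rdata(ref, 5):
        return "redirected"    # CNAME target the reference never returned
    if rdata(isp, 1) != rdata(ref, 1):
        return "differs"       # could be CDN variance; not proof of tampering
    return "consistent"

# Constructed sample replies for "example.org IN A" (placeholder names/addresses).
Q = bytes.fromhex("076578616d706c65036f72670000010001")
REF = bytes.fromhex("123481800001000100000000") + Q + bytes.fromhex(
    "c00c000100010000012c0004c0000201")            # A 192.0.2.1
NX = bytes.fromhex("123481830001000000000000") + Q  # RCODE 3, no answers
REDIR = bytes.fromhex("123481800001000100000000") + Q + bytes.fromhex(
    "c00c000500010000012c000f05626c6f636b07696e76616c696400")  # CNAME block.invalid

if __name__ == "__main__":
    for label, raw in (("nx", NX), ("redir", REDIR), ("same", REF)):
        print(label, classify(parse_response(raw), parse_response(REF)))
```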

Real‑world ISP blocking: Spain and Germany

  • Multiple reports from Spain: ISPs (Movistar/Telefónica, O2, Vodafone, others) periodically blackhole ranges of Cloudflare IPs during football matches under LaLiga-driven court orders, disrupting many unrelated sites.
  • Blocking is inconsistent (some piracy sites blocked, others not), often only on weekends, and sometimes apparently denied by operators.
  • In Germany, the CUII originally allowed ISPs and rightsholders to agree DNS blocks for “structural copyright infringement” without court orders or transparency.
  • After criticism and regulatory pressure, CUII now claims to only coordinate court‑ordered blocks, but existing entries remain and users see a growing culture of DNS/IP blocking (piracy, porn, political sites like RT).

Censorship vs. propaganda: RT and beyond

  • Large subthread on blocking RT.com:
    • Supporters see it as justified wartime/hybrid‑warfare defense against a hostile state propaganda arm.
    • Opponents argue any state deciding what is “propaganda” is incompatible with free speech, creates a slippery slope, and mirrors authoritarian justifications elsewhere.
  • Debate touches on:
    • Whether populations are too vulnerable to manipulation to leave everything uncensored.
    • Paradox of tolerance and historical analogies (Weimar, Nazis, modern populism).
    • Inconsistency: state TV, social media, and domestic misinformation largely untouched while one foreign outlet is banned.
    • Distinction between blocking content vs. prosecuting specific illegal acts (defamation, hate speech, child abuse material).

German legal and civil‑liberties concerns

  • Some see Germany as increasingly heavy‑handed: strong hate‑speech laws, police raids over mild online insults, and restrictions on filming police.
  • Others respond that:
    • There are FOI and press laws (though fragmented); privacy protections also limit casual public filming.
    • Illegally obtained video can still be used as evidence; the bigger problem is independent oversight of police, not camera legality alone.
  • Broader worry: normalization of “for your own good” censorship and opaque public‑private blocking bodies.

User strategies and trust trade‑offs

  • Widely shared advice: don’t use ISP DNS; instead:
    • Run a local recursive resolver (e.g. Unbound).
    • Use third‑party encrypted DNS (Quad9, Cloudflare, DNS4EU) or VPNs.
  • Counter‑concern: shifting visibility from ISPs to big DNS or VPN providers; some prefer protocols (like DNSCrypt) that avoid PKI and large CAs.
  • Several note that technical workarounds help power users, but most citizens will remain subject to whatever their ISP and regulators decide. Political solutions and institutional safeguards are seen as ultimately necessary.