How to avoid the problem
Posted: Thu Feb 13, 2025 4:31 am
Roskomnadzor does not recommend using this method of blocking, but does not require using any specific method. The Internet provider chooses, and the agency only gives recommendations on possible methods. Therefore, from a legal point of view, providers can continue to block resources by IP address.
There are many blocked resources, and they can be freely purchased and used for selfish purposes, compromising the system of legal restrictions on prohibited sites.
There are two ways to solve this problem:
1) A telecom operator or Internet provider must block not by IP address, but by URL for http traffic or by domain name of the node for https traffic, extracted from the SNI (Server Name Indication) extension during the initiation of an SSL session. This is possible by using deep packet inspection (DPI) equipment on the telecom operator's network, which can extract this information. Not all DPI manufacturers support this feature; in particular, the popular Cisco SCE platform cannot do this, and for many others it does not work reliably enough.
2) Use the method of blocking recommended by Roskomnadzor on the side of the provider's DNS server, when for prohibited resources the DNS server should issue the address of the provider's host with a stub page, rather than the prohibited host. This method does not require purchasing DPI equipment, but it also needs to be combined with blocking by IP of those addresses specified in the registry. This scheme is easier to implement, but it does not provide sufficient reliability and is easy to bypass. Nevertheless, its use at the current stage is sufficient to meet the requirements of Roskomnadzor.
Roskomnadzor, for its part, has made efforts to try to reduce the damage caused by "thrifty" providers. It excluded from the registry some hosts that were managed by hooligans, created a white list of hosts that cannot be blocked, and temporarily allowed some providers with a "crooked" blocking system not to determine IP addresses from DNS, but to block only by IP from the registry.
New technologies
To avoid the problem, it is necessary to use a modern method of automatic blocking. Some DPI systems available on the market allow automatic filtering of prohibited sites. If the Internet resource uses the http protocol, then filtering is carried out exclusively by URL, not by IP address. If the connection is encrypted and the https protocol is used, then the resource name is extracted from Server Name Indication (SNI) or Common Name certificates.