For those wondering: it's DNS blocks, so only affecting those using ISP DNS.

Regardless of censorship, I don't recommend that anyone use ISP DNS servers. They are often slow, flaky and don't respect record TTLs.

Quad 1/8/9 isn't an optimal alternative (too much centralization if everyone uses those by default), but running your own is easy.

some ISPs make it difficult to use other DNS servers
There's DNS over HTTPS they can't viably block, so thankfully they get the short end of the stick here.

edit: Thinking of it, anyone knows if it's possible to use that for OS-wide DNS resolves, not just for the browser?

Yes, on both macOS and Windows 11. On Mac you have to create/use a simple .mobileconfig profile. On Windows you have to separately provide both IPv4 and IPv6 addresses.
Or set up a forwarder such as unbound(8) in the LAN and set up the network to use it as the DNS server.
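A worked version of the macOS route mentioned above, added here as an example (it is not something the commenters posted): a small POSIX shell function that generates the .mobileconfig profile carrying Apple's com.apple.dnsSettings.managed payload, which makes the whole OS, not just the browser, resolve over DoH. The resolver URL, its IP addresses and the org.example identifiers are placeholders to replace with your own resolver's details.

```shell
#!/bin/sh
# Added example, not from the thread: generate a minimal .mobileconfig that makes
# macOS/iOS resolve all DNS over HTTPS (the com.apple.dnsSettings.managed payload).
# Assumptions: the resolver URL, its IPs and the org.example identifiers are
# placeholders you replace with your own resolver's; UUIDs are generated per run.
set -eu

# write_doh_profile NAME DOH_URL IP [IP...]  ->  prints the profile XML on stdout.
# The IPs let the OS reach the resolver without first doing a DNS lookup for the
# hostname in the URL (bootstrapping); give both IPv4 and IPv6 if you have them.
write_doh_profile() {
  name=$1; url=$2; shift 2
  uuid_payload=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || echo "a1b2c3d4-0000-4000-8000-000000000001")
  uuid_profile=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null || echo "a1b2c3d4-0000-4000-8000-000000000002")
  addrs=""
  for ip in "$@"; do
    addrs="$addrs
                <string>$ip</string>"
  done
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadIdentifier</key>
            <string>org.example.doh.$name.dns</string>
            <key>PayloadUUID</key>
            <string>$uuid_payload</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>HTTPS</string>
                <key>ServerURL</key>
                <string>$url</string>
                <key>ServerAddresses</key>
                <array>$addrs
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>DNS over HTTPS ($name)</string>
    <key>PayloadIdentifier</key>
    <string>org.example.doh.$name</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>$uuid_profile</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
EOF
}

# Example invocation (placeholder resolver and TEST-NET addresses):
#   write_doh_profile home "https://dns.example/dns-query" 192.0.2.53 2001:db8::53 > doh.mobileconfig
```

Open the generated file on the Mac and approve it under System Settings (Profiles / Device Management); after that every application's lookups go through the configured DoH server, which you can confirm with `scutil --dns`. The profile only pins the resolver; it does not stop an ISP that blackholes addresses, so combine it with the reachability check discussed further down if names resolve but connections still fail.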
Interesting. UK ISPs have had a similar block/filter list for many years (mostly covering copyright-infringing torrent websites and the like). But it’s more robust than a simple DNS block. A VPN can bypass the block, but changing DNS providers will not.
What / how do they do it then? SNI inspection?
The ISPs blackhole the IP for some blocked domains. So changing your DNS to 8.8.8.8 will resolve the domain, but the IP won't work. A VPN avoids this, since the traffic goes via the VPN IP.
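A quick way to tell the two mechanisms apart from your own connection, added here as an example rather than anything a commenter posted: resolve the name through the system (ISP) resolver and through an independent one, then attempt a TLS handshake to the independently obtained address with the correct SNI. Assumed, not from the thread: dig and curl are installed, 9.9.9.9 stands in for any non-ISP resolver, and the verdict strings are this script's own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a host is blocked at the DNS
# level, the IP level, or both, from the vantage point of the current network.
# Assumptions (not from the thread): dig and curl are installed; 9.9.9.9 is just a
# placeholder for any resolver that is not the ISP's; HOST is the site under test.
set -eu

ALT_RESOLVER="${ALT_RESOLVER:-9.9.9.9}"

# resolve_with RESOLVER HOST -> the host's A records, sorted, one per line.
# An empty RESOLVER means "use the system (typically ISP) resolver".
resolve_with() {
  dig +short +time=3 +tries=1 ${1:+"@$1"} "$2" A 2>/dev/null \
    | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort || true
}

# tls_probe HOST IP -> "ok" when a TLS handshake to IP with SNI=HOST completes
# (any HTTP status counts), "fail" on timeout, reset or handshake failure.
tls_probe() {
  if curl -sS -o /dev/null --max-time 8 --resolve "$1:443:$2" "https://$1/" 2>/dev/null; then
    echo ok
  else
    echo fail
  fi
}

# classify ISP_ANSWERS ALT_ANSWERS TLS_RESULT -> verdict string.
# Kept free of network calls so the logic can be exercised with canned inputs.
classify() {
  c_isp=$1; c_alt=$2; c_tls=$3
  if [ -z "$c_alt" ]; then
    echo "unresolvable"            # even the independent resolver has nothing: not testable here
  elif [ "$c_tls" = ok ]; then
    if [ "$c_isp" = "$c_alt" ]; then echo "open"
    elif [ -z "$c_isp" ]; then       echo "dns-block"       # ISP resolver returns nothing, real IP reachable
    else                              echo "dns-redirect?"   # ISP hands out a different IP: sinkhole, or CDN geo-diversity
    fi
  else
    if [ "$c_isp" = "$c_alt" ]; then echo "ip-block?"       # same IP everywhere, yet unreachable: blackhole, or the site is down
    else                              echo "dns-block+ip-block"
    fi
  fi
}

# probe HOST -> prints the observations and the verdict.
probe() {
  isp=$(resolve_with "" "$1")
  alt=$(resolve_with "$ALT_RESOLVER" "$1")
  tls=fail
  for ip in $alt; do
    [ "$(tls_probe "$1" "$ip")" = ok ] && { tls=ok; break; }
  done
  printf 'isp_resolver=[%s] alt_resolver=[%s] tls_to_alt_ip=%s verdict=%s\n' \
    "$(echo $isp)" "$(echo $alt)" "$tls" "$(classify "$isp" "$alt" "$tls")"
}

if [ $# -eq 1 ]; then
  probe "$1"
fi
```

Run it as `sh probe.sh example.org`. `dns-block` is the situation the first comments describe, where switching resolver is enough; `ip-block?` matches the UK behaviour above, where the name resolves everywhere but the address is unreachable and only a VPN helps. A `dns-redirect?` verdict needs a look at the ISP's answer, since CDNs legitimately return different addresses per region. The script cannot distinguish an IP blackhole from an SNI-based reset; for that, check whether the TCP connection is accepted but dies immediately after the ClientHello.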
Wow that’s intense.

I remember hearing someone complain on HN of their site getting blocked because it shared an IP with an illegal soccer livestream. I can’t imagine they’re doing this to IP blocks owned by CDNs like Fastly, CloudFlare, or CloudFront though. Or are they? Does this regularly break most of the internet for UK customers?

Spain ISPs block CloudFlare IPs during La Liga matches.
How would that work with cloudflare and similar though?
Cloudflare works with the UK government to facilitate blocks within their infra, I assume in exchange for being allowed to access UK network infrastructure.

In the case that a blocked site resolved to a Cloudflare IP, it would likely be kicked off of Cloudflare, or geo-blocked for UK users (by Cloudflare).

https://www.ispreview.co.uk/index.php/2025/07/cloudflare-blo...

Ironically that url is forbidden for me, I was under the impression that CF were fairly anti censorship, or at least they inferred that they should not be the one calling the shots (in reference to kiwifarms)
I've never hit one. Flipping DNS works for (for example) Anna's Archive. Have you got an example?
In that case it's like someone controlling the DNS records for a banned site could cause some mischief.
Transparent DNS proxies on ISP side. Easy thing for them.
DNS over HTTP is a thing also, though.
If this is the case, someone running their own recursive DNS server (like BIND 9 or Unbound) can trivially bypass these restrictions. Doing this is a sensible step towards more privacy, regardless of censorship.
They don’t need to run their own DNS server, just configure a DNS server other than the ISP-provided one, like Quad9 or Google.
Using Google - one of the largest data mining companies out there - rather than my trusted ISP doesn't sound like a step towards privacy.
Maybe this is a good place to ask: what is the easiest way to use my own DNS entirely in user mode (not a server when I can't change which DNS is pointed to, since not an admin), a SOCKSv5 proxy?

It looks like this is possible with Chrome-based browsers using a command line flag (--host-resolver-rules) or in Firefox settings. Is there a better way?

If you are on Linux, install unbound and set your DNS server to localhost, done.
"private DNS". Configure your own (with ad blocking) on nextdns.
Worth mentioning NextDNS and ControlD under this! I migrated from the former to the latter about six months ago, but both are a solid choice.
Free trial then $20USD per year for ControlD. Is that what you use? If so, why do you use this over another service?
Not OP but I also use ControlD. I admittedly like NextDNS interface better, but honestly, I rarely need to login anyways.

So why ControlD? Because I don't want to run my own Pi-hole, basically. They maintain ad block lists that you can edit as you see fit to add things or relax things that may cause issues (which you can't do easily with public ad blocking DNS servers).

Why ControlD then and not NextDNS? First, because their support was awesome when I had an issue. AFAICT it was the founder actually emailing me back and forth, and it ended up being my ISP's fault, but I only knew that based on research provided to me by support. Secondly, I got a good deal on a 5-year subscription at one point.

Happy to answer any questions, not affiliated but a fan of the service.

Not GP, but I just run my own DNS inside the network (Unbound on a little OpenBSD SBC) with a cronjob that pipes oisd.nl into it every night; works great.
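Tying together the do-it-yourself answers in this thread (a recursive resolver of your own, Unbound on localhost, and a nightly cron job feeding a blocklist into it) as an added example that is not code any commenter posted: a POSIX shell script that writes a loopback-only, DNSSEC-validating, fully recursive Unbound configuration and converts a plain domain list into local-zone entries, refusing to install a list that failed to download or does not pass unbound-checkconf. Assumed, not from the thread: Debian-style paths (an unbound.conf.d include directory and /var/lib/unbound/root.key), a placeholder blocklist URL in the "one domain per line" format, and an arbitrary 100-line sanity floor.

```shell
#!/bin/sh
# Added example, not code from the thread: a local Unbound resolver on loopback
# plus a nightly blocklist refresh. Assumptions (not from the thread): Debian-style
# paths (/etc/unbound/unbound.conf.d is included by the main unbound.conf, root
# trust anchor in /var/lib/unbound/root.key); BLOCKLIST_URL is a placeholder for a
# "one domain per line" list; the 100-line floor is an arbitrary sanity check.
set -eu

UNBOUND_DIR="${UNBOUND_DIR:-/etc/unbound/unbound.conf.d}"
BLOCKLIST_URL="${BLOCKLIST_URL:-https://blocklist.example/domains.txt}"   # placeholder

# Resolver config: answer only on loopback, recurse to the roots itself (no ISP or
# public forwarder involved), validate DNSSEC.
write_resolver_conf() {
  cat <<'EOF'
server:
  interface: 127.0.0.1
  interface: ::1
  access-control: 127.0.0.0/8 allow
  access-control: ::1/128 allow
  prefetch: yes                 # refresh popular records before their TTL runs out
  harden-glue: yes
  harden-dnssec-stripped: yes
  qname-minimisation: yes       # send each authority only the labels it needs
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
EOF
}

# domains_to_local_zones: stdin = domain list (comments with '#', blank lines and
# hosts-file "0.0.0.0 name" lines tolerated); stdout = an Unbound server clause
# that answers NXDOMAIN for each domain and everything below it.
domains_to_local_zones() {
  echo "server:"
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' \
      -e 's/^0\.0\.0\.0[[:space:]]\{1,\}//' -e 's/^127\.0\.0\.1[[:space:]]\{1,\}//' \
      -e 's/[[:space:]]*$//' \
  | tr '[:upper:]' '[:lower:]' \
  | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
  | sort -u \
  | sed 's/.*/  local-zone: "&." always_nxdomain/'
}

# update_blocklist: fetch, convert, install, validate with unbound-checkconf, and
# only then reload; a failed download or broken file never replaces a working one.
update_blocklist() {
  conf="$UNBOUND_DIR/blocklist.conf"
  tmp=$(mktemp)
  curl -fsSL --max-time 60 "$BLOCKLIST_URL" | domains_to_local_zones > "$tmp"
  if [ "$(wc -l < "$tmp" | tr -d ' ')" -lt 100 ]; then
    echo "blocklist suspiciously small; keeping the previous one" >&2
    rm -f "$tmp"; return 1
  fi
  [ -f "$conf" ] && cp "$conf" "$conf.bak"
  install -m 0644 "$tmp" "$conf"; rm -f "$tmp"
  if ! unbound-checkconf >/dev/null; then
    echo "generated blocklist failed unbound-checkconf; restoring previous" >&2
    [ -f "$conf.bak" ] && mv "$conf.bak" "$conf"
    return 1
  fi
  unbound-control reload
}

# Install once as root, point /etc/resolv.conf (or the network manager) at
# 127.0.0.1, and add a root crontab line such as:
#   30 3 * * * /usr/local/sbin/local-resolver.sh update
case "${1:-}" in
  install) write_resolver_conf > "$UNBOUND_DIR/local-resolver.conf" ;;
  update)  update_blocklist ;;
esac
```

`unbound-control reload` assumes remote control has been enabled with `unbound-control-setup` and `remote-control: control-enable: yes`; otherwise restart the service instead. Because the generated file is a full `server:` clause, it works both with Debian's `include-toplevel:` and with a plain `include:` line in unbound.conf. Leaving out any `forward-zone:` is what makes this a real recursive resolver rather than a forwarder to Quad9 or Google, which is the privacy point raised in the thread.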
I am curious why SNI-based block isn't used.
Shhh, don’t give them ideas
It won't be relevant in a couple years when 90% of sites will be using ECH, meaning the SNI will be encrypted as well.
Just enabling ECH doesn't stop this, firewalls can see it and mangle the data to force a downgrade because most servers need to support older protocols. It's more accurate to say that once sites only support ECH, then they'll be forced to stop downgrading or deal with angry users.
TLS 1.3, including the ECH extension, does not permit downgrading, unless your implementation is broken.

Trying to downgrade or strip extensions from any TLS 1.3 connection will simply break the connection.

Is there even a push for ECH? I don’t imagine big tech and other powerful players particularly want it.
As a reward for freeing yourself from the de facto government DNS, you will now be gifted free movies for eternity
