
Taiwan's DNS RPZ Network: Blocking and Unblocking Strategies

The internet itself is free. Implementing internet censorship or surveillance is no different from countries that restrict freedom of speech.

Introduction

The scandal involving entertainer Huang Zijiao has recently produced a wave of news about the closure of “創意私房” (Creative Private Room). Driven by curiosity, people who try to browse the site find that the URL lands on TWNIC’s blocking page.

Internet Freedom

The internet itself is free, meaning you can connect to any URL. However, due to regulatory restrictions, governments may control or prohibit access to certain websites. Common examples include China’s blockage of Google, YouTube, Facebook, Wikipedia, and others.

Internet freedom does not imply tolerance or encouragement of activities such as pornography, gambling, or piracy, especially when these activities are based on the suffering of others or infringe on others’ rights. These behaviors should not be encouraged or allowed. Worse still, if someone commits a crime or engages in illegal activities due to watching such videos, it creates even bigger problems.

In Taiwan, as early as 2013, the Intellectual Property Office proposed that ISPs block websites providing infringing content via DNS or IP blocking, but this ultimately went nowhere.

With the recent media coverage, clicking on Creative Private Room redirects to a blocking page. In fact, on 2020-03-30, TWNIC (Taiwan Network Information Center) held the first DNS RPZ meeting, and network blocking via DNS has continued since then.

Blocked page by TWNIC

DNS RPZ

What is DNS RPZ

Domain Name System Response Policy Zone (DNS RPZ) is a mechanism developed by the Internet Systems Consortium (ISC) for the BIND resolver. It filters by domain name rather than by URL: a recursive resolver rewrites its answers for names listed in a policy zone before the answer reaches the client.

RPZ lets a resolver operator load one or more response policy zones alongside the normal zones. When a query arrives for a name that appears in such a zone, the resolver returns the policy’s answer instead of the real one: NXDOMAIN (the name does not exist), NODATA (the name exists but has no records), a substitute IP address, or a CNAME to a walled-garden host. The client is thereby blocked or redirected. Operators use this to cut off malware distribution sites and phishing sites, and, as here, content that a regulator has decided should be out of reach.

For example, suppose a computer wants to browse NSFW.com, whose real address is 1.2.3.4, and the computer uses Chunghwa Telecom’s resolver (168.95.1.1). If NSFW.com is on the policy list, the resolver answers NXDOMAIN (or hands back a substitute address that points at the block page) instead of 1.2.3.4, so the browser never reaches the original server or its content.

If the computer is switched to a public resolver that does not participate in the RPZ feed, such as Cloudflare’s 1.1.1.1, the lookup for NSFW.com is unaffected by the policy list and the original content loads normally. The filtering lives in the resolver, not in the network path.
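To make the resolver-side mechanism concrete, here is an added example (not code from the original post, and not TWNIC’s zone) that parses a small policy zone written in the RPZ record syntax BIND uses and applies it to queries, once as the ISP resolver with the policy loaded and once as a resolver with no policy. The zone name rpz.example, its records, the “upstream” answers, and the use of 150.242.101.120 as the walled-garden address are all assumptions for illustration.

```python
"""Added example (not from the original post): a minimal model of how a
recursive resolver applies a Response Policy Zone (RPZ).

Everything here is constructed: the zone name rpz.example, its records and
the "upstream" answers are assumptions, not TWNIC's real zone. The
trigger/action encoding follows the RPZ format used by BIND:
    <qname>.<zone>       QNAME trigger (exact name)
    *.<qname>.<zone>     QNAME trigger for every subdomain of <qname>
    CNAME .              action NXDOMAIN ("domain does not exist")
    CNAME *.             action NODATA  (name exists, no records)
    CNAME rpz-passthru.  action PASSTHRU (answer normally, an exception)
    A <addr>             action Local Data (substitute address, walled garden)
"""

RPZ_ZONE_NAME = "rpz.example"  # assumed name of the policy zone

# Constructed policy zone in zone-file syntax; ';' starts a comment.
RPZ_ZONE_TEXT = """
nsfw.com.rpz.example.           CNAME  .                 ; block the site
*.nsfw.com.rpz.example.         CNAME  .                 ; ... and all subdomains
phish.example.rpz.example.      A      150.242.101.120   ; send to the block page
cdn.phish.example.rpz.example.  CNAME  rpz-passthru.     ; but let this host through
nodata.example.rpz.example.     CNAME  *.                ; NODATA instead of NXDOMAIN
"""

# Constructed answers the resolver would return with no policy loaded.
UPSTREAM = {
    "nsfw.com": ["1.2.3.4"],
    "www.nsfw.com": ["1.2.3.5"],
    "phish.example": ["5.6.7.8"],
    "cdn.phish.example": ["5.6.7.9"],
    "nodata.example": ["9.9.9.9"],
    "example.org": ["93.184.216.34"],
}


def parse_rpz(zone_text, zone_name):
    """Map each trigger (the owner name minus the zone suffix) to an action."""
    suffix = "." + zone_name + "."
    policy = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split()
        if not owner.endswith(suffix):
            raise ValueError(f"record outside policy zone: {owner}")
        trigger = owner[: -len(suffix)].lower()
        if rtype == "CNAME" and rdata == ".":
            policy[trigger] = ("NXDOMAIN", None)
        elif rtype == "CNAME" and rdata == "*.":
            policy[trigger] = ("NODATA", None)
        elif rtype == "CNAME" and rdata == "rpz-passthru.":
            policy[trigger] = ("PASSTHRU", None)
        elif rtype == "A":
            policy[trigger] = ("LOCALDATA", rdata)
        else:
            raise ValueError(f"unsupported policy record: {line}")
    return policy


def find_trigger(policy, qname):
    """Exact QNAME trigger first, then the longest enclosing wildcard.

    '*.nsfw.com' covers 'www.nsfw.com' but not 'nsfw.com' itself.
    """
    if qname in policy:
        return qname
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return wildcard
    return None


def resolve(qname, policy, upstream):
    """Return (rcode, addresses, trigger) as a policy-applying resolver would."""
    name = qname.rstrip(".").lower()
    trigger = find_trigger(policy, name)
    action, data = policy[trigger] if trigger else ("PASSTHRU", None)
    if action == "NXDOMAIN":
        return "NXDOMAIN", [], trigger
    if action == "NODATA":
        return "NOERROR", [], trigger
    if action == "LOCALDATA":
        return "NOERROR", [data], trigger
    # PASSTHRU, or no trigger at all: ordinary resolution
    if name in upstream:
        return "NOERROR", list(upstream[name]), trigger
    return "NXDOMAIN", [], trigger


if __name__ == "__main__":
    policy = parse_rpz(RPZ_ZONE_TEXT, RPZ_ZONE_NAME)
    for q in ["nsfw.com", "www.nsfw.com", "phish.example",
              "cdn.phish.example", "nodata.example", "example.org"]:
        filtered = resolve(q, policy, UPSTREAM)  # ISP resolver with RPZ loaded
        plain = resolve(q, {}, UPSTREAM)         # resolver without RPZ
        print(f"{q:20} RPZ: {filtered[0]} {filtered[1]}   no RPZ: {plain[0]} {plain[1]}")
```

Running it shows the point of the section: the same six names resolve to their real addresses with an empty policy, while the policy-loaded resolver answers NXDOMAIN for nsfw.com and every subdomain, substitutes the walled-garden address for phish.example, and exempts cdn.phish.example through the passthru record. Real deployments add more trigger types (client IP, nameserver name and address, response IP), but the QNAME rules above are the ones a content block like this one relies on.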

How DNS RPZ works

Who Uses TWNIC’s RPZ?

As of April 2024, TWNIC’s member list (link now inactive) named: Ministry of Education, Chunghwa Telecom, Taiwan Fixed Network, Taiwan Broadband Communications, TFN Media, Taichung Cable TV, TWT Digital, Junglien Digital, Taiwan Mobile, New Century InfoComm Tech, Far EasTone, Asia Pacific Telecom, Taiwan Star, Top Three Cable TV, Public Television Service, and Uni-Info.

This means that if you use a connection from Chunghwa Telecom, Taiwan Mobile, Far EasTone, etc., and keep the resolver it assigns to you, your lookups pass through RPZ filtering.

Is RPZ Safe?

Domain name resolution turns a domain name into an IP address. When we send a name to the resolvers of the organizations above, they learn only that someone wants to reach that domain name, not the page content or anything submitted to it (passwords, personal data), and for a listed name they return the policy answer instead of the real address. They can, of course, still log which names were asked for and from which client address.

For example, if we try to visit NSFW.com and the answer is rewritten to 150.242.101.120, what happens next depends on the protocol. Over plain HTTP there is no certificate to check, so the request simply lands on TWNIC’s block page with no warning at all. Over HTTPS the browser compares the certificate presented by 150.242.101.120 with the name NSFW.com; it does not match, so the browser shows a security warning. Ignoring the warning and continuing brings up TWNIC’s blocking page.

That check only helps while the computer’s trusted root certificates are intact. If someone has added their own root CA to the trust store, a certificate they issue for NSFW.com is accepted without any warning, and whoever controls both the DNS answer and that CA can run a full man-in-the-middle (MITM) attack: read and alter every page, and block far more precisely than DNS alone allows. This is why you should not log in on public computers. Few users inspect certificates, and a machine whose resolver and trust store have both been prepared this way is easy to attack.
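The two checks that decide whether a warning appears, as an added example rather than code from the original post: hostname matching against the certificate’s Subject Alternative Name entries, and whether the chain ends at a root the machine trusts. The certificates are constructed stand-ins (a dict of SAN names plus the root the chain anchors at); blockpage.example is a placeholder for the block server’s real name, and “Kiosk Local CA” is an assumed rogue root, not anything the page identifies.

```python
"""Added example (not from the original post): the hostname check a browser
runs on a TLS certificate, and why it catches an RPZ redirect but not a
certificate issued by a CA that someone added to the machine's trust store.

The certificates are constructed stand-ins: a dict holding the dNSName
entries of the Subject Alternative Name extension and the name of the root
CA the chain ends at. 'blockpage.example' is a placeholder for the block
server's real name and 'Kiosk Local CA' an assumed rogue root.
"""

# Certificate the block-page server (e.g. 150.242.101.120) would present.
BLOCK_PAGE_CERT = {"san": ["blockpage.example"], "root": "Public Root CA"}
# Certificate a prepared machine could be shown for the hijacked name.
ROGUE_CERT = {"san": ["nsfw.com", "*.nsfw.com"], "root": "Kiosk Local CA"}

CLEAN_TRUST_STORE = {"Public Root CA"}
TAMPERED_TRUST_STORE = {"Public Root CA", "Kiosk Local CA"}


def hostname_matches(hostname, san_dnsnames):
    """RFC 6125 style matching: exact (case-insensitive) match, or a wildcard
    that is a whole leftmost label, stands for exactly one label, and does
    not sit directly under the top level (so '*.com' matches nothing)."""
    host = hostname.rstrip(".").lower().split(".")
    for pattern in san_dnsnames:
        pat = pattern.rstrip(".").lower().split(".")
        if pat == host:
            return True
        if (pat[0] == "*" and len(pat) >= 3
                and len(pat) == len(host) and pat[1:] == host[1:]):
            return True
    return False


def browser_accepts(hostname, cert, trust_store):
    """Both checks must pass: chain anchored in the trust store, and the
    requested hostname present in the certificate's SAN list. Real
    validation also checks signatures, validity dates and revocation; those
    are omitted here."""
    return cert["root"] in trust_store and hostname_matches(hostname, cert["san"])


if __name__ == "__main__":
    cases = [
        ("RPZ redirect, clean store", BLOCK_PAGE_CERT, CLEAN_TRUST_STORE),
        ("rogue cert, clean store", ROGUE_CERT, CLEAN_TRUST_STORE),
        ("rogue cert, tampered store", ROGUE_CERT, TAMPERED_TRUST_STORE),
    ]
    for label, cert, store in cases:
        warns = not browser_accepts("nsfw.com", cert, store)
        print(f"{label:28} warning shown: {warns}")
```

Only the third case passes silently: the DNS rewrite alone is always caught by the name check, and a certificate for the right name from an unknown CA is still rejected. It takes the combination of a controlled resolver and an extra trusted root to make the hijack invisible, which is exactly the situation on a public computer you did not set up.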

Mismatched certificate warning

Hijacked by TWNIC

The same mechanism is useful on your own network: run your own resolver and load blocklists for ads, malware, pornography, and phishing sites, which is effectively a private RPZ. The hosted NextDNS (free tier) or the self-hosted open-source AdGuard Home both do this.

How to Avoid Network Blocking

To browse blocked sites normally, stop using the default resolvers these organizations hand out. Newer systems can use DNS over HTTPS (DoH), which encrypts and authenticates the queries to the resolver you choose, so nobody on the path, the ISP included, can read or rewrite them. The filtering then depends only on which resolver you pick: a DoH endpoint run by an RPZ member still applies the policy, so choose one that does not participate. From a network administrator’s perspective, DoH looks like any other HTTPS traffic, which makes it harder to see which names you look up, although the address and SNI of a well-known DoH endpoint can still be recognized and blocked outright.
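What the browser actually sends once DoH is switched on, as an added example that is not code from the original post: an ordinary DNS message is base64url-encoded into the dns parameter of an HTTPS GET, and an ordinary DNS message comes back in the HTTPS body. The endpoint is Cloudflare’s real one; the resolver replies are constructed inside the code so it runs offline, and the function at the end applies the page’s own test for a rewritten answer (NXDOMAIN or a different address from the ISP resolver while an RPZ-free resolver returns the real one).

```python
"""Added example (not from the original post): the wire exchange behind a
DoH lookup (RFC 8484). The endpoint is Cloudflare's real one; the replies
are constructed here so the example runs offline."""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1):
    """One A-record question (qtype 1); ID 0 as RFC 8484 recommends for
    cacheability, RD flag set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: base64url without '=' padding."""
    param = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=")
    return f"{endpoint}?dns={param.decode('ascii')}"

def decode_dns_param(param):
    """Inverse of the GET encoding: restore padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_response(msg):
    """Return (rcode name, IPv4 addresses from the A records in the answer)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs

def make_response(query, rcode, addrs):
    """Constructed resolver reply: echoes the question and adds one A record
    per address, each owner name a pointer (0xC00C) back to the question."""
    ident = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", ident, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        + bytes(int(x) for x in a.split("."))
        for a in addrs)
    return header + query[12:] + answers

def looks_rewritten(isp_reply, public_reply):
    """The page's test: the ISP resolver says NXDOMAIN, or hands back a
    different address, while an RPZ-free resolver returns the real one."""
    isp_rcode, isp_addrs = parse_response(isp_reply)
    pub_rcode, pub_addrs = parse_response(public_reply)
    if pub_rcode != "NOERROR" or not pub_addrs:
        return False
    return isp_rcode == "NXDOMAIN" or set(isp_addrs) != set(pub_addrs)

if __name__ == "__main__":
    q = build_query("nsfw.com")
    print(doh_get_url("nsfw.com"))
    isp, public = make_response(q, 3, []), make_response(q, 0, ["1.2.3.4"])
    print(parse_response(isp), parse_response(public), looks_rewritten(isp, public))
```

The GET URL is the only thing an observer on the path sees in the clear, and even that is inside TLS; what they can see is the TLS connection to cloudflare-dns.com. Note that the DNS messages inside are unchanged from classic DNS, which is why the resolver at the far end can still apply RPZ to them: DoH moves the trust to the resolver you name, it does not remove it.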

Browser

Step 1: Open browser settings

Open browser settings

Step 2: Search for DNS and enter the DoH URL of the resolver you want (for example Cloudflare’s https://cloudflare-dns.com/dns-query). The browser’s lookups then go to that resolver instead of the system one, and blocked names resolve normally.

Enter DNS and change DoH settings

Mobile

Most newer mobile systems support DoH. On iPhone, for example, install a mobileconfig profile that sets the DNS server. Once it is installed, every DNS query on the phone, from every app and not just the browser, goes to the selected resolver.

  1. Open the link and allow the profile download.
  2. Go to Settings → General → VPN & Device Management.
  3. Under Downloaded Profile, select Cloudflare DNS over HTTPS and tap Install in the upper right corner.
  4. Go to DNS and switch it from Automatic to Cloudflare DNS over HTTPS.

Congratulations, your phone now uses DoH for its domain name queries: the resolver on the local network can no longer rewrite them, and the names you look up are hidden from that network.

Conclusion

Internet censorship is a complex issue, an ongoing battle between governments, companies, and users.

Consider the users in mainland China who risk breaking the law by using VPNs (unapproved VPN use is illegal there) and employing different encryption protocols (Shadowsocks, V2ray, Trojan, Hysteria, Juicity, WireGuard, Snell) to bypass censorship. In Taiwan, numerous VPNs on the market allow users to bypass similar restrictions after subscription. Ultimately, this enriches VPN providers, relay operators, and VPS server suppliers.

Moreover, if a piracy site like NSFW.com is blocked, it could easily reappear as NSFW.ai or NSFW.io, making it difficult for the government to block promptly.

Furthermore, sharing and selling content via private groups on Telegram, Line, Facebook, and cloud services makes enforcement even more challenging. People are forgetful; these sites will resurface and continue to operate in new forms.

Initially, I didn’t know about the “Creative Private Room” closure until the media highlighted it, leading many to learn about the site.

Regarding the adult content industry, its existence and circulation raise significant ethical and legal issues. But if those who want to watch are willing to spend significant sums, the industry will continue to thrive. The real solution involves high rewards to identify the culprits, such as the producers and fraudulent advertisers, and enforce strict penalties. Non-compliant platforms like Facebook and YouTube should face complete bans.

But would the global adult industry collapse? Determined viewers will always find ways, and are often willing to pay more to get at the content. Even Apple’s 2021 CSAM Detection proposal was eventually abandoned after criticism of its accuracy and of the risks such scanning creates. Protecting children from pornography remains a major challenge for the future.

Ultimately, I hope no one is coerced into making undesirable videos, and that harmful scam ads diminish. May the world become a better place.
