Introduction
The scandal involving entertainer Mickey Huang has recently led to widespread news about the closure of “創意私房” (Creative Private Room). Driven by curiosity, people who try to browse this content find that the URL is hijacked to TWNIC’s blocking page.
The Taiwan Network Information Center (TWNIC) is the organization responsible for managing Taiwan’s domain names (.tw and .台灣) and IP addresses. It oversees the allocation of internet resources, promotes technical education, fosters international cooperation, and advances network security development.
Internet Freedom
The internet itself is free, meaning you can connect to any URL. However, due to regulatory restrictions, governments may control or prohibit access to certain websites. Common examples include China’s blockage of Google, YouTube, Facebook, Wikipedia, and others.
Internet freedom does not imply tolerance or encouragement of activities such as pornography, gambling, or piracy, especially when these activities are based on the suffering of others or infringe on others’ rights. These behaviors should not be encouraged or allowed. Worse still, if someone commits a crime or engages in illegal activities due to watching such videos, it creates even bigger problems.
In Taiwan, as early as 2013, the Intellectual Property Office proposed that ISPs block websites providing infringing content via DNS or IP blocking, but this ultimately went nowhere.
With the recent media coverage, clicking on Creative Private Room redirects to a blocking page. In fact, TWNIC held the first DNS RPZ meeting on 2020-03-30, and network blocking via DNS has continued since then.
DNS RPZ
What is DNS RPZ
Domain Name System Response Policy Zone (DNS RPZ) is a technology developed by the Internet Systems Consortium that provides a mechanism for URL filtering at the DNS server level.
RPZ allows network administrators to add special response policy zones to DNS servers. When a query for a domain name that needs to be filtered is received, the DNS server returns a specified IP address or error message from this special zone, thereby redirecting or blocking the user from connecting to the site. This effectively prevents access to malicious websites, phishing sites, or politically incorrect content.
For example, suppose a computer wants to browse NSFW.com, whose correct IP is 1.2.3.4, and the DNS server it uses is Chunghwa Telecom’s (168.95.1.1). If NSFW.com is on the filtering list, the DNS server will return NXDOMAIN (or redirect the query to a specific IP), making it impossible to connect and obtain the original webpage content.
If the DNS server is changed to a public DNS service not participating in RPZ filtering, such as CloudFlare’s 1.1.1.1, the resolution of NSFW.com will not be affected by the filtering list, allowing normal access to the original content.
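The behaviour described above can be modelled as a small policy evaluator. This is an added example, not code from TWNIC or any resolver: the zone contents, the `.example` names, and the `UPSTREAM` table standing in for the unfiltered DNS are constructed, while the record encodings (`CNAME .` for NXDOMAIN, an `A` record for redirection, `CNAME rpz-passthru.` for an exemption) are the standard RPZ ones.

```python
RPZ_ZONE = """\
; constructed policy zone; owner names are relative to the RPZ origin
nsfw.com                  CNAME  .
*.nsfw.com                CNAME  .
blocked.example           A      150.242.101.120
*.blocked.example         A      150.242.101.120
allowed.blocked.example   CNAME  rpz-passthru.
"""
# Constructed stand-in for what an unfiltered resolver would answer.
UPSTREAM = {"nsfw.com": "1.2.3.4", "www.nsfw.com": "1.2.3.4",
            "allowed.blocked.example": "203.0.113.11",
            "example.org": "198.51.100.7"}

def parse_rpz(text):
    """Parse a simplified zone (one 'owner type rdata' record per line)."""
    policy = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, rtype, rdata = line.split()
            policy[owner.lower().rstrip(".")] = (rtype.upper(), rdata)
    return policy

def lookup_rule(policy, qname):
    """Exact owner match first, then the closest enclosing wildcard."""
    if qname in policy:
        return policy[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        rule = policy.get("*." + ".".join(labels[i:]))
        if rule:
            return rule
    return None

def resolve(policy, qname):
    """Answer an A query as (rcode, address) the way an RPZ resolver would."""
    qname = qname.lower().rstrip(".")
    rtype, rdata = lookup_rule(policy, qname) or (None, None)
    if rtype == "CNAME" and rdata == ".":
        return ("NXDOMAIN", None)      # "CNAME ." encodes the NXDOMAIN action
    if rtype == "A":
        return ("NOERROR", rdata)      # local data: redirect to this address
    # No rule, or "CNAME rpz-passthru.": answer from the real DNS data.
    if qname in UPSTREAM:
        return ("NOERROR", UPSTREAM[qname])
    return ("NXDOMAIN", None)

POLICY = parse_rpz(RPZ_ZONE)
```

Calling `resolve(POLICY, "www.nsfw.com")` gives the filtered answer, while looking the same name up in `UPSTREAM` shows what a resolver without the policy zone would return.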
Who Uses TWNIC’s RPZ?
As of April 2024, according to TWNIC (link now inactive), members include:
- Ministry of Education Republic of China
- Chunghwa Telecom
- So-net Taiwan
- SaveCom International
- KBT
- VeeTIME Corp.
- TWT Digital Communication Corporation
- Yulon IT Solutions
- Taiwan Fixed Network
- New Century InfoComm Tech (NCIC)
- Asia Pacific Telecom (APT)
- Taiwan Star Telecom (T Star)
- SAN DA CATV (SDTV)
- Public Television Service (PTS)
- President Information
This means that if you use networks from Chunghwa Telecom, Taiwan Mobile, Far EasTone, etc., the default DNS servers will be filtered through RPZ.
Is RPZ Secure?
The core function of domain name resolution is to convert domain names into their corresponding IP addresses. When a query is submitted to a DNS server, that server only sees the domain name requested by the user; it does not access the webpage content or receive sensitive information (e.g., passwords, personal data). The DNS server then returns a filtered or verified safe IP address to ensure that users can connect securely.
For example, when a user attempts to visit NSFW.com and its domain name is hijacked so that the resolver returns 150.242.101.120, the browser checks the certificate presented on the connection. If the certificate does not match the expected domain, or the connection uses plain HTTP, an insecure-connection warning is displayed. Should the user choose to ignore the warning, they will ultimately be redirected to the blocking page set up by TWNIC.
Furthermore, if a computer’s “trusted root certificates” are compromised, even if the domain name is hijacked and a suspicious certificate is trusted, the browser may fail to issue an effective warning. This could allow attackers to execute a man-in-the-middle attack (MITM), further intercepting and analyzing all transmitted web content to implement more precise blocking. Therefore, when using public computers, it is advised to avoid logging in to sensitive accounts to reduce security risks.
Related Applications
For related applications, users can set up their own DNS servers to filter out unwanted content such as ads, viruses, pornography, and phishing websites. A self-hosted DNS server functions similarly to RPZ. There are ready-made solutions available on the market, such as the free NextDNS or the open-source tool AdGuardHome that can be self-deployed.
How to Avoid Network Blocking
As explained above, the blocking is essentially just an additional RPZ layer applied during DNS resolution. To browse websites normally, it is recommended not to use the DNS servers provided by these organizations by default. Newer systems can prevent attackers from forging DNS messages by configuring DNS over HTTPS (DoH). From the perspective of network administrators, DoH traffic appears the same as other HTTPS traffic, making it more difficult for them to track the websites visited by users.
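To make the "looks like other HTTPS traffic" point concrete, here is what a DoH lookup actually is: an ordinary DNS query message, base64url-encoded into the path of an HTTPS GET request (RFC 8484), so the queried name travels inside the TLS session. This is an added example, not part of the original article; the Cloudflare endpoint URL is not given on the page, and the function names are illustrative.

```python
import base64
import struct
from urllib.parse import urlencode, urlparse, parse_qs

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumed: Cloudflare's public DoH URL

def encode_qname(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1):
    """Build a DNS query message; RFC 8484 recommends ID 0 for HTTP caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """Return the GET URL: the message is base64url-encoded without padding."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return endpoint + "?" + urlencode({"dns": dns})

def qname_from_url(url):
    """Recover the queried name from a DoH GET URL, as the DoH server would."""
    dns = parse_qs(urlparse(url).query)["dns"][0]
    msg = base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))
    labels, pos = [], 12  # question section starts after the 12-byte header
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

if __name__ == "__main__":
    url = doh_get_url("www.example.com")
    print(url)                  # the request a DoH client would send over TLS
    print(qname_from_url(url))  # the name is visible only after TLS is terminated
```

Because the path and query string are encrypted by TLS, an on-path observer sees only a connection to the DoH provider, whereas the provider itself sees every queried name.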
Browser
Step 1: Open browser settings
Step 2: Search for DNS, enter the DoH URL, and your web browsing will resolve normally.
Mobile Devices
On mobile devices, most modern systems support DNS over HTTPS (DoH). For example, on an iPhone, this feature can be enabled by installing a mobileconfig configuration file. Once installed, all traffic on the phone will be resolved through the specified DNS server, allowing you to choose recognized providers such as Google, Cloudflare, or Quad9.
- Click the link above and choose to allow the installation of the configuration profile.
- Navigate to “Settings” → “General” → “VPN & Device Management” in the system.
- In “Downloaded Profiles”, locate the Cloudflare DNS over HTTPS profile and tap “Install” in the upper right corner.
- Enter the “DNS” settings and switch from “Automatic” to “Cloudflare DNS over HTTPS”.
After completing the above steps, your phone will use DoH to resolve domain names, effectively preventing DNS hijacking and enhancing user privacy.
Note: DNS over HTTPS (DoH) is solely a technology for encrypting DNS queries and is not equivalent to a Virtual Private Network (VPN).
Conclusion
Internet censorship is an extremely complex issue that involves ongoing confrontations among governments, corporations, and users. For example, in Mainland China, users risk breaking the law by using VPNs and combine various encryption protocols (such as Shadowsocks, V2ray, Trojan, Hysteria, Juicity, WireGuard, Snell) to bypass restrictions; whereas in Taiwan, the market is flooded with various VPN services that allow users to bypass restrictions through paid subscriptions, ultimately benefiting only the VPN providers, relay operators, and VPS suppliers.
Moreover, once a piracy website like NSFW.com is blocked, the operator can simply switch to NSFW.ai or NSFW.io, making timely government intervention nearly impossible. Content is even shared and sold via Telegram, Line, Facebook, and various private groups, rendering blocking measures ineffective. As the media sensationalizes the “Chuangyi Private House has been closed” message, it inadvertently increases public awareness of the website.
The adult content industry encompasses a wide range of ethical and legal issues, yet as long as market demand persists, even massive financial investments cannot completely dismantle the industry. The true solution lies in offering substantial rewards to apprehend the masterminds behind the scenes (such as content creators or fraudulent advertisement distributors), along with enforcing strict legal penalties; for repeat offenders, comprehensive blocking measures should be adopted.
However, whether the pornography industry can be truly eradicated remains doubtful—those determined to view such content will always find a way, even if it means paying a higher price. It is also worth noting that in 2021, Apple proposed a Child Sexual Abuse Material (CSAM) detection system, which aimed to identify such material by comparing users’ iCloud photos with known CSAM image hashes provided by child protection organizations; ultimately, the plan was shelved due to controversies and concerns over accuracy.
We hope that more effective measures can be implemented in the future to reduce the production of non-consensual illicit videos and the proliferation of worthless scam advertisements, ultimately making the world a better place.