SSAC has published SAC127: DNS Blocking Revisited
Hi colleagues, the SSAC has published SAC127.

### SSAC has published SAC127: DNS Blocking Revisited:

What Is DNS and DNS Blocking?
· The Domain Name System (DNS) translates human-readable domain names (e.g., example.com) into IP addresses that computers use to communicate.
· DNS blocking is a technique to restrict access to online content by interfering with DNS queries. This can involve:
  o Pretending a domain doesn't exist.
  o Providing false IP addresses.

Why DNS Blocking Is Used
· Often implemented because it’s technically simple and low-cost.
· Commonly used by governments and organizations for:
  o Public safety (e.g., blocking illegal content).
  o Censorship or regulation of online resources.

How DNS Blocking Works
· By altering the behavior of recursive resolvers (DNS servers that respond to user queries).
· DNS blocking modifies the translation of a domain name into an IP address, effectively preventing access via DNS.

Effectiveness and Limitations
· Blocking only works if users rely on the DNS infrastructure where the block is applied.
· It can be bypassed through:
  o Alternative DNS resolvers.
  o VPNs or other routing methods.
· Important: DNS blocking does not remove the content—only access through DNS is affected.

Potential Side Effects
· Collateral damage: Can impact unrelated services or domains.
· Cross-border effects: May unintentionally affect users outside the blocking jurisdiction.
· User confusion: May appear as a technical error, leading to risky behavior.
· Legal ambiguity: Laws vary; determining whether DNS blocking is lawful or constitutes censorship depends on local context.

SSAC Recommendations

Recommendation 1
· Any entity implementing DNS blocking should fully understand its technical and policy implications.

Recommendation 2
· Entities implementing DNS blocking (governments, ISPs, organizations) should follow these principles:
  o A. Clear Objectives: Ensure DNS blocking aligns with intended goals.
  o B. Defined Policy: Maintain transparent, reviewed processes for deciding what to block.
  o C. Minimize Damage: Use methods that avoid overblocking or harming unrelated users.
  o D. Respect Boundaries: Do not affect users or networks outside your administrative control.

Recommendation 3
· Recursive DNS server operators should use Extended DNS Error (EDE) codes to inform users when DNS blocking is active and aid troubleshooting.

This report updates previous SSAC advisories (SAC050 and SAC056 from 2011–2012) to reflect changes in technology and growing use cases for DNS blocking.

Link to the report: https://itp.cdn.icann.org/en/files/security-and-stability-advisory-committee....

Have a nice day!

Best,
Matthias
______________________________
Ing. Mag. Matthias M. Hudobnik
FIP • CIPP/E • CIPT • DPO • CIS LA
matthias@hudobnik.at
http://www.hudobnik.at
@mhudobnik
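
Recommendation 3 in the message above asks recursive resolver operators to signal blocking with Extended DNS Error codes. The following is an added example, not part of the original message or of SAC127: Python that reads the EDE option (RFC 8914) out of a raw DNS response and recognises the blocking-related INFO-CODEs, so a client or troubleshooting tool can tell a policy block from a resolver fault. The sample response, the name blocked.example and the extra text are constructed.

```python
import struct
# EDE INFO-CODEs from RFC 8914 that signal policy-based blocking.
BLOCKING_CODES = {15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited"}
OPT_TYPE, EDE_OPTION = 41, 15   # OPT pseudo-RR type, EDNS option code for EDE

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)   # pointer is 2 bytes, root label 1

def extract_ede(msg):
    """Return [(info_code, extra_text)] for every EDE option in a DNS response."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):              # walk the EDNS options
            code, olen = struct.unpack_from("!HH", rdata, pos)
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDE_OPTION and len(body) >= 2:
                info = struct.unpack_from("!H", body)[0]
                found.append((info, body[2:].decode("utf-8", "replace")))
    return found

def blocking_reasons(msg):
    """Readable reasons when the resolver reports that the answer was blocked."""
    return [f"{BLOCKING_CODES[c]} (EDE {c}): {t}" for c, t in extract_ede(msg) if c in BLOCKING_CODES]

def build_sample():
    """Constructed NXDOMAIN response for blocked.example carrying EDE 15."""
    header = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 1)
    question = b"\x07blocked\x07example\x00" + struct.pack("!HH", 1, 1)
    ede = struct.pack("!H", 15) + b"policy block (constructed)"
    option = struct.pack("!HH", EDE_OPTION, len(ede)) + ede
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(option)) + option
    return header + question + opt_rr

if __name__ == "__main__":
    print(blocking_reasons(build_sample()))
```

A response without an OPT record, or with an EDE code outside 15 to 18, yields an empty list, which is the case where a bare NXDOMAIN or false address is indistinguishable from an ordinary failure.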