@ilyaigpetrov, @darkk and I are thinking about a DNSBL-like server, to use it as censorship list storage, which returns a predefined DNS reply if the domain or IP address is blocked and another reply if it is not.
It could be used from a Proxy Auto-Configuration file using
A query for
A query for
Side note: while using private ranges like `127.0.0.0/8` may seem more appropriate, some DNS resolvers could filter responses with these ranges. For example, such a filter is available in dnsmasq and could be enabled in OpenWRT.
- Does not require additional software on the client
- Allows instant list updates without re-downloading the list on the client
- Requires a very small stub PAC file
- Could be combined with other PAC file content, to decrease DNSBL load
- Could be used to circumvent 1 MB PAC file size limit and various memory limits in browsers
- Harder to block due to its unusual nature (uses only DNS); likely to work even if blocked, by changing the DNS server
- Could be cached on recursive resolvers for a predefined time period.
- DNSBL server must be stable, fast and always available. An unavailable DNSBL server which does not reply will result in several-second freezes in the browser at least, and a totally broken web at most.
- DNSBL server load will be high if implemented without any filtering: every domain, blocked and not blocked, would be sent to the server.
- DNS cache is not as effective as many may think, especially for lots and lots of random “subdomains” of a single domain.
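An added example of what the stub PAC file could look like (written for this note, not code from the project or the people mentioned above): it queries the list through `dnsResolve`, keeps a cheap in-PAC prefilter so that plain hostnames and IP literals never reach the DNSBL server, and fails open when the server does not answer. The zone name `dnsbl.example`, the reply addresses `192.0.2.1` (blocked) and `192.0.2.2` (not blocked) and the proxy address are assumed placeholders; the replies deliberately avoid `127.0.0.0/8` because of the resolver filtering mentioned in the side note.

```javascript
// Assumed placeholders (not from the original post).
var DNSBL_ZONE = "dnsbl.example";
var BLOCKED_REPLY = "192.0.2.1";   // predefined reply for a blocked name
var PROXY_CHAIN = "PROXY proxy.example:3128; DIRECT";

// Prefilter done inside the PAC file, so the DNSBL is not asked about
// every single hostname (this is the "combine with other PAC content" idea).
function needsLookup(host) {
  if (host.indexOf(".") === -1) return false;              // plain hostname
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;  // IPv4 literal
  var suffix = "." + DNSBL_ZONE;
  if (host.length > suffix.length &&
      host.slice(-suffix.length) === suffix) return false; // never query the zone itself
  return true;
}

// Ask the DNSBL-style server: "<host>.<zone>". `resolve` is the browser's
// dnsResolve in a real PAC file; it is a parameter here so the logic can
// also run outside a browser.
function isBlocked(host, resolve) {
  if (!needsLookup(host)) return false;
  var answer = resolve(host + "." + DNSBL_ZONE);
  // No answer (server down, NXDOMAIN, timeout): fail open rather than
  // sending everything through the proxy.
  if (!answer) return false;
  return answer === BLOCKED_REPLY;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return isBlocked(host, dnsResolve) ? PROXY_CHAIN : "DIRECT";
}

// Constructed stand-in for dnsResolve, only for trying the logic offline.
// Anything not in the table behaves like an unreachable server (null).
var SAMPLE_ANSWERS = {
  "blocked.example.dnsbl.example": "192.0.2.1",
  "www.blocked.example.dnsbl.example": "192.0.2.1",
  "allowed.example.dnsbl.example": "192.0.2.2"   // listed, but "not blocked" reply
};
function sampleResolve(name) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_ANSWERS, name)
    ? SAMPLE_ANSWERS[name] : null;
}
```

In a browser only `FindProxyForURL` is used; `sampleResolve` exists so the decision logic can be exercised without a resolver.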