Below we discuss why permitted sites end up blocked and what measures providers and telecom operators should take to avoid this.
Why are permitted sites blocked?
Every domain owner can configure the DNS records of their domain, and this remains true even when the domain is on the Roskomnadzor list and is blocked by every telecom operator.
The owner of a blocked resource can therefore put the IP addresses or CNAME names of any permitted site into their DNS records. Those addresses are then automatically blocked by every Internet provider that uses the IP blocking mechanism, because with this type of filtering the provider has to obtain the list of IP addresses for prohibited resources from the DNS server on its own. The provider has no easy way to tell whether an address it received belongs to an intruder or to a legitimate resource. The same principle applies to the "Auditor" verification system, which monitors whether providers implement the blocking and reports to the territorial office of Roskomnadzor.
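The following added example (not code from the original article) shows the check a provider can run before turning resolved addresses into firewall rules: resolve each registry domain, follow its CNAME chain, and refuse to block any address or alias that belongs to a known permitted resource. The zone data, the protected lists and the domain names are all constructed for the illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed records standing in for what the provider's resolver would return.
# "abuse.example" and "alias.example" imitate a blocked domain whose owner has
# pointed it at a legitimate host, as described in the article.
FAKE_ZONE: Dict[str, List[Tuple[str, str]]] = {
    "banned.example": [("A", "203.0.113.10")],
    "abuse.example": [("A", "198.51.100.5")],       # legitimate site's address
    "alias.example": [("CNAME", "legit.example")],  # alias to a legitimate host
    "legit.example": [("A", "198.51.100.5")],
    "loop1.example": [("CNAME", "loop2.example")],  # malformed CNAME loop
    "loop2.example": [("CNAME", "loop1.example")],
}

# Addresses and hostnames the operator has verified as permitted resources
# (constructed; in practice: own infrastructure, major CDNs, whitelisted services).
PROTECTED_IPS = {ipaddress.ip_address("198.51.100.5")}
PROTECTED_NAMES = {"legit.example"}


def resolve(name: str, zone: Dict[str, List[Tuple[str, str]]], max_hops: int = 8):
    """Follow the CNAME chain for `name`; return (final_name, list of A addresses)."""
    seen = set()
    for _ in range(max_hops):
        seen.add(name)
        records = zone.get(name, [])
        cnames = [v for t, v in records if t == "CNAME"]
        if cnames:
            name = cnames[0]
            if name in seen:          # CNAME loop: nothing to block
                return name, []
            continue
        return name, [ipaddress.ip_address(v) for t, v in records if t == "A"]
    return name, []                   # chain too long: treat as unresolved


def build_ip_blocklist(blocked_domains: List[str], zone):
    """Return (addresses safe to block, {domain: reason} for rejected entries)."""
    to_block = set()
    rejected: Dict[str, str] = {}
    for domain in blocked_domains:
        final_name, ips = resolve(domain, zone)
        # A registry domain aliased to a permitted host must not pull that host in.
        if final_name != domain and final_name in PROTECTED_NAMES:
            rejected[domain] = f"CNAME points to protected host {final_name}"
            continue
        for ip in ips:
            if ip in PROTECTED_IPS:
                rejected[domain] = f"resolves to protected address {ip}"
            else:
                to_block.add(ip)
    return to_block, rejected


if __name__ == "__main__":
    registry = ["banned.example", "abuse.example", "alias.example", "loop1.example"]
    block, bad = build_ip_blocklist(registry, FAKE_ZONE)
    print("block:", sorted(map(str, block)))
    for dom, why in bad.items():
        print(f"skip {dom}: {why}")
```

Rejected entries should be handed to a human or to a URL/SNI-based rule rather than silently dropped, since the domain itself is still prohibited.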
Roskomnadzor does not recommend this method of blocking, but it does not require any specific method either. The Internet provider chooses, and the agency only gives recommendations on possible methods. From a legal point of view, therefore, providers may continue to block resources by IP address.
Blocked resources are numerous, and they can be freely purchased and used for the owner's own ends, compromising the whole system of legal restrictions on prohibited sites.
There are two ways to solve this problem.
The first option: a telecom operator or Internet provider must block not by IP address, but by URL for http traffic or by the node's domain name for https traffic, extracted from the SNI (Server Name Indication) extension sent when an SSL/TLS session is initiated. This is possible with deep packet inspection (DPI) equipment on the telecom operator's network that can extract this information. Not every DPI vendor supports this feature; in particular, the popular Cisco SCE platform cannot do it, and on many others it does not work reliably enough.
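To make the SNI-based approach concrete, here is an added example (not from the original article or any DPI vendor) that parses the server_name extension out of a raw TLS ClientHello and matches it against a blocklist of domains, including their subdomains. The `build_client_hello` helper only manufactures a minimal ClientHello so the parser can be exercised offline; the hostnames and blocklist are constructed.

```python
import struct
from typing import Optional, Set


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI entry (test input only)."""
    name = hostname.encode("idna")                      # SNI carries ASCII A-labels
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    body = (
        b"\x03\x03" + b"\x00" * 32          # client_version + random
        + b"\x00"                            # session_id length 0
        + b"\x00\x02\xc0\x2f"                # one cipher suite
        + b"\x01\x00"                        # one compression method (null)
        + struct.pack("!H", len(ext)) + ext  # extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None if absent/malformed."""
    if len(data) < 5 or data[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(p) < 34:
        return None
    i = 34                                         # skip version + random
    i += 1 + p[i]                                  # session_id
    if i + 2 > len(p):
        return None
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]    # cipher_suites
    if i + 1 > len(p):
        return None
    i += 1 + p[i]                                  # compression_methods
    if i + 2 > len(p):
        return None
    end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    while i + 4 <= end <= len(p):                  # walk extensions within bounds
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        if etype == 0x0000:
            j = i + 2                              # skip server_name_list length
            if j + 3 <= i + elen and p[j] == 0:
                nlen = struct.unpack("!H", p[j + 1:j + 3])[0]
                name = p[j + 3:j + 3 + nlen]
                if len(name) == nlen:
                    try:
                        return name.decode("ascii").lower()
                    except UnicodeDecodeError:
                        return None
            return None
        i += elen
    return None


def is_blocked(hostname: Optional[str], blocklist: Set[str]) -> bool:
    """True when the host or any parent domain is in the blocklist."""
    if not hostname:
        return False                               # no SNI: cannot decide by name
    labels = hostname.rstrip(".").split(".")
    return any(".".join(labels[k:]) in blocklist for k in range(len(labels)))


if __name__ == "__main__":
    blocked = {"banned.example"}                   # constructed registry entry
    for host in ("www.banned.example", "legit.example"):
        sni = extract_sni(build_client_hello(host))
        print(host, "->", sni, "blocked" if is_blocked(sni, blocked) else "allowed")
```

Note that a ClientHello without SNI (or one split across TCP segments) yields `None`, and the decision then has to fall back to another signal; that is one of the reliability gaps the text mentions for DPI products.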
The second option: use the blocking method recommended by Roskomnadzor on the provider's DNS server, where for prohibited resources the DNS server returns the address of the provider's own host serving a stub page instead of the prohibited host. This method does not require purchasing DPI equipment, but it must still be combined with IP blocking of the addresses explicitly listed in the registry. The scheme is easier to implement, but it is not sufficiently reliable and is easy to bypass. Nevertheless, at the current stage it is enough to meet the requirements of Roskomnadzor.