DNS Piracy Blocking Orders: Google, Cloudflare, and OpenDNS Respond Differently - 8.8.8.8 refuses queries, 1.1.1.1 returns status 451, and OpenDNS geoblocks European IPs

Link (Archive)

The frontline of online piracy liability keeps moving, and core internet infrastructure providers are increasingly finding themselves in the crosshairs.

For rightsholders, site blocking remains the go-to response in many cases. Until recently, the majority of blockades were implemented by consumer ISPs, but expanded legal efforts are now targeting standalone DNS resolvers.

Over the past year, courts in France, Italy, and Belgium have ordered OpenDNS, Cloudflare, and Google to alter their responses to certain DNS queries. Instead of leading visitors to the domains of pirate sites, the companies are required to intercept queries and redirect them elsewhere.

The main rationale for targeting public DNS resolvers is their growing use for bypassing blocking measures rolled out by Internet providers. However, the American tech companies now being targeted are not happy with the role of ‘Internet police’ and appeals of these orders are still pending.

OpenDNS Says Farewell

While these legal battles play out in court, the DNS resolvers still have to comply one way or another. This has resulted in different responses, with Cisco’s OpenDNS taking by far the most drastic action.

When OpenDNS was first ordered to block pirate sites in France, the company made a simple but drastic decision to leave the country entirely, effectively affecting all French users. Last week, it repeated this response in Belgium following a similar court order.

Instead of blocking access to more than 100 sports piracy sites, as the Belgian order requires, OpenDNS announced its departure; at least temporarily.

“Due to a court order in Belgium requiring the implementation of blocking measures to prevent access within Belgium to certain domains, the OpenDNS service is not currently available to users in Belgium,” the company said.

Cloudflare Complies Using ‘Alternate Mechanisms’

Not all DNS resolvers take such drastic measures. Cloudflare chooses to comply with court orders in its own way. Cloudflare DNS (1.1.1.1) users who try to access the targeted domains in countries where blocking orders are issued see the following notice instead.


Interestingly, Cloudflare maintains in its transparency report that it is not blocking content through its public DNS resolver. Instead, it points out that it uses “alternate mechanisms”.

“Given the extraterritorial effect as well as the different global approaches to DNS-based blocking, Cloudflare […] identified alternate mechanisms to comply with relevant court orders. To date, Cloudflare has not blocked content through the 1.1.1.1 Public DNS Resolver,” the company writes.



The result for Cloudflare DNS users appears to be the same, however. Those who try to access the blocked domains in the applicable countries will be redirected to the HTTP 451 error.

The good news is that affected users are informed about the reason for this technical blockade via the Lumen Database. That doesn’t appear to be the case with Google.

Google’s DNS Blackout

After running tests in both Belgium and France, using various blocked domains, it’s clear that the targeted websites are no longer accessible through Google’s public DNS resolver (8.8.8.8). However, unlike Cloudflare, there is no notification whatsoever.

Instead, Google appears to simply refuse the DNS query, which means that the domain lookup is not linked to any IP address.



While this is effective in the sense that the pirate sites are no longer available, it’s not very transparent. Users who try to access the domains will simply see a browser error, which could be caused by various DNS issues.

Google’s basic response is not limited to the recent Belgian court order. We observed the same query refusal for domain names that were included in French blocking orders over the past several months.

Transparency is Paramount

While the different responses from DNS resolvers are interesting, Google’s approach doesn’t make blocking efforts more transparent. These orders are still relatively new, so it’s possible that the company is working on offering more transparency in the future, but currently it only adds to the confusion.

Google’s response also appears to go against the advice of the Belgian court, which required the DNS providers to redirect users to a dedicated page, presumably to provide further detail.



If these blocking orders are upheld by various courts, a more streamlined approach will be welcome. Interfering with DNS is a big step that can’t be taken lightly, so transparency is paramount. That’s relevant for the United States too, where a new site-blocking bill also proposes public DNS resolver blockades.



For context, a copy of the recent Belgian court order shared by Cloudflare is available here (pdf)


@Null this may be of interest to you.
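
The query refusal described above for 8.8.8.8 differs from other DNS failures only in the response code carried in the DNS header, which a browser error does not show. The following is an added example, not part of the original post or article: it parses raw DNS responses and names the failure mode. The domain `blocked.example`, the address `192.0.2.10` and all function names are constructed for illustration.

```python
import struct
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}  # RFC 1035

def build_response(qname, rcode, a_records=()):
    """Build a minimal DNS response (constructed sample data); 0x8180 = QR|RD|RA."""
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    msg += b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    msg += b"\x00" + struct.pack("!HH", 1, 1)            # root label, QTYPE=A, QCLASS=IN
    for ip in a_records:
        # 0xC00C is a compression pointer to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        if length == 0:                # root label ends the name
            return off + 1
        off += 1 + length

def parse_response(msg):
    """Return (rcode_name, [IPv4 answers]) for a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                    # A record
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}"), addrs

def classify(msg):
    """Name the failure mode that a browser would show as one generic DNS error."""
    rcode, addrs = parse_response(msg)
    if rcode == "NOERROR":
        return "resolved" if addrs else "no-data"
    return {"REFUSED": "refused-by-resolver", "NXDOMAIN": "no-such-name",
            "SERVFAIL": "resolver-failure"}.get(rcode, "other-error")
```

A REFUSED answer means the resolver declined the query by policy, while NXDOMAIN and SERVFAIL point to a missing name or a lookup failure.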
 
TorrentFreak: Belgium’s Latest Pirate Site-Blocking Order Spares DNS Providers (archive) (mega)

December 5, 2025 08:36:19 UTC by Ernesto Van der Sar

The Brussels Business Court has issued a new site-blocking order, targeting popular pirate sites including 1337x and Soap2day. Surprisingly, this latest order only requires major ISPs to take action. This is a notable change, as the initial blocking order under this regime also required DNS resolvers to take action. Whether this is a formal retreat or merely a pause has yet to be seen.

Over the past few months, Belgium has issued several site-blocking orders targeting hundreds of piracy-linked domain names.

These blockades follow a newly instated two-step process. A local court first issues a blocking order, after which a special government body determines how it will be implemented. This process aims to prevent errors and overblocking.

Pirate DNS Blocking

While site blocking is common in Europe, these new Belgian blockades go beyond the typical ISP blockade. Similar to France and Italy, the orders were also directed at third-party public DNS resolvers.

The first implementation order, issued by the Belgian Department for Combating Online Infringement in April, required both ISPs and DNS resolvers to restrict access to pirate sites. Specifically, Cloudflare, Google, and Cisco’s OpenDNS were ordered to stop resolving over 100 pirate sites or face fines of €100,000 per day.

This order prompted significant pushback, most notably from Cisco, which ceased operating its OpenDNS service in Belgium soon after the order was announced.

In July, another order by the Belgian authority ordered blockades of shadow library websites, including Libgen, Zlibrary, and Anna’s Archive. This sweeping court order required ISPs to take action and also involved other intermediaries, such as hosting providers, search engines, and DNS services.

The underlying court order also called for a broad blockade of the Internet Archive’s Open Library service. While that was ultimately prevented, the involvement of a broad range of intermediaries caused concern about the escalating scope of the blocking orders.

New ‘Limited’ Piracy Blocking Order

On November 26, the Belgian Department for Combating Online Infringement published a new blocking implementation order. While this effectively adds dozens of new domains to the Belgian blocklist, the scope of this order is surprisingly limited.

Instead of casting a wide net, the order strictly targets Belgium’s five major Internet Service Providers: Proximus, Telenet, Orange Belgium, DIGI Communications Belgium, and Mobile Vikings.

From the order


The list of “addressees” no longer includes the DNS resolvers, Google, Cloudflare, and Cisco, which were central targets in the April blocking order. There is no mention of hosting services, advertisers, or other intermediaries either.

The official implementation order does not mention the rightsholder(s) who requested the blocking measures, nor does it mention the targeted sites. However, the blocked domains are published in a separate spreadsheet showing that 1337x, Fmovies, Soap2Day, and Sflix branded domains are among the key targets.

From the blocking spreadsheet


Since these pirate targets often switch domain names to evade enforcement, rightsholders can submit a new list of mirror sites or proxies once per week, capped at 50 new domains per week. When these are approved by the Belgian Department, ISPs have five working days to update the blocklist.

Retreat or a Pause?

The decision to exclude DNS resolvers from this latest order is likely not a coincidence. It might very well be a direct consequence of the legal pushback Cisco initiated earlier this year, when it appealed the April blocking order at the Brussels Business Court.

This appeal was not without result, as the court suspended enforcement of that blocking order against Cisco in July, after which OpenDNS became available again in Belgium.

“The OpenDNS service has been reactivated in Belgium following a decision by the Brussels court to suspend enforcement of the order requiring Cisco to implement DNS blocking measures. The suspension of the order is pending a final ruling in the legal proceedings which remain ongoing,” a Cisco representative wrote in a community update.

To find out more about the suspended blocking measures, we reached out to the Belgian Department for Combating Online Infringement, which did not respond to our inquiry. Without further details, we don’t know whether the suspension also applies to other DNS resolvers. Confusingly, the official transparency portal makes no mention of an appeal at all.

It is likely, however, that since the legality of the blocking orders against third-party DNS resolvers is still being litigated, rightsholders have chosen to limit their blocking requests to ISPs. This would suggest that it’s a pause, not a formal retreat.



A copy of the latest blocking implementation order, published by the Department for Combating Infringements of Copyright and Related Rights Committed Online and the Illegal Exploitation of Online Games of Chance on the 26th of November, 2025, is available here (pdf).

The full blocking spreadsheet, last updated November 26, is available at the Belgian government website.
 


If you weren't already using a VPN for piracy, then what the fuck are you even doing?
Telling my ISP to come to my house and suck a fart out of my ass. If they hate it so much then they can be men and come to my doorstep. Until then I shall continue to ignore them under my government name.
 
I run a local DNS but it never occurred to me to actually go to a root. I've always just thought of local DNS as more of a DNS cache and used public DNS servers as forwarding. Fuck I'm retarded. Do I just remove forwarding servers and my local server will have no choice but to go to root servers?
I'm going on the assumption that you're running Pi-Hole here, but you can't just remove the forwarding. My Pi Hole forwards to 127.0.0.1 (localhost), but I have Unbound (an actual DNS server, not a filter) running on that interface and it's set to ignore anything that doesn't come from Pi-Hole (which is good for security). Being a proper DNS server, Unbound will always go to a root server when an address isn't in the cache.
Mr. Nose is doing well for himself but both of you should understand that standard DNS on port 53 is not encrypted. Using unbound does get around any kind of censorship but your ISP (and everyone else in the chain) can read the DNS queries. I'm using dnscrypt-proxy which allows you to basically pick and choose any DNS servers (with any protocol).

I also use the DHCP server built into Pi-Hole since it gives me a bit more control than the shitty options my router has. And since Pi-Hole is handing out IP addresses, anything that connects to my network automatically has its DNS settings pointed to Pi Hole.
A lot of the worst devices like smart shit (i.e. the shit you really don't want bypassing your filtering) will ignore your DHCP settings and use hardcoded IPs for their DNS. You need to block and redirect this in your router. I would put together your own router. Basically you need a PC, wireless AP, and unmanaged switch.

PC can be whatever as long as it has 2 ethernet ports. Minipc, trashpc, whatever. Install pfsense or opnsense.
Wireless AP needs wifi obviously. Either a router you can put ddwrt/tomato/librecmc on or an actual AP if you trust whoever made it (lol, lmao).
Unmanaged switch for more ports. If the PC can be expanded to have enough ports then this isn't needed.
 
Using unbound does get around any kind of censorship but your ISP (and everyone else in the chain) can read the DNS queries.
My current ISP doesn't do any censorship, and even when I was on Comcast, none of the retards there cared to look at DNS queries en-route. Hell the sysadmin for my ISP is probably a Farmer, lol.


A lot of the worst devices like smart shit (i.e. the shit you really don't want bypassing your filtering) will ignore your DHCP settings and use hardcoded IPs for their DNS. You need to block and redirect this in your router. I would put together your own router. Basically you need a PC, wireless AP, and unmanaged switch.
Only "smart" device I have is an older TV. But the DHCP server on Pi Hole is specifically instructed to deny it an address, and the router is set to ignore anything not on a specific IP block, along with the MAC address of the TV also being completely blocked.
 
My current ISP doesn't do any censorship, and even when I was on Comcast, none of the retards there cared to look at DNS queries en-route. Hell the sysadmin for my ISP is probably a Farmer, lol.
I'm not talking about them blocking your DNS queries, I am talking about them building a profile of all websites you visit.
 
I'm not talking about them blocking your DNS queries, I am talking about them building a profile of all websites you visit.
Right, just saying that I know for a fact my ISP doesn't block anything at the DNS level that I'm aware of. But they also make their money on subscription fees (hence they're higher than Comcast) rather than profiling and ad-tailoring, so I'm not terribly worried about them building some sort of profile on me, either.

And hell, ISPs have their own DNS servers, so if they really wanted to spy on you, they could just cross-reference the IPs you visit with their own lookups, no need to actually spy on your queries.
 
Right, just saying that I know for a fact my ISP doesn't block anything at the DNS level that I'm aware of. But they also make their money on subscription fees (hence they're higher than Comcast) rather than profiling and ad-tailoring, so I'm not terribly worried about them building some sort of profile on me, either.
They surely make money on subscriptions but they are also making a profile and selling it, even if they aren't using that profile to advertise to you directly. They are effectively making a profile of you for google, the NSA, etc. Even if it's not in your face you should want to stop this.

And hell, ISPs have their own DNS servers, so if they really wanted to spy on you, they could just cross-reference the IPs you visit with their own lookups, no need to actually spy on your queries.
This is true to an extent, however, a lot of services are behind various proxies and caching layers even on the clear net (look at the recent collateral damage with blocking footie on cloudflare). Encrypted DNS does degrade their ability to gather data.

It's not perfect but privacy is not a binary either "ISP knows everything I do" or "ISP can't see anything". For a neat example you might look at verizon adding that tracking header to all HTTP traffic. It also helps if you do have any VPN traffic but accidentally leak DNS requests. Point being a strategy for privacy is going to be multi-layered (DID basically) and an encrypted DNS is both easy and effective.

Sidenote: for DoH and DoT (tcp requests basically) you can actually proxy them over tor so even your DNS server doesn't know who's requesting what. Honestly wondering why there's no onion service DNS yet.

Edit: apparently there are. Cloudflare runs one which is pretty funny. Up there with facebook having an onion site.
 
Mullvad provides a free adblocking DNS. I use that with proton VPN {free and paid}. I wonder what effect that would have, having a DNS provider from out of the U.S.
 
Blocking DNS-over-HTTPS is a pain in the ass but you can (and absolutely should) block outbound port 53 (cleartext DNS) from internal clients and either intercept and reply from your DNS server or just drop the traffic to force the client to honor the network's DHCP settings or fuck off.

Thankfully none of the "smart appliance" shit ever bothers with DoH anyway and those devices can/should be tightly locked down at the router anyway.
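
A detection-side companion to the advice in this thread about clients that ignore DHCP-assigned DNS, added here as an example and not written by any poster: it scans firewall log lines for LAN clients sending DNS or DNS-over-TLS to anything other than the local resolver. The log format, the LAN addresses and the function name are assumptions; 8.8.8.8 and 1.1.1.1 are the public resolvers named on this page.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log: "<time> <src> <dst> <proto> <dport> <action>".
# The format and the LAN addresses are assumptions made for this example.
SAMPLE_LOG = """\
2025-12-05T10:00:01Z 192.168.1.10 192.168.1.2 udp 53 pass
2025-12-05T10:00:02Z 192.168.1.50 8.8.8.8 udp 53 pass
2025-12-05T10:00:03Z 192.168.1.50 8.8.8.8 tcp 853 pass
2025-12-05T10:00:04Z 192.168.1.2 198.41.0.4 udp 53 pass
2025-12-05T10:00:05Z 192.168.1.77 1.1.1.1 tcp 443 pass
2025-12-05T10:00:06Z 192.168.1.10 203.0.113.9 tcp 443 pass
malformed line
"""

DNS_PORTS = {53: "dns", 853: "dot"}
# Port 443 alone cannot identify DoH, so it is only flagged toward known resolvers.
PUBLIC_RESOLVERS = {"8.8.8.8", "1.1.1.1"}

def find_dns_bypass(log_text, resolver_ip, lan_cidr):
    """Map each LAN client to the (dst, port, kind) DNS flows that skip resolver_ip."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue                      # skip lines that do not match the format
        _ts, src, dst, _proto, dport, _action = parts
        try:
            src_ip, port = ipaddress.ip_address(src), int(dport)
        except ValueError:
            continue                      # skip unparsable addresses or ports
        if src_ip not in lan or src == resolver_ip or dst == resolver_ip:
            continue                      # the resolver's own upstream queries are expected
        if port in DNS_PORTS:
            findings[src].add((dst, port, DNS_PORTS[port]))
        elif port == 443 and dst in PUBLIC_RESOLVERS:
            findings[src].add((dst, port, "possible-doh"))
    return dict(findings)
```

Clients that show up in the result are the ones to cover with a block or redirect rule for port 53 at the router.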
 