One of our customer's located in Kazakhstan contacted us recently saying they could no longer access our website as it was classified as a "Drug Cultivation" website. What was going on?! They advised that a recent court order had forced local Kazakhstan telecommunication companies to block a variety of drug cultivation and drug paraphernalia websites. A copy of the court order is below (and obviously in Russian). The offending website is listed on the bottom right.
Well it didn't take long to figure out the problem. The offending website was also being served out of CloudFlare's CDN! Taking a look at the Name Server
(NS) records it's clear that both sites DNS are delegated to CloudFlare:
offendingwebsite.com. 86400 IN NS pam.ns.cloudflare.com.
dig NS firedaemon.com
;; ANSWER SECTION:
firedaemon.com. 86400 IN NS logan.ns.cloudflare.com.
firedaemon.com. 86400 IN NS jessica.ns.cloudflare.com.
Then checking the CloudFlare served address (IN A) records for both websites:
dig www.offendingwebsite.com;; QUESTION SECTION:
;www.offendingwebsite.com. IN A
www.offendingwebsite.com. 300 IN A 126.96.36.199
www.offendingwebsite.com. 300 IN A 188.8.131.52
;; QUESTION SECTION:
;www.firedaemon.com. IN A
www.firedaemon.com. 300 IN A 184.108.40.206
www.firedaemon.com. 300 IN A 220.127.116.11
As you can see the address records are identical. Clearly the blocking/filtering methodology by KazTelecomleaves a lot to be desired but the ramifications are obvious:
- If you are using a CDN and if your website accidentally shares IP addresses with a banned website and the content filtering not only includes domain name but serving IP addresses then your site it going to get blocked
- The blocking in this case is not at a company level but at a telco/nation wide level. This has the ramifications in terms of loss of business as potential
customers can no longer access your site
- There's the possibility of implicit association between our business and an illicit drug cultivation site leading to potential loss of reputation
- If other bans are in place using similar filtering methodologies then you and your business might never know about it and see a drop in traffic. We
only found out about this by virtue of the customer advising us.
We have contacted CloudFlare about the issue but have had no feedback yet. In the interim we have disabled CloudFlare across the firedaemon.com domain and deployed an alternate CDN technology. The main implication is that whilst Content Delivery Networks are highly beneficial they obviously have a side effect that they may penalise your website unduly by content accelerating not only your web site but other other less desirable websites leading to your website being mis-classified and blocked too.