"Basic" measures would be filtering using prefix-lists derived from IRR data.
Mozilla lets you choose which DoH resolver you use. For that reason I set one up at the ISP I run: http://faelix.link/pdns
Mozilla is soliciting other trusted recursive resolver partners than Cloudflare, and I'm fully intending to speak to them about that.
Some privacy-minded ISPs have done exactly this — made open DoH resolvers: http://faelix.link/pdns
(disclosure: I'm root at the linked ISP)
Plenty of us who run ISPs have quite the opposite desire. If we're able to gather the data, we're easily served a "technical capability notice" to send that data off somewhere else. If we don't gather the data already then the cost of that is passed back to the body asking us to build that capability.
Pretty sure the lawyers I've spoken to who are specialists on this subject in the UK have said that if the ISP follows the order and blocks DNS on their resolvers, then the fact their customer might be using a VPN or DoH or similar privacy technology is *not* the ISP's fault.
Why not deploy Matrix? Other governments have been looking at it or are even deploying it: https://matrix.org/blog/2018/0...
One
Real
Ass-hole
Called
Larry
Ellison
The dprive (DNS PRIVate Exchange) working group formed — https://datatracker.ietf.org/w...
Thanks to that initiative, we've ended up with several different possible implementations: DNScrypt, DNS-over-TLS, and DNS-over-HTTPS.
DoH seems to have gained traction in browsers — with built-in support in Firefox — but also potentially could centralise DNS resolution in the hands of a few large cloud providers (like Mozilla's partnership with Cloudflare) https://developers.cloudflare....
One neo-right knobber in the UK got banned from Twitter — https://www.theguardian.com/te...
And then complained that this is the reason why he didn't win a seat in the recent elections — https://metro.co.uk/2019/05/27...
Hey, Jack! It's almost like banning hate speech from Twitter works! =)
No, they don't. Oversimplified: long haul stretches of fibre are "single mode" to prevent the signal dispersion blurring the edges of 0 and 1 transitions. https://en.wikipedia.org/wiki/...
And I wanted to moderate this story down for its appalling failure to call W3C "W3C" two times out of three.
ip6tables is a doddle to use, and assuming you have a new enough kernel pretty much all you'll need will be a variation upon:
ip6tables -A FORWARD -i lo -j ACCEPT
# LAN hosts may open connections towards the upstream
ip6tables -A FORWARD -i $lan_if -o $upstream_if -j ACCEPT
# from upstream, only packets belonging to connections the LAN opened
ip6tables -A FORWARD -i $upstream_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# everything else that would be forwarded is dropped
ip6tables -P FORWARD DROP
# and finally turn on IPv6 forwarding
sysctl net.ipv6.conf.all.forwarding=1
(NB: you probably want more than that, but assuming your $lan_if and $upstream_if have appropriate IPv6 subnets on, and everything is routing correctly, then you get "the same behaviour you used to" when you had your IPv4 NAT... only now you have "real" end-to-end connectivity)
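An added example, not part of the comment above: the same LAN-to-upstream policy emitted as an ip6tables-restore ruleset, so the whole thing loads atomically instead of leaving FORWARD at its default ACCEPT policy while the individual commands run. It also checks the interface names before they go into the ruleset, uses the newer "-m conntrack --ctstate" match, and adds the ICMPv6 allowance IPv6 cannot work without. The function names, the validation rule and the ICMPv6 line are my own additions and assumptions.

```shell
#!/bin/sh
# Emit an ip6tables-restore ruleset for a simple stateful IPv6 forwarding
# firewall: LAN -> upstream allowed, upstream -> LAN only for replies.
# Hypothetical helper; the two interface names are the only inputs.

# Linux interface names are at most 15 chars with no whitespace or slashes.
# Rejecting anything else stops a bad value from mangling the ruleset.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Usage: gen_ip6_forward_rules LAN_IF UPSTREAM_IF
gen_ip6_forward_rules() {
    lan_if=$1
    upstream_if=$2
    valid_ifname "$lan_if" && valid_ifname "$upstream_if" || return 1
    # Lines starting with '#' are ignored by ip6tables-restore.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Hosts on the LAN may open connections to the world.
-A FORWARD -i $lan_if -o $upstream_if -j ACCEPT
# Only packets belonging to those connections come back in.
-A FORWARD -i $upstream_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IPv6 needs ICMPv6 (path MTU discovery, neighbour discovery) to function;
# RFC 4890 describes a finer-grained filter if you want one.
-A FORWARD -p ipv6-icmp -j ACCEPT
COMMIT
EOF
}

# Number of rules the generated file would load: a quick sanity check
# before piping it into "ip6tables-restore".
rule_count() {
    gen_ip6_forward_rules "$1" "$2" | grep -c '^-A '
}
```

Load it with "gen_ip6_forward_rules eth1 eth0 | ip6tables-restore" and then enable forwarding with the sysctl from the comment above.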
Scan your network topology from anywhere in the world?
See also: stateful firewall. NAT is not a firewall.
The clothes have no emperor. -- C.A.R. Hoare, commenting on Ada.