
EuroGA possibly blocked from Italy

The ones who want to do dodgy stuff on the internet and horny teenagers are more likely to be in the 1% than in the 99.

Biggin Hill

Of course, but > 99% of people won’t know that.

Administrator
Shoreham EGKA, United Kingdom

Isn’t that trivial to circumvent? Even if all Italian ISPs’ DNS servers are “hiding” a particular domain, I could simply configure the connection to use 8.8.8.8 or any other DNS server. And if they somehow inspect packets and prevent DNS resolution that way, I can configure the address locally if I really want.

Biggin Hill

Peter wrote:

Well, a court order to an ISP to block DNS resolution if it yields an IP within a given range (which I assume is what you describe)

No, blocking by DNS typically means blocking DNS resolution of a domain or hostname. This is done easily by configuration of the DNS resolver. “Just” configure that domain to resolve internally rather than interrogate the official DNS server hierarchy.

ELLX

AFAIK Russia does block Telegram, though probably not wholly successfully.

Administrator
Shoreham EGKA, United Kingdom

I was assuming that there is a court order saying make sure that your customers cannot access the file served at URL http://blah/the_judges_mum.mpeg. The ISP would then simply configure his DNS forwarder to use his own resolver for blah (a one-liner) which in turn would serve a dummy IP address. Job done, no need to touch it ever again. Performance penalty almost none. Clients will cache DNS data for hours so server load is low.

Filtering on IP level is much more expensive. Of course the equipment can do it but it requires a lookup in an ever growing filter list for every IP packet to be routed (millions per second).

EDQH, Germany

Peter wrote:

How does Russia block Telegram?

It doesn’t. They’ve tried to block many IP ranges, blocked access to government sites as a result, then stopped doing it completely.

EGTR

Well, a court order to an ISP to block DNS resolution if it yields an IP within a given range (which I assume is what you describe) still needs that ISP to install some code to do that, which is not much different to a court order to an ISP to block delivery of traffic from a given IP range.

It is known that ISP routers have a “monitoring port” (a friend who used to work at Cisco told me they used to do this) which is accessible 24/7 to the security services, but that is for surveillance only; it can’t do remote config. Well, not as far as is known.

How does Russia block Telegram?

Administrator
Shoreham EGKA, United Kingdom

DNS censoring is relatively widespread because it is easily implemented and doesn’t require any changes in the network infrastructure. Usually it can be circumvented by just not using the ISP’s DNS resolver. The collateral damage is of course high because it makes a whole host name unusable and not just one service or even one specific URL. Politicians usually don’t care about that. Ursula von der Leyen went haywire when she tried to censor the internet in Germany and the experts asked her how she thinks blocking single web pages or images shall be implemented.

EDQH, Germany
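
Added example, not part of any post in this thread: a comparison of the reply from an ISP resolver with the reply from a reference resolver, to spot the dummy-IP or no-answer override described in the posts above. The DNS replies are constructed in code so it runs offline; the host name and the addresses 192.0.2.1 and 198.51.100.7 used with it are placeholder documentation values.

```python
import socket
import struct

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name, qid=0x1234):
    # Header (RD set, one question), then QNAME, QTYPE=A, QCLASS=IN
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(query, ip=None):
    """Constructed sample reply: one A record, or NXDOMAIN when ip is None."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 if ip else 0x8183  # QR|RD|RA with rcode 0 or 3
    msg = struct.pack("!HHHHHH", qid, flags, 1, 1 if ip else 0, 0, 0) + query[12:]
    if ip:  # 0xC00C is a compression pointer back to the question name
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
    return msg

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rcode, [IPv4 strings]) from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def compare(isp_msg, ref_msg):
    _, isp_ips = parse_response(isp_msg)
    _, ref_ips = parse_response(ref_msg)
    if ref_ips and not isp_ips:
        return "isp-no-answer"  # NXDOMAIN or empty reply where the reference resolves
    if ref_ips and not set(isp_ips) & set(ref_ips):
        return "answers-differ"  # a hint, not proof: CDNs may hand out different IPs
    return "consistent"
```
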

I have not read it properly but someone mentioned that it was implemented by messing with DNS, not by blocking internet packets in IP ranges.

I don’t know how you could do this because the DNS mapping is ultimately controlled by, ahem, the domain owner, and whatever IP etc the owner enters in his DNS control panel gets distributed around the various DNS servers around the world (within an hour or so, usually).

Perhaps Italy passed a law forcing Italian ISPs to not respond to DNS requests within specified IP ranges. Normally, AIUI, say your PC goes to euroga.org, it sends a DNS request (UDP, port 53) to the default gateway IP, which your router typically has on 192.168.1.1, and the router then sends that to your ISP, which looks up euroga.org on its DNS server. There will be some caching also. That DNS server contains a copy of all domains on the whole internet and their IPs (well, it used to, when a friend used to run one some years ago). With a court order it is perfectly feasible for the Italian govt to force that ISP to not respond to that DNS request. But you could still get euroga.org by going direct to its IP, in this case the Cloudflare one of 188.114.97.7.

Or use a VPN terminating outside Italy, or a DNS server located outside Italy.

What could go wrong? It’s already happened

There are some nefarious outfits hiding behind Cloudflare, and if you set one up and you do it right (the original server IP was never online) then in theory nobody can find out your server IP, geo location, etc. That is of course essential for Cloudflare to operate as intended to block DOS attacks, otherwise the attacker would just go direct to the real server IP. Big organisations pay big money to CF for this protection. For example mumsnet.com is habitually attacked so they use CF.

Administrator
Shoreham EGKA, United Kingdom