Roskomnadzor recommends filtering traffic using DPI

After the recent scandal with the erroneous blocking of Google.ru, Roskomnadzor has updated the recommendations for telecom operators to restrict access to prohibited information on the Internet. In particular, clauses 8.1-8.3 on technical conditions of filtering were updated ( pdf of the new version of the document).

Now it is recommended for providers to filter not by IP addresses, but directly by packet contents:

It is recommended to filter the traffic using ready-made DPI hardware-software complexes, freely distributed software systems for analyzing and filtering network traffic, as well as by purchasing services to receive filtered traffic from a higher-level telecom operator.

The DPI (Deep Packet Inspection) system allows for in-depth analysis of traffic packets, and then filtering it for the presence of page pointers to specific sites or domains.
')
If the provider uses its DPI complex, then it is recommended that he independently perform a resolving of an information resource, access to which should be restricted. Thus, Roskomnadzor hopes to avoid “unlawful restriction of access to information resources absent in the unloading of Roskomnadzor”.

It is recommended that providers that do not use DPI restrict access to the domain name by filtering requests to all DNS servers.

If the provider receives already filtered traffic from a higher-level operator, then he is not threatened with being held accountable for failing to block illegal information, as provided by law. In this case, decisions on the imposition of fines "will be made subject to the terms of contracts concluded between such telecom operators."

In addition, telecom operators are encouraged to receive and process unloading at least twice a day.

Recall that Roskomnadzor recognized the presence of a hole in the lock system, which allows you to block a resource that is not officially listed on the black list. To do this, you must enter the address of the resource of the victim (which you want to block) in the DNS record of the domain that has already been blacklisted. Alexander Zharov said that the solution to this problem could be "a bill giving the authorities the right to independently determine the order of blocking resources." Until then, anything can be blocked in the Russian Federation in a completely arbitrary manner.