DNS zone architecture makes hostname-level blocking impossible without collateral damage: a resolver can only override answers at zone granularity, so blocking one hostname disrupts every other service (email, chat, file transfer) for every name in the same DNS zone. To block www.bad.example.com, a provider's resolver must declare itself authoritative for bad.example.com and serve a synthetic copy of that zone, which then has to be continuously re-synchronized with the real authoritative servers at 3–24 hour intervals; any record the copy omits simply vanishes for the provider's users, so a synthetic zone that fails to replicate the MX records blocks email to every non-targeted address in the zone as well.
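As an added illustration (not code from the paper; the zone contents, hostnames and addresses are constructed sample data), the following Python model shows why the override cannot stop at one hostname. A resolver that carries a synthetic zone for bad.example.com answers every query under that apex from the copy and never falls through to the real servers; a naive copy holding only the sinkholed A record therefore loses the MX and every sibling host, and a `missing_records` check reports what the copy has drifted from between re-synchronizations.

```python
"""Toy model of zone-granularity DNS blocking.

Added illustration, not code from the paper. Data below is constructed:
bad.example.com is a hypothetical operator zone, 127.0.0.1 the sinkhole.
"""
from typing import Dict, Iterable, List, Set, Tuple

RR = Tuple[str, str]            # (owner name, record type), e.g. ("www.bad.example.com", "A")
Zone = Dict[RR, List[str]]      # each owner/type pair maps to its rdata list

# Constructed sample authoritative data (hypothetical, not from the paper).
AUTHORITATIVE: Zone = {
    ("bad.example.com", "NS"): ["ns1.bad.example.com"],
    ("bad.example.com", "MX"): ["10 mail.bad.example.com"],
    ("www.bad.example.com", "A"): ["192.0.2.10"],
    ("mail.bad.example.com", "A"): ["192.0.2.25"],
    ("chat.bad.example.com", "A"): ["192.0.2.30"],
    ("good.example.com", "A"): ["198.51.100.5"],   # unrelated sibling zone
}
SINKHOLE = "127.0.0.1"


def in_zone(name: str, apex: str) -> bool:
    """True if name is the apex or lies below it (label boundary respected)."""
    return name == apex or name.endswith("." + apex)


class Resolver:
    """Provider resolver that serves a synthetic zone in place of the real one."""

    def __init__(self, upstream: Zone) -> None:
        self.upstream = upstream
        self.overrides: Dict[str, Zone] = {}   # apex -> synthetic zone

    def override_zone(self, apex: str, synthetic: Zone) -> None:
        self.overrides[apex] = synthetic

    def resolve(self, name: str, rtype: str) -> List[str]:
        # Once an apex is overridden the resolver is the only source of truth
        # for everything under it: a record the copy lacks gets an empty
        # answer, it never falls through to the real authoritative servers.
        for apex, zone in self.overrides.items():
            if in_zone(name, apex):
                return list(zone.get((name, rtype), []))
        return list(self.upstream.get((name, rtype), []))


def naive_block(blocked: Iterable[str]) -> Zone:
    """Synthetic zone holding nothing but sinkhole A records for the targets."""
    return {(name, "A"): [SINKHOLE] for name in blocked}


def replicated_block(upstream: Zone, apex: str, blocked: Iterable[str]) -> Zone:
    """Copy every record of the zone, then sinkhole only the targeted A records."""
    targets = set(blocked)
    synthetic: Zone = {}
    for (name, rtype), rdata in upstream.items():
        if not in_zone(name, apex):
            continue
        hit = name in targets and rtype == "A"
        synthetic[(name, rtype)] = [SINKHOLE] if hit else list(rdata)
    return synthetic


def missing_records(upstream: Zone, apex: str, synthetic: Zone) -> Set[RR]:
    """Records the real zone has that the copy lacks: the re-synchronization
    debt that accrues every time the operator changes the zone."""
    return {rr for rr in upstream if in_zone(rr[0], apex) and rr not in synthetic}


def demo() -> Dict[str, List[str]]:
    apex, target = "bad.example.com", "www.bad.example.com"
    r = Resolver(AUTHORITATIVE)
    r.override_zone(apex, naive_block([target]))
    naive_mx = r.resolve(apex, "MX")            # [] : all mail for the zone is lost
    r.override_zone(apex, replicated_block(AUTHORITATIVE, apex, [target]))
    synced_mx = r.resolve(apex, "MX")           # MX survives once the zone is copied
    return {"naive_mx": naive_mx, "synced_mx": synced_mx, "www": r.resolve(target, "A")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`missing_records` is the check a provider would have to run against the live zone at every refresh; anything it returns is a record that has been silently blocked since the last copy, which is exactly the collateral damage the paragraph describes.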
From 2003-dornseif-government — Government mandated blocking of foreign Web content
· §2.2.3
· 2003
· DFN-Arbeitstagung über Kommunikationsnetze
Implications
Register circumvention endpoints in their own isolated DNS zones that carry no other services, so that a censor's DNS tampering cannot be argued to cause only acceptable collateral damage, an argument that would otherwise limit enforcement pressure
Avoid co-locating a proxy's domain with other services under the same parent zone, where the resulting collateral harm would give censors political cover to block the whole zone