NIC.CZ censorship

are there automatic censorship rules implemented on TURRIS devices or surrounding systems in relation with disinformation censorship, implemented by NIC.CZ?

The only steps (so far) are removing 8 names from the .cz zone.

That is what I firmly believe, but note that I’m not in Turris team and I certainly can’t make any official statements.

1 Like

Well generally, now it looks like as TURRIS project as project of NIC.CZ is in fact under control of czech government and secret services. I would be really interested, how it is protected, that all Turris SW runing on Turris is used only by user and NIC.CZ itself, not by government.


I certainly don’t perceive cz.nic as de-facto under government control, but it’s bound by CZ law anyway. Still, I’m openly from cz.nic, so why would you believe me in this? As for secret services, I really doubt you could confidently find out on a public forum, unless they’re really incompetent.


I know, of course, its just open question, how Turris project guarantees, that devices and SW around is not shared with government and secret agencies. And it becomes from current reality, NIC.CZ started to make censorship. If good or bad, i do not argue, but NIC.CZ started officially censorship, based on demand from government. So i have just logic question, where else NIC.CZ is cooperating with (any) government, for example related to Turris project. Of course i do not expect real answer, but opens really doubts to have such sofisticated device like Turris from government cooperating group, like NIC.CZ, covering officially censorship methods. From this point of view looks Turris project completely different, then secure device for secure myself.
And again, its just open question, i am just thinking, what does it really mean. NIC.CZ cooperating with government on censorship. Its the fact.


From my point of view it’s in principle similar to taking down names used for command&control by botnets. Or maybe even the dynamic firewall on Turris – blocking what’s evaluated as a security threat. But sure, it can be very subjective what’s a threat, etc. There are very fiery discussions around this case, e.g. on

Even the discussion shows, that it was very controversial decision. Comparing these sites to c&c botnets is intellectually dishonest; they contained speech. We may not agree with it, but in the democratic society, it is necessary for the speaker to be able to speak. You are not forced to listen; and you can freely say that you disagree (and why), but you cannot prevent others to speak.

Censorship goes against this basic principle; Rubicon was crossed. Congratulation, you joined ranks with Erdogan and Uganda, when they censored social networks. Enjoy the company.


I couldn’t make informed decision on vaccines, because Google been applying strong censorship on vaccines(although after 2years they softened a little bit now).

As mentioned above some others blocked even Wikipedia.

Reaching information is a fundamental right and can’t be blocked.


That s why I don’t trust single party dns providers and run my resolvers on dnscrypt with multiple sources enabled

yes, making informed decision on vaccines should not depend on google, should require proper medicine background, education etc.
Perhaps we should not try to solve these issues on this forum…

To be clear, this “censorship” is not about resolvers at all. The records were taken out of the .cz zone (authoritative servers), i.e. no resolvers will resolve them. At least unless they’d specifically re-add those particular records on their side, but that would seem… quite extreme. I rather think the media will move elsewhere (.com or wherever).

And in case of Turris, I even encourage non-forwarding mode, i.e. using zero resolver sources (not multiple ones). It’s just one click in reForis. And I’d encourage DNSSEC; that allows you to locally verify that get records issued by their owner.


Back to the original question: Turris OS is built on top of OpenWRT. CZ.NIC has no power over OpenWRT (except for being able to provide pull requests). CZ.NIC develops a bunch of additional software you can find on their gitlab. If you’re paranoid, you can build the whole OS yourself and enable just the CZ.NIC parts you need.

Regarding the distributed firewall, if I have it correctly, it doesn’t post anywhere exact requests you have made (or somebody has made to your router), but it just sends some pseudonymized statistical data (yes, containing IP addresses and probably more). If you do not trust it, you can turn this functionality off.

Last, if you switch update mode to updates with confirmation and never issue the confirmation, CZ.NIC has no other way of getting into your router and changing anything inside it.

So it is possible to have the Turris router almost CZ.NIC-independent, although I think in such a crippled mode, it’s better to buy an off-the-shelf netgear…


NIC.CZ and Turris team is really funny, nobody is discussing about OpenWRT or paranoic stuff, what i am talking is, that NIC.CZ is officially covering government censhorship methods, same NIC.CZ, covering Turris project. Thats it, nothing more, nothing less. You can put it to your PROMO documents, for sure, lot of people will be glad to buy secured network device from the group cooperating with government on censorship.
I hope you will put it to your official documents of Turris devices as great refference, how secured Turris device is.
Its not even funny.

1 Like

Disclaimer: I’m not with CZ.NIC and have never been. I’m just an owner of a few routers.

And I’m still not sure where you’re heading. Each government has its rules. In Czech republic, we have rules that some online hazard sites have to be blocked by ISPs. Would you call that censorship? And we also have laws saying that certain state offices can put other websites on a blacklist for various reasons, including spread of blatant and harmful lies. CZ.NIC just follows the rules.

1 Like

You evidently dont know czech law, but it doesnt matter. All i am saying is, that NIC.CZ, who covers officially government censorship methods, is same NIC.CZ, who develops secure network devices in Turris project. Nothing more and nothing less. It is like that, every Turris network device is developed by group, cooperating with government on censorship. Has nothing to do with what you are telling.

1 Like

My subject wasn’t “vaccine” but it was “censorship”. So I m not going to reply your argument, otherwise it will create another fierce discussion.

Last 2 years we have been living in a strong censorship era where govs took decision on behalf of others and silenced INTERNET, Media and even Medical Community.

How internet part is done? Mostly by controlling DNS.

Back to the original topic, I havent checked what was blocked but if it was war propaganda then it is normal to block.


Although agree with you I still think it is way better than closed source Chinese routers.

I also checked the source of Dynamic Firewall and related stuff. Seems OK.
And we can install pure OpenWrt if not happy.

Only one mystery is knot-resolver(which I didn’t have time to check source) and why it is not optional? Is there any Linux distribution which has it in its repos?

1 Like

Not all Turris users use it. But non-standard setups like that aren’t supported by the team, meaning that you’re on your own with setup and issues from the choice (or community; you can find threads here).

I’m not sure how other distribution repos are related, but see e.g. knot-resolver package versions - Repology


And you make it more difficult than necessary.

In the past, I tried to run Omnia with dnsmasq, exactly the way upstream OpenWrt does, and to keep it running is not something a normal user would be capable of doing. See also: Howto purge kresd and enable dnsmasq properly? - #2 by neheb

What’s so difficult on keeping kresd / resolver disabled after update, if it was disabled before update?

Nonetheless, we are getting off topic here.

1 Like