"Countries such as the UK place great store on surveilling users' DNS queries. In the context of Google and Mozilla's DoH proposals, the most useful tool available to state agencies is the ability to order domestic DNS server operators to sinkhole certain results, such as those leading to child abuse material. This is how the Internet Watch Foundation's blacklist operates."


DNS blacklisting is NOT how the IWF blacklist operates... or to be more precise, they don't specify how it's implemented - they just provide the lists. However, in their "recommended practices" (https://www.iwf.org.uk/become-a-member/services-for-members/url-list/url-blocking-good-practice) they say a page should be blocked by URL, not by domain.

Besides, blocking by IP would block many legitimate Cloudflare sites too!

I know that TalkTalk (at least) blocks pirate sites by chosen hostname, not by IP (try your own DNS, or even hardcode the IP; it still fails. Also, try a legitimate site on the same IP as a banned site, and it will work). I can't see why they'd use a different and inferior method for IWF lists. See the example below. The working connection successfully hits Cloudflare's proxy:


% host www.thepiratebay.org
www.thepiratebay.org has address 162.159.138.79
www.thepiratebay.org has address 162.159.137.79
www.thepiratebay.org has IPv6 address 2606:4700:7::a29f:8a4f
www.thepiratebay.org has IPv6 address 2606:4700:7::a29f:894f

Now, using the following 4 commands, "fib 1" is routed through a different ISP,
and "fib 0" is routed through TalkTalk:

setfib 1 curl -4vH 'Host: www.thepiratebay.org' http://162.159.138.79
setfib 0 curl -4vH 'Host: www.thepiratebay.org' http://162.159.138.79
setfib 0 curl -4vH 'Host: www.someothersite.org' http://162.159.138.79
setfib 0 curl -4vH 'Host: www.theregister.co.uk' http://162.159.138.79

% setfib 1 curl -4vH 'Host: www.thepiratebay.org' http://162.159.138.79
* Trying 162.159.138.79...
* TCP_NODELAY set
* Connected to 162.159.138.79 (162.159.138.79) port 80 (#0)
> GET / HTTP/1.1
> Host: www.thepiratebay.org
> User-Agent: curl/7.63.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Wed, 30 Oct 2019 15:27:52 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Wed, 30 Oct 2019 16:27:52 GMT
< Location: https://www.thepiratebay.org/
< Server: cloudflare
< CF-RAY: 52de6a6eace02c04-AMS
<
* Connection #0 to host 162.159.138.79 left intact

% setfib 0 curl -4vH 'Host: www.thepiratebay.org' http://162.159.138.79
* Trying 162.159.138.79...
* TCP_NODELAY set
* Connected to 162.159.138.79 (162.159.138.79) port 80 (#0)
> GET / HTTP/1.1
> Host: www.thepiratebay.org
> User-Agent: curl/7.63.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Connection: close
< Content-Type: text/html
< Content-Length: 2771
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><base href="http://www.talktalk.co.uk/" />
<title>Page Blocked</title>

[ ... ]
* Closing connection 0

% setfib 0 curl -4vH 'Host: www.someothersite.org' http://162.159.138.79
* Trying 162.159.138.79...
* TCP_NODELAY set
* Connected to 162.159.138.79 (162.159.138.79) port 80 (#0)
> GET / HTTP/1.1
> Host: www.someothersite.org
> User-Agent: curl/7.63.0
> Accept: */*
>
< HTTP/1.1 409 Conflict
< Date: Wed, 30 Oct 2019 15:39:07 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: close
< Set-Cookie: __cfduid=d9bc5fb36891ab0557e9ee35af62a71751572449947; expires=Thu, 29-Oct-20 15:39:07 GMT; path=/; domain=.www.someothersite.org; HttpOnly
< Cache-Control: max-age=6
< Expires: Wed, 30 Oct 2019 15:39:13 GMT
< X-Frame-Options: SAMEORIGIN
< Server: cloudflare
< CF-RAY: 52de7aeddee3ce2f-LHR
<
<!DOCTYPE html>

[ ... ]

<p>You've requested a page on a website (www.someothersite.org) that is on the <a data-orig-proto="https" data-orig-ref="www.cloudflare.com/5xx-error-landing?utm_source=error_100x" target="_blank">Cloudflare</a> network. Cloudflare is currently unable to resolve your requested domain (www.someothersite.org). There are two potential causes of this:</p>

[ ... ]

* Closing connection 0

% setfib 0 curl -4vH 'Host: www.theregister.co.uk' http://162.159.138.79
* Trying 162.159.138.79...
* TCP_NODELAY set
* Connected to 162.159.138.79 (162.159.138.79) port 80 (#0)
> GET / HTTP/1.1
> Host: www.theregister.co.uk
> User-Agent: curl/7.63.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 30 Oct 2019 15:47:56 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 301
< Connection: keep-alive
< Set-Cookie: __cfduid=dacbba95aadea54f4288092dd9bc00e1f1572450476; expires=Thu, 29-Oct-20 15:47:56 GMT; path=/; domain=.theregister.co.uk; HttpOnly
< Cache-Control: max-age=0
< Cf-Railgun: 5376a2ced7 stream 0.000000 0230 57da
< Expires: Wed, 30 Oct 2019 15:47:56 GMT
< Location: https://www.theregister.co.uk/
< X-Clacks-Overhead: GNU Terry Pratchett, Lester Haines
< X-Reg-Bofh: pfy04
< CF-Cache-Status: DYNAMIC
< Server: cloudflare
< CF-RAY: 52de87d3ab67bc00-LHR
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.theregister.co.uk/">here</a>.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at www.theregister.co.uk Port 80</address>
</body></html>
* Connection #0 to host 162.159.138.79 left intact
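The hostname-versus-IP test that the post above carries out by hand with curl, as an added example that is not part of the original comment: a Python script that sends GET / to one IP with several different Host headers and classifies each reply by whether it came back from the Cloudflare edge (Server: cloudflare / CF-RAY present, including Cloudflare's own 409 "unable to resolve" page) or from an intercepting proxy that never let the request reach the edge (no edge headers, block page in the body). The sample responses embedded in the script are constructed, abridged stand-ins for the three transcripts above; the block-page markers, the label names and the `probe()` helper for live use are this example's own assumptions, not TalkTalk's or Cloudflare's documented behaviour.

```python
"""Is an intermediary blocking by hostname or by IP?  (Added example.)

Send GET / to the SAME IP with DIFFERENT Host headers.  If one Host is
intercepted while another Host on the same IP reaches the CDN edge, the
block is keyed on the hostname, not the address.
"""
import http.client

# Heuristic markers for an ISP/proxy block page (assumption, not an exhaustive list).
BLOCK_PAGE_MARKERS = ("page blocked", "site blocked", "access denied")


def parse_http_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased; CRLF and bare LF line endings are accepted.
    """
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(status: int, headers: dict, body: str) -> str:
    """Label where a reply came from.

    'cdn-edge'              - Cloudflare answered (request passed the ISP untouched)
    'cdn-edge-unknown-host' - Cloudflare answered 409: edge reached, Host not served there
    'isp-block'             - no edge headers and a block page: intercepted upstream
    'unknown'               - anything else
    """
    at_edge = "cloudflare" in headers.get("server", "").lower() or "cf-ray" in headers
    if at_edge:
        return "cdn-edge-unknown-host" if status == 409 else "cdn-edge"
    body_l = body.lower()
    if any(marker in body_l for marker in BLOCK_PAGE_MARKERS):
        return "isp-block"
    return "unknown"


def blocking_mode(results: dict) -> str:
    """Given {host: label} for probes to ONE IP, say how the block is keyed.

    'hostname' - some Hosts intercepted, others reached the edge on the same IP
    'ip'       - every probed Host was intercepted (consistent with IP blocking;
                 probe more Hosts before concluding)
    'none'     - nothing was intercepted
    """
    labels = set(results.values())
    blocked = "isp-block" in labels
    reached = any(label.startswith("cdn-edge") for label in labels)
    if blocked and reached:
        return "hostname"
    if blocked:
        return "ip"
    return "none"


def probe(ip: str, host: str, timeout: float = 5.0):
    """Live version of `curl -H 'Host: <host>' http://<ip>/` (needs network).

    http.client skips its automatic Host header when one is supplied, so the
    TCP connection goes to `ip` while the request names `host`.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "curl/7.63.0", "Accept": "*/*"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, body
    finally:
        conn.close()


# Constructed, abridged stand-ins for the three "setfib 0" transcripts above.
SAMPLES = {
    "www.thepiratebay.org": (
        "HTTP/1.1 403 Forbidden\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><base href=\"http://www.talktalk.co.uk/\" />"
        "<title>Page Blocked</title></head></html>"
    ),
    "www.someothersite.org": (
        "HTTP/1.1 409 Conflict\r\nContent-Type: text/html; charset=UTF-8\r\n"
        "Server: cloudflare\r\nCF-RAY: 52de7aeddee3ce2f-LHR\r\n\r\n"
        "<!DOCTYPE html><p>Cloudflare is currently unable to resolve your requested domain</p>"
    ),
    "www.theregister.co.uk": (
        "HTTP/1.1 302 Found\r\nLocation: https://www.theregister.co.uk/\r\n"
        "Server: cloudflare\r\nCF-RAY: 52de87d3ab67bc00-LHR\r\n\r\n"
        "<html><body><h1>Found</h1></body></html>"
    ),
}


def classify_samples(samples: dict = SAMPLES) -> dict:
    """Classify each embedded sample reply; returns {host: label}."""
    return {host: classify(*parse_http_response(raw)) for host, raw in samples.items()}


if __name__ == "__main__":
    results = classify_samples()
    for host, label in results.items():
        print(f"{host:26s} {label}")
    print("blocking keyed on:", blocking_mode(results))
```

To run it against a real path rather than the embedded samples, replace `classify_samples()` with a dict built from `classify(*probe("162.159.138.79", host))` for each Host of interest; routing the probes through different uplinks (the post's `setfib 0` versus `setfib 1`) is left to the caller. The 409 case matters: it is still proof that the ISP passed the request through, so it must not be counted as a block.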