About this blog…

I am employed by Netnod as head of engineering, research and development and am among other things chair of the Security and Stability Advisory Committee at ICANN. You can find CV and photos of me at this page.

As I wear so many hats, I find it necessary to express my personal view on things somewhere. This is the location where that happens. Postings on this blog, or on Facebook, Twitter etc., fall under this policy.

The views expressed on this post are mine and do not necessarily reflect the views of Netnod or any other of the organisations I have connections to.

Blocking access with DNS is not effective

Using DNS as a tool to prevent access to resources does not work. In reality, any blocking, at any layer in the Internet Architecture, will always be a combination of not being effective and hurting more than intended. And because of that the effectiveness varies.

Two examples:

  1. A domain name is blocked in the resolver(s)
    • This will block not only the content on a specific URL, but all URLs that share the same domain name
    • This will not block access if other resolver(s) are in use, for example a resolver the user runs themselves
  2. An IP address is blocked in the routing system
    • This will block not only the content on a specific IP address, but everything using that IP address (including all virtual hosts)
    • This will not block the same content on other IP addresses and changing IP address is easy (keep same domain name)

But blocking in the DNS is specifically bad now that DNSSEC is introduced. The signatures in DNSSEC are designed in such a way that they indicate both existence and non-existence of a domain name. Blocking is a third category, and is simply not part of the DNSSEC architecture. Unknown things will happen if the applications that use DNSSEC. It might create such problems with non-existence responses that people will not turn on DNSSEC, which implies the collateral damage from the use of blocking can be considerable.
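As an added illustration (not code from the original post), the sketch below models how a DNSSEC-validating resolver sorts responses into proven existence, proven non-existence, or neither, which is where a blocked answer lands. The zone names, addresses and the HMAC stand-in for RRSIG signatures are constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-in: HMAC replaces the public-key RRSIG of real DNSSEC.
ZONE_KEY = b"constructed-demo-key"

def sign(*fields):
    return hmac.new(ZONE_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()

def verified(sig, *fields):
    return sig is not None and hmac.compare_digest(sig, sign(*fields))

def canonical(name):
    # RFC 4034 canonical order: compare labels right to left, lowercased.
    return name.lower().rstrip(".").split(".")[::-1]

def nsec_covers(owner, nxt, qname):
    o, n, q = canonical(owner), canonical(nxt), canonical(qname)
    return o < q < n if o < n else q > o  # last NSEC wraps around to the apex

def validate(qname, resp):
    # Simplified validator: ignores wildcards, NSEC3 and the chain of trust.
    if resp["rcode"] == "NOERROR":
        name, data, sig = resp["answer"]
        ok = name == qname and verified(sig, name, "A", data)
        return "secure" if ok else "bogus"
    proof = resp.get("nsec")
    if resp["rcode"] == "NXDOMAIN" and proof:
        owner, nxt, sig = proof
        if verified(sig, owner, "NSEC", nxt) and nsec_covers(owner, nxt, qname):
            return "secure-nxdomain"
    return "bogus"  # neither proven existence nor proven non-existence

# Constructed responses for a signed zone "example": case -> (qname, response).
CASES = {
    "genuine": ("www.example", {"rcode": "NOERROR", "answer":
        ("www.example", "192.0.2.10", sign("www.example", "A", "192.0.2.10"))}),
    "genuine-nx": ("nope.example", {"rcode": "NXDOMAIN", "nsec":
        ("mail.example", "www.example", sign("mail.example", "NSEC", "www.example"))}),
    "blocked-nx": ("www.example", {"rcode": "NXDOMAIN"}),  # resolver claims "no such name"
    "blocked-redirect": ("www.example", {"rcode": "NOERROR", "answer":
        ("www.example", "198.51.100.1", None)}),  # rewritten to a block page, unsigned
}

def classify_all():
    return {case: validate(q, r) for case, (q, r) in CASES.items()}

if __name__ == "__main__":
    print(classify_all())
```

A validating resolver hands bogus data to the application as SERVFAIL, so the user sees a resolution failure rather than a block notice.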

Instead, before starting to work on real technical mechanisms, I think the following is needed:

  • Whoever wants blocking of any kind must understand that any blocking just makes it harder for people to access information. It can never ever make it impossible to access it. And people that absolutely want to share the information will do it anyway. For example, the blocking of Child Pornography in Sweden and other countries is in reality only making new recruitment harder, not making it impossible for people really interested to exchange the data, which might be good enough.
  • Specifically, if there is considerable interest in the information itself (such as Wikileaks) the information will spread so fast that blocking in reality has absolutely no impact whatsoever — if it does not happen on “day zero” (which sets some interesting requirements on modern police work — see below).
  • Blocking is something that, as has been discussed at various meetings, has a large impact on everything related to Freedom of Speech, both in the constitution in many countries and in the UN Declaration of Human Rights. Because of this, even though blocking is not a very effective tool (see above), it is important that the process that says what is to be blocked is extremely robust, and because of that transparent, effective and trustworthy. By transparency I am not saying the URLs or hostnames should be public, because maybe they should not be (due to being part of a criminal investigation), but people under NDA should be able to see the list — before the list ends up in some Google index or Wikileaks… ;-)
  • It must be clear A. who makes the rules, B. who makes the decisions and C. who executes the blocking. And with “who”, I really talk about a definition both from a legal point of view and practical.

Once all of these things are fulfilled, we can start to discuss what can be done “as effectively as possible, with as little secondary damage as possible”. Because of course ISPs (for example) already have some technical mechanisms installed to handle, for example, DDoS attacks etc.

But it will never make it impossible to access the information in question. If information is to be taken down, the computer is to be found where the information is, the responsible person dragged to court etc. I.e. normal police work.

And of course we can discuss what (new) tools (if any) law enforcement agencies need to do this work, apart from changing the methods they use today. New tools should not be created just because someone is lazy, or still living in the previous millennium, but I am pretty sure new tools are needed (data retention of some kind, accessible under some circumstances etc).