About this blog…

I am employed by Netnod as head of engineering, research and development and am among other things chair of the Security and Stability Advisory Committee at ICANN. You can find CV and photos of me at this page.

As I wear so many hats, I find it necessary to express my personal views somewhere. This is the location where that happens. Postings on this blog, or on Facebook, Twitter etc., fall under this policy.

The views expressed on this post are mine and do not necessarily reflect the views of Netnod or any other of the organisations I have connections to.

Blocking access with DNS is not effective

Using DNS as a tool to prevent access to resources does not work. In reality, any blocking, at any layer of the Internet architecture, will always be some combination of ineffective and more harmful than intended, and the balance between the two is what makes the effectiveness vary.

Two examples:

  1. A domain name is blocked in the resolver(s)
    • This will block not only the content on a specific URL, but all URLs that share the same domain name
    • This will not block access if other resolver(s) are in use, for example a resolver the user runs themselves
  2. An IP address is blocked in the routing system
    • This will block not only the content on a specific IP address, but everything using that IP address (including all virtual hosts)
    • This will not block the same content on other IP addresses, and changing IP address is easy (keeping the same domain name)

But blocking in the DNS is specifically bad now that DNSSEC is being introduced. The signatures in DNSSEC are designed so that they prove both the existence and the non-existence of a domain name. Blocking is a third category, and it is simply not part of the DNSSEC architecture. What happens in applications that use DNSSEC when they receive a blocked response is undefined. It might create such problems with non-existence responses that people will not turn on DNSSEC, which implies that the collateral damage from blocking can be considerable.
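To make the three categories concrete, here is an added example (not code from the original post) that models a validating client. Real DNSSEC uses public-key RRSIG records and NSEC/NSEC3 records; this model uses an HMAC under a constructed zone key as a stand-in for the signature and plain string comparison for the NSEC ordering, so it runs offline. The shape of the check is the same: an answer is accepted only as signed existence or signed non-existence, and a resolver-side block, whether a forged NXDOMAIN or a redirect to a block page, fits neither and comes out bogus.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the zone's signing key (real DNSSEC: DNSKEY/RRSIG).
ZONE_KEY = b"constructed-example-zone-key"

# Constructed signed zone: only a.example. and c.example. exist, so the
# NSEC chain a.example. -> c.example. proves that names in between do not.
ZONE = {"a.example.": ["192.0.2.1"], "c.example.": ["192.0.2.3"]}
NSEC = ("a.example.", "c.example.")

def sign(owner, rrtype, rdata):
    """HMAC over the RRset as a stand-in for an RRSIG."""
    msg = json.dumps([owner, rrtype, sorted(rdata)]).encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()

def verify(owner, rrtype, rdata, sig):
    return hmac.compare_digest(sign(owner, rrtype, rdata), sig)

def authoritative(qname):
    """What the signed zone itself answers: signed data or signed denial."""
    if qname in ZONE:
        return {"rcode": "NOERROR", "rrset": ZONE[qname],
                "rrsig": sign(qname, "A", ZONE[qname])}
    return {"rcode": "NXDOMAIN", "nsec": NSEC,
            "rrsig": sign(NSEC[0], "NSEC", [NSEC[1]])}

def blocking_resolver(qname, blocklist, mode="nxdomain"):
    """Resolver that blocks by forging NXDOMAIN or redirecting to a block page.
    It has no zone key, so it cannot produce a signature for either."""
    if qname not in blocklist:
        return authoritative(qname)
    if mode == "redirect":
        return {"rcode": "NOERROR", "rrset": ["198.51.100.9"], "rrsig": ""}
    return {"rcode": "NXDOMAIN"}

def validate(qname, resp):
    """Validating client: secure existence, secure denial, or bogus."""
    if resp["rcode"] == "NOERROR":
        ok = verify(qname, "A", resp["rrset"], resp.get("rrsig", ""))
        return "secure" if ok else "bogus"
    nsec = resp.get("nsec")
    if nsec and verify(nsec[0], "NSEC", [nsec[1]], resp["rrsig"]) \
            and nsec[0] < qname < nsec[1]:   # simplified canonical ordering
        return "secure-nxdomain"
    return "bogus"  # neither signed existence nor signed non-existence
```

A client that sees "bogus" for a name it expected to resolve cannot tell a block from an attack, which is exactly why blocking sits outside the DNSSEC model.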

Instead, before starting working on real technical mechanisms, I think the following is needed:

  • Whoever wants blocking of any kind must understand that any blocking only makes it harder for people to access information. It can never make it impossible to access. And people who absolutely want to share the information will do so anyway. For example, the blocking of child pornography in Sweden and other countries is in reality only making new recruitment harder, not making it impossible for people who are really interested to exchange the data, which might be good enough.
  • Specifically, if there is considerable interest in the information itself (such as Wikileaks), the information will spread so fast that blocking in reality has absolutely no impact whatsoever — unless it happens on “day zero” (which sets some interesting requirements on modern police work — see below).
  • Blocking is something that, as has been discussed at various meetings, has a large impact on everything related to freedom of speech, both in the constitutions of many countries and in the UN Declaration of Human Rights. Because of this, even though blocking is not a very effective tool (see above), it is important that the process that decides what is to be blocked is extremely robust, and therefore transparent, effective and trustworthy. By transparency I do not mean that the URLs or hostnames should be public, because maybe they should not be (as part of a criminal investigation), but people under NDA should be able to see the list — before the list ends up in some Google index or on Wikileaks… ;-)
  • It must be clear A. who makes the rules, B. who makes the decisions and C. who executes the blocking. And by “who”, I mean a definition both from a legal point of view and a practical one.

Only when all of these things are fulfilled can we start to discuss what can be done “as effectively as possible, with as little secondary damage as possible”. Because of course ISPs (for example) already have some technical mechanisms installed to handle, for example, DDoS attacks.

But it will never make it impossible to access the information in question. If information is to be taken down, the computer where the information is hosted has to be found, the responsible person taken to court etc. I.e. normal police work.

And of course we can discuss what (new) tools (if any) law enforcement agencies need to do this work, apart from changing the methods they use today. New tools should not be created just because someone is lazy, or still living in the previous millennium, but I am pretty sure new tools are needed (data retention of some kind, accessible under some circumstances etc.).

4 comments to Blocking access with DNS is not effective

  • Whoever wants blocking of any kind must understand any blocking is just making it harder for people to access information. Can never ever make it impossible to access it.

    Indeed, but the problem is that most authorities (1) think it’s useful to make it harder even if you can’t make it impossible (gun-control laws, for example, make it harder to obtain guns, but not impossible) and (2) have to be seen as “doing something”, even if what they’re doing is only partially or even marginally effective.

    It’s worth reminding people of the harm that these attempts at blocking will do. But, sadly, that won’t stop the blocking.

    • paf

      Barry, you are absolutely correct in that sometimes the goal is not to block, but “just” to make it harder to access the content in question. For example, that was the explicit goal we had in the investigation related to child pornography in Sweden. The problem is though that some people claim the mechanism is blocking, and some people knowing even less want to extend the use of the technologies (that is not blocking) for blocking purposes.

  • Joakim Aronius

    There is also an interesting side effect when doing DNS blocking compared to IP filtering. As web-browsers resolve all links on a web page when it is parsed, not when you click on the link, you will get a huge number of false positives in the DNS blocking filter. I.e. by just viewing a web page which _contains_a_link_to_ a child-porn site will trigger the filter. And as these sites tend to contain lots of links I imagine that a fairly high percentage of all porn sites contain at least one link to a site in the DNS blocking filter (my speculation).

    So if ‘success’ is defined as a high number of filter hits, then they probably feel that they have succeeded. The number 50.000 hits per day has been mentioned in the press.

  • Scary Devil Monastery

    The ECPAT filter’s infamous “50000 hits per day” is so much smoke and mirrors. I’m quietly assuming that I’ve generated a few thousand hits against that filter myself, just by running DNS benchmarking software. Aside from that, the DNS “hit” generated by simple linking or the DNS queries regularly run by IT-interested NGOs, government agencies, private business and private citizens will ensure that anything registered under a DNS name at all will be generating hits.

    It may be possible to avoid generating DNS hits by simply not indexing the site and ensuring that no one ever visits it or has an HTML tag directing to it… but I’m sceptical.

    That aside, blocking is, at most, a one-time speed bump. Change DNS providers once and once only and you’ve just circumvented any filter your ISP provides. Set up your own DNS server for the more advanced class and you never will be blocked on that level again.

    DNS blocking isn’t having any impact at all on any criminal activity whatsoever already – pedophiles, for instance, have conducted their “trade” through proxies for a long time and it’s almost unthinkable any new “recruit” looking for such material would do it on any type of connection which wasn’t already by default circumventing most DNS block lists.

    No, the powers that be have apparently listened to the experts and decided the only real way to effectively block is by seizing domains, creating redirects. Which sadly in turn has ensured that ICANN’s role in DNS root administration most likely ends within the next few years as decentralization of the DNS system becomes a new status quo.

    You are quite right. Blocking is completely useless at any level you care to name, and someone needs to tell our elected “leaders” this in a louder voice and, demonstrably, in very very simple words.