Jul 28 2011

There’s a debate going on right now in governmental and technical circles on how best to combat copyright and patent infringement online. A bill called the PROTECT IP Act would allow the government to secure a court order and then force an ISP to stop resolving the offending domain name to its corresponding IP address. Here’s Ars Technica with a really good overview article.

Image courtesy of the report "Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill"

This is commonly referred to as “DNS Filtering,” and is a fundamental change to how the DNS operates. DNS ideally seeks to return the exact same IP address every time for any domain name requested anywhere around the world. To oversimplify just a little, this provision of PROTECT IP is a state-sanctioned “man in the middle” attack. Unlike a criminal attack where the intent is to deceive, users would be presented with information informing them of why they were being blocked from the content they requested.

The debate around this approach has been fierce, even if confined to tech and policy arenas. It can get pretty techie, but basically boils down to two related but distinct issues — will this approach work, and is it the right approach?

Will It Work?

Paul Vixie is Chairman of the Internet Systems Consortium and has played a big role in how the Internet operates today. In the mid 1990s he introduced the publication of “black lists” that network operators could share and use to refuse email traffic from known spammers. In 2010, he proposed something similar for DNS filtering, called DNS Response Policy Zones to perform much the same function for DNS queries. Here’s his full description via a CircleID essay last year.

But Vixie says this won’t work as part of PROTECT IP. As I understand it, he feels his approach will only work when network operators (ISPs) and end users agree on what kind of content needs to be filtered — spam, malware, phishing attacks, etc. If users are blocked from content they truly want, there are many ways to bypass DNS filtering. Here’s another CircleID post where he explains his position.

Is This the Right Approach?

In May Vixie and four other DNS experts authored a report raising security and technical objections to the filtering provisions in PROTECT IP. Their concerns are numerous, but focus mainly on conflicts with DNSSEC and the fragmentation of the current DNS addressing system, potentially leading to (somewhat paradoxically) a more dangerous and crime filled cyberspace.
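As an added illustration that is not from this post or from ISC's actual RPZ code: a toy Python model of an RPZ-style filter using BIND's CNAME conventions ("." for NXDOMAIN, "*." for NODATA, any other name for a walled-garden redirect), with an HMAC standing in for DNSSEC signatures to show why a rewritten answer fails validation at a validating client. All names, addresses and keys below are constructed.

```python
"""Toy model: a filtering resolver applies a Response Policy Zone (RPZ)
to answers it has already fetched, and a validating stub checks the
signature. An HMAC under a constructed zone key stands in for RRSIG."""
import hmac
import hashlib

ZONE_KEY = b"constructed-zone-signing-key"  # only the zone owner has this


def sign(name, rdata):
    """Stand-in for an RRSIG over the (name, rdata) RRset."""
    return hmac.new(ZONE_KEY, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()


# Constructed authoritative data (RFC 5737 documentation addresses).
AUTHORITATIVE = {
    "piracy.example.": "192.0.2.10",
    "www.piracy.example.": "192.0.2.11",
    "news.example.": "192.0.2.20",
}
SIGNATURES = {n: sign(n, ip) for n, ip in AUTHORITATIVE.items()}
WALLED_GARDEN_IP = "203.0.113.1"  # where redirected queries land

# RPZ triggers -> actions, following BIND's CNAME encoding.
RPZ = {
    "piracy.example.": ".",                       # NXDOMAIN
    "*.piracy.example.": "blockpage.isp.example.",  # redirect to block page
}


def rpz_lookup(qname):
    """Most specific trigger wins: exact name first, then wildcards."""
    if qname in RPZ:
        return RPZ[qname]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        wild = "*." + ".".join(labels[i:])
        if wild in RPZ:
            return RPZ[wild]
    return None


def resolve(qname, filtered=True):
    """Return (rcode, rdata, rrsig). A rewritten answer carries no RRSIG,
    because the resolver cannot sign on the zone owner's behalf."""
    if qname not in AUTHORITATIVE:
        return ("NXDOMAIN", None, None)
    action = rpz_lookup(qname) if filtered else None
    if action is None:
        return ("NOERROR", AUTHORITATIVE[qname], SIGNATURES[qname])
    if action == ".":
        return ("NXDOMAIN", None, None)
    if action == "*.":
        return ("NOERROR", None, None)
    return ("NOERROR", WALLED_GARDEN_IP, None)


def validate(qname, rcode, rdata, rrsig):
    """Validating stub: 'secure' only if the signature matches the data.
    (Real DNSSEC also proves denials with NSEC records; omitted here.)"""
    if rdata is None or rrsig is None:
        return "bogus"
    return "secure" if hmac.compare_digest(rrsig, sign(qname, rdata)) else "bogus"
```

The unfiltered answer for a policy-listed name validates, while the filtered one comes back without a usable signature, which is the DNSSEC conflict the report's authors describe.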

Not so fast, says George Ou of HighTech Forum. Here’s a long post in which he debunks the positions of the report’s authors, even though he acknowledges that users will be able to bypass the filtering. And last week he participated in a debate in which he claims report author Steve Crocker refused to answer questions about how filtering interferes with DNSSEC.

It’s impossible to capture all the points in one blog post — I hope all the links above give any reader who wants more info lots of options. One thing I haven’t read from any expert is the danger of government abuse of DNS filtering. Once the practice is sanctioned, isn’t it possible this could happen without a court order?

You don’t need to dabble in conspiracy theories to think so. Just a few years ago there were massive wiretaps conducted illegally by the government in the aftermath of 9/11. A process called FISA was in place for court ordered surveillance, but the government simply chose to ignore it. Under intense pressure, every ISP and telco except Qwest caved and handed over the information.

Once a technical workaround is established, more uses will be found for it. A very smart guy who has been involved in Internet infrastructure issues for decades warned me about this back when Internationalized Domain Names (IDNs) were first implemented in the early 2000s. Once the redirect genie was out of the bottle, there was no way to put it back in.

I’ve worked on DNS issues for a long time, but I’m not an engineer. Nor am I a fan of copyright and patent violations in cyberspace. I don’t think people have a “right” to whatever they want or can find online.

I do believe that the more visibility this debate has the better. A public and transparent debate gives us the best chance of finding a compromise that is good public policy and good for the Internet at large.

One Response to “Should Uncle Sam Mess with the DNS?”

1. This is a very interesting topic and very useful. Thanks for providing this topic.
