High Tech Forums Thoughts from the Technology Trenches

DNS Filtering is Essential to the Internet

June 24th, 2011

Executive Summary

A group of Internet engineers sent a letter to the US Senate opposing the DNS filtering provisions of the Protect IP Act on technical grounds.  They argued that DNS filtering is ineffective, dangerous to the security of the Internet, and would devalue the global DNS system.  Once the issues are examined, these technical concerns do not hold up.

Those engineers argue that the protection of intellectual property is important but that DNS filtering is ineffective, even though their ranks include Paul Vixie, who created the MAPS Realtime Blackhole List and DNS Response Policy Zones (RPZ), two of the filtering technologies discussed below.  Vixie has gone on record saying that RPZ can be used to implement government-mandated DNS blocking; his objection is that combating piracy is not worth the disruption his technology causes.

The assertion that DNS filtering will endanger DNS Security Extensions (DNSSEC) is alarming to Internet security professionals, but it deflates once we notice that the engineers only assert that sites a court has ordered filtered would no longer resolve securely.  The entire point of court-ordered filtering is that those sites do not resolve at all, securely or otherwise.  The letter makes no claim that DNS filtering poses a general risk to DNSSEC for sites that are not subject to an order.

The charge that DNS filtering would devalue and fragment the Internet’s official DNS is inconsistent with what has actually happened.  The two main pirate DNS alternatives that sprang up in response to government seizures of pirate and counterfeit domains chose not to replace the official DNS, because replacing it would have been costly for the pirates and troublesome for their users.  There is no evidence of DNS fragmentation.

Introduction

The United States Senate is considering the Protect IP Act of 2011, which is designed to protect Intellectual Property (IP) on the Internet.  Protect IP would empower the courts to filter websites primarily engaged in distributing pirated content or counterfeit goods, and it would do so through Domain Name System (DNS) filtering.  DNS is the primary global address book of the Internet: it translates human-friendly domain names like Microsoft.com into machine-readable Internet Protocol (IP) addresses like 65.55.12.249.  If a hypothetical website like counterfeit-goods.com were deemed illegal by the courts, Internet Service Providers (ISPs) would filter the DNS resolution of counterfeit-goods.com so that it no longer pointed to its real IP address and was instead redirected to a court-ordered shutdown notice.

A group of Internet engineers has filed a letter opposing the use of DNS filtering in the Protect IP Act, and they provided the expert testimony cited by editorials from the Los Angeles Times to the New York Times opposing the Act.  The engineers argue that while the protection of intellectual property is important, DNS filtering is grossly ineffective and dangerous on an engineering level.  Specifically they charge that:

  • DNS filtering is ineffective because it is easily bypassed
  • DNS filtering disrupts DNS Security Extensions (DNSSEC) which would endanger the cyber-security of the nation
  • DNS filtering encourages DNS fragmentation, because pirates and counterfeiters will create an alternative DNS

This paper will examine the technical merits of these arguments against the use of DNS filtering and show that these fears are unfounded.

Background on Internet IP and DNS Filtering

Filtering is in widespread use on the Internet because it is crucial to the fight against the malicious actors flooding it.  Internet email servers almost universally employ spam filters, which rely in part on DNS-based blacklists (DNSBLs) alongside other techniques.  Search engines such as Google filter their results to keep users away from websites that try to infect visitors’ computers with malicious software (malware).

To be effective, filtering has to go beyond individual domain names, because bad actors register domains by the thousands and move to new ones as the old ones are blocked.  To counter this rapid churn, Paul Vixie created the Mail Abuse Prevention System (MAPS) Realtime Blackhole List, a blacklist of IP addresses that mail servers query through DNS.  Listing IP addresses works because it is easy for a bad actor to buy thousands of domain names a year but far harder to obtain fresh IP addresses.  Without Mr. Vixie’s invention, our email inboxes would be inundated with far more spam.

IP Addresses Are Far More Scarce than Domain Names

Domain name registrars profit from selling a virtually endless supply of domain names, but the network providers who host Internet servers have a very limited supply of IP addresses.  IP address blacklisting sharply reduces the leasing value of those scarce addresses, so network operators are wary of leasing them to bad actors.  It does not matter how many cheap domain names the bad actors hold, because their supply of IP addresses is far more constricted, and any new domain name hosted on the same block of tainted IP addresses is automatically caught by the same blacklist.  Websites like MXToolBox.com even let hosting customers check whether an IP block they are leasing, or about to lease, is already on a blacklist.
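As an added example (my own code, not from the original article, MAPS or MXToolBox), the following Python shows how a DNS-based blacklist lookup is formed and how a hosting customer can check a netblock before leasing it.  The listing data, the zone name dnsbl.example and the return-code meanings are constructed for the example; the lookup is resolved against an in-memory table, so nothing is sent on the network.

```python
import ipaddress
from typing import Callable, Dict, Optional

# A DNSBL answers with an A record inside 127.0.0.0/8; the last octet says why
# the address is listed.  These meanings are constructed for the example.
RETURN_CODES = {
    "127.0.0.2": "direct spam source",
    "127.0.0.4": "compromised host / open proxy",
    "127.0.0.10": "policy: dynamic/end-user address space",
}

# Constructed listing data: the DNSBL zone maps reversed-octet names to codes.
CONSTRUCTED_ZONE = {
    "14.16.0.203.dnsbl.example": "127.0.0.2",
    "77.16.0.203.dnsbl.example": "127.0.0.4",
    "9.2.0.192.dnsbl.example": "127.0.0.10",
}

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = "dnsbl.example") -> str:
    """DNSBL convention: reverse the IPv4 octets and append the list's zone,
    e.g. 203.0.16.14 -> 14.16.0.203.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def constructed_resolver(name: str) -> Optional[str]:
    """Stand-in for a real A-record lookup; None plays the role of NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name)


def lookup(ip: str, resolve: Resolver = constructed_resolver) -> Optional[str]:
    """Return the listing reason for one address, or None when it is not listed."""
    code = resolve(dnsbl_query_name(ip))
    if code is None:
        return None
    # An answer outside 127.0.0.0/8 is not a DNSBL verdict (a wildcarded or
    # hijacked resolver, for instance); refuse to treat it as a listing.
    if ipaddress.IPv4Address(code) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {code} for {ip}")
    return RETURN_CODES.get(code, f"listed (code {code})")


def check_block(block: str, resolve: Resolver = constructed_resolver) -> Dict[str, str]:
    """Every listed address in a candidate netblock, with its reason: the check
    a hosting customer runs before leasing the block."""
    net = ipaddress.IPv4Network(block)
    hosts = list(net.hosts()) or [net.network_address]   # /32 on older Pythons
    report = {}
    for host in hosts:
        reason = lookup(str(host), resolve)
        if reason is not None:
            report[str(host)] = reason
    return report


def tainted_fraction(block: str, resolve: Resolver = constructed_resolver) -> float:
    """Share of the block that is listed.  Lists that blacklist whole /24s make
    even a small fraction enough to bounce mail for every tenant of the block."""
    net = ipaddress.IPv4Network(block)
    hosts = list(net.hosts()) or [net.network_address]
    return len(check_block(block, resolve)) / len(hosts)


if __name__ == "__main__":
    for ip in ("203.0.16.14", "203.0.16.1"):
        print(ip, "->", dnsbl_query_name(ip), "->", lookup(ip))
    print("203.0.16.0/24 listed:", check_block("203.0.16.0/24"))
    print("tainted fraction:", round(tainted_fraction("203.0.16.0/24"), 4))
```

Pointing `resolve` at a real A-record lookup turns this into a live check against a published DNSBL; the 127.0.0.0/8 guard matters there, because a resolver that wildcards or hijacks NXDOMAIN would otherwise make every address look listed.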

DNS Filtering is an Imperfect Necessity on the Internet

Because malicious actors on the Internet are moving targets, filtering is an inexact science: filters are neither completely effective nor completely ineffective.  In particular, a filter cannot block the bad websites and domains while sparing the good ones that share the same IP addresses.  When I ran the server operations at the non-profit think tank DigitalSociety.org, I found out the hard way that our IP addresses were tainted by previous customers when many of our organization’s emails were being bounced by other Internet domains.  There was no practical way to completely remove our IP address block from every blacklist on the Internet so we had to move to a new block of clean IP addresses.

Despite being less than 100% effective, and despite the undesirable side effects of IP and DNS filtering, there is no easy way to combat determined criminals on the Internet.  Without these filtering technologies we have no chance against email spam and malicious websites; with them we at least make the Internet more habitable, at the price of some limited collateral damage.  As in medicine, the best we can do with Internet filters is to minimize the threat while minimizing the collateral damage.

Extending the IP Blacklists From Email to DNS

In 2010, Paul Vixie extended blacklisting from mail to general DNS resolution by proposing DNS Response Policy Zones (RPZ), which let a recursive resolver apply a subscribed policy to the answers it hands out, in order to combat scammers who “phish” for victims with fake emails designed to steal login credentials or money.  Vixie opened his proposal with a blunt observation:

Paul Vixie: “Most new domain names are malicious.  I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators.”

The crux of RPZ is that the logic that blocks spam from a tainted IP address applies equally to websites.  RPZ lets a resolver apply policy not only to the name being queried but to the IP addresses returned in the answer: if an address has a track record of hosting malicious pages and domains, a new domain that suddenly resolves to the same address is very probably malicious too, and can be blocked before anyone has listed its name.
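To make the mechanism concrete, here is an added example (my own code, not ISC’s BIND or anything from Vixie’s proposal) of how a recursive resolver evaluates RPZ rules: a policy zone whose owner names are triggers and whose record data are actions.  It also shows the court-ordered redirect described in the Introduction expressed as RPZ “local data”.  The zone text, domain names and addresses are constructed, and rpz.example is a placeholder origin.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# An RPZ is an ordinary DNS zone: each owner name is a trigger (a query name,
# or a prefix-length + reversed IP under rpz-ip) and its RDATA is the action.
ZONE_ORIGIN = "rpz.example."
CONSTRUCTED_RPZ_ZONE = """
; QNAME triggers: the listed name and everything beneath it -> NXDOMAIN
counterfeit-goods.com.rpz.example.      CNAME .
*.counterfeit-goods.com.rpz.example.    CNAME .
; QNAME trigger with local data: redirect to the court-ordered notice page
pirate-movies.example.rpz.example.      A     192.0.2.53
; IP trigger: any answer inside 203.0.113.0/24 (tainted hosting) -> NODATA
24.0.113.0.203.rpz-ip.rpz.example.      CNAME *.
; one host in that block is whitelisted; the longer prefix wins
32.7.113.0.203.rpz-ip.rpz.example.      CNAME rpz-passthru.
"""

QnameRules = Dict[str, Tuple[str, str]]
IpRules = List[Tuple[ipaddress.IPv4Network, str, str]]


def parse_rpz(text: str, origin: str) -> Tuple[QnameRules, IpRules]:
    """Split the zone into QNAME rules {trigger: (rtype, rdata)} and IP rules
    [(network, rtype, rdata)], decoding rpz-ip's '<prefixlen>.<reversed ip>' form."""
    qname_rules: QnameRules = {}
    ip_rules: IpRules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split()
        if not owner.endswith("." + origin):
            raise ValueError(f"{owner} is not inside {origin}")
        trigger = owner[: -len(origin) - 1]
        if trigger.endswith(".rpz-ip"):
            plen, *rev = trigger[: -len(".rpz-ip")].split(".")
            net = ipaddress.IPv4Network(".".join(reversed(rev)) + "/" + plen)
            ip_rules.append((net, rtype, rdata))
        else:
            qname_rules[trigger.lower()] = (rtype, rdata)
    ip_rules.sort(key=lambda r: r[0].prefixlen, reverse=True)   # longest prefix first
    return qname_rules, ip_rules


def action_for(rtype: str, rdata: str) -> Tuple[str, Optional[str]]:
    """Map RPZ record data to (action, local data).  The special CNAME targets
    are the RPZ encodings of NXDOMAIN, NODATA, PASSTHRU and DROP."""
    special = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
    if rtype == "CNAME" and rdata in special:
        return special[rdata], None
    return "LOCAL-DATA", f"{rtype} {rdata}"


def apply_policy(qname: str, answer_ips: List[str],
                 qname_rules: QnameRules, ip_rules: IpRules) -> Tuple[str, Optional[str]]:
    """QNAME triggers are checked before IP triggers, as RPZ precedence requires.
    An exact name beats a wildcard; the closest enclosing wildcard beats a wider
    one.  For IP triggers the first answer address that matches a rule decides."""
    name = qname.rstrip(".").lower()
    if name in qname_rules:
        return action_for(*qname_rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):                   # *.sub.example before *.example
        wild = "*." + ".".join(labels[i:])
        if wild in qname_rules:
            return action_for(*qname_rules[wild])
    # IP triggers look at the *answer*: a brand-new domain parked in a tainted
    # block is caught even though nobody has listed its name yet.
    for ip in answer_ips:
        addr = ipaddress.IPv4Address(ip)
        for net, rtype, rdata in ip_rules:            # sorted longest prefix first
            if addr in net:
                return action_for(rtype, rdata)
    return "PASSTHRU", None


if __name__ == "__main__":
    q, i = parse_rpz(CONSTRUCTED_RPZ_ZONE, ZONE_ORIGIN)
    for query, ips in [("shop.counterfeit-goods.com.", ["198.51.100.5"]),
                       ("pirate-movies.example.", ["198.51.100.9"]),
                       ("brand-new-shop.example.", ["203.0.113.200"]),
                       ("legit.example.", ["203.0.113.7"])]:
        print(query, ips, "->", apply_policy(query, ips, q, i))
```

The last two queries are the point of the section: brand-new-shop.example is not named anywhere in the policy, yet it is blocked because its answer lands in the tainted /24, while the whitelisted 203.0.113.7 shows how a more specific rpz-ip entry spares a legitimate tenant of that block.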

Paul Vixie’s Contradiction on the Protect IP Act

Extending the RPZ concept further, new domains that appear at IP addresses known to host domains selling counterfeit goods or pirated music will probably engage in the same behavior.  But how does the creator of RPZ feel about using his technology against piracy and counterfeiting?  Vixie answered this question in his article “COICA and Secure DNS”:

Paul Vixie: “I’ve been asked by several people whether ISC’s Response Policy Zone technology (referenced above) can be used to implement government mandated DNS blocking, for example to protect Hollywood against intellectual property theft or to protect children against abuse by the distribution and viewing of Child Abuse Materials or to protect a society against content deemed dangerous by its government. Sadly my answer to this is a qualified “yes.”  I say “qualified” because while I can agree that it’s worth perturbing the whole Internet ecosystem to wipe out a domain that’s being used for the distribution of Child Abuse Materials I simply cannot agree that this level of perturbation is warranted for the protection of intellectual property.”

Simply put, Paul Vixie believes that the protection of Intellectual Property is not worth the collateral damage associated with his filtering technology but blocking spam, scams, or child abuse material is.  Mr. Vixie is certainly entitled to his views and has a right to influence government like any other citizen, but his article contradicts his endorsement of the Internet engineers’ letter opposing the Protect IP Act.

The thesis of the letter opposing the Protect IP Act is that protecting intellectual property is important but DNS filters are ineffective and dangerous.  Yet Vixie designed the RPZ filtering mechanism, so he clearly does not think his own invention ineffective.  Vixie simply believes that protecting intellectual property is not important enough to deserve the protection of his technology.

DNS Filtering Does not Endanger DNSSEC

Another key assertion by the engineers opposing the Protect IP Act is that it endangers the nation’s cyber-security by compromising DNS Security Extensions (DNSSEC).  DNSSEC cryptographically signs DNS data so that a validating resolver or client can detect forged answers.  Proposals that build on it would let domain owners publish certificate information in signed DNS records, offering a more secure and scalable alternative to the currently flawed X.509 Public Key Infrastructure (PKI) that underpins Secure Sockets Layer (SSL) connections for sensitive activities such as online payment processing and password authentication.  As a Certified Information Systems Security Professional (CISSP) and a proponent of DNSSEC, I was very concerned about this charge.  But once I examined the accusation in detail, it became obvious that the alleged danger of DNS filtering to DNSSEC was meritless.

The engineers merely assert that websites blocked by court order would be unreachable through DNSSEC-validated resolution.  But secure access to an illegal site is moot, because the purpose of a Protect IP court order is to prevent any access to that site.  These opponents of DNS filtering never claim that filtering would break DNSSEC in the general case, for websites that are not subject to a court order.  DNS filtering is not a threat to legal websites that deploy DNSSEC.

Those engineers also argue that attackers can misuse DNS filtering to downgrade DNSSEC to insecure DNS, but criminals can misuse DNS filtering whether or not the Protect IP Act passes.  Furthermore, a security downgrade is a problem inherent to weakly designed applications that let the end user opt out of secure operation when validation fails.  Downgrades are not caused by a fundamental weakness in DNSSEC; DNS filtering merely exposes a weakness that was already there in the application.  Web browsers, for example, let users click through certificate warnings, while applications such as email clients or corporate remote-access software are designed to refuse to fall back to insecure operation.
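The following added example (standard-library Python, my own code rather than anything from the engineers’ letter or this article) shows what a DNSSEC-validating client sees when a resolver filters a name in a signed zone, and how a fail-closed application differs from one that falls back.  An HMAC with a constructed key stands in for the zone’s RRSIG public-key signature so the example runs offline; the names, addresses and the SIGNED_ZONES table that models the DS chain are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed stand-ins.  Real DNSSEC uses RRSIG records made with the zone's
# private key and verified through the DNSKEY/DS chain; HMAC with a fixed key
# keeps this runnable on the standard library.  SIGNED_ZONES plays the part of
# the DS chain telling the validator which zones must carry signatures.
ZONE_KEY = b"constructed-zone-signing-key"
SIGNED_ZONES = {"example"}


@dataclass
class Answer:
    name: str
    rdata: List[str]              # A records
    rrsig: Optional[str] = None   # hex signature over the RRset, None if unsigned


def canonical(name: str, rdata: List[str]) -> bytes:
    """The signature covers the whole RRset in canonical form, so replacing one
    address (or dropping one) invalidates it."""
    return (name.lower().rstrip(".") + "|A|" + ",".join(sorted(rdata))).encode()


def sign(name: str, rdata: List[str]) -> Answer:
    """Authoritative server: publish the RRset together with its signature."""
    sig = hmac.new(ZONE_KEY, canonical(name, rdata), hashlib.sha256).hexdigest()
    return Answer(name, list(rdata), sig)


def filtering_resolver(ans: Answer, blocked: set, notice_ip: str) -> Answer:
    """The court-ordered filter from the article: a blocked name is redirected
    to the shutdown-notice address.  The resolver has no zone key, so the
    original RRSIG stays attached but no longer matches the data."""
    if ans.name.rstrip(".").lower() in blocked:
        return replace(ans, rdata=[notice_ip])
    return ans


def validate(ans: Answer) -> str:
    """Validator verdict: 'secure', 'insecure' (zone is unsigned) or 'bogus'."""
    zone = ans.name.rstrip(".").lower().split(".")[-1]
    if ans.rrsig is None:
        # A missing signature is acceptable only where the DS chain says there is none.
        return "insecure" if zone not in SIGNED_ZONES else "bogus"
    expected = hmac.new(ZONE_KEY, canonical(ans.name, ans.rdata), hashlib.sha256).hexdigest()
    return "secure" if hmac.compare_digest(expected, ans.rrsig) else "bogus"


def client_connect(ans: Answer, fail_closed: bool) -> Optional[List[str]]:
    """Addresses the application will connect to, or None if it refuses.
    fail_closed=True models software that will not proceed on a bogus answer;
    False models software that falls back to whatever it was handed."""
    status = validate(ans)
    if status in ("secure", "insecure") or not fail_closed:
        return list(ans.rdata)
    return None


if __name__ == "__main__":
    blocked, notice = {"shop.example"}, "192.0.2.53"
    for name, ip in (("shop.example.", "198.51.100.10"), ("bank.example.", "198.51.100.20")):
        seen = filtering_resolver(sign(name, [ip]), blocked, notice)
        print(name, validate(seen),
              "fail-closed:", client_connect(seen, True),
              "fail-open:", client_connect(seen, False))
```

Run it and the two outcomes discussed above fall out: the filtered shop.example answer validates as bogus, so a fail-closed client gets nothing and never reaches the notice page, while a fail-open client connects to whatever the resolver handed it; bank.example, which no order touches, validates as secure for both kinds of client.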

DNS Filtering Does not Encourage DNS Fragmentation

The final charge made by the engineers opposing the Protect IP Act is that DNS filtering will encourage the fragmentation of DNS and devalue the Internet’s officially sanctioned DNS system operated under the Internet Assigned Numbers Authority (IANA).  Paul Vixie even argued that domain name seizures will produce an alternative pirate DNS system, at a cost of $20,000 to $1 million, that pulls people seeking pirated content away from the official IANA DNS.  This charge is also meritless, because real-world evidence shows the IANA DNS thriving in parallel with the DNS alternatives that have appeared.

In response to the 2010 domain name seizures, content pirates proposed a workaround that would create a new .P2P name space complementing rather than replacing the official IANA system.  The system would be free to operate because it uses peer-to-peer (P2P) distribution, and its users would still rely on IANA for official top-level domains such as .COM.  It is also noteworthy that hundreds of thousands of private business “intranet” DNS domains already coexist with the IANA DNS.  A pirate DNS system will not endanger the IANA DNS any more than those hundreds of thousands of intranet DNS systems do.

Another solution implemented by pirates is the web browser plug-in MAFIAAFire Redirector for Mozilla Firefox and Google Chrome.  The plug-in maintains a database of government-seized domains so that users can still reach the sites behind them.  Like the .P2P workaround, MAFIAAFire does not bypass the official IANA DNS.  Both real-world pirate DNS alternatives avoid Vixie’s nightmare scenario of the official IANA DNS being supplanted.  The theory of DNS fragmentation is simply unfounded.


Reader Comments

  1. As an aside, today I received notice that IEEE-USA is looking for volunteers to help develop a position statement on cyber-security. Anyone with knowledge on this and who is aligned with industry should consider participating to increase the chances the statement is somewhat grounded in reality. Otherwise, I expect the statement will have a somewhat typical anti-industry tone.

  2. In stating that “there is no evidence of DNS fragmentation” and then using that as a justification to debunk the charge that DNS filtering would contribute to the fragmentation of the official DNS system, I respectfully submit that Mr. Ou fails on both empirical and procedural grounds.

    There has been evidence of fragmentation of the DNS dating back to the late 1990s when New.Net attempted to promulgate a browser plugin and operating system tweaks to support an entire parallel DNS ecosystem.

    More to the point, people responsible for developing and implementing changes to critical infrastructure systems (and the Internet, in the event that one doesn’t consider it critical infrastructure) have time horizons longer than “now.” Even if there was no evidence that such filtering could contribute to DNS fragmentation in the instant case, it would not invalidate such an assessment by someone concerned with emergent effects over the course of a decade or more.

    When things become easy to use, it is easy to miss the groundwork, planning and deployment phases that may have taken a long time to execute. Work on IPv6 has been going on for 15 years, for good reason: It’s important to think about second-order consequences of one’s designs, be they in policy or protocol stacks.

    • You are trying to equate the mere existence of parallel DNS schemes (since the 1990s) to fragmentation. This is wrong because those parallel DNS schemes supplement rather than overlap or displace the IANA DNS system. There is no displacement going on so there is no fragmentation. The engineers opposing DNS Filtering are merely speculating that displacement might occur but the evidence proves contrary.

      The official IANA DNS system has lived in parallel and harmony to the hundreds of thousands of private “Intranet” DNS schemes out there. The two examples of pirate DNS schemes out there are merely two additional private DNS schemes. All of these private DNS schemes cover functionality not provided by the IANA DNS system.

    • You’re also trying to make me prove a negative, that DNS Filtering would not promote DNS fragmentation. Everyone knows that it isn’t possible to prove a negative. All we can do is look at the evidence and history and see that the IANA DNS system is robust against any efforts to usurp it and that there is no motive to create an alternative scheme. There are motives to create supplementary DNS schemes for legal or criminal activities but that does not put the IANA DNS system at risk.

  3. What I think is missing in this discussion is the definition of ‘defragmentation’ and an answer to the question ‘What is so bad about defragmentation ?’.

    Defragmentation can be understood as not having all Internet users in one DNS system; and I believe that this is what engineers behind the discussed White Paper had in mind. Taking this definition on board; yes, there is DNS fragmentation, and yes, the Protect IP Act is most likely going to cause (not encourage, that’s an inappropriate term) further fragmentation.

    Having said that, what is the actual problem with defragmentation? An average citizen reading the White Paper might think ‘oh no, all the online resources I’m using are going to be in various places, there will be a mess, etc.’ This is clearly wrong, for I agree here with the author of this article; the legit websites are going to stay in IANA.

    The problem is that those alternative, ‘complementary’ DNS systems might not be regulated at all. Sure, it might be just a couple of guys who wanted to have their own DNS ‘for the sake of it’. But it might also be pedophiles or dedicated copyright infringers wishing to have an alternative DNS system to continue their activity without having to worry about governments’ influence. And that is a troublesome matter.

    In the end, I fully agree with the above article: Protect IP Act shouldn’t be criticized on the basis of DNS fragmentation. The alternative DNS systems have to be addressed one way or another, but giving up on the Act is not going to solve this issue.

  4. Nice job trying to deflect opposition to the bill.

    Putting a Chinese-style internet censorship regime into place in the US, and giving the MPAA and RIAA access to the levers, is not ok.

  5. MPAA and RIAA aren’t out to put “Chinese-style Internet censorship” in place, Michael. China is perfectly happy for its citizens to pirate Hollywood and Nashville content all day long.