With various governments looking at the Domain Name Service (DNS) as a tool to implement national policy (for example the USA’s SOPA and PIPA proposals), Rod Rasmussen’s talk at the FIRST conference was a timely reminder of the possible problems with this approach.
DNS is a critical part of the Internet, providing the conversion between the names (e.g. www.ja.net) that humans use to refer to Internet services and the numeric addresses (126.96.36.199 or 2001:630:1:107:1::65) that computers actually use to communicate with each other. DNS is often explained as a distributed database – to find out the address of www.ja.net you have to ask Janet’s (ja.net) part of the database, to find where that ja.net database is you need to ask the authoritative source for .net, and so on. It’s rare for individual PCs to do those lookups – normally they ask for help from a resolver provided by their organisation or Internet Access Provider.
Of course the resolver doesn’t *have* to ask other servers before it sends an answer to the requesting client. Many resolvers will answer immediately if they have recently been asked the same question by another client (known as caching). Or, if its policy requires, a resolver can give a deliberately incorrect answer – either saying that a site does not exist or returning a different numeric address. This can be used, for example, when users look up a domain that has been reported as a phishing site: the resolver can either deny that the site exists or send the user to an education page instead.
Modifying DNS responses is a very blunt instrument that needs to be used with care, however, since it will affect all information and all services provided from the affected domain. All web pages in the domain – both legitimate and non-legitimate – will become invisible, e-mail may well be impossible to send or receive, and any subdomains are also likely to be affected. If users want to access the blocked information, it is very easy for them to choose an alternative resolver that does not implement the block. Indeed, a number of services now offer alternative resolvers specifically to allow users to subscribe to a subset of the Internet that has been filtered to exclude particular types of content. Using DNS filtering against the wishes of users is likely to be ineffective, and may indeed place users at greater risk if it gives them an incentive to move to an alternative resolver that may misuse their personal data: a DNS resolver sees a complete list of the domains you access, and a malicious one may be able to harvest sensitive information such as passwords and credit card numbers.
Finally, one of the major current efforts in Internet security is to improve the security of DNS itself by having replies signed to prove that they are valid (known as DNSSEC). Using DNS filtering to return incorrect results will cause DNSSEC validation errors: at best this means that redirection pages will be invisible, at worst it could make users think that DNSSEC errors are normal and should be ignored (as most users now ignore certificate validation errors). OFCOM considered this risk too high to recommend DNS filtering as anything more than a short-term measure for blocking access, despite its apparently attractive simplicity.
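The three mechanisms described above (walking the delegation chain from the root, answering from a cache, and a resolver substituting a "does not exist" or education-page answer for a domain on a block list) can be seen together in a small model. The following Python is an added illustration and is not code from the original post or from any real resolver: the zone data, the "bad-bank.net" phishing domain, the education-page address and the per-zone HMAC keys are all constructed for the example, and the HMAC stands in for DNSSEC signatures (a signed negative answer stands in for NSEC). It shows why a filtered answer fails validation at a DNSSEC-aware client, and why a block on a domain also silences every name beneath it.

```python
"""Toy model of a caching DNS resolver with a policy filter and a DNSSEC-style
validation check.  Added illustration, not code from the original post; every
zone, key, address and the "bad-bank" phishing domain below is constructed."""
import hashlib
import hmac
from collections import namedtuple

# Constructed authoritative data.  Each zone maps an owner name to a delegation
# ("NS", child zone) or an address record ("A", address).  www.ja.net gets the
# address quoted in the post; the other addresses come from documentation ranges.
ZONES = {
    ".": {"net.": ("NS", "net.")},
    "net.": {"ja.net.": ("NS", "ja.net."), "bad-bank.net.": ("NS", "bad-bank.net.")},
    "ja.net.": {"www.ja.net.": ("A", "126.96.36.199")},
    "bad-bank.net.": {"www.bad-bank.net.": ("A", "203.0.113.66")},
}
# Constructed per-zone secrets standing in for DNSSEC zone-signing keys.  Only
# the authoritative zone can sign its own answers; a resolver holds no zone key,
# so it cannot produce a valid signature for anything it substitutes.
ZONE_KEYS = {zone: hashlib.sha256(("key:" + zone).encode()).digest() for zone in ZONES}
EDUCATION_PAGE = "192.0.2.10"   # constructed address of the "education page"
TTL = 300                       # cache lifetime in (simulated) seconds

Answer = namedtuple("Answer", "name rdata zone signature")


def sign(zone, name, rdata):
    """Signature over one record, or over a signed negative answer (stand-in for NSEC)."""
    msg = f"{name}|{rdata or 'NXDOMAIN'}".encode()
    return hmac.new(ZONE_KEYS[zone], msg, hashlib.sha256).digest()


def authoritative_lookup(name, trace):
    """Walk the delegation chain from the root, as a resolver does: ask the root
    who serves .net, ask .net who serves ja.net, then ask ja.net for the record."""
    zone = "."
    while True:
        trace.append(zone)
        records = ZONES[zone]
        if name in records and records[name][0] == "A":
            return Answer(name, records[name][1], zone, sign(zone, name, records[name][1]))
        child = next((owner for owner, (rtype, _) in records.items()
                      if rtype == "NS" and name.endswith("." + owner)), None)
        if child is None:       # no record and no delegation: signed "does not exist"
            return Answer(name, None, zone, sign(zone, name, None))
        zone = child


class Resolver:
    """Caching resolver.  `policy` maps a domain to "nxdomain" or "redirect" and,
    as the post notes, applies to every name underneath that domain too."""

    def __init__(self, policy=None):
        self.policy = policy or {}
        self.cache = {}             # name -> (answer, expiry time)
        self.clock = 0              # simulated time, so cache expiry is deterministic
        self.upstream_queries = 0   # how many authoritative servers were asked

    def advance(self, seconds):
        self.clock += seconds

    def _policy_action(self, name):
        for domain, action in self.policy.items():
            if name == domain or name.endswith("." + domain):
                return action
        return None

    def resolve(self, name):
        action = self._policy_action(name)
        if action == "nxdomain":    # deny the name exists; unsigned, see validate()
            return Answer(name, None, "filter", b"")
        if action == "redirect":    # send the client to the education page instead
            return Answer(name, EDUCATION_PAGE, "filter", b"")
        cached = self.cache.get(name)
        if cached and cached[1] > self.clock:
            return cached[0]        # cache hit: answer without asking anyone
        trace = []
        answer = authoritative_lookup(name, trace)
        self.upstream_queries += len(trace)
        self.cache[name] = (answer, self.clock + TTL)
        return answer


def validate(answer):
    """What a DNSSEC-validating client does: recompute the signature with the
    claimed zone's key.  A filtered answer names no real zone and carries no
    valid signature, so it fails just as the post describes."""
    if answer.zone not in ZONE_KEYS:
        return False
    expected = sign(answer.zone, answer.name, answer.rdata)
    return hmac.compare_digest(expected, answer.signature)


if __name__ == "__main__":
    for r in (Resolver(), Resolver(policy={"bad-bank.net.": "redirect"})):
        a = r.resolve("www.bad-bank.net.")
        print(a.name, a.rdata, "valid" if validate(a) else "DNSSEC validation error")
```

Running it shows the unfiltered resolver returning the signed address, while the filtering resolver returns the education-page address with a validation error; the same filter also answers for `mail.bad-bank.net.`, a name that exists in no zone at all, which is the bluntness the post warns about.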
DNS filtering can be a valuable tool when it is done for reasons that align with users’ wishes, and where the content to be filtered has its own domain. At present phishing sites and some malware command and control systems are most likely to meet these requirements. Attempting to use it to enforce a policy on unwilling users will not work, and is likely to expose users and the Internet to even greater risks.