DNS Filtering is Essential to the Internet

post_logo

Executive Summary

A group of Internet Engineers sent a letter to the US Senate opposing the DNS filtering aspect of the Protect IP Act on technical grounds.  They argued that DNS filtering technology is ineffective, dangerous to the security of the Internet, and would devalue the global DNS system, but these technical concerns are meritless once the issues are examined.

Those engineers argue that the protection of Intellectual Property is important but DNS filtering is ineffective, despite the fact that their ranks include Paul Vixie who is the inventor of DNS filtering.  Paul Vixie has even gone on record saying that DNS filtering would in fact be effective at combating piracy but Vixie felt that combating piracy was not worthy of his technology.

The assertion that DNS filtering will endanger a secure implementation of DNS called DNSSEC is very alarming to Internet security professionals, but this assertion is quickly debunked once we realize that the engineers only assert that filtered sites deemed illegal by the courts would no longer work securely.  But the entire point of the court ordered filtering is to ensure those sites don’t work at all, secure or otherwise.  There was never a claim that DNS filtering would pose a general risk to DNSSEC.

The charge that DNS filtering would devalue and fragment the official DNS system of the Internet is inconsistent with reality.  Two of the main pirate DNS alternatives that have sprung up to combat government seizure of pirate and counterfeit websites opted not to replace the official DNS system because that would have been very costly for the pirates and problematic for their users.  There is no evidence of DNS fragmentation.

Introduction

The United States Senate is considering the Protect IP Act of 2011 which is designed to protect Intellectual Property (IP) on the Internet.  Protect IP would empower the courts to filter websites primarily engaged in the act of distributing or pirating content or counterfeit goods.  Protect IP would involve the use of Domain Name System (DNS) filtering.  DNS acts as the primary global address book of the Internet.  It translates human friendly domain names like Microsoft.com to a machine-readable Internet Protocol (IP) address like 65.55.12.249.  If a hypothetical website like counterfeit-goods.com was deemed an illegal website by the courts, Internet Service Providers (ISPs) would filter the DNS resolution of counterfeit-goods.com, so that it would no longer point to its valid IP address and would instead be redirected to a court-ordered shutdown notice.

A group of Internet engineers have filed a letter opposing the use of DNS filtering in the Protect IP Act and they provided the expert testimony cited by editorials from the Los Angeles Times to the New York Times opposing the Protect IP Act.  The engineers argue that while the protection of intellectual property is important, DNS filtering is grossly ineffective and dangerous on an engineering level.  Specifically they charge that:

  • DNS filtering is ineffective because it is easily bypassed
  • DNS filtering disrupts DNS Security Extensions (DNSSEC) which would endanger the cyber-security of the nation
  • DNS filtering encourages DNS fragmentation pirates and counterfeiters will create an alternative DNS

This paper will examine the technical merits of these arguments against the use of DNS filtering and show that these fears are unfounded.

Background on Internet IP and DNS Filtering

Filtering technology is in widespread use on the Internet because it is crucial to the fight against malicious actors flooding the Internet.  Internet email servers almost universally employ some form of spam filter which involves DNS filtering, among other things.  Internet search engines like Google employ website filters to protect consumers from visiting malicious websites that attempt to infect visiting computers with malicious software (malware).

In order to be effective, DNS filtering goes beyond the filtering of individual domain names because bad actors buy domain names by the thousands and migrate to new domain names as old ones become ineffective.  To combat this rapid migration of malicious domain names, Paul Vixie invented the Mail Abuse Prevention System (MAPS) which maintains a DNS blacklist of IP address.  This was done because it is easy for bad actors to buy thousands of Internet domain names per year but far more difficult to move IP addresses.  Without Mr. Vixie’s invention, our email inboxes would be inundated with far more spam.

IP Addresses are far More Scarce than Domain Names

Domain name registrars make a profit selling a virtually endless supply domain names, but network providers who host Internet servers have a very limited supply of IP addresses.  IP address blacklisting greatly reduces the leasing value of those scarce IP addresses so network operators are wary of leasing their IP addresses to bad actors.  It doesn’t matter how many cheap domain names the bad actors have, because their supply of IP addresses are far more constricted and any new domain name hosted on the same block of tainted IP addresses will automatically get blacklisted.  Websites like MXToolBox.com even allow Internet hosting customers to check if an IP block they’re leasing or about to lease is in a blacklist ghetto or not.

DNS Filtering is an Imperfect Necessity on the Internet

Because malicious actors on the Internet are moving targets and are difficult to combat, filtering technologies are an inexact science — they are neither completely effective nor completely ineffective.  Because of this inexact nature of filtering, the filters can’t completely filter out the bad websites and domains while sparing the good websites and domains sharing the same IP addresses.  When I ran the server operations at the non-profit think tank DigitalSociety.org, I found out the hard way that our IP addresses we were tainted by previous customers when many of our organization’s emails were being bounced by other Internet domains.  There was no practical way to completely remove our IP address block from every blacklist on the Internet so we had to move to a new block of clean IP addresses.

Despite being less than 100% effective and despite all the undesirable side effects of IP and DNS filtering, there is no easy way to combat determined criminals on the Internet.  Without these filtering technologies, we have no chance of combating email spam and malicious websites.  With these technologies, we at least make the Internet a more habitable environment with some tradeoffs in limited collateral damage.  Like medical science, the best we can do with Internet filters is to minimize the threats while minimizing collateral damage.

Extending the IP Blacklists From Email to DNS

In 2010, Paul Vixie began to extend the concept of IP blacklisting from spam to DNS by proposing the DNS RPZ system to combat Internet scammers who “phish” for new victims by soliciting them with fake emails to steal their Internet login credentials or money.  Vixie began his proposal with some poignant observations:

Paul Vixie: “Most new domain names are malicious.  I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators.”

The crux of the DNS RPZ proposal is that if IP filtering is effective in blocking spam from a malicious domain, then the same concept can be applied to the malicious websites.  If an IP address has a track record for hosting malicious webpages and domains, there is a high probability that new domains popping up at the same IP address is also malicious.

Paul Vixie’s Contradiction on the Protect IP Act

Extending the concept of DNS RPZ further, new domains popping up at an IP addresses known to host domains selling counterfeit goods or pirated music probably will engage in the same behavior.  But how does the creator of DNS RPZ feel about using his technology to combat piracy and counterfeit goods on the Internet?  Vixie answered this question in his article “COICA and Secure DNS”.

Paul Vixie: “I’ve been asked by several people whether ISC’s Response Policy Zone technology (referenced above) can be used to implement government mandated DNS blocking, for example to protect Hollywood against intellectual property theft or to protect children against abuse by the distribution and viewing of Child Abuse Materials or to protect a society against content deemed dangerous by its government. Sadly my answer to this is a qualified “yes.”  I say “qualified” because while I can agree that it’s worth perturbing the whole Internet ecosystem to wipe out a domain that’s being used for the distribution of Child Abuse Materials I simply cannot agree that this level of perturbation is warranted for the protection of intellectual property.”

Simply put, Paul Vixie believes that the protection of Intellectual Property is not worth the collateral damage associated with his filtering technology but blocking spam, scams, or child abuse material is.  Mr. Vixie is certainly entitled to his views and has a right to influence government like any other citizen, but his article contradicts his endorsement of the Internet engineers’ letter opposing the Protect IP Act.

The thesis of the letter opposing the Protect IP Act is that protecting Intellectual Property is important but DNS filters are ineffective and dangerous.  Yet Paul Vixie is the inventor of DNS filters, so it is self-evident that he does not think his invention is ineffective.  Vixie simply believes that protecting Intellectual Property is not important enough to deserve the protection of his technology.

DNS Filtering Does not Endanger DNSSEC

Another key assertion made by the engineers opposing the Protect IP act is that it endangers the cyber-security of the nation by compromising DNS Security Extensions (DNSSEC).  DNSSEC is a superior replacement for the currently flawed X.509 Public Key Infrastructure (PKI) system used to facilitate Secure Socket Layer (SSL) communications for sensitive activities like online payment processing or password authentication.  DNSSEC could offer a more secure and scalable alternative to X.509 for more secure SSL communications.  As a Certified Information Systems Security Professional (CISSP) and a proponent of DNSSEC, I was very concerned about the merits of DNS filtering.  But once I examined the accusation in detail, it became obvious that the alleged danger of DNS filtering to DNSSEC was meritless.

The engineers opposing the Protect IP Act merely assert that websites blocked by court orders would be inaccessible through secure mechanisms facilitated by DNSSEC.  But secure access to an illegal site is moot because the purpose of the Protect IP court ordered filters is to prevent any access to that illegal site.  These opponents of DNS filtering never make the claim that DNS filtering will compromise DNSSEC in the general case for websites that aren’t blacklisted with a court order.  DNS filtering is not a threat to legal websites implementing DNSSEC.

Those engineers also argue that DNS filtering can be misused by hackers to downgrade DNSSEC to insecure DNS, but criminals can misuse DNS filtering regardless of whether the Protect IP Act passes or not.  Furthermore, security downgrades are a problem inherent to weakly designed applications that allow end users to opt out of secure operation.  Security downgrades are not caused by a fundamental weakness in DNSSEC and the problem is merely exposed by DNS filtering.  Web browsers, for example, are notoriously weak in security because they allow end users to opt out of security while applications like email or corporate remote access software are designed to refuse a downgrade to insecure operation.

DNS Filtering Does not Encourage DNS Fragmentation

The final charge made by the engineers opposing the Protect IP Act is that DNS filtering will encourage the fragmentation of DNS and devalue the validity of the Internet’s officially sanctioned DNS system operated by the Internet Assigned Numbers Authority (IANA).  Paul Vixie even argued that domain name seizures will result in an alternative Pirate DNS system at a cost of $20,000 to $1 million that will pull people (seeking pirate content) away from the official IANA DNS system.  But this charge is also meritless because real world evidence suggests that the IANA DNS system has thrived in parallel with other DNS alternatives.

In response to the domain name seizures in 2010, content pirates proposed a workaround that would create a new .P2P name space that complements rather than replaces the official IANA system.  The system would be free to operate because it uses peer-to-peer (P2P) distribution and the system would still have its users use IANA for official top level domains like .COM.  It’s also noteworthy that there are hundreds of thousands of private “Intranet” business DNS domains that complement the IANA DNS system.  A pirate DNS system will not endanger the IANA DNS system anymore than the hundreds of thousands of Intranet DNS systems operated by businesses.

Another solution implemented by pirates is the web browser plug-in called MAFIAAFire Redirector for Mozilla Firefox and Google Chrome.  The plug-in maintains a database of government seized Internet domains so that users can still access those seized domains.  Like the .P2P workaround, MAFIAAFire does not bypass the official IANA DNS system.  Both real world pirate DNS alternatives avoid Vixie’s nightmare scenario of the official IANA DNS system being supplanted.  The theory of DNS fragmentation is simply unfounded.