My DNS Filtering Research before House SOPA Panel


The US House of Representatives was debating the Stop Online Piracy Act (SOPA) bill yesterday and the issue of DNS Filtering and the alleged danger to the Internet was raised.  My research on DNS Filtering was referenced as a rebuttal to the claims that DNS Filtering would break the Internet.  My past writings have discussed this topic in detail on a very technical level, but now is a good time to update and summarize the findings.

Background

DNS Filtering is a technological solution being proposed by the Senate Protect IP Act and the House SOPA bill that would require broadband providers to filter out (block) DNS records for websites ordered taken down by a US Court.  The reason they were ordered taken down by a Court is because they were found to be infringing copyrights or selling counterfeit goods.

DNS, or Domain Name System, in lay terms is basically the Internet’s phone book.  It takes domain names like Microsoft.com and translates them to a machine-routable Internet Protocol (IP) address.  Human users of the Internet use the domain name; the IP addresses and the DNS mechanism are all handled under the hood.  When the DNS is blocked for a certain website (its domain name), it makes access to that website difficult without the end user making an active effort to bypass the block.

Why the assertions against DNS filtering are wrong

The key arguments opposing DNS Filtering are:

  • DNS Filtering is easily bypassed
  • DNS Filtering would break Internet Cybersecurity
  • DNS Filtering would fracture the Internet

Bypassing DNS Filtering is moot

The claim that DNS Filtering can easily be bypassed by content pirates is misguided because it fails to recognize the purpose of DNS Filtering.  The purpose of DNS Filtering is not to stop end users from pirating content, the purpose is to stop counterfeit goods and copyright infringing websites from posing as legal sites and charging paying customers for advertising time or direct compensation.  The people who pirate content are going to use the no-fee no-ad peer-to-peer (P2P) alternatives.  The people who pay to access these blocked websites were paying customers who may have had no idea they were buying pirated or counterfeit goods.  DNS Filtering informs those users (essentially victims) that the website was taken down by the courts for illegal activity.  Anyone who would bypass the DNS Filter probably wouldn’t be going there in the first place because they can get the content free.

DNS Filtering doesn’t break Internet Cybersecurity

The engineers opposed to DNS Filtering claim that it would break the security extension standard for DNS, called DNSSEC, and thereby break Internet Cybersecurity.  Their reasoning is that a website whose DNS was blocked by court order cannot operate in secure DNSSEC mode.  I refuted this argument in my paper, pointing out that the purpose of the court order is to completely break access to those websites whether they were running in non-secure DNS mode or secure DNSSEC mode.  When I debated the engineers opposed to DNS Filtering at the Internet Governance Forum, those engineers insisted that DNS Filtering breaks DNSSEC.

This makes it seem like there are opposing engineers making these conflicting assertions:

  • Stephen Crocker and other engineers opposed to DNS Filtering continued to insist that DNS Filtering breaks DNSSEC
  • I claim that DNS Filtering only breaks DNS and DNSSEC for websites that were ordered to be blocked and broken by a US Court

But if we examine these two statements, they are not conflicting at all – both statements are true.  The difference is that the latter statement by me is more specific, and was not refuted.  Where we differed is our interpretation of these statements.  Crocker et al. interpreted this to mean that it constitutes a break of Internet cybersecurity and of the adoption of the DNSSEC standard.  I interpreted this to mean that DNS Filtering has nothing to do with DNSSEC operation on the rest of the Internet and does not affect the DNSSEC standards process or adoption.

Since Crocker et al never explained how DNS Filtering would break DNSSEC for the rest of the Internet, it is clear that they are overreaching in their conclusions.
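As an added toy model (not from the post; an HMAC stands in for the RRSIG/DNSKEY chain, and the zone names, keys, addresses and blocklist are constructed), this shows the point the two statements above share: a validating client gets SERVFAIL for a filtered name because the resolver holds no zone key and cannot sign its rewritten answer, while every other signed zone validates exactly as before.

```python
import hashlib
import hmac

# Constructed zone keys: stand-in for the DNSKEY/DS trust chain a real validator
# builds from the root trust anchor. A filtering resolver does not hold them.
ZONE_KEYS = {"example.com.": b"constructed-zone-key-1",
             "shop.example.": b"constructed-zone-key-2"}

def canonical(name, rtype, rdata):
    """Canonical form of an RRset, the data an RRSIG covers."""
    return f"{name} {rtype} {' '.join(sorted(rdata))}".encode()

def sign_rrset(name, rtype, rdata):
    """Stand-in for producing an RRSIG with the zone's private key."""
    return hmac.new(ZONE_KEYS[name], canonical(name, rtype, rdata), hashlib.sha256).hexdigest()

# Constructed authoritative data, signed at the zone as DNSSEC requires.
AUTHORITATIVE = {
    ("example.com.", "A"): (["192.0.2.10"], sign_rrset("example.com.", "A", ["192.0.2.10"])),
    ("shop.example.", "A"): (["192.0.2.20"], sign_rrset("shop.example.", "A", ["192.0.2.20"])),
}
BLOCKLIST = {"shop.example."}          # constructed stand-in for a court-ordered list
BLOCK_PAGE = ["198.51.100.1"]           # documentation address of a notice page

def filtering_resolver(name, rtype):
    """Recursive resolver applying the filter: listed names get the notice page
    instead of the real answer, and the rewritten RRset carries no valid RRSIG."""
    if name in BLOCKLIST:
        return {"rdata": BLOCK_PAGE, "rrsig": None}
    rdata, rrsig = AUTHORITATIVE[(name, rtype)]
    return {"rdata": rdata, "rrsig": rrsig}

def non_validating_stub(name, rtype):
    """Ordinary client: trusts whatever the resolver returns, so it sees the notice page."""
    return ("NOERROR", filtering_resolver(name, rtype)["rdata"])

def validating_stub(name, rtype):
    """DNSSEC-aware client: an RRset from a signed zone that fails signature
    verification is treated as bogus and answered with SERVFAIL."""
    resp = filtering_resolver(name, rtype)
    key = ZONE_KEYS.get(name)
    if key is None:                      # unsigned zone: accepted as 'insecure'
        return ("NOERROR", resp["rdata"])
    expected = hmac.new(key, canonical(name, rtype, resp["rdata"]), hashlib.sha256).hexdigest()
    if resp["rrsig"] is None or not hmac.compare_digest(resp["rrsig"], expected):
        return ("SERVFAIL", [])
    return ("NOERROR", resp["rdata"])
```

The contrast is the operational one behind the debate: with DNSSEC validation on, the filtered name fails closed rather than showing the informative notice page, while unlisted zones are untouched.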

Since that debate on DNS Filtering at the Internet Governance Forum, Paul Vixie (one of the engineers who opposes DNS Filtering) has come out with another argument explaining how DNS Filtering supposedly breaks DNSSEC.  Vixie claims that web browsers implementing DNS and DNSSEC backup mechanisms are necessary for the success of the DNSSEC standard, and that the proposed DNS Filtering laws would make it illegal to implement web browser DNS backup.  DNS backup means that a failed (or blocked) DNS request could be bypassed, and this could be interpreted as an affront to DNS Filtering court orders, and somehow that would mean DNS backup would have to be made illegal.

But this is yet another overreaching technical argument that falls apart under even the most basic examination.  First, the Protect IP Act and SOPA bill never mention DNSSEC or DNS backup.  Even if those bills did something so crazy, there is no way those bills could practically outlaw DNS backup because every Internet connected device on the planet already has the built-in capability of DNS backup.  Second, DNS backup isn’t even mentioned in the DNSSEC standards (here and here) so there is no threat to the DNSSEC standardization process or adoption of the standard.

There has never been anything more than overreaching conclusions and uninformed opinion to support the claim that DNS Filtering threatens Cybersecurity, yet the claims of these engineers opposing DNS Filtering are so pervasive that these views are presented as fact.

The House of Representatives addressed the security issue

Members of the House recently addressed the claims that their bill would allegedly threaten Internet Cybersecurity by offering some amendments.  They made explicit assurances that their proposed bill should not be construed in any way to compromise or impose onerous obstacles to the security of the Internet.  The amendment read:

(5) NO IMPACT ON SECURITY OR INTEGRITY.— Nothing in title I shall be construed to authorize a court to require compliance with an obligation under section 102(c) in a manner that would impair the security or integrity of the domain name system or of the system or network operated by or on behalf of the party subject to the obligation.

Neither the House nor Senate bills in their original forms made any threatening moves to DNSSEC but this new amendment makes it explicit that there is no intent to impair security operations of DNS.

No Evidence of DNS Fracturing on the Internet

The claim of the engineers opposed to DNS Filtering is that if courts are allowed to block infringing websites, alternative DNS systems will pop up and replace the Internet’s official DNS service controlled by the Internet Assigned Numbers Authority (IANA) and fracture the Internet.  But this speculation of DNS fracturing has been proven wrong by real-world examples.

The Internet’s official IANA-controlled DNS already coexists with hundreds of thousands of private DNS services operated by organizations, businesses, governments, and militaries.  Those private DNS services have to coexist because wholesale replacement of the Internet’s DNS service is impractical, and there is no reason for infringing website operators to do any different.  When the US courts began seizing rogue websites a few years ago, a web browser plug-in called MAFIAAFire was created to bypass those court blocks by patching in the blocked domain names.  The plugin used the practical and easy method of listing addresses for the blocked domain names but did not attempt to replace the entire IANA DNS service, which would have been horrifically challenging.

Conclusions

Based on the fact that those engineers opposed to DNS Filtering have voiced their opposition to the Protect IP Act and SOPA bill for non-engineering reasons, it seems they are attempting to pass off non-engineering arguments as black-and-white scientific engineering arguments.  Those engineers certainly deserve to have their personal opinions heard on any policy debate, but those personal opinions should not be presented as engineering facts.

Regardless of an engineer’s position on the proposed Senate and House bills, whether opposed to or in favor of one or both bills, engineering should remain purely fact-driven.  Once the facts are considered, there is no engineering argument against DNS Filtering.