My DNS Filtering Research before House SOPA Panel

The US House of Representatives was debating the Stop Online Piracy Act (SOPA) bill yesterday and the issue of DNS Filtering and the alleged danger to the Internet was raised.  My research on DNS Filtering was referenced as a rebuttal to the claims that DNS Filtering would break the Internet.  My past writings have discussed this topic in detail on a very technical level, but now is a good time to update and summarize the findings.


DNS Filtering is the technological measure proposed by the Senate Protect IP Act and the House SOPA bill.  It would require broadband providers to block DNS resolution of websites that a US court has ordered taken down because they were found to be infringing copyrights or selling counterfeit goods.

DNS, the Domain Name System, is in lay terms the Internet's phone book.  It takes a human-readable domain name and translates it to the machine-routable Internet Protocol (IP) address that the network actually uses.  Users type the domain name; the IP addresses and the DNS lookup are handled under the hood.  When the DNS entry for a website (its domain name) is blocked, the website becomes difficult to reach unless the end user makes an active effort to bypass the block.

Why the assertions against DNS filtering are wrong

The key arguments opposing DNS Filtering are:

  • DNS Filtering is easily bypassed
  • DNS Filtering would break Internet Cybersecurity
  • DNS Filtering would fracture the Internet

Bypassing DNS Filtering is moot

The claim that DNS Filtering can easily be bypassed by content pirates is misguided because it fails to recognize the purpose of DNS Filtering.  The purpose of DNS Filtering is not to stop end users from pirating content, the purpose is to stop counterfeit goods and copyright infringing websites from posing as legal sites and charging paying customers for advertising time or direct compensation.  The people who pirate content are going to use the no-fee no-ad peer-to-peer (P2P) alternatives.  The people who pay to access these blocked websites were paying customers who may have had no idea they were buying pirated or counterfeit goods.  DNS Filtering informs those users (essentially victims) that the website was taken down by the courts for illegal activity.  Anyone who would bypass the DNS Filter probably wouldn’t be going there in the first place because they can get the content free.

DNS Filtering doesn’t break Internet Cybersecurity

The engineers opposed to DNS Filtering claim that it would break DNSSEC, the security extension standard for DNS, and thereby break Internet cybersecurity.  The basis of the claim is that a website whose DNS is blocked by court order cannot be reached in secure DNSSEC mode.  I refuted this argument in my paper, pointing out that the purpose of the court order is to break access to those websites completely, whether they were being resolved in non-secure DNS mode or in secure DNSSEC mode.  When I debated the engineers opposed to DNS Filtering at the Internet Governance Forum, they continued to insist that DNS Filtering breaks DNSSEC.

This makes it seem as if opposing engineers are making these conflicting assertions:

  • Stephen Crocker and other engineers opposed to DNS Filtering continued to insist that DNS Filtering breaks DNSSEC
  • I claim that DNS Filtering only breaks DNS and DNSSEC for websites that were ordered to be blocked and broken by a US Court

But if we examine these two statements, they are not conflicting at all; both statements are true.  The difference is that the latter statement, mine, is more specific, and it was not refuted.  Where we differed was in our interpretation of these statements.  Crocker et al. interpreted them to mean that DNS Filtering breaks Internet cybersecurity and harms adoption of the DNSSEC standard.  I interpreted them to mean that DNS Filtering has no effect on DNSSEC operation for the rest of the Internet and does not affect the DNSSEC standards process or its adoption.

Since Crocker et al never explained how DNS Filtering would break DNSSEC for the rest of the Internet, it is clear that they are overreaching in their conclusions.

Since that debate at the Internet Governance Forum, Paul Vixie (one of the engineers who opposes DNS Filtering) has offered another argument for how DNS Filtering supposedly breaks DNSSEC.  Vixie claims that web browsers implementing DNS and DNSSEC backup mechanisms are necessary for the success of the DNSSEC standard, and that the proposed DNS Filtering laws would make it illegal to implement DNS backup in a web browser.  DNS backup here means that a client whose DNS request fails (or is blocked) retries through a different resolver; this could be read as circumventing a DNS Filtering court order, and from that it is argued that DNS backup would have to be made illegal.

But this is yet another overreaching technical argument that falls apart under even the most basic examination.  First, the Protect IP Act and the SOPA bill never mention DNSSEC or DNS backup.  Even if those bills attempted something so drastic, there is no practical way to outlaw DNS backup, because every Internet-connected device on the planet already has the built-in capability to use an alternate DNS server.  Second, DNS backup is not mentioned in the DNSSEC standards at all, so there is no threat to the DNSSEC standardization process or to adoption of the standard.
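
The two sections above turn on two mechanics: a block applies per name, and "DNS backup" is simply a client retrying through another resolver.  The model below, added here as an illustration and not code from this post or from any of the engineers it names, makes both concrete.  It stands in for DNSSEC signatures with HMAC-SHA256 under a constructed zone key, uses RFC 2606 reserved names and a hypothetical block list, and compares two ways a resolver can apply the list: answering REFUSED (RFC 1035), which leaves the validator nothing to check, and substituting an address, which yields a response a validating client must treat as bogus.

```python
import hashlib
import hmac

# Stand-in for DNSSEC signing. Real DNSSEC uses public-key RRSIG records validated
# against a DNSKEY/DS chain; HMAC-SHA256 with a constructed zone key is used here only
# so the example runs on the Python standard library. The validation logic has the
# same shape: an answer is SECURE only if the zone owner produced its signature.
ZONE_KEY = b"example-zone-signing-key (constructed, not a real key)"


def sign_rrset(name, rdata):
    """Return the zone owner's signature over one RRset (name + record data)."""
    return hmac.new(ZONE_KEY, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()


# Constructed signed zone (RFC 2606 reserved names): name -> (rdata, signature).
SIGNED_ZONE = {
    name: (rdata, sign_rrset(name, rdata))
    for name, rdata in {
        "shop.example.": "192.0.2.10",
        "news.example.": "192.0.2.20",
        "rogue.example.": "192.0.2.66",  # the name a court order will block
    }.items()
}

BLOCKED = {"rogue.example."}  # hypothetical court-ordered block list


def filtering_resolver(name, blocked=frozenset(), mode="refused"):
    """Recursive resolver that applies a block list before answering.

    mode="refused": answer RCODE REFUSED (RFC 1035, 'refused for policy reasons').
    mode="forge":   substitute a takedown-notice address without the zone's signature.
    Names not on the list are answered from the signed zone data unchanged.
    """
    if name in blocked:
        if mode == "refused":
            return {"rcode": "REFUSED"}
        return {"rcode": "NOERROR", "rdata": "203.0.113.1", "sig": "takedown-notice"}
    rr = SIGNED_ZONE.get(name)
    if rr is None:
        return {"rcode": "NXDOMAIN"}
    return {"rcode": "NOERROR", "rdata": rr[0], "sig": rr[1]}


def validate(name, response):
    """Validating client: SECURE, BOGUS, or the non-answer RCODE the resolver returned."""
    if response["rcode"] != "NOERROR":
        return response["rcode"]  # REFUSED / NXDOMAIN carry no data to validate
    expected = sign_rrset(name, response["rdata"])
    return "SECURE" if hmac.compare_digest(expected, response["sig"]) else "BOGUS"


def resolve_with_fallback(name, resolvers):
    """'DNS backup': ask each resolver in turn; skip refusals and bogus answers."""
    for resolver in resolvers:
        response = resolver(name)
        status = validate(name, response)
        if status in ("SECURE", "NXDOMAIN"):
            return status, response.get("rdata")
    return "UNRESOLVED", None


def isp_refusing(name):
    return filtering_resolver(name, BLOCKED, "refused")


def isp_forging(name):
    return filtering_resolver(name, BLOCKED, "forge")


def unfiltered(name):
    return filtering_resolver(name)


def demo():
    """Run the scenarios discussed in the text and return their outcomes."""
    return {
        # Names not on the list validate exactly as before.
        "shop_via_filtering_isp": validate("shop.example.", isp_refusing("shop.example.")),
        # The blocked name gets a policy refusal; nothing is forged, nothing is BOGUS.
        "rogue_refused": validate("rogue.example.", isp_refusing("rogue.example.")),
        # A resolver that substitutes an answer instead produces a BOGUS result.
        "rogue_forged": validate("rogue.example.", isp_forging("rogue.example.")),
        # Denial of existence for a name that was never in the zone still works.
        "missing_name": validate("missing.example.", isp_refusing("missing.example.")),
        # 'DNS backup': the client retries through an unfiltered resolver.
        "rogue_with_fallback": resolve_with_fallback("rogue.example.", [isp_refusing, unfiltered]),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24} -> {outcome}")
```

Names that are not on the list validate exactly as they would without the filter, and the blocked name resolves again only when the client deliberately retries through an unfiltered resolver, which is what the "DNS backup" argument is about.  The substitution case is the one practitioners should watch for: a resolver that rewrites answers rather than refusing them is indistinguishable, to a validator, from an attacker forging answers.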

Nothing more than overreaching conclusions and uninformed opinion has ever been offered to support the claim that DNS Filtering threatens cybersecurity, yet the claims of these engineers are so pervasive that their views are presented as fact.

The House of Representatives addressed the security issue

Members of the House recently addressed the claim that their bill would threaten Internet cybersecurity by offering amendments.  They gave explicit assurance that the proposed bill is not to be construed in any way that would compromise, or impose onerous obstacles on, the security of the Internet.  The amendment reads:

(5) NO IMPACT ON SECURITY OR INTEGRITY.— Nothing in title I shall be construed to authorize a court to require compliance with an obligation under section 102(c) in a manner that would impair the security or integrity of the domain name system or of the system or network operated by or on behalf of the party subject to the obligation.

Neither the House nor the Senate bill in its original form made any move against DNSSEC, but this amendment makes it explicit that there is no intent to impair the security operation of DNS.

No Evidence of DNS Fracturing on the Internet

The engineers opposed to DNS Filtering claim that if courts are allowed to block infringing websites, alternative DNS systems will spring up to replace the Internet's official DNS root, which is controlled by the Internet Assigned Numbers Authority (IANA), and thereby fracture the Internet.  But this speculation about DNS fracturing has been proven wrong by real-world examples.

The Internet's official IANA-controlled DNS already coexists with hundreds of thousands of private DNS services operated by organizations, businesses, governments, and militaries.  Those private DNS services coexist with it because wholesale replacement of the Internet's DNS is impractical, and there is no reason for infringing website operators to do any different.  When US courts began seizing rogue websites a few years ago, a web browser plug-in called MAFIAAFire was created to bypass those court blocks by patching in the blocked domain names.  The plug-in used the practical and easy method of keeping its own list of addresses for the blocked domain names; it did not attempt to replace the entire IANA DNS service, which would have been horrifically challenging.


Given that the engineers opposed to DNS Filtering have voiced their opposition to the Protect IP Act and the SOPA bill for non-engineering reasons, it appears they are attempting to pass off non-engineering arguments as black-and-white scientific engineering arguments.  Those engineers certainly deserve to have their personal opinions heard in any policy debate, but those personal opinions should not be presented as engineering facts.

Regardless of an engineer's position on the proposed Senate and House bills, whether opposed to or in favor of one or both, engineering should remain purely fact-driven.  Once the facts are considered, there is no engineering argument against DNS Filtering.


  • nucrash

    I am more concerned about using DNS filtering as censorship of the internet as a whole. Granted, I am not a content provider, but I know already how much search controls what people see, but to lock things down by DNS filtering as well. But hey, it’s alright if we are protecting someone because that seems to be all we are cared about.

  • George Ou

    Nucrash, your comments are out of the engineering scope of this post but I’ll be happy to respond.

    The word “censorship” is overused and it is misused here. DNS Filtering affects foreign domains, and whose owners refuse to respond to court inquiries. It does not “censor” the Internet, and is far less invasive than the anti-spam DNS filtering mechanisms invented by Paul Vixie.

    I know that people are trying to call this “Chinese style censorship”, but really? I was born in China and I know what repression is, and this is not repression. This is about known counterfeit goods foreign websites being taken to court, and being taken offline. This is about Google profiting on directing search traffic to these sites, and Google has been fined $500 million for profiting on sending traffic to counterfeit drug sites.

    Censorship is about preventing someone from speaking at any venue.  Because a rogue website has been taken down that might include some legal content that might have to move to an alternative free site, that isn’t censorship.  That’s called a lawful society, the kind of society where police would stop a street vendor from selling pirated CDs and DVDs.

    • Andrew B

      “This is about Google…..” — so SOPA is about taking Google down? And regarding your reference to MAFIAAFire, so SOPA is about taking Mozilla down? Tell me that SOPA doesn’t authorize taking those two down, or tell me that you believe both should go down.

      • Rob Dee

        Maybe it IS about taking Google (and Amazon and eBay and….) down…but maybe that is not a bad thing. Look, Google et al are partners in this selling of pirated goods and they are making $millions off it. At best they are complacent about it and at worst they are actively exploiting it for the $$$. Why shouldn’t they be forced to choose between being taken down or STOP HELPING PIRATES? Any half sane entity would choose the latter and, poof, problem solved and no need for these new laws.

        I own a small business that attempts to bring better products to the market for a lower price by using better designs and manufacturing processes. Do you realize how much those pirates damage even a tiny company like mine? I have to constantly chase the Asian pirates who sell copies of my products on these sites. They ship directly from Asia and usually don’t even pay the fair duty due on the goods. But no problem, I can just perform my due diligence and stop the sites selling my stuff, right? WRONG! there is no way to do that. No one in Asia cares to do it because they are making money off stealing my designs. And the US authorities don’t have the authority they would need to make it happen. I have even asked hackers, very good ones, to try to cripple these websites and they failed.

        So is this censorship? I am not trying to prevent you from knowing about it. I am only trying to prevent those pirates from selling stuff they stole from me. Is that unfair?

        I am no fan of the big, high-profile, consumer companies like Nike and Ralph Lauren but I do believe in the right of any company to protect its name and logo so that all of you out there, the consumers, know when you are buying from me and when you are buying from someone else. Even though it is the big companies that are leading the charge it affects tiny companies like mine too….AND every one of YOU out there who shop on the Net. Ever order a brand name item on the Net and get a piece of junk and then no response to your request for a refund? Better yet, ever get a call from an irate grandmother asking for a refund for a piece of junk that has your name in it but was not sold by you? Ever been threatened with a lawsuit and/or criminal action by that gal? Not fun trying to explain to her that I cannot refund her money because I never had it. She thinks I am a crook…and I can see why she would be suspicious of my lengthy, patient, and diligent attempts to explain the truth. That severely impacts my public image and grandma is stuck with the expensive junk. This is not victimless; we all feel the negative effects.

        And as for Google, I think your loyalty to them is misplaced. Just go ahead right now and do a search on Google. Pick any topic you want to search about and type it in right now. Invariably you will have to wade through thousands of baloney ads and fakers who PAID GOOGLE to try to elbow in on whatever topic was searched. Think I am wrong? just read about Google’s AdWords program and see how much they make (see that here: Many of the ads are obvious rip-offs…go ahead and sign up if you dare and you’ll see. And Google has not screened those rip-offs out yet they shouldn’t be responsible for their role in this sham?

        Google is nothing but an advertising company selling commercials. If they are going to take that money maybe they should be responsible for some of the damage that the content causes. Sure, everyone has the right to advertise but just look closely at the results of that Google search and you will see that Google shows you what someone pays them to show you and they hide what they are paid to hide. So they are just a bunch of media whores who will tell you ANYTHING for $75. And they shouldn’t be responsible for the consequences of that?

        But the flood of unscreened ads has a worse effect, IMO. If some legit, small entity, like a couple people trying to start a bridge club in Billings, Montana or a support group for cancer patients in LA or whatever valid topic for which you searched, then the flood of ads, many obvious and outright baloney, stops the legit people from getting their word out….UNLESS they pay big bucks. THAT sounds more like censorship to me…and of the worst kind.

        Sure, weeding out the bad ads can lead us down the slippery slope of censorship but some of them are just too obvious. Really, if some company in China is offering to sell Nike shoes and Nike tells the authorities it is unauthorized then do we really have to argue that they should be removed from the Net? Does anyone really object to that action? I am asking and really want to know if you do….and why.

        I still have not made a final decision about how much of the PIPA and SOPA bills I may support or fight but I am 100% sure there is SOME validity to the concepts behind them. True, the devil is in the details, as with all laws, so these need MUCH MORE INVESTIGATION AND TWEAKING before I would ever support them being passed but this is important stuff with real consequences. In reading quite a few postings today I don’t think the important topics are being addressed on this and other blogs. If you are one of the many people who are just knee-jerk reacting “…censorship…bad…end of discussion” then I think you are missing the real meat of the argument. I implore you to look at the details more closely. I have to believe that some of this behavior is stuff we all want to stop…it is just a matter of how to do it with no collateral infringement of rights to free speech.

  • Saul T

    Thanks so much for writing this. Fantastic expose of the lies being told by piracy profiteers and their supporters. Will be forwarding everywhere.

  • B. Alexander

    “Because a rogue website has been taken down that might include some legal content that might have to move to an alternative free site, that isn’t censorship.”

    The problem with this statement is that you qualify a rogue website to be ANY website not just one strictly dedicated to infringement of copyright. Even if it is a legitimate service and a single user is breaking TOS; legitimate users are punished by losing a service they may have needed or relied upon. “isn’t censorship”. That’s correct, but definitely gives the power to censor. For example, the power given to associations who would have people prosecuted for using songs in the background of their YouTube videos even though they are not trying to make or distribute content for profit. If you think there will not be abuse of this power you are sadly mistaken and are under the illusion that those who have this ability will be responsible with it. Unless you’re working to help fix the language of this bill you are not part of the solution but just making the problem worse and in the end, if it does come to pass, you’ll realize how wrong its inception was in its current state.

    BTW, attacking Google by saying they profited on the traffic of such sites and paid out huge fines just proves that the current system in place is working – they were found in fault and were required to pay – what more could the people want? Ah, but the government is not the RIAA or MPAA, they may not have seen any of this money and now with this bill I imagine they will. In the end, allowing these associations to dictate what they see as infringement and as what they see as allowable is too much power – as the saying goes Absolute Power Corrupts Absolutely. Primarily we’re seeing that it’s not about protecting the consumer or the Internet but rather about protecting profits – about the money and not the principle.

    Your writeup was about DNS filtering and arguing that it will not “break the Internet”; most people are not concerned with how it will be done, although they should, but more so about giving too much power and control to a small albeit powerful group. I hope you can appreciate these concerns and consider them when upholding your position in regard to use of DNS filtering as the method for blocking “rogue” sites.

  • George Ou

    “The problem with this statement is that you qualify a rogue website to be ANY website not just one strictly dedicated to infringement of copyright. Even if it is a legitimate service and a single user is breaking TOS;”

    No, you don’t understand the bill or how it works. It’s not just any site, it’s foreign domains. Moreover, it’s only after real attempts have been made to contact the site to get any user-uploaded content taken down, but the site refuses to respond to the request and refuses to respond to the courts. Only then is the foreign domain put on a take-down list. To claim that this affects Twitter or YouTube is outright misleading.

    Again, this article refutes the *engineering* claims. We can have a legitimate discussion about any due process issues or concerns about possibly onerous government mandates on Internet-related businesses, but we’re being misled by engineers claiming that this adversely affects the Internet on an engineering level, because some of those same engineers admit that DNS Filtering doesn’t affect the Internet on an engineering level.

  • B. Alexander

    @Saul T
    SO the opposing engineers are piracy profiteers? It’s ok for others to have a difference of opinion and not be a “supporter” of piracy or any other illegal activity. Just so ya know, bless your heart.

  • Erik Falor

    @Saul T: The notion that everyone opposed to SOPA is a “piracy profiteer” is a tired old straw-man argument. Please inform yourself and bring better contentions to the discussion.

    @George Ou: You make a more compelling case for DNS Filtering than I’ve heard anywhere else. However, I’m afraid that your nuanced analysis is lost on the Representatives who support SOPA. They (esp. Reps Goodlatte and Watt) frequently admit their ignorance on the technical issues and show absolutely no interest in increasing their understanding. This “I can’t be bothered with the details” attitude is unpleasant among personal company, but when it comes from our elected representatives it is scary, to say the least.

    Since you’re one of the handful of experts they keep citing, perhaps you can bend their ears and give them something substantive to say for the next round of discussions. Even if they still don’t understand it, the variety would be refreshing.

  • George Ou

    Here’s my main concern Erik. We have opponents of SOPA and PIPA who are wagging their fingers at the SOPA/PIPA proponents for a lack of understanding of the technical under-workings of the Internet, and they all keep circling back to this one research paper asserting that DNS Filtering will destabilize (speculatively) and break DNSSEC security. In fact they hinge their entire technical arguments on this and a large part of the media just repeats it as fact, and they only present this view.

    But this single paper does not even explain how DNS Filtering will affect websites that aren’t placed on a block list by a court, and its speculation on DNS fragmentation has been proven false by every real-world example. Worse still is the fact that one of the key backers Paul Vixie has in two documented occasions admitted that DNS Filtering does not break DNSSEC because the widely used DNS Filtering technology Vixie invented doesn’t. So we have key engineers signing papers claiming a breakage of DNSSEC who admit that it doesn’t break DNSSEC, and this same dubious paper is what the anti SOPA/PIPA crowd are hinging their technical arguments on.

  • Zoon

    Ou’s reputation as a shoddy writer of fact-refuting, intellectually embarrassing misinformation earns both him and ZDNet the dishonor of a Zoon award nomination for spectacularly bad work in promoting the regression of human achievement.

  • JustSomeGuy

    “The purpose of DNS Filtering is not to stop end users from pirating content” But that is SOPA’s stated purpose. If the action described within the bill does not effectively accomplish the bill’s stated purpose, then it does not belong in the bill.

  • George Ou

    ““The purpose of DNS Filtering is not to stop end users from pirating content” But that is SOPA’s stated purpose.”

    The stated purpose of SOPA and PIPA is to take action against site operators, not end users.

  • DNS Engineer

    “The engineers who are claiming that DNS Filtering would break the security extension standard for DNS called DNSSEC, and thereby break Internet Cybersecurity. This is because a website whose DNS was blocked by court order cannot operate in secure DNSSEC mode.”

    I’m afraid you do not exhibit a clear understanding of how DNSSEC works, at least beyond the superficial level. And because of this lack of understanding, your second statement completely mischaracterizes the issue.

    Here is the problem, in a nutshell.

    DNSSEC requires all of the DNS entries in a “zone” (such as a Top Level Domain, such as “.gov”), to be not only signed, but to be linked in a circular chain.

    Filtering out DNS responses for any single domain in a given “zone”, breaks the chain.

    There is a reason the chain exists, and it happens to be critical to how DNSSEC works. It exists so that the complete list of legitimate names in the zone can be validated, and so their details can be confirmed via signatures.

    Filtering a DNS entry makes that portion of the linking impossible to validate from a signature standpoint. A linkage covers a range of potential names which are not registered, and thus not valid.

    When the linkages are broken, it becomes impossible to validate other non-SOPA’d DNS names using DNSSEC. Those domains are then considered “bogus”, and when DNSSEC is widely used, those domains become unavailable.

    As soon as the first SOPA’d domain is blocked, a significant portion of DNSSEC will immediately break, because of this.

    If the first blocked domain, for example, happens to be, then anything after that in the alphabet would no longer be considered “secure” in DNSSEC.

    (In actual fact, the commonly deployed DNSSEC TLDs used a different chaining method, using hashes of names instead of names, but the same principle applies. Breaking the chain in any low hash value, will invalidate the majority of DNSSEC entries in a zone.)

    The circular linkage is fundamental to DNSSEC, and always has been. It in fact exists SPECIFICALLY to prevent the forgery of DNS names.

    So, one mechanism, as proposed (SOPA) for fighting forgeries, will COMPLETELY AND TOTALLY BREAK another anti-forgery mechanism, which is technical, strong, and to the maximum degree possible with today’s technology, highly resistant to any counter-measures.

    It flies in the face of common sense to use an ill-advised and incompatible means, for domestic purposes (USA only), to attempt to combat an international issue which itself uses a global technology.

    Maybe you can think about this, and see if you can rebut any of this, now that it has been explained.

    If I need to use smaller words and maybe draw some pictures, let me know.

    If you agree that the issues I raise here are (if taken at face value) insurmountable, I would appreciate you addressing this in a new article here, and sending that to the Congress/Senate folks who appear to listen to what you say.

    Unless, for instance, you don’t care about having an Internet on which to publish your forum/blog, or on which you write as a subject.

  • Bravo To DNS Engineer

    DNS Engineer just provided in a nutshell one of the most important technical problems with SOPA. I will be eagerly awaiting the author’s reply.

  • Still waiting

    Still waiting for a reply to DNS Engineer.

  • Richard Bennett

    DNS Engineer is both right and wrong. DNSSEC does have an iterator that verifies the non-existence of a given domain by linking existing domains to each other, that’s right.

    The part that’s wrong is the assumption that SOPA alters this linkage in any way. The bill has language that says the DNS filtering mechanism can’t affect DNSSEC, and the likely implementation is simply to mask the results of particular queries by responding with response code REFUSED (see RFC 1035 for information on the meaning of this response.)

    So the internal structure of the DNS database won’t be affected at all.

    • DNS Engineer

      The issue isn’t the internal structure of the DNS database. The issue is filtering, regardless of how it is done, what it excludes or includes, and whether or not it replaces answers with DOJ substitutes.

      It is subtle, in that all of this concerns security. The gist of this is that it is fundamentally impossible to distinguish the activities of the DOJ from another party (with presumably nefarious intentions).

      This cuts both ways. That is the problem. Once Pandora’s box (DOJ actions to subvert legitimate DNS answers) is open, that particular vector necessarily becomes available for attackers.

      The presumption here is that SOPA is mandating DNS filtering, as opposed to, say, DNS database alteration. Without altering the DNSSEC entries for the affected domain names, what gets returned in response to a query for the affected domain is either nothing (filtered) or fails DNSSEC validation (substituted data without correct signatures).

      DNSSEC requires proof of non-existence for domains which don’t exist, so blocking only the content will break DNSSEC; suppressing the DNSSEC portion of the answers along with a forged response also requires additional DNSSEC answers which reveal the forgery; blocking everything will eventually cause the recursive resolver to seek answers elsewhere (also required by RFC 1035, if we’re quoting authorities).

      It is also important to understand how DNS resolvers treat DNSSEC violations in answers. If DNSSEC is enabled, and an answer is received that fails to validate, it is treated exactly the same as if it hadn’t received an answer. It will try another AUTHORITATIVE server (not another RESOLVER).

      DNSSEC was designed to be robust in the face of deliberate attacks, which is why SOPA necessarily must be considered anti-DNSSEC.

      REGARDLESS of how the filtering is done, it runs afoul of DNSSEC.

      So, if the language in the bill says filtering must not break DNSSEC, then the bill says “don’t filter”. Which is pretty silly.

      NB – It is also important to understand what “seek answers elsewhere” means. For Top Level Domains (TLDs) this would mean, eventually, after getting non-answers everywhere it tries in the US, it would eventually ask servers for the TLD located outside of US jurisdiction. For root servers, the same would apply. And the answers given by those would not be filtered, so that other than significantly slowing down the DNS performance for US users, SOPA would be ineffective, unless all DNS traffic via an ISP were to be blocked.

      Now consider an attack on users, by someone “bad”, using similar mechanisms. The end user would eventually turn off DNSSEC, in order to get answers. This would satisfy SOPA, but ultimately would defeat DNSSEC, and be a piracy/phishing enabler.

      It is a logical consequence of the requirements of SOPA. Is that REALLY what the bill’s backers want?

      Meanwhile, non-US residents will have DNSSEC protecting them, which includes protecting them against site-forgery, a much bigger and more economically significant Internet danger.

      • Richard Bennett

        Sorry, DNS Engineer, but you clearly don’t understand how DNS works. It’s not the case that “what gets returned in response to a query for the affected domain is either nothing (filtered) or fails DNSSEC validation (substituted data without correct signatures).”

        There is a third choice: an error message that explains why the question isn’t going to be answered. Per RFC 1035, DNS name servers can answer five different ways to any request, and one of those answers is REFUSED, which means “The name server refuses to perform the specified operation for policy reasons.”

        That’s the response proposed for filtering DNS responses, and it has no effect on DNSSEC at all.
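
The chain that DNS Engineer and Richard Bennett disagree about can be modelled in a few lines.  The code below is added here as an illustration and is not part of either commenter's text; it models plain NSEC (sorted owner names) rather than the hashed NSEC3 chain mentioned above, uses RFC 2606 reserved names with a hypothetical block list, and models a recursive resolver that applies the list by answering REFUSED on the query name, the implementation Bennett describes.  It does not model a resolver that substitutes answers: a substitute would not carry the zone's signatures and would fail validation.

```python
# Constructed model of an NSEC chain and of a recursive resolver that applies a
# block list by answering REFUSED. Plain NSEC (sorted owner names) is modelled;
# NSEC3 chains hashed names instead, but the covering logic has the same shape.


def canonical_key(name):
    """RFC 4034 canonical ordering: compare labels right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def build_nsec_chain(names):
    """Link every owner name to the next in canonical order; the last wraps to the first.

    This is authoritative zone data, produced and signed by the zone owner when the
    zone is signed. Nothing a recursive resolver does later changes it.
    """
    ordered = sorted(names, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def nsec_covers(owner, nxt, qname):
    """True if the NSEC record owner -> nxt proves that qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around record from the last name back to the apex


def prove_nonexistence(chain, qname):
    """Return the (owner, next) NSEC record covering qname, or None if qname exists."""
    if qname in chain:
        return None
    for owner, nxt in chain.items():
        if nsec_covers(owner, nxt, qname):
            return (owner, nxt)
    raise ValueError("incomplete chain")  # unreachable for a complete chain


def refusing_resolver(chain, qname, blocked):
    """Recursive resolver applying a block list with RCODE REFUSED (RFC 1035).

    Blocked query names get a policy refusal and no zone data at all. Every other
    query is answered from the unchanged, signed zone data, including the NSEC
    record that proves a name does not exist.
    """
    if qname in blocked:
        return ("REFUSED", None)
    if qname in chain:
        return ("NOERROR", None)
    return ("NXDOMAIN", prove_nonexistence(chain, qname))


# Constructed zone (RFC 2606 reserved names) and hypothetical block list.
ZONE_NAMES = ["example.", "a.example.", "rogue.example.", "zzz.example."]
BLOCKED = {"rogue.example."}


def nsec_demo():
    """Answer the queries discussed in the thread through the refusing resolver."""
    chain = build_nsec_chain(ZONE_NAMES)
    return {
        # The chain as the zone owner signed it; the resolver's block list never rewrites it.
        "chain": chain,
        # The blocked name: policy refusal, no chain data involved.
        "rogue": refusing_resolver(chain, "rogue.example.", BLOCKED),
        # A name sorting after the blocked one still exists and still resolves.
        "zzz": refusing_resolver(chain, "zzz.example.", BLOCKED),
        # Non-existence of a neighbouring name is still provable; the covering
        # record happens to name rogue.example. as its 'next' owner.
        "missing": refusing_resolver(chain, "missing.example.", BLOCKED),
        # Same for a name that sorts after the blocked one, and for the wrap-around.
        "test": refusing_resolver(chain, "test.example.", BLOCKED),
        "zzzz": refusing_resolver(chain, "zzzz.example.", BLOCKED),
    }


if __name__ == "__main__":
    for query, outcome in nsec_demo().items():
        print(f"{query:8} -> {outcome}")
```

The chain is built once from the zone's own name list and is the zone owner's signed data; the resolver's policy decision never rewrites it, so every non-existence proof, including the one whose covering record names rogue.example. as its next owner, is served unchanged, and names that sort after the blocked one resolve normally.  Whether a given deployment filters on the query name only, as this model does, is the question to ask of any real implementation.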


  • DNS Engineer

    The bill does not specify REFUSED, and therein lies the problem.

    It allows the Service Provider to use ANY MEANS THEY CHOOSE, and gives safe harbor to the Service Provider.

    This means any Service Provider using any other means (e.g. black hole routing of an entire GeoIP region, like China) is meeting the bill’s requirements at minimum effort to themselves. Users of that Service Provider are not given “standing” to contest the approach used by the Service Provider (regardless of approach), nor are any affected third party domains.

    The “Balkanization” that other DNS folks write about has as much to do with the potentially large number of methods used by Service Providers, and the scope of the blocking methods they use, as it does with the details on DNS techniques.

    If the view of the Internet differs depending on where one is looking from, especially given the de-facto duopoly of phone and cable companies in most US service provider markets, then the result is going to be chaotic, unpredictable, and fractured access to third party sites.

    When you combine the disparate DNS results that are likely to be received when using WiFi hot spots, mobile devices, roaming on mobile services, and whatever other methods get used for access, and consider the support load to help desks from naive users who don’t understand what is happening, you can see the results.

    It will be a death of a thousand paper cuts, for the US consumer internet.

    Now, if the bills in question mandated the specific method (REFUSED), centralized the administration of the black lists, with effective oversight by independent administrators, then the issue would merely be a First Amendment one, and the technical community would likely have far fewer concerns.

    There is a huge difference between “allowing” REFUSED to be one mechanism available, and “requiring” that only REFUSED is used to implement filtering. If you consider the analogy between filtering DNS and use-of-force during criminal arrests, with “REFUSED” being analogous to “NON-LETHAL FORCE”, you can see why the difference between “allowed” and “required” is critical. If police arresting non-violent protesters are “REQUIRED” to use “NON-LETHAL” force, everyone is likely to accept this. If, on the other hand, police are merely “ALLOWED” to use “NON-LETHAL” force, that suddenly is likely to arouse a lot of objections.

    Unless REFUSED is put into the bill, I do not see the objections going away.

  • artistrights

    @DNS Engineer:

    Adding “refused” to the bill seems like a very easy fix to a problem dramatically described as the end of the internet as we know it. My instinct is that you didn’t know about this option. Regardless, this is the type of dialogue we need to have with our representatives. The answer should not be “kill the bill” when, as you now admit, a fairly simple change will make this bill completely workable (from an engineering position, at least).

  • Richard Bennett

    The bill inevitably leads to the conclusion that REFUSED is the only way to go, because it also instructs ISPs not to harm DNSSEC.

    I don’t feel comfortable legislating protocol response codes in acts of Congress, so this is going to be done in terms of a separate best practices process.

  • DNS Engineer

    I’m sorry to say, but this speaks volumes to a lack of real-world knowledge of Service Provider networks.

    Attempting to use “best practices” for this issue, when the underlying issue is so technical, shies away from the only actual workable means to both implementation by SPs, and acceptable language for the wider technical community (esp. DNS experts).

    To understand the extreme skepticism over “best practices”, it is necessary to be familiar with the canonical “best practices” document, widely supported in the technical community, but which has failed to achieve widespread adoption in the SP community, in the last 11 years — BCP 38.

    Anyone following this discussion is urged to google it, and read, for example, mailing list archives for network operators (NANOG), to see how and why “best practices” tend to fail, even when those are so easy to implement, with little or no capital or operational costs.

    BCP 38 relates to blocking “spoofed IP” traffic, which has been the largest contributor, historically, to Denial of Service (DoS) attacks, among other things.

    So, I have to say, because “I don’t feel comfortable” isn’t a terribly defensible reason for not incorporating REFUSED into the language of the bill.

  • Richard Bennett

    Again, I don’t want Congress spelling out the details of RCODEs since new ones may be forthcoming, the DNS protocol may be updating, and there may be a better way to do it with the tools we have now.

    Although I have to admit that the idea of Congress legislating via code or pseudo-code is kinda funny from a making-Larry-Lessig’s-head-explode POV.

  • DNS Engineer

    The DNS group for DNS protocol updates is being shut down as of March. That means there will be no updates, no new RCODES, and no reason *not* to encode the REFUSED into the legislation. Please make sure your employers are aware of the relevant facts.

    The IETF is an open book, everything related to DNS and the development of it within the IETF can easily be verified.

    If there are better ways that don’t break DNSSEC, it would be better to shelve the legislation until those are identified, than to rush in legislation that does not require the use of whatever the best tool is.

    If there are no better things than REFUSED, then put it in the legislation. Simple as that.

  • Richard Bennett

    IANA will still assign numbers, so the status of protocol isn’t an issue.

    BTW, I don’t have any employers with a dog in this fight, the technical recommendations I make here are my own. I really don’t like Internet-enabled crime; funny, I know, but that’s just me.

  • Christophe T.

    Just shut down the whole internet in the US – the rest of the world won’t miss it all that much 🙂

    • Richard Bennett

      I’ll get right on that, sounds like a great idea. I’ll start by creating 10 million web sites selling counterfeit drugs.

      • Moot Mash

        Well, with SOPA breaking DNSSEC, that would be a far easier task to accomplish

        • Richard Bennett

          Fortunately, SOPA has no effect on DNSSEC.

  • Catherine A. Fitzpatrick

    Finally, an engineer who stands up to this hysterical edge-casing we’ve seen for months from other Internet engineers. Thank you, this is a public service.

  • William Rogers

    Please be aware that putting too much info into your hosts file can slow down your browsing experience (on start-up). I edited the HOST file to redirect stupid pop-ups from certain websites to my local host (

    I would however prefer the OpenDNS option. I live in the Netherlands and currently there is a lawsuit against providers concerning “the piratebay”
