
DNS Heavyweights Raise Concern Over DNS Filtering 129

Posted by samzenpus
from the not-so-fast dept.
penciling_in writes "A group of DNS heavyweights have released a paper detailing serious concerns over the proposed DNS filtering requirements included as part of the bill recently introduced in the US Senate named Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (PROTECT IP Act). The group, which includes Paul Vixie, Dan Kaminsky, Steve Crocker, David Dagon and Danny McPherson, has detailed several serious technical and security concerns in the event that the mandated DNS filtering is enacted into law. Dan Kaminsky says: 'There are efforts afoot to manipulate the DNS on a remarkably large scale. The American PROTECT IP act contains several reasonable and well targeted remedies to copyright infringement. One of these remedies, however, is to leverage the millions of recursive DNS servers that act as accelerators for Internet traffic, and convert them into censors for domain names in an effort to block content.'"
  • by Yetihehe (971185) on Thursday May 26, 2011 @01:03PM (#36252664)
    Didn't anyone warn them that just blocking a domain name doesn't work?
    • by 1s44c (552956)

      Didn't anyone warn them that just blocking a domain name doesn't work?

      Yes. They didn't understand what a domain was or what blocking one meant.

    • But if it doesn't work, it'll only serve as a justification to introduce a tougher form of filtering. It's far easier politically to justify fixing a 'loophole' in an existing law than it is to propose something completely new. DNS blocks first, IP address blocks later.
  • by WillyWanker (1502057) on Thursday May 26, 2011 @01:04PM (#36252696)
    And what's to stop people from using a DNS server that's outside the US? Or even just punching in the IP address directly?
    • by i kan reed (749298) on Thursday May 26, 2011 @01:08PM (#36252738) Homepage Journal

      FBI agents with guns.

      • If you've got those, why do you need to fuck with DNS anyway?

        • Ok, well I was mostly joking, but you're forgetting the pareto principle.

          If they can eliminate 80% of file sharing with a 20% effort of blocking the DNS, the remainder can be treated just as I mentioned. If they had to expend that much effort on every person willing to google "movie torrents" and just click a link the FBI wouldn't be able to keep up.

      • Dogs [ohinternet.com] work too.

      • by sosume (680416)

        I can't wait for the feds to seize the root DNS servers for not complying.

        • by wkcole (644783)

          I can't wait for the feds to seize the root DNS servers for not complying.

          No need to do that. Killing a domain only requires changing the registry-level zone file. Also, as a legal matter the traditional gTLD registries operate under a contract with the federal government. Simply put, the feds own .com, .net, .edu, .gov, and .org, so they could rather easily and effectively knock domains out of those zones if they wanted to work that way. As for the roots, they wouldn't ever need to seize anything, they just (at worst) might need to get a new root zone deployed if they wanted

      • by Agripa (139780)

        ATF and the US Marshals are the ones with the guns. The FBI prefers fire.

    • What's a DNS server? (Score:5, Interesting)

      by billlava (1270394) on Thursday May 26, 2011 @01:12PM (#36252822) Homepage
      I think you greatly overestimate the technological literacy of the average American. Most people aren't going to have a clue how to change their DNS servers, but even for those who do understand how to get around such restrictions, this is still disturbing. This is just a way for government to get its foot in the door. Soon, they'll be mandating to ISPs which DNS servers their clients are allowed to use, and what IP ranges are 'legal' to access on the internet. Maybe I should just take off the tinfoil hat and relax, but I can't see how government getting involved in legislating the internet in ANY way is a good thing.
      • I didn't say I liked the idea, I only said that it would be highly inefficient, and as such shouldn't be done if for no other reason than it wouldn't have the desired effect. If someone wants to get to the Pirate Bay badly enough they'll figure out how to do it, as it's only a Google search away.
        • by billlava (1270394)
          I think we're pretty much on the same page here. I agree that DNS blocking will be very inefficient. As a matter of fact, it will probably just increase people's awareness of what DNS is, and how to take advantage of it.

          However, as I said before, I'm afraid that this is just a foot in the door. To borrow a phrase from paranoid philosophers of years past, this is a slippery slope. It's not hard to imagine regulators blocking swaths of IP address space or even filtering out specific pages on websites.
          • by JimFive (1064958)

            I'm afraid that this is just a foot in the door. To borrow a phrase from paranoid philosophers of years past, this is a slippery slope.

            I just wanted to point out that "slippery slope" is the name of a fallacy. The fact that you can imagine these regulations does not mean that this act necessarily leads to those regulations.

            We would do better to argue that this act itself is improper in itself.
            --
            JimFive

        • by 1s44c (552956)

          I didn't say I liked the idea, I only said that it would be highly inefficient, and as such shouldn't be done if for no other reason than it wouldn't have the desired effect. If someone wants to get to the Pirate Bay badly enough they'll figure out how to do it, as it's only a Google search away.

          If the bad guys have DNS they control who gets to see google.

          • by g0bshiTe (596213)
            To borrow from "Guns don't kill people..."

            Pirates don't illegally file share, it's ISP's that allow DNS that cause illegal file sharing.
      • by hedwards (940851)

        Yes, but are those really the sorts of folks that are downloading torrents of their favorite shows? I mean seriously.

      • by cdrguru (88047)

        Ah, but you miss the opportunity for folks to install the "New Unblocking DNS Mod" which grants you access to all sorts of pirated content. For only $10 you open up your computer and let some pirate application do whatever and you get access restored to the pirate sites you were being blocked from.

        Of course, you also just installed some software which returns your passwords to somewhere else. But that is why the software that changes the DNS servers is so cheap.

      • Another facet that wasn't mentioned in the paper is that as America attempts to legislate the internet so that the mega rich can become ultra rich, we simply remove ourselves from meaningful discussion about the problem and social view of file sharing.
        As a security buff I learned from experience that while the "rules", if examined, presented my ideal view of the world, or let others know what's actually important to me, my logs function as a mirror, telling me how things actually looked.
        On behalf of the mega r

      • by DarkOx (621550) on Thursday May 26, 2011 @03:41PM (#36254832) Journal

        Like the average schmuck was not going to be able to use dvdshrink? Come on, you know some 1337 kid is going to read up on DNS just enough to learn how to set which server is used on Windows, whip out his intro to VB.net book and whip up a little single form program with all his code in the DoIt.OnClick() handler to set the value to some server in The Republic of North Bumfuck.

        Then every moron on facebook will be sending it to each other and installing it. That is Week 1.

        Week 2 is when everyone's ISP just starts NAT'ing every packet with a dst port 53 tcp or udp to their own DNS server.

        Week 3 same kid who has now learned that port translation can be used for other things besides playing wow behind his Linksys router starts his Google quest for a COM object that implements SSH....

        Week 4... Frustration ensues

        Week 5 ... A new VB.net app is published!

        • by sycorob (180615)
          Nice! Please to feed parent many mod points.
        • by houghi (78078)

          Like the average schmuck was not going to be able to use dvdshrink?

          No, more like how the TSA started to fondle everybody (including terrorist and kids) and nobody did anything.

      • by Idbar (1034346)

        I think you greatly overestimate the technological literacy of the average American.

        I think you're underestimating the effort a young person will go through to get things online. Why would you think limewire, eDonkey, etc became popular?

        I think that if the price doesn't work for you, you'll look for cheaper alternatives. This is particularly true for kids from college down to school, that have absolutely no income, but are the largest consumers of popular media.

    • by sgt scrub (869860)

      DNS traffic is easily redirected. Typing in the IP address is definitely a workaround but it isn't plausible for someone to know the IP address of every place they want to go. sDNS is possible but, albeit pretty obviously, can be proxied with a MiM attack. What is needed is DNS over another protocol that is encrypted. One of the items on my to do list, and something that anyone can do instead of me, is to create a plugin for firefox that does DNS over HTTPS. I'm a little pissed with Mozilla right now

  • Not on my servers!! (Score:4, Interesting)

    by Eggplant62 (120514) on Thursday May 26, 2011 @01:09PM (#36252768)

    I guess it's time to get a read done of this nonsense and then see if I can't straighten my own elected officials out about how the tech works... *sigh*

    • Yeah, good luck. We went from Net Neutrality to this! With Net Neutrality they were saying, "Oh, leave it alone, it works fine. Don't force companies to not favor one site over another with premium QOS bandwidth." Now they're saying, "Stick it deep, as deep as possible, into the core of the Internet itself and control it all one record at a time!"

      Where are the Libertarians railing against Net Neutrality when you need them to rail against this? If any of you are one, I hope you bring this comparison up LO

      • by DarkOx (621550)

        I am anti-Net Neutrality (because I am a libertarian and I don't think government should tell anyone how to run their IP network). I am opposed to this because I don't think copyright infringement, which is inherently a civil offense, has any place in criminal code. I don't think the government has any place investigating civil matters between parties. If the *IAA has a problem with someone distributing materials owned by groups they represent, it's up to them to discover it, it's up to those groups to fil

  • by Anonymous Coward

    It's time to move away from centralized DNS, we can't leave the internet in the hands of the government. We need a compatible distributed DNS system.

    • by 1s44c (552956)

      It's time to move away from centralized DNS, we can't leave the internet in the hands of the government. We need a compatible distributed DNS system.

      I don't see how to implement such a thing when the bad guys can attach thousands of servers to the network and abuse the hell out of it.

      DNS though is a single point of failure attached to the internet and replacing it with something less abusable would be better.

  • by Anonymous Coward on Thursday May 26, 2011 @01:17PM (#36252900)

    Error 403: Forbidden
    Please be aware that copyright infringement is illegal. A copyright enforcement specialist will be contacting you shortly to schedule your mandatory attendance to one of our copyright education seminars.

    • by Anonymous Coward

      You forgot about the donation, erm, fee that would have to be made to the music/movie industry.

  • by Microlith (54737) on Thursday May 26, 2011 @01:23PM (#36252984)

    They don't matter. They haven't paid the requisite Campaign Contribution necessary for their opinions to be considered.

    • They don't matter. They haven't paid the requisite Campaign Contribution necessary for their opinions to be considered.

      I came here to say this. Saying these guys are "heavyweights" in DNS doesn't matter one whit - how many senators they own, that's the only "weight" that's going to matter in this debate.

  • Hilarious

    This root key would have to be generated and signed in some kind of ceremony, maybe with people wearing viking hats and carrying swords and torches, and the resulting public validation key would have to be published on the web and managed according to RFC 5011 so that it can roll forward throughout all time. Videos from this ceremony would go up on YouTube.

    http://www.circleid.com/posts/20110318_on_mandated_content_blocking_in_the_domain_name_system/ [circleid.com]

  • by dstarfire (134200) on Thursday May 26, 2011 @01:48PM (#36253414)
    Well, y'all can stop worrying now. It appears the Protect IP bill won't even be making it to the senate floor, thanks to Senator Ron Wyden (Ore). Check out the story over on Ars http://arstechnica.com/tech-policy/news/2011/05/sen-ron-wyden-to-place-a-hold-on-the-protect-ip-act.ars [arstechnica.com]
    • “In December of last year I placed a hold on similar legislation, commonly called COICA, because I felt the costs of the legislation far outweighed the benefits. After careful analysis of the Protect IP Act, or PIPA, I am compelled to draw the same conclusion. I understand and agree with the goal of the legislation, to protect intellectual property and combat commerce in counterfeit goods, but I am not willing to muzzle speech and stifle innovation and economic growth to achieve this objective. At the expense of legitimate commerce, PIPA’s prescription takes an overreaching approach to policing the Internet when a more balanced and targeted approach would be more effective. The collateral damage of this approach is speech, innovation and the very integrity of the Internet.

      "The Internet represents the shipping lane of the 21st century. It is increasingly in America’s economic interest to ensure that the Internet is a viable means for American innovation, commerce, and the advancement of our ideals that empower people all around the world. By ceding control of the Internet to corporations through a private right of action, and to government agencies that do not sufficiently understand and value the Internet, PIPA represents a threat to our economic future and to our international objectives. Until the many issues that I and others have raised with this legislation are addressed, I will object to a unanimous consent request to proceed to the legislation."

  • Cool thing is, you can refer to everything on the internet with your own naming convention.

    for foo in `seq 0 255`; do
      for bar in `seq 0 255`; do
        for bin in `seq 0 255`; do
          for baz in `seq 0 255`; do
            # one hosts-file line per IPv4 address: the address, then a random www name
            echo "$foo.$bar.$bin.$baz www${RANDOM}" >> /etc/hosts
          done
        done
      done
    done
  • P.R.O.T.E.C.T How much time and money is wasted on just coming up with an acronym like that?
  • Does this mean that if I have a HOSTS file, I have to filter through it, too?

    What if that HOSTS file is for an enterprise?

    What if that HOSTS file is published on the Internet for others to use?

    What about Ad-Blocking software that uses a system like HOSTS? If it is capable of blocking DNS, will it then be required to block censored hosts as well?

    What about VPN? Which side of the connection is responsible?

    What about cache? Will there be a mandate that all DNS caches everywhere only last for X amount of hours?
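The questions above all turn on the same fact: a name present in a HOSTS file (whether an enterprise override or an ad-blocking sinkhole list) is answered locally and never reaches the recursive resolver where the mandated filtering would sit. The following is an added example, not code from the thread: a small parser and lookup for the hosts-file format with the first-match, case-insensitive semantics the libc files backend uses, plus an audit helper that separates sinkhole entries (0.0.0.0 / ::) from real overrides. The sample file is constructed and uses documentation address ranges only.

```python
"""Minimal hosts-file parser and lookup (added example, not from the thread)."""
import ipaddress

# Constructed sample hosts file: normal entries, an ad-block style sinkhole,
# IPv6, comments and aliases. Addresses are from documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1    localhost
::1          localhost ip6-localhost
0.0.0.0      ads.example.net tracker.example.net   # ad-block style sinkhole
192.0.2.10   intranet.example.com intranet         # enterprise override
198.51.100.7 www.example.org
"""


def parse_hosts(text):
    """Return a list of (address, [names]) in file order.

    Comments (#...) and blank lines are skipped; names are lower-cased because
    hostname matching is case-insensitive. Malformed lines raise ValueError so
    an audit does not silently skip them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected an address and at least one name")
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address {fields[0]!r}") from exc
        entries.append((str(addr), [n.lower() for n in fields[1:]]))
    return entries


def lookup(entries, name, family=None):
    """First matching line wins, like the resolver's files backend.

    family: None, 4 or 6 to restrict to one address family.
    Returns the address as a string, or None if the name is not in the file
    (at which point a real resolver would fall through to DNS).
    """
    name = name.lower().rstrip(".")
    for addr, names in entries:
        if family is not None and ipaddress.ip_address(addr).version != family:
            continue
        if name in names:
            return addr
    return None


def sinkholed(entries):
    """Names mapped to the unspecified address (0.0.0.0 or ::), i.e. blocked locally.

    Everything else in the file is an override that answers the name locally
    instead of from the upstream resolver.
    """
    return sorted(n for addr, names in entries
                  if ipaddress.ip_address(addr).is_unspecified
                  for n in names)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for q in ("localhost", "ADS.example.net", "intranet", "www.example.org.", "nope.example"):
        print(f"{q:20} -> {lookup(table, q)}")
    print("sinkholed:", sinkholed(table))
```

Run it against a real file with `parse_hosts(open("/etc/hosts").read())`; `sinkholed()` then lists the names an ad-blocking list has blackholed, and `lookup()` shows which names would be answered before any resolver-side filter is consulted.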

  • Congratulations. The US Senate has just guaranteed that the DNS will fracture. Nice going guys and gals. :(
    • by Coren22 (1625475)

      What is the problem? The problem is that companies want to use Chinese laws but have a .com domain. .com is a US TLD, so it falls under the laws of the US. If you want to sell counterfeit products in China, or fake drugs in Canada, then get a TLD from one of those countries, then the US laws can't touch you. I don't agree with this law, but it isn't like it matters for any other country's TLD, just the US TLDs.

      • The problem is that there are going to be two DNS. The official one maintained by the governments and the underground one maintained by those who believe in Freedom of Speech. There is nothing technically difficult in having many DNS. It has only been the convenience of having everything in one list that has prevented the breakup. But now, there is a reason for it to happen.
  • I would listen to Kaminsky, the man saved the internet from a DNS vulnerability just a few years ago when he discovered the flaw in DNS and came up with a patch and solution to the issue. So I guarantee he knows more about DNS and security than Congress and the greedy and annoying RIAA.
  • We simply need a new URI scheme. Let us link to a name that is not in the "central root" of the DNS.
    dig:nameserver.example.com;http://mywebsite.lol

    Use the normal DNS root to bootstrap names of nameservers.
