DNS Heavyweights Raise Concern Over DNS Filtering
penciling_in writes "A group of DNS heavyweights have released a paper detailing serious concerns over the proposed DNS filtering requirements included as part of the bill recently introduced in the US Senate named Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (PROTECT IP Act). The group, which includes Paul Vixie, Dan Kaminsky, Steve Crocker, David Dagon and Danny McPherson, has detailed several serious technical and security concerns in the event that the mandated DNS filtering is enacted into law. Dan Kaminsky says: 'There are efforts afoot to manipulate the DNS on a remarkably large scale. The American PROTECT IP act contains several reasonable and well targeted remedies to copyright infringement. One of these remedies, however, is to leverage the millions of recursive DNS servers that act as accelerators for Internet traffic, and convert them into censors for domain names in an effort to block content.'"
Blocking domains? Very effective... (Score:4, Informative)
Re: (Score:2)
Re: (Score:3)
Didn't anyone warn them that just blocking a domain name doesn't work?
Yes. They didn't understand what a domain was or what blocking one meant.
Re: (Score:2)
Ineffective (Score:3)
Re:Ineffective (Score:4, Funny)
FBI agents with guns.
Re: (Score:2)
If you've got those, why do you need to fuck with DNS anyway?
Re: (Score:2)
Ok, well I was mostly joking, but you're forgetting the pareto principle.
If they can eliminate 80% of file sharing with a 20% effort of blocking the DNS, the remainder can be treated just as I mentioned. If they had to expend that much effort on every person willing to google "movie torrents" and just click a link the FBI wouldn't be able to keep up.
Re: (Score:2)
Dogs [ohinternet.com] work too.
Re: (Score:2)
I can't wait for the feds to seize the root DNS servers for not complying.
Re: (Score:2)
I can't wait for the feds to seize the root DNS servers for not complying.
No need to do that. Killing a domain only requires changing the registry-level zone file. Also, as a legal matter the traditional gTLD registries operate under a contract with the federal government. Simply put, the feds own .com, .net, .edu, .gov, and .org, so they could rather easily and effectively knock domains out of those zones if they wanted to work that way. As for the roots, they wouldn't ever need to seize anything, they just (at worst) might need to get a new root zone deployed if they wanted
Re: (Score:2)
ATF and the US Marshals are the ones with the guns. The FBI prefers fire.
What's a DNS server? (Score:5, Interesting)
Re: (Score:2)
Re: (Score:1)
However, as I said before, I'm afraid that this is just a foot in the door. To borrow a phrase from paranoid philosophers of years past, this is a slippery slope. It's not hard to imagine regulators blocking swaths of IP address space or even filtering out specific pages on websites.
Re: (Score:2)
I'm afraid that this is just a foot in the door. To borrow a phrase from paranoid philosophers of years past, this is a slippery slope.
I just wanted to point out that "slippery slope" is the name of a fallacy. The fact that you can imagine these regulations does not mean that this act necessarily leads to those regulations.
We would do better to argue that this act itself is improper in itself.
--
JimFive
Re: (Score:2)
I didn't say I liked the idea, I only said that it would be highly inefficient, and as such shouldn't be done if for no other reason than it wouldn't have the desired effect. If someone wants to get to the Pirate Bay badly enough they'll figure out how to do it, as it's only a Google search away.
If the bad guys have DNS they control who gets to see google.
Re: (Score:2)
Pirates don't illegally file share, it's ISP's that allow DNS that cause illegal file sharing.
Re: (Score:2)
Yes, but are those really the sorts of folks that are downloading torrents of their favorite shows? I mean seriously.
Re: (Score:2)
Re: (Score:2)
Ah, but you miss the opportunity for folks to install the "New Unblocking DNS Mod" which grants you access to all sorts of pirated content. For only $10 you open up your computer and let some pirate application do whatever and you get access restored to the pirate sites you were being blocked from.
Of course, you also just installed some software which returns your passwords to somewhere else. But that is why the software that changes the DNS servers is so cheap.
Another danger (Score:1)
Another facet that wasn't mentioned in the paper is that as America attempts to legislate the internet so that the mega rich can become ultra rich, we simply remove ourselves from meaningful discussion about the problem and social view of file sharing.
As a security buff I learned from experience that while the "rules" if examined presented my ideal view of the world, or let others know what's actually important to me, my logs function as a mirror, telling me how things actually looked.
On behalf of the mega r
Re:What's a DNS server? (Score:4, Interesting)
Like the average schmuck was not going to be able to use dvdshrink? Come on you know some 1337 kid is going to read up on DNS just enough to learn how to set which server is used on Windows, whip out his intro to VB.net book and whip up a little single form program with all his code in the DoIt.OnClick() handler to set the value to some server in The Republic of North Bumfuck.
Then every moron on Facebook will be sending it to each other and installing it. That is Week 1.
Week 2 is when everyone's ISP just starts NAT'ing every packet with a dst port 53 tcp or udp to their own DNS server.
Week 3 same kid who has now learned that port translation can be used for other things besides playing wow behind his Linksys router starts his Google quest for a COM object that implements SSH....
Week 4... Frustration ensues
Week 5 ... A new VB.net app is published!
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
I think you greatly overestimate the technological literacy of the average American.
I think you're underestimating the effort a young person will go through to get things online. Why would you think limewire, eDonkey, etc became popular?
I think that if the price doesn't work for you, you'll look for cheaper alternatives. This is particularly true for kids from college down to school, that have absolutely no income, but are the largest consumers of popular media.
Re: (Score:2)
Re: (Score:2)
You can also do a whois lookup on the domain name, note the authoritative DNS servers for the domain, and query them directly. I've done that before to find the IP address of a site that had moved, yet the ISP's DNS server was still caching old records. (That doesn't seem to be as common nowadays, but some of the larger ISPs used to be absolute bastards with DNS caching. It often took days before you got updated records.) I am sure that could be done programmatically as well.
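The resolver-versus-authoritative check described in the comment above, done programmatically. This is an added example, not part of the original thread: the name `www.example.com`, the documentation-range addresses and the sample responses are constructed, and `ask` is a hypothetical helper that needs network access to a server you choose.

```python
import secrets
import socket
import struct

def build_query(name, qid, recurse):
    """Encode a single-question A/IN query in RFC 1035 wire format."""
    flags = 0x0100 if recurse else 0          # RD=1 for a resolver, RD=0 for an authoritative server
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)       # pointer is two bytes, root label is one

def parse_a_records(msg, qid):
    """Return the IPv4 addresses in the answer section of a response to query `qid`."""
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4         # QTYPE + QCLASS
    addrs = set()
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def ask(server, name, recurse):
    """Send one UDP query to `server` and return its A records (needs network access)."""
    qid = secrets.randbelow(1 << 16)          # unpredictable transaction ID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qid, recurse), (server, 53))
        return parse_a_records(s.recv(4096), qid)

def compare(resolver_addrs, authoritative_addrs):
    """Report whether the resolver's answer agrees with the authoritative one."""
    only_r, only_a = resolver_addrs - authoritative_addrs, authoritative_addrs - resolver_addrs
    return {"match": not (only_r or only_a), "resolver_only": sorted(only_r), "authoritative_only": sorted(only_a)}

def constructed_response(query, ip, authoritative):
    """Constructed sample data: a one-answer response to `query` (no network involved)."""
    flags = 0x8000 | (0x0400 if authoritative else 0x0080)   # QR plus AA or RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0) + query[12:] + answer

# Constructed scenario: the resolver still serves an old address for a moved site.
QUERY = build_query("www.example.com", 0x1A2B, recurse=True)
STALE = parse_a_records(constructed_response(QUERY, "192.0.2.10", False), 0x1A2B)
FRESH = parse_a_records(constructed_response(QUERY, "198.51.100.7", True), 0x1A2B)
RESULT = compare(STALE, FRESH)
```

Agreement between the two answers is not proof of integrity: a network that redirects all port 53 traffic to its own server answers both queries itself, and only DNSSEC validation detects that.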
Re: (Score:2)
DNS traffic is easily redirected. Typing in the IP address is definitely a workaround but it isn't plausible for someone to know the IP address of every place they want to go. sDNS is possible but, albeit pretty obviously, can be proxied with a MiM attack. What is needed is DNS over another protocol that is encrypted. One of the items on my to do list, and something that anyone can do instead of me, is to create a plugin for Firefox that does DNS over HTTPS. I'm a little pissed with Mozilla right now
Not on my servers!! (Score:4, Interesting)
I guess it's time to get a read done of this nonsense and then see if I can't straighten my own elected officials out about how the tech works... *sigh*
Net Neutrality (Score:3)
Yeah, good luck. We went from Net Neutrality to this! With Net Neutrality they were saying, "Oh, leave it alone, it works fine. Don't force companies to not favor one site over another with premium QOS bandwidth." Now they're saying, "Stick it deep, as deep as possible, into the core of the Internet itself and control it all one record at a time!"
Where are the Libertarians railing against Net Neutrality when you need them to rail against this? If any of you are one, I hope you bring this comparison up LO
Re: (Score:2)
I am anti-Net Neutrality (because I am a libertarian and I don't think government should tell anyone how to run their IP network). I am opposed to this because I don't think copyright infringement which is inherently a civil offense has any place in criminal code. I don't think the government has any place investigating civil matters between parties. If the *IAA has a problem with someone distributing materials owned by groups they represent, it's up to them to discover it, it's up to those groups to fil
Re: (Score:2)
Sigh, this is probably the most pathetic troll post I've ever seen. Health Care Reform. Even without him doing another damned thing his entire term that alone would have put him way ahead of any President since Reagan.
Re: (Score:2)
I bet you're one of those bible-thumping lunatics who believes the world "hates you for your freedoms," you know, those freedoms you DON'T ACTUALLY FUCKING HAVE ANY MORE.
Or in some cases never had.. America can preach about freedom when it gets its prison population down to sane levels and when its cops stop electrocuting everyone who so much as looks at them funny.
distributed dns (Score:1)
It's time to move away from centralized DNS, we can't leave the internet in the hands of the government. We need a compatible distributed DNS system.
Re: (Score:2)
It's time to move away from centralized DNS, we can't leave the internet in the hands of the government. We need a compatible distributed DNS system.
I don't see how to implement such a thing when the bad guys can attach thousands of servers to the network and abuse the hell out of it.
DNS though is a single point of failure attached to the internet and replacing it with something less abusable would be better.
I'll just use the ip address! (Score:4, Insightful)
Error 403: Forbidden
Please be aware that copyright infringement is illegal. A copyright enforcement specialist will be contacting you shortly to schedule your mandatory attendance to one of our copyright education seminars.
Re: (Score:1)
You forgot about the donation, erm. fee that would have to be made to the music/movie industry.
Campaign Contributions (Score:3, Informative)
They don't matter. They haven't paid the requisite Campaign Contribution necessary for their opinions to be considered.
Re: (Score:2)
Eh, you elected them. Go ahead and whine about how corrupt they are, you put them into power. You were the ones that said "I want these people running my government." If the most protesting about it you're going to do is to make some stupid joke on Slashdot then you got what you deserved as far as I'm concerned.
Maybe these wicked guys are better than the alternative so the GP did the right thing voting them in?
Re: (Score:2)
The lesser evil is still evil.
Re: (Score:2)
Re: (Score:3)
They don't matter. They haven't paid the requisite Campaign Contribution necessary for their opinions to be considered.
I came here to say this. Saying these guys are "heavyweights" in DNS doesn't matter one whit - how many senators they own, that's the only "weight" that's going to matter in this debate.
Who comes up with these titles for bills? (Score:1)
And where can I apply?
DEFINITELY Read the article by Paul Vixie (Score:2)
This root key would have to be generated and signed in some kind of ceremony, maybe with people wearing viking hats and carrying swords and torches, and the resulting public validation key would have to be published on the web and managed according to RFC 5011 so that it can roll forward throughout all time. Videos from this ceremony would go up on YouTube.
http://www.circleid.com/posts/20110318_on_mandated_content_blocking_in_the_domain_name_system/ [circleid.com]
Thank goodness it's been blocked (Score:4, Insightful)
Senator Ron Wyden's statement (Score:3)
“In December of last year I placed a hold on similar legislation, commonly called COICA, because I felt the costs of the legislation far outweighed the benefits. After careful analysis of the Protect IP Act, or PIPA, I am compelled to draw the same conclusion. I understand and agree with the goal of the legislation, to protect intellectual property and combat commerce in counterfeit goods, but I am not willing to muzzle speech and stifle innovation and economic growth to achieve this objective. At the expense of legitimate commerce, PIPA’s prescription takes an overreaching approach to policing the Internet when a more balanced and targeted approach would be more effective. The collateral damage of this approach is speech, innovation and the very integrity of the Internet.
"The Internet represents the shipping lane of the 21st century. It is increasingly in America’s economic interest to ensure that the Internet is a viable means for American innovation, commerce, and the advancement of our ideals that empower people all around the world. By ceding control of the Internet to corporations through a private right of action, and to government agencies that do not sufficiently understand and value the Internet, PIPA represents a threat to our economic future and to our international objectives. Until the many issues that I and others have raised with this legislation are addressed, I will object to a unanimous consent request to proceed to the legislation."
Re: (Score:2)
When you cut out all the political grandstanding in that quote, it kind of shocks me how well he understands the issue. Maybe the *IAAs forgot to pay him off last election season?
Re:Senator Ron Wyden's statement (Score:4, Funny)
Re: (Score:1)
I'm from Oregon... Ron Wyden is pretty awesome. Despite being a politician, he seems like a decent guy. And I may be wrong, but I think Ron boots Linux. One of our Oregon reps does, I just can't find out which from the interwebz.
M
Re: (Score:2)
just use /etc/hosts (Score:2)
# Append a hosts entry for every possible IPv4 address
for foo in $(seq 0 255); do
  for bar in $(seq 0 255); do
    for bin in $(seq 0 255); do
      for baz in $(seq 0 255); do
        echo "$foo.$bar.$bin.$baz www${RANDOM}" >> /etc/hosts
      done
    done
  done
done
Re: (Score:1)
My IPv6 junk is on the internet you insensitive clod!
Re: (Score:2)
Ewwww?
http://xkcd.com/305/ [xkcd.com]
Re: (Score:2)
Good idea...as long as you don't visit a shared server. Or a secure server. Or use a protocol where the real domain name is used as part of the communication.
PROTECT (Score:2)
Re: (Score:2)
Actually, they're not that expensive. They buy in bulk saving lots of money.
Re: (Score:2)
How do you go about moving the root DNS servers for .com, .net, .org? As they are TLDs for the US, and for whatever reason, everyone uses them anyways, you will still have this issue. If you want to live by the rules for Russia, then use a .ru domain, and you won't have to be affected by the laws in the US.
HOSTS File Legal Questions (Score:2)
Does this mean that if I have a HOSTS file, I have to filter through it, too?
What if that HOSTS file is for an enterprise?
What if that HOSTS file is published on the Internet for others to use?
What about Ad-Blocking software that uses a system like HOSTS? If it is capable of blocking DNS, will it then be required to block censored hosts as well?
What about VPN? Which side of the connection is responsible?
What about Cache? Will there be a mandate that all DNS caches everywhere only last for X amount of hours
Way to go...not! (Score:1)
Re: (Score:2)
What is the problem? The problem is that companies want to use Chinese laws but have a .com domain. .com is a US TLD, so it falls under the laws of the US. If you want to sell counterfeit products in China, or fake drugs in Canada, then get a TLD from one of those countries, then the US laws can't touch you. I don't agree with this law, but it isn't like it matters for any other country's TLD, just the US TLDs.
Re: (Score:1)
Listen the Dan (Score:2)
THE solution lies in the UI (Score:2)
dig:nameserver.example.com;http://mywebsite.lol
Use the normal DNS root to bootstrap names of nameservers.
Re: (Score:2)
You ARE a spamming nutbag, although you're right about hosts files. However, your link to go get a good hosts file is 503. Don't you check the links in your spam?
Re: (Score:2)
"You ARE a spamming nutbag" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage
Oh, really? Do you have your:
I'll play for a second, because I have time; none of your professional accreditations impress me. I've known many people who have had similar and some of them impressed me and some didn't.
You have retreated into pseudo-anonymity, but still sign your comments to feed your ego. You can see that the community does not want to see what you have to say but persist anyway; your theatrical text culminating in "That's right I am RIGHT... always am!" underscores your self-importance. If the community is uninterested
Re: (Score:3)
Between your writing style, unwillingness to log in and be moderated, and your insistence on ignoring what was actually said for what you want to read, you have made yourself the Slashdot equivalent of a street person on the corner jumping up and down, foaming at the mouth, and screaming that The End is Nigh with one hand down your pants and the other flailing incoherently at arm's length at all times.
If you don't see that your persistence in the face of this situation makes you a nut, you're utterly hopele
Re: (Score:3)
Nah, you're just an idiot trying to look like you know something. Sadly, glomming together bits and pieces of things you've heard here and there into walls of text - the SAME walls of text you repeat verbatim every chance you get... does not make you look smart. It makes you look like a total moronic idiot. Just figured you should know that before you repeat this nonsense the next time DNS, security, malware or whatever else comes up and you get the idea to repost the same wall-o-text post as the last few t
Re: (Score:1)
My goodness. We aren't trying to attack your comments on HOSTS files. We really don't care that much and most of us agree with your points. What we are trying to do is get you to shut up and go away because you, personally, are annoying.
Re: (Score:2)
And, that's valid grounds for down moderation, now isn't it?
YES. Yes, it is. The purpose of the moderation system, flawed though it is in many ways, is to produce comments that people want to read.
Re: (Score:2)
Yup, idiot with good copy/paste skills "telling" us nothing we don't already know. :-)
And here ya go! One more post to reply to with another wall-o-copy-paste-text! It's a shame you're so stupid you can't even post your own ideas. So, hope you enjoy this opportunity to yet again reply with a buncha magazine and website listings with little summaries attached to about stuff you don't understand.
You forget ADK, some of us know who you are. You like pretending to have functioning brain matter, but we know yo
Re: (Score:1)
APK, you're awesome [ashentech.com]
Protecting Nutcases (Score:1)
>Great... it's the HOSTS file spamming nutcase again.
I would say we should block him, but if he's using a HOSTS file, DNS Censorship won't work.
We need a different solution. Content-based censorship, maybe? That would work. More intrusive though.
*sigh* why does protecting liberties always mean protecting nutcases?
let's coin a new term (Score:3)
I'm curious how often the HOSTS-tard updates the hundreds of millions of entries in his gigabytes-large HOSTS file
Re: (Score:2)
Re: (Score:3)
The guy raises a good point, through packet mangling you can reroute DNS queries with users none the wiser. Since most providers don't offer any encryption (let alone authentication) of DNS queries, this is a real problem. But you can trade fingerprinted hosts files... Is there a cryptographically secured open DNS service that is also trustworthy?
Re: (Score:2)
See, I have no problem with your technical analysis, but with your presentation. I don't think you should be chased off of slashdot. I do think you should be regarded based on your behavior.