GCHQ Planning UK-Wide DNS Firewall (thestack.com)

An anonymous reader writes: UK surveillance agency GCHQ is exploring the use of a national 'firewall' in its fight against cybercrime, according to the organisation's head of cybersecurity. Alongside BT, Talk Talk and Virgin Media, GCHQ will work to filter out websites and email campaigns which are known to contain malicious content. The intelligence organisation believes that the best way to set up such a blockade would be to build a national domain name system (DNS). In a speech delivered at the Billington Cyber Security Summit in Washington DC, director general for cyber security at GCHQ, Ciaran Martin, said: 'We're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?'
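As an added illustration (not code from the article, GCHQ, or any commenter), the following Python models the ISP-side filtering the summary describes, in the style of a DNS response policy zone: each query is checked against a blocklist before resolution, blocked names and their subdomains get a synthetic NXDOMAIN, subscribers who opted out are passed through, and every decision produces a log line. The blocklist entries, client addresses and the opt-out set are constructed placeholders; the names ending in .example are not real indicators.

```python
"""
Added example: a minimal model of ISP-side DNS filtering in the style of a
response policy zone (RPZ). Not the article's or any commenter's code.
All domain names and addresses below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed blocklist. A real deployment would load feeds such as the
# Spamhaus/OpenBL/DShield lists mentioned in the thread; these are invented.
BLOCKLIST: Set[str] = {
    "malware-drop.example",
    "phish-login.example.net",
}

# Subscribers who opted out of filtering (the thread's opt-in/opt-out debate).
# 203.0.113.0/24 is an RFC 5737 documentation range; the address is constructed.
OPTED_OUT: Set[str] = {"203.0.113.7"}


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def matching_rule(qname: str, blocklist: Set[str] = BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry that covers qname, or None.

    RPZ-style matching walks up the name label by label, so an entry for
    malware-drop.example also covers cdn.malware-drop.example, but it does
    not cover notmalware-drop.example (a different name, not a subdomain).
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


@dataclass
class Decision:
    qname: str
    action: str           # "NXDOMAIN" (blocked) or "RESOLVE" (pass through)
    rule: Optional[str]   # which blocklist entry matched, if any


def decide(qname: str, client_ip: str,
           blocklist: Set[str] = BLOCKLIST,
           opted_out: Set[str] = OPTED_OUT) -> Decision:
    """Apply the policy for one query from one subscriber."""
    rule = matching_rule(qname, blocklist)
    if rule is None or client_ip in opted_out:
        # Opted-out clients still get a rule recorded, so the log shows what
        # would have been blocked; the answer itself is left alone.
        return Decision(normalize(qname), "RESOLVE", rule)
    return Decision(normalize(qname), "NXDOMAIN", rule)


def log_line(d: Decision, client_ip: str) -> str:
    """One line per query. This is what the retention question in the thread
    is about: the filter sees every name every subscriber asks for, whether
    or not anything is blocked."""
    return f"client={client_ip} qname={d.qname} action={d.action} rule={d.rule or '-'}"


if __name__ == "__main__":
    # Constructed sample queries from two subscribers.
    samples = [
        ("slashdot.org", "198.51.100.9"),
        ("CDN.Malware-Drop.example.", "198.51.100.9"),
        ("phish-login.example.net", "198.51.100.9"),
        ("phish-login.example.net", "203.0.113.7"),   # opted out
        ("notmalware-drop.example", "198.51.100.9"),
    ]
    for name, ip in samples:
        print(log_line(decide(name, ip), ip))
```

Matching walks up the queried name, so one entry covers a whole subtree without wildcards, and the case/trailing-dot normalisation keeps `CDN.Malware-Drop.example.` from slipping past the list. The log function is deliberately part of the model: whoever operates the resolver holds a record of every query, which is why the thread's questions about logging retention and access matter even if the blocklist were perfect.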
  • by Joe_Dragon ( 2206452 ) on Wednesday September 14, 2016 @09:54AM (#52885763)

    and then block porn / 3rd party candidates / free press.

    • It's England. More than two parties is encouraged.
      • Our third party self destructed a couple of years ago and our second party is in process of self destruction.
        • by Pax681 ( 1002592 )

          Our third party self destructed a couple of years ago and our second party is in process of self destruction.

          England's main parties you mean.. in Scotland the Scottish National Party is first by several country miles in terms of both Westminster and Holyrood elected representatives numbers.

          • by Cederic ( 9623 )

            Well, nationally too. The SNP don't make it into fourth place nationally. They're barely ahead of the Green party ffs.

            • by Pax681 ( 1002592 )

              Well, nationally too. The SNP don't make it into fourth place nationally. They're barely ahead of the Green party ffs.

              the changes at Holyrood [bbcimg.co.uk] kinda makes a point that image eh?
              2010 's Westminster seats in Scotland [bbci.co.uk]
              and after the 2015 election the electoral map looked like this [bbci.co.uk]
              Also... just ahead of the greens?.. quite an achievement considering they only stand for election in Scottish seats and have no need or interest in campaigning in English/Welsh or Irish seats. They have the votes of the vast majority of Scots but I suppose that doesn't count as if it's of any importance eh?

              • by Cederic ( 9623 )

                The SNP have more representation in Westminster per vote than any other party. Maybe more than every other party ever.

                So no, getting more votes in Scotland than everybody else counts for fuck all. It's still not democratic.

                I do also seem to recall them losing the vote they really cared about. No wonder Sturgeon's scared shitless of calling another referendum, for all her bleating about the supposed need for one.

        • And the reason for the Lib Dem destruction is in propping up a coalition government that nobody liked. The electorate punished them and not the larger partner of the coalition. Strange. Or maybe demonstration of just how much control the right wing media has over a large portion of the electorate.

          The implosion of Labour is hilarious. The party is collapsing because it's got too many MPs who wanted to be in the Conservative Party but somehow joined Labour, presumably by mistake.

          The Conservatives may be divid

          • by amorsen ( 7485 )

            English politics are strange.

            Conservatives and Lib Dems set up a coalition, Conservatives do a lot of bad things and Lib Dems only prevent some of them: Lib Dems collapse.

            Conservatives and Labour jointly try to run a campaign to stay in the EU, to deal with the mess that the Conservatives created: Labour collapse.

            • by AmiMoJo ( 196126 )

              I voted Lib Dem a few times, but the coalition was a betrayal. Tory policies are so far removed from what the Libs stood for, and they got such a bad deal out of the negotiation... And look where it got us. Out of the EU and likely on the verge of the UK breaking up as Scotland and Gibraltar seek to remain in.

              Labour is having an existential crisis. They want a leader with principles, but need a slimy piece of shit like Cameron to win an election.

          • And the reason for the Lib Dem destruction is in propping up a coalition government that nobody liked. The electorate punished them and not the larger partner of the coalition. Strange.

            Not really that strange. As far as I can tell, they got delayed punishment for going into a coalition with the Conservatives in the first place, rather than aligning with Labour as most Lib Dem voters would have expected. The fury at that cannot be understated; I believe their membership dropped considerably immediately after that fateful decision. Their rout at the following general election was only to be expected. Clegg destroyed that party.

      • It's England.

        Well, the UK. For now.

      • Aw, c'mon! Now I'm just feeling sad.
        --USA person
      • There is really only one party. They all serve the same masters.

    • and then block porn / 3rd party candidates / free press.

      Which of the remaining 11 parties after the first two currently in the House of Commons do you consider to be the third one? And to which party do you count the cross bench peers in the Lords?

    • by ruir ( 2709173 )
      ...and sheep sites in Scotland.
    • by rubycodez ( 864176 ) on Wednesday September 14, 2016 @02:01PM (#52887803)

      Thoughtcrime, Winston Smith. It's all doubleplusungood thoughtcrime.

  • Good, Bad And Ugly (Score:5, Insightful)

    by alternative_right ( 4678499 ) on Wednesday September 14, 2016 @09:54AM (#52885773) Homepage Journal

    The Good: if there are known threats that can be filtered, this is the most efficient level on which to do them.

    The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.

    The Ugly: it will create a false sense of security, "educating" users to be less educated about their machines.

    • The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.

      That's OK. You can just run your own DNS server, and add those missing entries. You're welcome!

      • by smash ( 1351 )
        Except you know... your DNS needs to contact remote DNS servers for lookups which are then redirected to the government DNS on the great firewall of ...
        • by zlives ( 2009072 )

          just point to the remote DNS hosted by the NSA instead, there are still some freedoms allowed in the US.

        • by ShaunC ( 203807 )

          Except you know... your DNS needs to contact remote DNS servers for lookups which are then redirected to the government DNS on the great firewall of ...

          If I tell my DNS server it's authoritative for wikileaks.org and thepiratebay.se, it doesn't contact any remote servers to resolve those domains, it answers with whatever IPs I configured. Let it forward the rest of the queries happily along. If this "Great DNS Firewall" idea takes off, I suppose free thinkers in the UK will all be trading bootleg zone files, of all things.

    • Well, it's bad no matter how you look at it, primarily because even if you accept that filters are good, by and large they're ineffective, and are very prone to false positives.

    • by amxcoder ( 1466081 ) on Wednesday September 14, 2016 @12:25PM (#52887039)
      Not much good in this at all. There are already alternative DNS providers that will block most of this stuff selectively by each user. I use OpenDNS myself for this purpose. This is effectively censoring by the government, and nothing less.

      Yes, it will eventually be used to block torrent sites, the Pirate Bay, etc. It will be used to block any of the other downloading sites that are available whether they are torrent trackers or straight downloads or streaming sites.

      Even more, if riots break out, or dissension protests start up, all of a sudden Twitter and FB will be temporarily blocked to prevent coordination by participants. The US has already done similar to this, for instance in bay area BART stations where they shutdown the cell phone repeaters to prevent communication in the stations when Oakland had riots/protests going on. If UK can do it by simply blocking DNS to these sites, the same results will happen.

      Who decides what is considered "MalWare"? What are the criteria? Malware could be the typical kind, but could also include hacking software, keygen apps, apps that the RIAA/MPAA and big-media doesn't like? Everyone's idea of what is malware is probably slightly different. Viruses yes, but not all the others are malware. I know most virus scanners pick up keygens and other cracking software as a virus even if it's not, but because they want to scare away people from using them.
      • OpenDNS is owned by Cisco, talk about having your tongue up the ass of the kind of corporate fascist scum who have governments in their pocket.....

        • My comment about OpenDNS was just an example of a service that does what they are proposing already, and is opt-in only, and is not run by the government, and is customizable by the user (or network admin) to select what gets blocked and what doesn't, rather than some secret hidden list of sites. If you don't like OpenDNS, then pick another provider, or run your own DNS server.

          I've used it for years without issues. If I have problems or don't like what they are doing, I can always point my home router
    • Missing the obvious, good citizen.

      Memory hole! Censorship! It didn't happen, it never happened.

    • by mjwx ( 966435 )

      The Good: if there are known threats that can be filtered, this is the most efficient level on which to do them.

      The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.

      The Ugly: it will create a false sense of security, "educating" users to be less educated about their machines.

      Erm.. the UK already requires ISPs to block torrent sites. It's as effective as an ashtray on a motorbike. Every torrent site can be accessed via a simple google search and they've simply given up on playing whack-a-mole with new URLs. As long as they have "thepiratebay.*" blocked, ISPs have effectively done all they legally have to and stopped caring.

    • So if the threats are well known by organisations with power like the GCHQ, why don't they instead do something about them? Yes, they operate from within other countries, but since when has that stopped the likes of GCHQ?
    • by grcumb ( 781340 )

      The Good: if there are known threats that can be filtered, this is the most efficient level on which to do them.

      The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.

      The Ugly: it will create a false sense of security, "educating" users to be less educated about their machines.

      The un-fucking-believably stupid: Ignoring the capacity for police state tactics in surveilling the domestic population, this is the same as tacking a bullseye onto the nation's internet and telling every terrorist, rogue nation and hacktivist:

      DO NOT PRESS THIS BUTTON. THIS ONE. RIGHT HERE. IT WOULD BE VERY BAD. SO DON'T PRESS IT.

  • Won't work. (Score:5, Insightful)

    by BarbaraHudson ( 3785311 ) <.moc.duolci. .ta. .nosduh.enaj.arabrab.> on Wednesday September 14, 2016 @09:55AM (#52885783) Journal
    You don't need DNS to visit a website. Also, there's nothing preventing you from running your own DNS.
    • Well, with name based virtual hosts you certainly need some sort of name to send the request to, whether provided by DNS or /etc/hosts or whatever.

      And yes, running your own DNS is trivial. IF your provider isn't blocking requests out that aren't headed to their own servers, much like smtp and port 25....

    • You don't need DNS to visit a website.

      I can think of two ways to visit a website without DNS, and both have serious drawbacks.

      1. Add the IP address and name to the hosts file
         This breaks whenever the site's IP address changes. This file is traditionally editable only by root, and root access is often impractical to gain on any type of device other than a desktop or traditional laptop PC, especially a smartphone or a tablet computer running a smartphone operating system. (Finally, recommending the use of such a file summons him.)
      2. Enter the IP address
      • Other than border security intercepting all outbound connections or datagrams on port 53.

        Not necessarily. A VPN to an external server and they would never know what is inside that tunnel.

        • Why would they continue to allow a VPN across this nationwide firewall?

          The goal is to protect the Britons from "bad" websites as defined by the government. The first thing they want to try is to hide these sites from Britons by removing any DNS entry to them. When the government realizes that people are circumventing their firewall then I'd fully expect them to do what they can to block that traffic as well.

          This is doomed to fail since, as you predict, people will find a way around it. If they are succes

      • Nope.

        You also need the desired host name as part of your browser's web request, because most websites share an IP address with other web sites. That means you're going to have to either have a giant-ass hosts file or your own name server that magically gets updated with hundreds of millions of DNS records.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Agreed.

      The Internet was designed to route around disruptions in the network. Censorship one type of disruption.

      If an end user doesn't like what GCHQ is doing, they can:
      1. Install DNSSEC-enabled nameserver software on their end device or home network to bypass the firewalls and detect man-in-the-middle rewrites.
      2. Utilize another open recursive server - there are millions to choose from.
      3. Utilize a VPN to get out of the country and utilize Google or OpenDNS o

      • The VPN solution is hard to work around, but it does require someone to purchase a VPN server somewhere. Blocking access to 'unauthorised' DNS servers would be straightforward if the UK cared to spend the money on the filtering hardware. Hell, they could even require you to apply for some kind of licence before they permit VPN traffic to be allowed out of your home connection. The UK are deadly serious about trying to lock down the internet, and now that they've decided to leave the EU, I don't see how anyon
    • I wonder if they plan on proxying DNS requests leaving the country? If so, the only workaround would be to use encryption and/or DNSSEC and a DNS server outside the country... possibly on a non-standard port in case they block 53.

    • You don't need DNS to visit a website. Also, there's nothing preventing you from running your own DNS.

      Hmm, intriguing idea. I guess you could run your own DNS root server and maintain your own records for everything on all zones on the Internet. It's going to take some bandwidth to keep all that updated!

      But if you are thinking of just running your own local DNS server then it's going to need forwarders, and those forwarders are going to be either within the firewall and thus limited or outside the firewall and inaccessible.

      Or you could use an alternative port on a DNS forwarder outside the firewall. Some DNS se

    • You don't need DNS to visit a website. Also, there's nothing preventing you from running your own DNS

      So, why doesn't it work? The plan is apparently to stop malware with DNS filtering. They're not going to stop you running your own DNS and visiting the malware sites if you really want to.

    • by AHuxley ( 892839 )
      Just create a staging server within the UK, England and it's a trusted local network request :)
  • by Errol backfiring ( 1280012 ) on Wednesday September 14, 2016 @09:58AM (#52885803) Journal
    How many times do we have to say that 1984 was not an instruction manual?
    • That's funny, I re-read Nineteen Eighty-four recently and I didn't see anything about a national DNS being used to restrict Internet access from the proles and Outer Party.

      In all seriousness, I don't think this is that big a deal. >99% of people already blindly trust their DNS to their ISP (generally about as untrustworthy as governments are in any case), and those that don't won't be affected by any regulations the UK wants to impose.
      • There was an internet in *1984*. Pay attention.

        There also were those who controlled what was remembered, and those who architected language with the end goal of non-state approved concepts being impossible to express or even conceived.

        • There was an internet in *1984*. Pay attention.

          The Internet existed in real life in the year AD 1984, yes. There was no internet in the novel Nineteen Eighty-Four by George Orwell, which was written in AD 1949.

          There also were those who controlled what was remembered, and those who architected language with the end goal of non-state approved concepts being impossible to express or even conceived.

          You're referring to the Ministry of Truth and Newspeak, respectively. Both of which have nothing to do with a national DNS. Now, it's true that the government could make it annoying to access unapproved websites, and there's nothing wrong with being skeptical of their intentions, but to say it's Orwellian is a massive hyperbole. Governments all th

    • How many times do we have to say that 1984 was not an instruction manual?

      Evidently one more time as always.

    • by AmiMoJo ( 196126 )

      They will never stop pushing, so we must never stop pushing back.

      The price of freedom is eternal vigilance.

  • If they do this, I hope that they will allow an opt-out. Anything else would feel like an act of censorship, even if that may not be the intent.

    • by Zocalo ( 252965 )
      Nothing should *ever* be opt-out. The default should always be to opt-in. If you can't make that enabling process easy to do and successfully sell the idea to your prospective end users (AKA "source of data" - because they are absolutely going to be saving all your DNS queries as "metadata"), then maybe it wasn't such a good idea to start with.
      • Nothing should *ever* be opt-out. The default should always be to opt-in. If you can't make that enabling process easy to do and successfully sell the idea to your prospective end users (AKA "source of data" - because they are absolutely going to be saving all your DNS queries as "metadata"), then maybe it wasn't such a good idea to start with.

        I won't argue with that, though I was more thinking about the alternative of not having a choice (opt-in or opt-out), as to having this imposed. I just don't want to see a 'Great Moat of Britain', being imposed. There are enough right wing isolationist attitudes at play, in the country today, that we don't need another one added to the fray.

    • If they do this, I hope that they will allow an opt-out. Anything else would feel like an act of censorship, even if that may not be the intent.

      Hahahahahahahaha! Of course that's the intent. And of course they won't allow an opt-out. Even if they did, to ask for it would be more or less to hang a big sign round your neck saying, "TERRORIST!"

  • FTFY GCHQ (Score:2, Insightful)

    by Anonymous Coward

    what better way of providing national surveillance

  • Because, if for no other reason, the World will be controlling their Internets anyways.

    Let them.

  • If this is just supplying a list of IPs, as Spamhaus, OpenBL and Dshield do, then it's nothing much to be concerned about. OTOH ... https://www.spamhaus.org/drop/ [spamhaus.org] http://www.openbl.org/ [openbl.org] https://www.dshield.org/xml.ht... [dshield.org]
  • This is a slippery slope and it's one of the reasons we shouldn't try to fix what isn't broken, by giving up control over domain assignments. We have more of a hands off tradition over here that other countries do not necessarily share.

  • A journey of a thousand miles must begin with a single step. --- Lao-tzu

    This looks like the first step towards censorship to me. What will be next on the list of Things That Should Be Blocked?

  • by xfade551 ( 2627499 ) on Wednesday September 14, 2016 @10:21AM (#52886003)
    Hadrian's Firewall
  • by Archtech ( 159117 ) on Wednesday September 14, 2016 @10:31AM (#52886071)

    "[W]hat better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?"

    What better way of allowing the UK government to censor what British people can see and hear on the Internet, without the huge majority of them having any idea that their Internet access is being censored?

    And for those who have suggested this is no big deal, just wait. This is a case of "First they came for the communists", with a vengeance. Quite apart from the fact that this is exactly what the Chinese government has been doing with its "Great Firewall of China" - and getting it in the neck for alleged tyranny, totalitarianism and censorship.

    Of course, how this policy would work out in practice does depend very much on who decides what constitutes "known malware and bad addresses [sic]". Previous draconian laws passed by the British Parliament were, we were solemnly promised, to be used only in the most serious of terrorist cases. A couple of years later, the powers were in fact being used by town councils to spy on what people put into their rubbish, how they kept their gardens, and other such personal and utterly non-vital matters.

    If a law is passed establishing a "Great Firewall of Britain", we can be quite sure that within a couple of years literally thousands of government employees - from the Prime Minister to town hall clerks - will be contributing "bad addresses" to the cumulative DNS blacklist. Just like the current Homeland Security watch lists in the USA, thousands of items will be added every month, and nothing will ever be removed.

    Indeed, people living in Britain may well find that, one day in the not-too-distant future, they are no longer able to read or contribute to Slashdot. After all, just think of all the contentious issues and worrying statements that are to be found on its pages! Some government functionary - or, perhaps more likely, an instance of that classic responsibility-diffusing mechanism, a committee - will take the view that it would perhaps be for the best if this rather dubious Web site were no longer to be accessible from the UK.

  • Don't they have anything better to do than imitate bad Bond villain plots? [wikipedia.org].
  • by Archtech ( 159117 ) on Wednesday September 14, 2016 @10:47AM (#52886185)

    This proposal reminds me of the 1960 obscenity trial of Penguin Books for the publication of "Lady Chatterley's Lover" by D.H. Lawrence. The chief prosecutor, Mervyn Griffith-Jones, caused some merriment but also revealed his deep prejudices by asking if it were the kind of book "you would wish your wife or servants to read". (If they have time on their hands, readers are encouraged to compile a full list of the ways in which that remark was patronising and bigoted).

    If this proposal is taken up by the UK government, it will mean that - more than fifty years after the "Lady Chatterley" trial, in an era that prides itself on its freedom of expression - government officials will be asking themselves, in the privacy of their offices, "Is this the kind of Web site you would wish your wife or servants to read?" As it is so very much easier to be safe than sorry, no doubt the answer will very often be, "Actually, no, old man, it isn't" - and off will go another batch of "bad addresses" to the Black List, never ever again to be seen.

  • Providing a national DNS service with nanny filtering sounds too easy to work around (just point to Google's DNS, OpenDNS etc. instead - just any non-UK reliable DNS service would do). Wouldn't they also have to have the ISPs blocking those other DNS services as well?

    Like all these blocking services, they'll never publish the full list of what they block, hiding behind the claim that it's either proprietary or will give people clues as where the dodgy sites are. Problem is, this means they can block all sort

  • ...Because this is how you get Balkanization. Why have just one pesky uncontrollable "World Wide" Web, when we could have 196 of them, all slightly different?
  • OK, so let's say this is done, and ISPs are required to have the DNS server's IP as their DHCP autoconfig response.

    Questions:

    1/ Who will own and operate this DNS service?
    2/ What will their DNS request logging retention look like?
    3/ Who will have access to those records and with what authentication?
    4/ Why are you now thinking this is something from George Orwell's 1984?

  • by jenningsthecat ( 1525947 ) on Wednesday September 14, 2016 @11:45AM (#52886705)

    What could go wrong? I mean really, who the fuck trusts a consortium of GCHQ and several mega-corps to neutrally and impartially protect them from "known malware and bad addresses"? Incidentally, I have to wonder - do those 'bad addresses' include sites that are critical of the government and/or the companies in question? Might they include 'non-approved' IP telephony services? Sites that promote Scottish independence?

    The opportunities for abuse are endless. This is a very bad idea.

  • I'm so tired of this crap. If you fuck with DNS people will just use IP literals or invent separate control channels to replace DNS.

    Security strategies that "solve" a current problem while ignoring the fact your adversaries are thinking humans with a mind just like yours only lead to collateral damage while not solving the original problem.

    There is still quite a lot of low hanging fruit still left to be plucked in terms of human factors and system design that would actually be effective beyond screwing wit

    • "IP literals?" Nope, most web sites use an IP address shared with others, you also need the browser to put desired symbolic host name in hosts: field of request which the web server (or proxy) will then make to the appropriate vhost. That makes the problem more difficult to solve

      • "IP literals?" Nope, most web sites use an IP address shared with others

        What "most websites" do or don't do is irrelevant. IP addresses are cheap and easy for anyone with good or bad intentions to obtain especially in the future as IPv6 adoption increases. Criminal enterprises are not required to share their address space (e.g. throwaway virtual hosts and botnet victims) with others nor are they required to use DNS.
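Added example, not from any commenter: a toy name-based virtual host selector in Python that shows the Host-header point made in this sub-thread. Several sites share one address (the constructed 203.0.113.10), the server picks the site from the Host header rather than from the destination IP, so a request carrying only an IP literal lands on whatever default the operator configured, and an HTTP/1.1 request with no Host header at all is rejected. The hostnames, address and document roots are invented for the demo.

```python
"""
Added example: a toy name-based virtual host selector. Not code from any
commenter. Hostnames, addresses and document roots are constructed.
"""
from typing import Dict, Optional, Tuple

# Constructed vhost table: three sites behind one shared address.
SHARED_IP = "203.0.113.10"            # RFC 5737 documentation range
VHOSTS: Dict[str, str] = {
    "news.example": "/srv/www/news",
    "blog.example": "/srv/www/blog",
    "shop.example.net": "/srv/www/shop",
}
DEFAULT_VHOST = "news.example"        # served when Host matches no site


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, target, headers).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def hostname_from_host_header(host: str) -> str:
    """Drop an optional :port and normalize case. IPv6 literals are bracketed."""
    if host.startswith("["):
        return host[1:host.index("]")].lower()
    return host.split(":", 1)[0].lower()


def select_vhost(raw: bytes) -> Tuple[int, Optional[str]]:
    """Return (status, docroot) for a raw request arriving on SHARED_IP.

    400 if the Host header is missing (HTTP/1.1 requires it); otherwise the
    matching site, or the default site for IP literals and unknown names.
    """
    _method, _target, headers = parse_request(raw)
    host = headers.get("host")
    if host is None:
        return 400, None
    hostname = hostname_from_host_header(host)
    if hostname not in VHOSTS:
        hostname = DEFAULT_VHOST   # IP literal or unknown name: operator's default
    return 200, VHOSTS[hostname]


if __name__ == "__main__":
    # Constructed requests: all arrive at the same IP, only Host differs.
    samples = [
        b"GET / HTTP/1.1\r\nHost: blog.example\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",      # IP literal only
        b"GET / HTTP/1.1\r\nHost: SHOP.example.net:8080\r\n\r\n",
        b"GET / HTTP/1.1\r\n\r\n",                           # no Host at all
    ]
    for req in samples:
        print(req.split(b"\r\n")[1] or b"(no Host header)", "->", select_vhost(req))
```

The point the selector makes is the one both sides of the sub-thread touch: the destination address tells the server nothing about which site was wanted, so an IP literal only reaches a site that has an address to itself or happens to be the operator's default. The same selection happens a layer lower for HTTPS, where the server chooses a certificate from the TLS Server Name Indication before any HTTP header is seen.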

  • Manager: I'm sorry, but if you don't come up with that money by tomorrow, the bank is going to take your house.
    Homer: Well, good luck finding it, because I'm going to take the numbers off tonight!
    Manager: Well, we'll look for the house with no numbers.
    Homer: Then I'll take off the numbers on my neighbor's house.
    Manager: Then we'll look for the house next to the house with no numbers.
    Homer: [...] All right, you'll get your money...

  • Obviously, these people think that the Chinese are handling online free-speech and free access to information just right and want to copy their success-story. Sure, people can still get around this (DNS filtering and blocking is the cheapest, least-secure option), but that can simply be made illegal. In the end, the UK "Internet" will end up as a "walled garden" where only content deemed appropriate by the "authorities" is easy and legal to access. Rogue browsing will be treated according to another success
