
French Court Orders Google, Cloudflare, Cisco To Poison DNS To Stop Piracy (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: A French court has ordered Google, Cloudflare, and Cisco to poison their DNS resolvers to prevent circumvention of blocking measures, targeting around 117 pirate sports streaming domains. The move is another anti-piracy escalation for broadcaster Canal+, which also has permission to completely deindex the sites from search engine results. [...] Two decisions were handed down by the Paris judicial court last month; one concerning Premier League matches and the other the Champions League. The orders instruct Google, Cloudflare, and Cisco to implement measures similar to those in place at local ISPs. To protect the rights of Canal+, the companies must prevent French internet users from using their services to access around 117 pirate domains.

According to French publication l'Informe, which broke the news, Google attorney Sebastien Proust crunched figures published by government anti-piracy agency Arcom and concluded that the effect on piracy rates, if any, is likely to be minimal. Starting with a pool of all users who use alternative DNS for any reason, users of pirate sites -- especially sites broadcasting the matches in question -- were isolated from the rest. Users of both VPNs and third-party DNS were further excluded from the group since DNS blocking is ineffective against VPNs. Proust found that the number of users likely to be affected by DNS blocking at Google, Cloudflare, and Cisco, amounts to 0.084% of the total population of French Internet users. Citing a recent survey, which found that only 2% of those who face blocks simply give up and don't find other means of circumvention, he reached an interesting conclusion. "2% of 0.084% is 0.00168% of Internet users! In absolute terms, that would represent a small group of around 800 people across France!"

In common with other courts presented with the same arguments, the Paris court said the number of people using alternative DNS to access the sites, and the simplicity of switching DNS, are irrelevant. Canal+ owns the rights to the broadcasts and if it wishes to request a blocking injunction, it has the legal right to do so. The DNS providers' assertion that their services are not covered by the legislation was also waved aside by the court. Google says it intends to comply with the order. As part of the original matter in 2023, it was already required to deindex the domains from search results under the same law. At least in theory, this means that those who circumvented the original blocks using these alternative DNS services, will be back to square one and confronted by blocks all over again. Given that circumventing this set of blocks will be as straightforward as circumventing the originals, that raises the question of what measures Canal+ will demand next, and from whom.

  • Have address for site A point to site B and address for B point to site C and address for C point to site A. Done, DNS poisoned -- technically. Honest French court, the pirates won't figure that out.

    • by PPH ( 736903 )

      From TFS:

      the companies must prevent French internet users from using their services to access around 117 pirate domains.

      So, the proposed solution doesn't appear to support the letter of the law, never mind the spirit. If the end result is just to direct users to another pirate domain.

      • Simpler solution: just block access to your DNS servers from France. That does comply with the ruling, is easy to implement and doesn't affect anyone else.
        • If past rulings in France are any indication, they want these bans to affect all French citizens, no matter where in the world they access it from.

          Which IMO means the French government should require its citizens to identify themselves on the internet no matter where they access it from, that way non-French servers can easily determine who they need to ban to satisfy the French government.

          If they can't do that, then these tech companies are probably going to have to simply exit the EU, and run their services

        • by unrtst ( 777550 )

          Simpler solution: just block access to your DNS servers from France. That does comply with the ruling, is easy to implement and doesn't affect anyone else.

          Look at who they're pressuring: Google, Cloudflare, and Cisco
          Why do those entities offer publicly accessible recursive DNS resolution?

          For Google, it's relatively low cost to run, and they get to track all those queries. That data is a gold mine to them. The cost/benefit to this means they'll block these sites so they can keep the data coming in from everyone else. Also, Google _STILL_ ends up getting the DNS queries for the troublesome domains, so there is zero loss to them by poisoning those DNS entries.

          A

    • Couldn't they poison DNS to send all the pirate looky-loo types directly to the French Courts web page?
      • Couldn't they poison DNS to send all the pirate looky-loo types directly to the French Courts web page?

        I'm sure that would turn on some people. Would their order apply to "Court Porn"? :-)

  • Insane ruling (Score:5, Interesting)

    by SmaryJerry ( 2759091 ) on Monday June 17, 2024 @06:16PM (#64556579)
    DNS blocking is like stopping crime by forcing a meth dealer to change their street address. Also, isn't DNS global for many of these companies so they are trying to impose local laws globally which is a disaster.
    • by gweihir ( 88907 )

      More like removing the sign with the street-name.

      The thing is the TLD DNS in these cases is already in some other jurisdiction and does not care or they could have the site entry removed. And with that, any resolver that is not legally affected can resolve the server name (or do the next step if it is not a recursive one).

    • by skogs ( 628589 )

      I would suggest that these large external providers simply stop responding to any IP address in France.
      I see no reason why they shouldn't deny a free unpaid service to a couple million people because 800 of them are 'pirates'.

      I'm sure a reasonable investigation would aid in finding these terrible illegals. Instead they're crying in public and doing stupid technical things that shouldn't be done.

    • Do as the court says and then never mention how ineffective it is.

    • by AmiMoJo ( 196126 )

      I don't think DNS blocking is a good idea, but just on the point about DNS being global, these companies all run local servers inside France. Their CDN network directs users to the closest server, so they can in fact create the blockade just for the servers physically located inside France.

    • Also, isn't DNS global for many of these companies so they are trying to impose local laws globally which is a disaster.

      Actually, no. Many DNS servers will give different results based on the source IP from which the query originates. Only at the root level is DNS truly global.

  • by Seven Spirals ( 4924941 ) on Monday June 17, 2024 @06:21PM (#64556595)
    Unbound and other local DNS resolvers might be a decent idea. At least then they have to poison the root servers (which might not always work to do what they want). Continued attempts at poisoning may actually destabilize the way DNS works altogether depending on how far they go. If so, this opens up a vacuum for "what replaces DNS?" for those who reject the international censors. That's a good thing and a good question. The more decentralized the better in order to hide the control surfaces from individual governments.
    • You can't realistically poison the roots in this way.
      Nobody asks the root for an A record.

      You ask for the TLD NS records, then you ask one of them for the NS record for the domain, then you ask that NS server for the A record.
      If they *could* force the roots to poison- they would.
      The design makes it so they can really only target recursors.
      • by gweihir ( 88907 )

        Hahaha, yes. Asking a root server for anything is not a thing you want to do often. And they do not recurse. No idea how fast they are now, but 15 years ago you could wait a minute or longer for a root server to answer. They could theoretically poison the respective TLD server, but realistically, the TLD server will be in a different jurisdiction than the block order anyways or they could just ask it to legitimately remove the domain. Hence you can either recurse yourself or ask somebody that also could not

        • Bingo.
        • by Shakrai ( 717556 )

          No idea how fast they are now, but 15 years ago you could wait a minute or longer for a root server to answer.

          Uhh, I've been on the Internet since the early 90s and I have never seen it take 60+ seconds to get an answer from a root server. The entire DNS system would break down if that were the case. Their answers come back in milliseconds, as do answers from most DNS servers worth a damn, and the root servers should be (in theory) even faster since they're authoritative only for TLDs and do not do recursion.

          • by gweihir ( 88907 )

            1) The Internet would not in any way "break down". DNS caching is a thing and root-server answers come with 48h lifetime by default.
            2) I did not do any systematic study or anything, but I am pretty sure that is what I saw and I did the query repeatedly.

            • by Shakrai ( 717556 )

              Thank you for mansplaining how DNS caching works. Now try mansplaining which root server you hit that took over >60 seconds to respond to a query. I just went through eight of them and all eight responded in under 30ms. The gTLD servers also responded similarly fast when looking up domains under the various TLDs.

              • by gweihir ( 88907 )

                If you just want to be an insightless asshole, I will simply stop communicating with you. Or you could notice that I wrote "15 years ago" and no, the Internet would _not_ break down if root DNS were slow. Interestingly you have not even answered to that.

                • by Shakrai ( 717556 )

                  You might have noticed that my time on the Internet predates "15 years ago", I never saw the behavior you claim you did, and I said "the DNS system would break down", not "the Internet". You can quibble over the definition of "break down" by pointing to cache, except, server reboots/cache resets are a thing, and there's a long list of reasons why it would be problematic if it took seconds -- let alone minutes -- to get answers from the root servers.

                  I've been involved in systems administration, including D

      • You can easily do that. I have seen in Italy an ISP which was redirecting anything to udp/tcp port 53 to their own resolvers.
        So, put any IP you want and you will get the same data, even if no DNS service exists on that IP.

        But, that's harder to block DoH unless it only runs on specific IPs like 8.8.8.8.

        • It's not 1999. DNS is generally not done over port 53 by default anymore. In fact if you use either Chrome or Firefox you're firing DNS queries over port 443 using DoH (DNS over HTTPS) by default.

        • You can easily do that. I have seen in Italy an ISP which was redirecting anything to udp/tcp port 53 to their own resolvers.

          That is not poisoning the root, that's pretending to be the root. Entirely different situation.
          And still entirely useless, since as mentioned- you don't ask the root for A records.

          Really, all you're doing- is as I mentioned- poisoning the recursor.

          • It's not poisoning root. It's pretending to be every DNS server on the internet. You don't need to poison root to give manipulated answers once you control the network.

            • Unsure if we're having a language barrier, here.
              You seem to have missed the point of my post.

              Person I replied to said that "they could poison the root".
              I then explained to them that due to the design of DNS- its hierarchical nature- one doesn't poison the root to take over a host record.
              You have to target the authoritative nameserver for that domain, or whatever recursor the person is using.

              In the case where the ISP cannot redirect all of the customer's DNS traffic (what the article is about, hence w
    • by jvkjvk ( 102057 )

      Simply use a VPN. Problem solved.

    • Continued attempts at poisoning may actually destabilize the way DNS works altogether depending on how far they go. If so, this opens up a vacuum for "what replaces DNS?" for those who reject the international censors. That's a good thing and a good question. The more decentralized the better in order to hide the control surfaces from individual governments.

      Introducing chaos is not automatically an entry point for the good guys to mount their offensive. How did the breakdown of national security during 9/11 turn out? Maybe we could come around to something better. But unless someone can actually point to it as it presently exists and make a very good case for it to sweep in and save the day, I am going to be much more inclined to believe that the entities with massive amounts of political and economical power are going to get to resolve the chaos their way.

      Th

      • Breaking things lets these entities get a do-over in dictating the outcome.

        Good point. I was hoping for a do-over to make things less vulnerable to individual government policy. You seem to be pointing out that the do-over might give them more power and that's more likely.

        The main advantage the free internet has right now is that much of it was defined before where it was going was obvious

        Alas, you're right. The chance for building something else, like a nationwide WiFi/LoRa network using volunteers has already been thought of by governments and other bad guys. They now use the threat of kiddiepron to shut that down, as it's not clear what would happen to a volunteer run network if tested in court

    • by jonadab ( 583620 )
      I realize the people behind this *intend* for the public to perceive it as a law-enforcement measure (specifically, copyright law enforcement), and in practice they're doing it mainly to maintain the illusion that they can actually do stuff they said they can do, so they don't look as incompetent as they are, and that's all pretty normal, coming from any major government.

      But, it is nonetheless true that DNS poisoning is fundamentally a technique for compromising the security of computer systems that don't b
  • Being a DNS resolver of choice isn't likely to last very long after you lose the public's trust that you're actually supplying the data they are requesting. These entities don't supply DNS services for fun, they have a profit motive.

    Creating a new market pressure to use alternatives is not going to be very palatable to them.

  • by gweihir ( 88907 ) on Monday June 17, 2024 @07:05PM (#64556695)

    Always funny because I run my own MTA. For DNS resolution, I currently use my ISP, but using a different DNS or even running your own recursive resolver is really not that hard. Whoever is impressed by a DNS block is truly a digital have-not.

  • If they're not using a VPN, and not using the VPN service's DNS, they are just asking for it anyways.
  • The laws of the United States, in which these companies are based, disallow the government(s) to force publishing any speech of any kind, true or false.

    That means Google, etc. have a constitutional US right to put what they want into DNS, although as an ITSEC guy I'll go with "just put the real data in there."

    France is a great country, and I hope they eat their cheese and drink their wine and surrender to nazis... but they don't get to tell USican companies to poison DNS.

    France courts - you have exceeded you

    • The laws of the United States, in which these companies are based, disallow the government(s) to force publishing any speech of any kind, true or false.

      The US Constitution only places restrictions on US governments, not any other government.

      but they don't get to tell USican companies to poison DNS.

      They can in France where companies doing business there are required to follow French law, just as companies doing business in the US have to follow US laws.

  • Acts of terror to support a commercial venture... I'm not so sure they thought this through.

  • Fails again ... because internet

  • Yet another step in preparation for the summer Olympics. They are trying to make sure that all the money from streaming goes to authorized broadcasters and, ultimately, in part, to the French government.
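
The delegation walk described in the thread above (ask the root for the TLD's NS records, the TLD server for the domain's NS record, then that server for the A record), as an added toy model that is not from the story or from any commenter. All names, addresses and the `Recursor` class are constructed for illustration; it shows that an override installed at one recursor changes answers only for that recursor's clients, and that comparing its answers with the authoritative walk reveals which names are overridden.

```python
# Toy model of DNS delegation. All names and addresses are constructed
# (".example" TLD, 192.0.2.0/24 documentation range); no network access.
ROOT = {"example": "tld-ns"}  # the root only knows which server handles each TLD
SERVERS = {
    # The TLD server holds delegations (NS), never host addresses.
    "tld-ns": {"NS": {"streams.example": "auth-a", "docs.example": "auth-b"}},
    # Authoritative servers hold the actual A records.
    "auth-a": {"A": {"streams.example": "192.0.2.10"}},
    "auth-b": {"A": {"docs.example": "192.0.2.20"}},
}


def iterative_resolve(name):
    """Walk root -> TLD -> authoritative. Returns (address, servers_asked)."""
    asked = ["root"]
    tld_server = ROOT.get(name.rsplit(".", 1)[-1])
    if tld_server is None:
        return None, asked
    asked.append(tld_server)
    auth_server = SERVERS[tld_server]["NS"].get(name)
    if auth_server is None:
        return None, asked
    asked.append(auth_server)
    return SERVERS[auth_server]["A"].get(name), asked


class Recursor:
    """Hypothetical public resolver with an optional per-name override list."""

    def __init__(self, overrides=None):
        self.overrides = dict(overrides or {})

    def resolve(self, name):
        if name in self.overrides:  # local policy wins before any lookup
            return self.overrides[name]  # None models a "no such name" answer
        return iterative_resolve(name)[0]


def overridden_names(recursor, names):
    """Names whose recursor answer differs from the authoritative walk."""
    return [n for n in names if recursor.resolve(n) != iterative_resolve(n)[0]]


if __name__ == "__main__":
    blocking = Recursor({"streams.example": None})
    print(iterative_resolve("streams.example"))
    print(overridden_names(blocking, ["streams.example", "docs.example"]))
```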
