For many years, I’ve been one of the people who work to make the Internet as safe and secure as possible — a task I’ve sometimes compared to being a sheriff who helps to bring law and order to the Wild West. And although the real Wild West has been civilized for more than a century, the virtual version — the Internet — is still decidedly wild.
For example, in October, the Internet Corporation for Assigned Names and Numbers (ICANN) gathered in Toronto for one of its regular meetings. One topic of growing interest at the meeting was DNS blocking, and it’s a topic that will continue to surface into the foreseeable future. The reason? It’s something that governments around the world are interested in and that online users care about. And that means it’s something both security and law enforcement professionals need to learn more about, with a focus on what’s effective and what is not.
As a start, ICANN’s Security and Stability Advisory Committee (SSAC), of which I am a member, recently issued a paper on DNS blocking: “Advisory on Impacts of Content Blocking Via the Domain Name System (DNS).”
DNS blocking lets an organization, or a government, exert a degree of control over what its users can reach by name: a blocked name simply stops resolving (or resolves to an address the operator chooses) at the resolvers the organization runs. The content itself is untouched and stays reachable by anyone who resolves the name elsewhere. Blocking is implemented, or under consideration, for reasons ranging from court orders and law-enforcement action to treaty obligations. Some organizations view preventing access to Web content in the same light as blocking long-distance dialing on an office phone system to keep workers from incurring charges: if a site hosts content that could infect computers with malware, for example, the organization might adopt a policy to block lookups for that name so that users can no longer reach it. However, DNS blocking and its ramifications are far more complex than blocking a telephone number.
The reality is that DNS blocking is usually straightforward to bypass; a user who switches to a different recursive resolver, or who already knows the address, never sees the block. That makes the DNS an ineffective enforcement point, and one whose short-term side effects are hard to predict: a block aimed at one name can also catch unrelated services that happen to be reached through it, so users of perfectly legal sites can find themselves temporarily locked out.
There are also longer-term ramifications, and the primary one is that DNS blocking conflicts with the adoption of DNS Security Extensions (DNSSEC). As an example, earlier this year Comcast shut down its “Domain Helper,” a service that offered suggestions and links to customers who mistyped a Web address. Domain Helper worked by what Chris Griffiths, Comcast’s Manager of DNS Engineering, termed “DNS response modification tactics”: in other words, the resolver rewrote the answer it returned, turning a failed lookup into a pointer to a Comcast landing page.
Comcast found that modifying answers at the resolver, which is what any DNS redirect or blocking service does, is technically incompatible with DNSSEC. A signed zone’s answers carry signatures made with the zone operator’s key; a resolver that rewrites an answer cannot produce a matching signature, so a validating client sees exactly what it would see under a malicious modification of DNS traffic, such as the DNS cache poisoning attacks that I wrote about previously. Comcast chose to turn off the redirection rather than leave its customers unable to tell whether a DNS failure was intentional policy or the work of an attacker.
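The collision is easy to see in miniature. The Python below is an added illustration, not code from Comcast or from the SSAC advisory, and it simplifies DNSSEC heavily: the RRSIG is modelled as a textbook RSA signature over the canonical RRset using a tiny, constructed key pair (never use such a key for anything real), the validating client is assumed to already trust the zone’s public key, and the names, addresses and the `SignedZone`, `modify_response` and `validate` helpers are invented for the example. It contrasts a genuine answer, the same answer rewritten at the resolver to point at a block page, an attacker’s forged answer, a resolver that drops the signature, and a block applied by the zone operator, who holds the signing key and can re-sign.

```python
"""Why resolver-side DNS rewriting collides with DNSSEC, in miniature.

Added illustration, not code from the original post. Simplifications:
the RRSIG is a textbook RSA signature (tiny constructed key, no padding)
over the canonical RRset, and the validating client already trusts the
zone's public key (N, E). Names and addresses are documentation examples.
"""
import hashlib

# Constructed toy zone key pair standing in for the zone's DNSSEC signing key.
# The zone operator holds D; every resolver and client only has (N, E).
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def canonical(owner, rtype, rdata):
    """Canonical form of an RRset: owner name, type and sorted rdata.
    This is the data an RRSIG actually covers."""
    return f"{owner.lower()} IN {rtype} " + " ".join(sorted(rdata))


def rrset_hash(owner, rtype, rdata):
    digest = hashlib.sha256(canonical(owner, rtype, rdata).encode()).digest()
    return int.from_bytes(digest, "big") % N


def sign(owner, rtype, rdata, private_exponent=D):
    """Produce the RRSIG. Only the holder of the private key can do this."""
    return pow(rrset_hash(owner, rtype, rdata), private_exponent, N)


def verify(owner, rtype, rdata, rrsig):
    """What a validating resolver or stub does, using only the public key."""
    return pow(rrsig, E, N) == rrset_hash(owner, rtype, rdata)


class SignedZone:
    """Authoritative data plus signatures, as published by the zone operator."""

    def __init__(self, records):
        self.records = {}
        for owner, rtype, rdata in records:
            self.publish(owner, rtype, rdata)

    def publish(self, owner, rtype, rdata):
        # A change made at the zone is re-signed by the key holder, so it
        # validates. This is the DNSSEC-compatible place to block a name.
        self.records[(owner, rtype)] = (list(rdata), sign(owner, rtype, rdata))

    def lookup(self, owner, rtype):
        return self.records[(owner, rtype)]


def modify_response(answer, new_address):
    """Rewrite the rdata of an answer in flight while keeping its RRSIG.

    A resolver applying a block-page redirect and an attacker poisoning a
    cache perform exactly this operation; neither holds D, so neither can
    make the signature match the new data."""
    _rdata, rrsig = answer
    return ([new_address], rrsig)


def validate(owner, rtype, answer):
    """Validating client's verdict. BOGUS is surfaced to users as SERVFAIL."""
    rdata, rrsig = answer
    if rrsig is None or not verify(owner, rtype, rdata, rrsig):
        return "BOGUS"
    return "SECURE"


def demo():
    """Run the scenarios and return the verdict for each."""
    name, rtype = "malware.example", "A"
    zone = SignedZone([(name, rtype, ["192.0.2.10"])])
    genuine = zone.lookup(name, rtype)
    verdicts = {
        "genuine answer": validate(name, rtype, genuine),
        # Resolver-level block: redirect to the ISP's block page.
        "resolver rewrite to block page": validate(
            name, rtype, modify_response(genuine, "198.51.100.1")),
        # Cache poisoning: attacker redirects to a host they control.
        "attacker rewrite": validate(
            name, rtype, modify_response(genuine, "203.0.113.66")),
        # Resolver drops the signature along with the block. Still not SECURE:
        # the client knows the zone is signed and expects an RRSIG.
        "resolver strips RRSIG": validate(name, rtype, (genuine[0], None)),
    }
    # Zone-level block: the operator replaces the record and re-signs.
    zone.publish(name, rtype, ["198.51.100.1"])
    verdicts["zone operator re-signs block"] = validate(
        name, rtype, zone.lookup(name, rtype))
    return verdicts


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:32} {verdict}")
```

The resolver’s block-page rewrite and the attacker’s poisoned answer go through the same function because, from the validating client’s side, they are the same event: data that no longer matches its signature. The only actor who can block a name and still produce a SECURE answer is the one holding the zone’s private key.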
As I’ve noted before, the core infrastructure of the Internet was built when security was an afterthought. And while no security solution is 100 percent “guaranteed” effective, we’re better off operating from a position of maximum security, with validation on and every rewritten answer rejected, than teaching users and software to tolerate modified DNS responses; once a rewrite is treated as normal, an attacker’s redirection hides behind the policy’s.
Along with the technical issues surrounding DNS blocking, there are also political concerns. A recent report from the Office of the High Commissioner for Human Rights noted that “even where justification is provided, blocking measures constitute an unnecessary or disproportionate means to achieve the purported aim, as they are often not sufficiently targeted and render a wide range of content inaccessible beyond that which has been deemed illegal.”
Regardless of how it’s achieved and reviewed, any DNS blocking measure should incorporate the following principles:
• The organization only imposes a policy on a network and users over which it exercises administrative control.
• The organization determines that the policy is beneficial to its own interests and that of its users.
• The organization implements the policy using the technique that is least disruptive to its network operations and users, unless regulations specify certain techniques.
• The organization makes a concerted effort to do no harm to networks or users outside its administrative control as a consequence of implementing the policy.
When these principles are not applied, using the DNS for blocking purposes can cause serious collateral damage and other unintended consequences with few — if any — available remedies.
At the very least, any DNS blocking action should be disclosed to all affected parties, including end users, service providers and application designers. An undisclosed block will likely trigger unnecessary troubleshooting and, potentially, unintended bypassing by network operators and end users. Transparency isn’t a complete solution, but without it DNS blocking can be misdiagnosed as an outage or a malicious attack, and those affected will, not surprisingly, try to work around it.
Governments and organizations should make sure that technical and political implications are fully understood by all parties before blocking policies are developed. Whether you are participating in policy making or you are required to adhere to policies being made, understanding the options — and their results — will help guide your choices.