SecurityWeek

Security Architecture

DNS Blocking: Where Technical Considerations Meet Political Considerations

For many years, I’ve been one of the people who work to make the Internet as safe and secure as possible — a task I’ve sometimes compared to being a sheriff who helps to bring law and order to the Wild West. And although the real Wild West has been civilized for more than a century, the virtual version — the Internet — is still decidedly wild.

For example, in October, the Internet Corporation for Assigned Names and Numbers (ICANN) gathered in Toronto for one of its regular meetings. One topic of growing interest at the meeting was DNS blocking, and it’s a topic that will continue to surface into the foreseeable future. The reason? It’s something that governments around the world are interested in and that online users care about. And that means it’s something both security and law enforcement professionals need to learn more about, with a focus on what’s effective and what is not.

As a start, ICANN’s Security and Stability Advisory Committee (SSAC), of which I am a member, recently issued a paper on DNS blocking called “Advisory on Impacts of Content Blocking Via the Domain Name System (DNS).”

Technical Considerations

DNS blocking allows organizations — or governments — to exercise varying degrees of control over Internet resources. Some of the reasons blocking is implemented (or is under consideration) include court orders, law enforcement action and treaties. Some organizations view preventing access to Web-based content in the same light as preventing workers from incurring phone charges by blocking the ability to dial long-distance numbers. If there is online content that could infect computers with malware, for example, the organization might adopt a policy to block specific DNS lookups so that users can no longer reach that content. However, DNS blocking and its ramifications are far more complex than blocking a telephone number.

The reality is that blocking is usually straightforward to bypass, which means using the DNS for blocking purposes is ineffective and can result in unanticipated short-term consequences. For example, users of legitimate sites could be temporarily “locked out” of those sites.

There are also longer-term ramifications, the primary one being that DNS blocking conflicts with the adoption of DNS Security Extensions (DNSSEC). As an example, earlier this year Comcast shut down its “Domain Helper,” which was created to provide suggestions and links to its customers when they mistyped a Web address. Domain Helper worked by using what Comcast’s Chris Griffiths (Manager of DNS Engineering) termed “DNS response modification tactics.” In other words, it rewrote DNS responses to redirect users.

Comcast found that blocking the DNS at the resolver level (as DNS redirect services do) is technically incompatible with DNSSEC. It creates conditions indistinguishable from a malicious modification of DNS traffic, such as the DNS cache poisoning attacks that I wrote about previously. Comcast chose to turn off DNS blocking rather than leave its customers unable to tell whether a DNS error was intentional or caused by an attacker.
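To make the DNSSEC conflict concrete, here is an added Python simulation, not code from the column or from Comcast, in which a resolver rewrites a signed answer for a blocked name and a validating client then rejects it. The zone, the addresses (RFC 5737 documentation ranges) and the key are constructed for the example, and an HMAC stands in for real public-key RRSIGs; the example also shows that an attacker’s rewrite yields the identical BOGUS result, which is exactly why the two cases cannot be told apart.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the zone's private signing key. Real DNSSEC uses
# public-key RRSIGs chained to the root trust anchor; the HMAC keeps this
# offline while preserving the property that matters: anyone who changes the
# answer without the zone key cannot produce a valid signature for it.
ZONE_KEY = b"constructed-example-net-zsk"
ZONE = {"www.example.net.": ("192.0.2.10",)}   # constructed zone data

@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple

def canonical(rr: RRset) -> bytes:
    """Canonical form the signature covers: owner name, type, sorted rdata."""
    return f"{rr.name.lower()}|{rr.rtype}|{','.join(sorted(rr.rdata))}".encode()

def sign(rr: RRset) -> str:
    return hmac.new(ZONE_KEY, canonical(rr), hashlib.sha256).hexdigest()

def authoritative_answer(name: str):
    """What the signed zone hands out: the RRset plus its signature."""
    rr = RRset(name, "A", ZONE[name])
    return rr, sign(rr)

def rewriting_resolver(name: str, blocked: set, answer, landing_ip: str):
    """Resolver that swaps the answer for a landing page. It does not hold the
    zone key, so the original signature is passed along unchanged."""
    rr, sig = answer
    if name in blocked:
        rr = RRset(name, "A", (landing_ip,))
    return rr, sig

def validating_client(answer):
    """DNSSEC-validating stub: SECURE if the signature covers the data it
    received, otherwise BOGUS, which the user sees as SERVFAIL."""
    rr, sig = answer
    if hmac.compare_digest(sign(rr), sig):
        return "SECURE", rr.rdata
    return "BOGUS", None

def lookup(name: str, blocked: set, landing_ip: str = "192.0.2.200"):
    """End-to-end: authoritative answer -> (possibly rewriting) resolver -> client."""
    answer = rewriting_resolver(name, blocked, authoritative_answer(name), landing_ip)
    return validating_client(answer)
```

Swap the landing address for one an attacker controls and the client's verdict is the same BOGUS, so a help desk looking only at the error cannot distinguish policy from poisoning.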

As I’ve noted before, the core infrastructure of the Internet was built when security was an afterthought. And while no security solution is 100 percent “guaranteed” effective, we’re better off operating from a position of maximum security rather than risking a hack that uses DNS blocking to execute malicious activities.

Political Considerations

Along with the technical issues surrounding DNS blocking, there are also political concerns. A recent report from the Office of the High Commissioner for Human Rights noted that “even where justification is provided, blocking measures constitute an unnecessary or disproportionate means to achieve the purported aim, as they are often not sufficiently targeted and render a wide range of content inaccessible beyond that which has been deemed illegal.”

Regardless of how it’s achieved and reviewed, any DNS blocking measure should incorporate the following principles:

• The organization only imposes a policy on a network and users over which it exercises administrative control.

• The organization determines that the policy is beneficial to its own interests and those of its users.

• The organization implements the policy using the technique that is least disruptive to its network operations and users, unless regulations specify certain techniques.

• The organization makes a concerted effort to do no harm to networks or users outside its administrative control as a consequence of implementing the policy.

When these principles are not applied, using the DNS for blocking purposes can cause serious collateral damage and other unintended consequences with few — if any — available remedies.

At the very least, any DNS blocking actions should be disclosed to all affected parties, including end users, service providers and application designers. Not disclosing the block will likely result in unnecessary troubleshooting activities and, potentially, unintended bypassing activities performed by network operators and end users. Transparency isn’t a complete solution but, without it, DNS blocking can be misdiagnosed as an outage or a malicious attack. And not surprisingly, those affected would likely attempt to mitigate it.

Governments and organizations should make sure that technical and political implications are fully understood by all parties before blocking policies are developed. Whether you are participating in policy making or you are required to adhere to policies being made, understanding the options — and their results — will help guide your choices.
