DNS Blocking: Where Technical Considerations Meet Political Considerations

For many years, I’ve been one of the people who work to make the Internet as safe and secure as possible — a task I’ve sometimes compared to being a sheriff who helps to bring law and order to the Wild West. And although the real Wild West has been civilized for more than a century, the virtual version — the Internet — is still decidedly wild.

For example, in October, the Internet Corporation for Assigned Names and Numbers (ICANN) gathered in Toronto for one of its regular meetings. One topic of growing interest at the meeting was DNS blocking, and it’s a topic that will continue to surface into the foreseeable future. The reason? It’s something that governments around the world are interested in and that online users care about. And that means it’s something both security and law enforcement professionals need to learn more about, with a focus on what’s effective and what is not.

As a start, ICANN’s Security and Stability Advisory Committee (SSAC), of which I am a member, recently issued a paper on DNS blocking, called “Advisory on Impacts of Content Blocking Via the Domain Name System (DNS).”

Technical Considerations

DNS blocking allows organizations — or governments — to have varying degrees of control over Internet resources. Some of the reasons why blocking is implemented (or is under consideration) include court orders, action by law enforcement and treaties. Some organizations view preventing access to Web-based content in the same light as preventing workers from incurring phone charges by blocking the ability to dial long-distance numbers. If there’s online content that could infect computers with malware, for example, the organization might develop a policy to block specific DNS lookups so that users can no longer access that content. However, DNS blocking and its ramifications are far more complex than blocking a telephone number.

The reality is that blocking is usually straightforward to bypass, which means that using the DNS for blocking purposes is ineffective, and it can also produce unanticipated short-term consequences. For example, users of legitimate sites could find themselves temporarily “locked out” of those sites.

There are also longer-term ramifications, the primary one being that DNS blocking conflicts with the adoption of DNS Security Extensions (DNSSEC). As an example, earlier this year Comcast shut down its “Domain Helper,” a service created to offer suggestions and links to customers who mistyped a Web address. Domain Helper worked by using what Comcast’s Chris Griffiths (Manager of DNS Engineering) termed “DNS response modification tactics” — in other words, rewriting DNS answers to redirect users elsewhere.

Comcast found that modifying DNS answers at the resolver level (as DNS redirect services do) is technically incompatible with DNSSEC. A validating client sees a signed answer whose contents no longer match the signature, a condition indistinguishable from a malicious modification of DNS traffic such as the DNS cache poisoning attacks I wrote about previously. Comcast chose to turn off DNS blocking rather than leave its customers unable to tell whether a DNS error was intentional or caused by an attacker.
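To make the DNSSEC conflict concrete, here is an added example (not from the original column or from Comcast) that models a signed RRset, a resolver-level redirect of the answer, and a poisoned answer, then runs all three through validation. It uses an HMAC over the canonical RRset as a stand-in for a real RRSIG; the key, names and addresses are constructed.

```python
import hashlib
import hmac

# Constructed key standing in for the zone's signing key. Real DNSSEC uses
# asymmetric RRSIG records; HMAC is a stand-in so this runs on the standard
# library alone and still shows the validation behaviour.
ZONE_KEY = b"example.com. zone-signing-key (constructed)"

def canonical_rrset(name, rtype, rdata):
    """DNSSEC signs the RRset in canonical form: owner name lowercased,
    rdata sorted, so a resolver reordering records does not break validation."""
    owner = name.lower().rstrip(".") + "."
    lines = [f"{owner} IN {rtype} {r}" for r in sorted(rdata)]
    return "\n".join(lines).encode()

def sign_rrset(name, rtype, rdata, key=ZONE_KEY):
    """Authoritative side: produce the signature over the canonical RRset."""
    return hmac.new(key, canonical_rrset(name, rtype, rdata), hashlib.sha256).hexdigest()

def validate(name, rtype, rdata, rrsig, key=ZONE_KEY):
    """Validating resolver or stub: recompute over the answer actually received."""
    return hmac.compare_digest(sign_rrset(name, rtype, rdata, key), rrsig)

# Constructed answer as published by the zone owner.
NAME, RTYPE, RDATA = "www.example.com", "A", ["192.0.2.10", "192.0.2.11"]
RRSIG = sign_rrset(NAME, RTYPE, RDATA)

def resolver_redirect(rdata, helper_ip="192.0.2.250"):
    """Resolver-level 'response modification': swap the published addresses
    for a block page or helper address while the original RRSIG is kept."""
    return [helper_ip]

def poisoned_answer(rdata, bogus_ip="198.51.100.66"):
    """Cache-poisoning style modification of the same answer (constructed IP)."""
    return [bogus_ip]

def compare_outcomes():
    """Validation result for the honest, reordered, redirected and poisoned answers.
    The validator cannot tell the last two apart: both simply fail."""
    return {
        "published": validate(NAME, RTYPE, RDATA, RRSIG),
        "reordered": validate(NAME, RTYPE, list(reversed(RDATA)), RRSIG),
        "redirected": validate(NAME, RTYPE, resolver_redirect(RDATA), RRSIG),
        "poisoned": validate(NAME, RTYPE, poisoned_answer(RDATA), RRSIG),
    }

if __name__ == "__main__":
    for case, ok in compare_outcomes().items():
        print(f"{case:10s} validates={ok}")
```

The point is the last two rows: the redirect intended as policy and the poisoned answer produce the same validation failure, which is exactly the ambiguity Comcast decided not to impose on its customers.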


As I’ve noted before, the core infrastructure of the Internet was built at a time when security was an afterthought. And while no security solution is 100 percent “guaranteed” effective, we’re better off operating from a position of maximum security than risking an attack that hides behind DNS blocking to carry out malicious activity.

Political Considerations

Along with technical issues in regards to DNS blocking, there are also political concerns. A recent report from the Office of the High Commissioner for Human Rights noted that “even where justification is provided, blocking measures constitute an unnecessary or disproportionate means to achieve the purported aim, as they are often not sufficiently targeted and render a wide range of content inaccessible beyond that which has been deemed illegal.”

Regardless of how it’s achieved and reviewed, any DNS blocking measure should incorporate the following principles:

• The organization only imposes a policy on a network and users over which it exercises administrative control.

• The organization determines that the policy is beneficial to its own interests and that of its users.

• The organization implements the policy using the technique that is least disruptive to its network operations and users, unless regulations specify certain techniques.

• The organization makes a concerted effort to do no harm to networks or users outside its administrative control as a consequence of implementing the policy.

When these principles are not applied, using the DNS for blocking purposes can cause serious collateral damage and other unintended consequences with few — if any — available remedies.

At the very least, any DNS blocking actions should be disclosed to all affected parties, including end users, service providers and application designers. Not disclosing the block will likely result in unnecessary troubleshooting and, potentially, unintended bypassing by network operators and end users. Transparency isn’t a complete solution, but without it DNS blocking can be misdiagnosed as an outage or a malicious attack, and, not surprisingly, those affected would likely attempt to work around it.

Governments and organizations should make sure that technical and political implications are fully understood by all parties before blocking policies are developed. Whether you are participating in policy making or you are required to adhere to policies being made, understanding the options — and their results — will help guide your choices.
