A Not-So-Brief History of DNS Blocking — And Why It Sucks

I suppose I’m getting old. I cannot believe that the intellectual property lobbyists (or, as I affectionately refer to them, the “IP Mafia”) have once again trotted out their Holy Grail of blocking websites at the domain-name level. More mind boggling, I cannot believe that this idea gets more popular with policymakers over time, despite the fact that DNS blocking would do far more widespread damage to our overall economy and communications infrastructure today than it could have done back when the IP Mafia, the anti-pornography crusaders, and all the other would be censors of the Internet first floated it in the late 1990s. Part of the problem, of course, is that the vast majority of people (lucky for them) never had to sit through the endless iterations of this for the last fifteen years. Hence, the endless repetition by “serious” white-haired guys who just happen to work for the largest content companies who have not updated their talking points since the late 1990s and rant about how this ‘gosh-darned Internet is full of lawlessness and by-gum we gotta do something con-sarnit.’

So please forgive yet another old geezer his wander down memory lane on DNS blocking and why it builds a massive security hole into our underlying broadband infrastructure. For those playing at home, this is why the vast majority of the cybersecurity establishment in the United States is having serious heebie-jeebies about PIPA/SOPA. Sandia National Laboratory is not exactly a hotbed of piracy, and former Bush Admin Cybersecurity Czar Stewart Baker is hardly part of the “information wants to be free” crowd. They are freaked out because the proposal builds a permanent hole in our broadband infrastructure and invites every identity thief and Iranian hacker to come in and do their worst. Which means that even if we totally 100% believed the Hollywood lobbyists about the legal intent of the law, building the capacity to do DNS blocking compromises security for everyone. Because once the capacity is built in to the system, it will get hacked and exploited. So while we are sitting here in the dark because some hacker crashed our electric grid, or trying frantically to chase down every identity thief who redirected our credit card information from Amazon.com, we can console ourselves that Congress never intended for this to have any domestic impacts.

More below . . .

For those new to this issue, I highly recommend reading the background provided by my employer Public Knowledge. But for those trying to move through this post quickly, here’s a recap of the current state of play.

People who oppose PIPA/SOPA

The Center for Democracy and Technology (CDT) keeps a growing list of who opposes PIPA/SOPA. To summarize the high points.

National Sandia Lab and every other significant cybersecurity expert and organization. The engineers who created the Internet, who created the most popular software for routing Internet traffic, and most Internet engineers generallyHuman rights orgsTea Party Patriots, Heritage Foundation, Competitive Enterprise Institute, Brookings Institution, Moveon.org, and just about every other major activist organization on the left or right. Consumer groups. Law ProfessorsInternet companiesVenture capitalists, start ups, and business peopleIndependent musicians. Ashton Kutcher. MC Hammer. And lots and lots of ordinary users in these communities getting pissed off and calling their members of Congress.

And the Obama Administration.

People who support PIPA/SOPA

The Movie Industry, The Music Industry, The Television Industry.

People who get money from any of the above – and not even all of those.


As an aside, one of the amazing, heartwarming and ironic things about PIPA/SOPA is that it plays like some Hollywood movie about traditional enemies all setting aside their traditional hatreds to fight the common enemy that threatens to destroy us all. Sadly, in this case the common enemy that threatens to destroy us all is Congress on a PAC contribution-high passing legislation that compromises cybersecurity, free speech and fundamental liberties rather than some space alien or foreign army. Ah well. Back to the story . . . .

Our Story So Far

We have two bills that supporters are pushing through Congress as fast as humanly possible. Because hey, when the lobbyists you love want you to screw up something as critically important as the Internet, you need to move damn fast before anyone not receiving Hollywood money (and there are some) gets a chance to look too closely. On the Senate side, we have the Protect IP Act (PIPA), championed by both Harry Reid (D-NV) and Pat Leahy (D-VT). PIPA was introduced by Leahy on May 12, 2011. It went to mark up and was passed out of the Judiciary committee a mere two weeks later, on a theory that why would anyone want an actual hearing with experts and stuff. And because the Senate has absolutely nothing better to do, and because the case for this legislation is so obviously cut and dried, has scheduled a cloture vote for January 24, the day after the Senate reconvenes.

On the House side, we have a bill sponsored by House Judiciary Chair Lamar Smith (R-TX), called the Stop Online Piracy Act (SOPA). In a demonstration that sometimes the “People’s House” can prove more thoughtful than the “Greatest Deliberative Body,” Smith actually held a hearing on SOPA. For better or worse, the hearing turned into a competition for who could display the most ignorance about the actual engineering issues and how they impact cybersecurity, prompting committee member and Cybersecurity Subcommittee Chair Dan Lungren (R-CA) to ask Smith for a referral to the Cybersecurity Subcommittee for a hearing on the off chance that, you know, maybe there might possibly be some security concerns with messing with the guts of the Internet to enable people to redirect internet traffic.

Smith decided that having experts in to examine the bill raised too many concerns, for example they might point out all the security flaws, so he scheduled a mark-up of SOPA instead. Happily, thanks to the delaying tactics of dedicated members who think that actually taking the time to do this right might be important, we were treated to the spectacle of Lamar Smith, born-again conservative representative from Texas, adamantly defending the copyrights of pornographers against an amendment proposed by the gay progressive from Denver. More importantly, they successfully kept SOPA from getting out of Committee before the members went home for break.

And then the sh** storm erupted. Turns out just about everyone in the universe not paid by the entertainment industry absolutely hates PIPA and SOPA. It takes a heck of a bill to get Tea Party Patriots and Moveon.org moving in the same direction, to get Competitive Enterprise Institute to tell U.S. Chamber they are backing the wrong horse, and get just about every cybersecurity expert in the country to say “What the $#@! Are you morons thinking??!!” But while Lamar Smith and other House supporters have gone back to the drawing board for now  (possibly because they found themselves facing actual primary challenges over SOPA), Pat Leahy and Harry Reid remain adamant that we need to pass this into law and only THEN should we do a study to find out how bad it is. Because passing laws that create gaping security holes in our cyber-infrastructure and get condemned as free speech violations by Reporters without Borders and similar orgs is a better way to create jobs than focusing on legislation actually designed to create jobs.

What Is DNS Blocking And How Does It Work

You can find much clearer, more concise explanation on the Public Knowledge website. For the technically inclined, you can see Paul Vixie’s most recent explanation of why this proposal is so awful here. But here’s my old geezer take on it.

Things move along the internet via something called the TCP/IP protocol suite. Places on the Internet have internet protocol (IP) addresses, which are long strings of numbers. Since human beings don’t do well with long strings of numbers, a bunch of folks at the dawn of the Internet (the most famous of whom was Jon Poste) decided to develop a way to convert the IP addresses into domain names (e.g., “example.com”) and back again. We call this system for converting names to IP addresses that machines understand the “domain name system” or “DNS” for short. This system was designed by engineers who assumed that the users of this system would be people who wanted to voluntarily interconnect with each other, and they therefore made it super easy for people to use to move information from one place to another. Sadly, they did not spend a lot of time thinking about how total wankers could mess it up, so they did not put a lot of effort into figuring out how to handle questions of security, piracy, or other forms of basic human dickishness.

About the mid-1990s, the Internet went mainstream. All of a sudden, an entire world of total assholes and utter idiots had access to the system and proved very inventive about how to behave badly – whether that involved registering domain names that corresponded to the names of famous trademarks or thinking up exciting ways to attack networks so that others couldn’t use them. Meanwhile, for awhile there, it also looked like the Internet was a magic genie that kept laying golden eggs or some such. While that attracted a lot of business, it also got a lot of people used to making money in traditional ways worried about this “disruptive” technology. Finally, as with every other human technology ever developed, people started using it for stuff other people didn’t like, ranging from the outright illegal and disgusting (child porn) to stuff we consider noble and wonderful but other governments think suck (political free speech).

It did not take those who wanted to control the Internet, whether in the interest of protecting the innocent, being a total jerk, a complete dictator, an incumbent looking to keep out the competition, a censor of pornography, or just someone who felt wronged by any of the above, that the DNS represented the closest thing the Internet had to a central control switch. For the Internet to work, everyone needed to have the same address system. Disappear from the address system and no one can find you – unless you find a way back into the address system.

So lots of people wanted to get their paws on the DNS – all for what they considered the best of reasons. In the end, only trademark holders got their hooks in to the naming system, primarily by not going after the IP addressing part the engineers considered the important part. The result was the creation, after much angst and kvetching, of the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN was designed as a “technical coordinating body” that was never, ever, ever supposed to get into actual policy or content regulation – except for the trademarks as domain names thing.

For various reasons, ICANN proved to be a complete genius at doing as little as possible as slowly as possible when it came to policy. As a result, pretty much everyone who had hoped to seize control of ICANN as a means of gaining control of the naming system of the Internet either wandered off.

DNS Rerouting Does Not Die

Various means of hacking the DNS to reroute traffic did not die when folks gave up on leveraging ICANN. Nation states like China required their internet service providers (ISPs) to block access to sites by blocking their IP addresses and engage in DNS filtering. The government tells the ISPs to reroute traffic away from certain sites and prevent traffic from those sites from reaching  subscribers in their countries. Meanwhile, illegal hackers went from being just assholes to extremely serious and extremely dangerous criminals and terrorists. Remember when I said that the engineers who created the Internet did not give a lot of thought to the idea that people would try to mess it up? The construction of the DNS left it vulnerable to all kinds of attacks, from distributed denial of service (DDOS) attacks that can paralyze portions of the network, to DNS redirection attacks that reroute traffic without the user knowing from the intended site to an illegitimate site, allowing the hacker to capture the information or insert themselves in networks (e.g., man in the middle attack). And every now and then, you had something really dramatic, like the time Pakistan accidentally hijacked the web by blocking Youtube.

DNSSEC Solves Security Problems By Making DNS Rerouting As Impossible As Possible

As a result, of all the security problems with DNS, ICANN started a project to develop a more secure form of DNS. Happily, while ICANN has a policy process that moves at the speed of molasses in winter, it does get tech coordination done. Eventually. After a couple of years of playing around on security, the ICANN process (which includes the IETF process) developed domain name system security extensions  DNSSEC. DNSSEC makes sure that the DNS routing requests and information are authentic. While not a cure-all (nothing ever is), pretty much everyone in cybersecurity agrees that DNSSEC is an important improvement in routing internet traffic and that we will improve our security by gradually converting our DNS routing infrastructure to include DNSSEC.

Now comes the rub. DNSSEC is utterly incompatible with the DNS rerouting and DNS filtering mandated by PIPA (and effectively mandated by SOPA). That’s not just me talking, that’s pretty much everybody not taking entertainment industry money. PIPA/SOPA requires that every broadband provider have a mechanism for blocking “rogue” websites (and, depending on the version of the bill, other sites as well). Just who could get swept up and blocked by the bill is the part that degenerates into a shouting match, with PIPA/SOPA supporters saying it will only get the “worst of the worst” and those of us who have seen these guys rampantly abuse the existing copyright rules for taking down website content and the recent seizures of domain names by the U.S. government viewing these assurances rather skeptically. But all that misses the bigger point that has the cybersecurity establishment freaked out. Just having this capacity forced into the system at all, regardless of how you intend to use it, makes it impossible to secure DNS with DNSSEC.

In fact, it does just the opposite. It mandates that every broadband provider in the country must build the very security hole DNSSEC is designed to fix into its system as a feature. To put this in terms the non-technically inclined PIPA supporter can understand, this ranks up there with Doofenshmirtz (from Phineas and Ferb) building a self-destruct button into every –inator. He doesn’t intend for it to ruin his plans, but it always does. Similarly, no matter how much the IP Mafia insist that they only intend to use the PIPA tools on foreign websites, it doesn’t matter. At some point, the hacker equivalent of Perry the Platypus is going to come along and push the self destruct button. At which point, it is a little too late for PIPA supporters to say “whoops! Sorry we left a gaping security hole for hackers to take down the power grid. But at least we stopped several dozen tweens from illegally downloading a preview copy of Twilight: Breaking Dawn Part II.”

Which Brings Us To Our Mindboggling Conclusion

So on one side, we have the entire cybersecurity establishment, free speech advocates, engineers, companies that actually use the Internet, and the White House saying: “My God! For the love of humanity, if you care on iota about the future of the United States, please don’t pass PIPA.” On the other side, you have the people who thought a remake of Arthur would be a summer blockbuster saying “Oh ignore them.” So of course, Harry Reid and Pat Leahy decide to settle this the rational way – by listening to the Hollywood guys as the altrusitic voices of reason and dismissing everyone else as evil Google/Facebook mercenaries lying for financial gain. The fact that the Hollywood guys give them the campaign contributions and cameo roles in Batman movies in no way influences this evaluation, of course.

So Leahy has announced, in a press release that makes it clear he still remains deeply suspicious that actual engineers who do cybersecurity for a living could possibly know what they are talking about rather than MPAA lobbyists, that he would amend PIPA to make DNS blocking of rogue websites mandatory just like before. However, after we require broadband providers to install this security hole in our broadband infrastructure, we will then study it to determine just how much damage it will do. Meanwhile, Harry Reid admits that he doesn’t know what effect PIPA will have, and that it will probably be bad, but we should pass it anyway because, ummmm…jobs or something.

Yes, as my colleagues at Public Knowledge have chronicled, PIPA would still suck rocks even if DNS Blocking dropped out entirely. Also, you would think that once the IP Mafia turned out to be utterly and completely wrong about the centerpiece of the bill, you might want to go back and reexamine everything else because maybe, possibly, they were equally wrong about the other sections.  But it is mind-bogglingly astounding that, after all the evidence and protest from folks who normally don’t give a rat’s patootie about copyright policy and generally try to avoid politics, Pat Leahy and Harry Reid remain blissfully immune to persuasion even on the DNS blocking provisions. Just as Senators from tobacco states have an inability to understand that smoking causes cancer, and any evidence you point to remains highly suspect and merely anecdotal, so too have Senators Leahy and Reid developed an astounding inability to listen to what actual engineers say if it contradicts what their good buddies from Hollywood tell them at fund raisers.

Finally, in what is perhaps the ultimate irony, we have Harry Reid and Pat Leahy siding with Rupert Murdoch against the Obama Administration. Add it to the list of things you thought you’d never see, along with Lamar Smith defending pornographers and Marsha Blackburn pushing for deep regulation of the Internet.

We have until January 24 to change their minds, or change the minds of enough other Senators to keep PIPA from moving forward. Tomorrow, major websites from Reddit to I Can Has Cheeseburger to Wikipedia will go dark to protest PIPA, hopefully breaking through the mainstream media blackout and raising awareness of the issue.  We have 6 cosponsors recanting. If we keep up the pressure, I am hopeful we can bring enough to their senses.

Stay tuned . . . .

Comments are closed.