[Chapter-delegates] Input Request: DNS Blocking

Paul Brooks treasurer at isoc-au.org.au
Tue Jan 18 03:45:02 PST 2011


On 18/01/2011 7:36 AM, Sally Wentworth wrote:
> We have noted that a number of governments are considering and/or implementing public policies to try to address illegal online sites (also known sometimes as “rogue websites” or "sites dedicated to infringing activities") that would require ISPs to block DNS resolution to sites containing illegal content.  While we recognize the need for development of public policy by governments (in consultation with all stakeholders), we believe that policies of this sort would have negative implications for the global DNS and for the implementation of DNSSEC, among other issues.
>
> To help ISOC and its members think about and respond to these issues we are developing principles that have global applicability and also provide a baseline to respond to national policy developments.  We are specifically seeking to address the proposals to require ISPs to block DNS resolution of "illegal" sites.  Please note that this is a different discussion/context than the issues associated with Wikileaks and so we'd like to keep those threads separate here.

We in ISOC-AU have been engaged with advising the Australian government on these sorts
of things - several years ago I put together a presentation (which was circulated
within ISOC I believe) that examined many of the common proposed methods of
implementing content filtering/blocking, and the ease of circumvention, in the context
of the proposals at the time to block Internet content that was 'refused classification'.

DNS blocking was one of those methods, where I pointed out that it was ineffective in
achieving the goal of preventing access to the relevant undesirable content, as it was:
    a) easily bypassed by the viewer, by entering the IP address directly into the browser
    b) easily bypassed by the viewer, by configuring different DNS resolvers into
their computer (especially DNS resolvers off-shore and not subject to the blacklist)
    c) easy to bypass by the content provider, by registering many different domain
names that point to the same IP address
    d) can cause massive collateral damage, by blocking all material hosted under that
domain name whether it is within scope or not
    e) can cause collateral damage by blocking all information exchange regardless of
protocol - a DNS query can't distinguish if it was generated as a precursor to a
webpage query, file transfer or email session (however the authorities might see this
as a bonus)
    f) a vector for denial-of-service attacks on popular sites - e.g. arrange for
twitter.com or facebook.com to be entered into the blacklist


>
> We are thinking of principles along the following lines:
>
> - The Internet is a global network of networks that provides for the neutral passage of packets - requirements to adjust or prevent DNS responses would impair this neutrality.

This characterisation of 'adjust or prevent DNS responses' says nothing about
interfering with the initial DNS query - perhaps change 'responses' to 'exchanges' to
cover both directions.

In any case this principle probably needs more work, as it is not clear to me that
'the industry' agrees on the importance of neutrality, or what neutrality actually
means - as evidenced by the recent US shenanigans. If we can so publicly debate and
disagree on what neutrality means, why would we expect the world's governments to
believe it is important?

> - For the Internet to be truly global it must be consistent - in general, what an Internet user "sees" when accessing a particular domain name from one location should be the same as what is seen when accessing the same domain name from another location
I'm not convinced this is a true principle. Many sites deliberately tailor and change
the look-and-feel of the content to adjust for local conditions, be it geographic
(display in a local language), by device (different content for different sized
screens, mobile vs broadband connection), displaying local-targeted advertising, etc.

You could extend this to add something like "under the sole control of the content
owner - the network should not modify the look-and-feel of the content without the
consent of the content source" which is another way of highlighting the neutrality of
the network - but in the context of a site hosting undesirable content, I don't think a
government policy is going to be too concerned about the desires or consent of the
site owner to be seen the same way everywhere.


> - Policies should be narrowly tailored and consistent with open standards and accepted operational practices: technical “fixes” to short-circuit due process or violate fundamental and accepted procedures may harm the global Internet.
>
> - The Internet is global. International cooperation (rather than country-by-country solutions) at the technical and policy levels is essential.
>
>
> I would appreciate your comments on the above points.  We would also welcome information on whether and how DNS blocking policies are being considered or implemented in your country.  Please send your feedback by Friday, 28 January 2011.
In Australia, the government decided to go with blocking specific URLs, rather than
DNS lookups - however while this remains government policy, implementation of the URL
blacklist has been postponed to an unspecified future.


Hope this helps...


Paul Brooks
ISOC-AU




