[Chapter-delegates] Input Request: DNS Blocking

Carlos M. Martinez carlosmarcelomartinez at gmail.com
Tue Jan 18 04:09:26 PST 2011


I believe Paul summarizes perfectly well all that is wrong with DNS
blocking. I would like to add only the following:

- There cannot be a blacklist that is outside all public scrutiny. No
institution in a democracy works in this way. Even the intelligence
agencies are (sometimes at least) subject to parliamentary oversight.
Why should this blacklist be different?

- There cannot be *any* blacklist that is not open to an appeal process.
Again, the way these blacklists operate reminds one of dark periods in the
history of mankind, with an "extra-judicial" flavor to it. If even an
actual pedophile is warranted a public trial and has the right to due
process, how can a website owner (a much, much lighter offense, even in
the case of actually distributing material) be subject to a secret
and appeal-less process?

Best regards,

Carlos

On 1/18/11 9:45 AM, Paul Brooks wrote:
> On 18/01/2011 7:36 AM, Sally Wentworth wrote:
>> We have noted that a number of governments are considering and/or implementing public policies to try to address illegal online sites (also known sometimes as “rogue websites” or "sites dedicated to infringing activities") that would require ISPs to block DNS resolution to sites containing illegal content.  While we recognize the need for development of public policy by governments (in consultation with all stakeholders), we believe that policies of this sort would have negative implications for the global DNS and for the implementation of DNSSEC, among other issues.
>>
>> To help ISOC and its members think about and respond to these issues we are developing principles that have global applicability and also provide a baseline to respond to national policy developments.  We are specifically seeking to address the proposals to require ISPs to block DNS resolution of "illegal" sites.  Please note that this is a different discussion/context than the issues associated with Wikileaks and so we'd like to keep those threads separate here.
> We in ISOC-AU have been engaged with advising the Australian government on these sorts
> of things - several years ago I put together a presentation (which was circulated
> within ISOC I believe) that examined many of the common proposed methods of
> implementing content filtering/blocking, and the ease of circumvention, in the context
> of the proposals at the time to block Internet content that was 'refused classification'.
>
> DNS blocking was one of those methods, where I pointed out that it was ineffective in
> achieving the goal of preventing access to the relevant undesirable content, as it was:
>     a) easily bypassed by the viewer, by entering the IP address directly into the browser
>     b) easily bypassed by the viewer, by configuring different DNS resolvers into
> their computer (especially DNS resolvers off-shore and not subject to the blacklist)
>     c) easy to bypass by the content provider, by registering many different domain
> names that point to the same IP address
>     d) can cause massive collateral damage, by blocking all material hosted under that
> domain name whether it is within scope or not
>     e) can cause collateral damage by blocking all information exchange regardless of
> protocol - a DNS query can't distinguish if it was generated as a precursor to a
> webpage query, file transfer or email session (however the authorities might see this
> as a bonus)
>     f) a vector for denial-of-service attacks on popular sites - e.g. arrange for
> twitter.com or facebook.com to be entered into the blacklist
>
>
>> We are thinking of principles along the following lines:
>>
>> - The Internet is a global network of networks that provides for the neutral passage of packets - requirements to adjust or prevent DNS responses would impair this neutrality.
> This characterisation of 'adjust or prevent DNS responses' says nothing about
> interfering with the initial DNS query - perhaps change 'responses' to 'exchanges' to
> cover both directions.
>
> In any case this principle probably needs more work, as it is not clear to me that
> 'the industry' agrees on the importance of neutrality, or what neutrality actually
> means - as evidenced by the recent US shenanigans. If we can so publicly debate and
> disagree on what neutrality means, why would we expect the world's governments to
> believe it is important?
>
>> - For the Internet to be truly global it must be consistent - in general, what an Internet user "sees" when accessing a particular domain name from one location should be the same as what is seen when accessing the same domain name from another location
> I'm not convinced this is a true principle. Many sites deliberately tailor and change
> the look-and-feel of the content to adjust for local conditions, be it geographic
> (display in a local language), by device (different content for different sized
> screens, mobile vs broadband connection), displaying local-targeted advertising, etc.
>
> You could extend this to add something like "under the sole control of the content
> owner - the network should not modify the look-and-feel of the content without the
> consent of the content source" which is another way of highlighting the neutrality of
> the network - but in the context of a site hosting undesirable content, I don't think a
> government policy is going to be too concerned about the desires or consent of the
> site owner to be seen the same way everywhere.
>
>
>> - Policies should be narrowly tailored and consistent with open standards and accepted operational practices: technical “fixes” to short-circuit due process or violate fundamental and accepted procedures may harm the global Internet.
>>
>> - The Internet is global. International cooperation (rather than country-by-country solutions) at the technical and policy levels is essential.
>>
>>
>> I would appreciate your comments on the above points.  We would also welcome information on whether and how DNS blocking policies are being considered or implemented in your country.  Please send your feedback by Friday, 28 January 2011.
> In Australia, the government decided to go with blocking specific URLs, rather than
> DNS lookups - however while this remains government policy, implementation of the URL
> blacklist has been postponed to an unspecified future.
>
>
> Hope this helps...
>
>
> Paul Brooks
> ISOC-AU