DNS-based internet filter undermines the internet

Image: borders / frontiere by Paolo Cuttitta | License: CC BY

A group of experts says that the US government's bill to filter on the basis of DNS endangers the stability of the internet.

In the report Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill they write, among other things:

By mandating redirection, PROTECT IP would require and legitimize the very behavior DNSSEC is designed to detect and suppress. Replacing responses with pointers to other resources, as PROTECT IP would require, is fundamentally incompatible with end-to-end DNSSEC. Quite simply, a DNSSEC-enabled browser or other application cannot accept an unsigned response; doing so would defeat the purpose of secure DNS. Consistent with DNSSEC, the nameserver charged with retrieving responses to a user’s DNSSEC queries cannot sign any alternate response in any manner that would enable it to validate a query.

DNS filtering does not remove or prevent access to Internet content. It simply prevents resolution by a particular DNS server of a filtered domain to its associated IP address. The offending site remains available and accessible through non-filtered nameservers or numerous other means, including direct accessibility from the client to the server if they have the corresponding information.

As noted above, both users and operators of infringement sites will likely respond to DNS filtering by redirecting users’ DNS settings to point outside of the United States. One cannot predict which DNS services they will use instead, but one can anticipate that some if not many of the new DNS resolvers will be well outside U.S. jurisdiction, possibly run by the same criminals running the infringement sites, and perhaps even on the same systems and hardware.

Data gleaned from their customers’ access to their DNS servers can be useful for a number of purposes. First, it can allow an ISP to identify increases and shifts in traffic, which can inform infrastructure investment, network optimizations, interconnection strategies, and peering relationships. Even more critically, monitoring DNS data is a vital part of maintaining network security. […] As users increasingly turn to other DNS servers to avoid the DNS filtering, ISPs have less and less ability to manage security threats and maintain effective network operations. By losing visibility into network security threats, ISPs will be less able to identify customer computers that have been infected by a virus and come under the control of a criminal botnet.

CDNs localize content delivery by distributing the same content across a number of servers on a wide range of networks. This localization reduces network congestion and decreases the load that would otherwise be put on a single server. Many CDNs use the IP address of the DNS resolver to estimate a user’s location and route the user to the fastest available server. To such networks, U.S. users who have changed their DNS resolvers for all lookups will appear to the CDNs to be browsing from abroad. As a result, these users could be routed to offshore servers not just for DNS queries, but also for content, undermining precisely the benefits CDNs provide by optimizing traffic distribution to account for proximity of client and server.

Two likely situations can be identified in which DNS filtering could lead to non-targeted and perfectly innocent domains being filtered. The likelihood of such collateral damage means that mandatory DNS filtering could have far more than the desired effects, affecting the stability of large portions of the DNS.

First, it is common for different services offered by a domain to themselves have names in some other domain, so that example.com’s DNS service might be provided by isp.net and its e-mail service might be provided by asp.info. This means that variation in the meaning or accessibility of asp.info or isp.net could indirectly but quite powerfully affect the usefulness of example.com. If a legitimate site points to a filtered domain for its authoritative DNS server, lookups from filtering nameservers for the legitimate domain will also fail. These dependencies are unpredictable and fluid, and extremely difficult to enumerate.

Second, some domain names use “subdomains” to identify specific customers. For example, blogspot.com uses subdomains to support its thousands of users; blogspot.com may have customers named Larry and Sergey whose blog services are at larry.blogspot.com and sergey.blogspot.com. If Larry is an e-criminal and the subject of an action under PROTECT IP, it is possible that blogspot.com could be filtered, in which case Sergey would also be affected, although he may well have had no knowledge of Larry’s misdealings.
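
The two collateral-damage cases quoted above (a legitimate domain whose nameservers sit in a filtered domain, and subdomains swept up by a domain-level filter) can be modelled with a small dependency check. This is an added example, not code from the report or from this post; the zone-to-nameserver map, the filter list and the name shop.example are constructed, and parent zones and zones not in the map are assumed to resolve normally.

```python
# Constructed sample data: zone -> hostnames of its authoritative nameservers.
NS_MAP = {
    "example.com": ["ns1.isp.net", "ns2.isp.net"],    # DNS hosted only at isp.net
    "isp.net": ["ns1.isp.net"],                       # in-zone server, reached via glue
    "asp.info": ["ns1.asp.info"],
    "shop.example": ["ns1.asp.info", "ns1.isp.net"],  # two independent providers
    "blogspot.com": ["ns1.blogspot.com"],
}
FILTERED = {"isp.net", "blogspot.com"}       # what the filtering resolver blocks
TARGETS = {"isp.net", "larry.blogspot.com"}  # what the order was actually aimed at
NAMES = ["example.com", "shop.example", "asp.info", "isp.net",
         "larry.blogspot.com", "sergey.blogspot.com"]

def is_filtered(name, filtered):
    """True if name equals a filtered domain or is a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in filtered for i in range(len(labels)))

def enclosing_zone(name, ns_map):
    """Longest known zone that contains name, or None if no zone is known."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ns_map:
            return ".".join(labels[i:])
    return None

def resolvable(name, ns_map, filtered, _seen=frozenset()):
    """Can a resolver applying `filtered` still resolve name?"""
    if is_filtered(name, filtered):
        return False
    zone = enclosing_zone(name, ns_map)
    if zone is None:
        return True                  # assumption: unknown zones resolve normally
    if zone in _seen:
        return False                 # dependency loop without glue
    for ns in ns_map[zone]:
        if is_filtered(ns, filtered):
            continue                 # this nameserver's own name cannot be looked up
        if enclosing_zone(ns, ns_map) == zone or \
                resolvable(ns, ns_map, filtered, _seen | {zone}):
            return True              # at least one nameserver is still reachable
    return False

def collateral(names, ns_map, filtered, targets):
    """Names that stop resolving although they were not the filter's target."""
    return sorted(n for n in names
                  if n not in targets and not resolvable(n, ns_map, filtered))

if __name__ == "__main__":
    print(collateral(NAMES, NS_MAP, FILTERED, TARGETS))
```

With this data, example.com fails because both of its nameservers are named under isp.net, while shop.example survives through its second provider; sergey.blogspot.com fails purely because the filter is applied at the blogspot.com level.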