I've written recently about a general-purpose method called DNS Response Policy Zones (DNS RPZ) for publishing and consuming DNS reputation data, to enable a market between security companies who can do the research necessary to find out where the Internet's bad stuff is and network operators who don't want their users to be victims of that bad stuff. I've also tried to explain why lawfully mandated blocking is wrong-headed and will produce no desirable results but many undesirable ones. During an extensive walking tour of the US Capitol last week to discuss a technical whitepaper with members of both parties and both houses of the legislature, I was asked several times why the DNS RPZ technology would not work for implementing something like PROTECT-IP. Now home from my travels, I'm putting the answer I gave in DC on the record here.
Let's imagine that some reputation source such as the US Department of Justice or a security company like Microsoft or Trend Micro produces a list of domain names that it describes as "bad". The exact nature of the badness could be anything from "sells unlicensed copies of Hollywood blockbusters" to "will try to infect your computer with malware." Imagine in each case that some common format like DNS RPZ is used to publish this list of bad domain names. Finally, let's imagine that some set of network operators decides to subscribe to this badness feed, either because the law requires that they do so or because they want to protect their users and customers from whatever the bad thing is. The effect of all this imagination should be that when the protected users try to access the bad domain names it will not work.
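As an added illustration that is not part of the original article, here is a small Python model of the mechanism just described. The policy zone, domain names and addresses are all constructed for the example. The zone text follows the RPZ convention of encoding actions as special CNAME targets (`.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.` for an exemption, `rpz-drop.` for no answer at all) or as local data such as an A record pointing at a walled-garden page; the QNAME trigger is matched exactly first and then against wildcard owner names, as a real RPZ-aware resolver does. Two resolvers share the same authoritative data, but only the subscribing one applies the policy.

```python
"""Toy model of an RPZ-subscribing resolver beside one that does not subscribe.

Constructed example: the policy zone, names and addresses are made up.
Implements the core RPZ QNAME-trigger semantics (exact owner first, then
the closest wildcard) and the standard actions encoded as CNAME targets.
"""

# Constructed policy zone, as a reputation provider might publish it.
# Owner names are relative to the policy zone apex (bad.rpz.example.).
RPZ_ZONE = """\
$ORIGIN bad.rpz.example.
malware.example.com      CNAME .              ; NXDOMAIN
*.malware.example.com    CNAME .              ; also every subdomain
cheapmovies.example.net  CNAME .
tracker.example.org      CNAME *.             ; NODATA
safe.malware.example.com CNAME rpz-passthru.  ; exempt from the wildcard above
botnet-c2.example.com    CNAME rpz-drop.      ; resolver sends no answer at all
phish.example.com        A     192.0.2.99     ; local data: walled-garden page
"""

# Constructed "real" answers the authoritative servers would give.
AUTHORITATIVE = {
    "malware.example.com": "198.51.100.10",
    "dl.malware.example.com": "198.51.100.11",
    "safe.malware.example.com": "198.51.100.12",
    "cheapmovies.example.net": "203.0.113.5",
    "tracker.example.org": "203.0.113.6",
    "botnet-c2.example.com": "203.0.113.7",
    "phish.example.com": "203.0.113.8",
    "itunes.example.com": "203.0.113.9",
}


def parse_rpz(zone_text):
    """Parse the tiny zone format above into {owner: (rtype, rdata)}."""
    rules = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if not line or line.startswith("$ORIGIN"):
            continue
        owner, rtype, rdata = line.split()
        rules[owner.lower()] = (rtype, rdata)
    return rules


def match_policy(rules, qname):
    """RPZ QNAME trigger: exact owner first, then the closest wildcard.

    A wildcard *.example.com matches names below example.com, not
    example.com itself, so the walk starts one label down.
    """
    qname = qname.lower().rstrip(".")
    if qname in rules:
        return rules[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            return rules[wild]
    return None


def resolve(qname, rules=None):
    """Return ('A', addr), 'NXDOMAIN', 'NODATA' or 'DROP' for qname."""
    rule = match_policy(rules, qname) if rules else None
    if rule is not None:
        rtype, rdata = rule
        if rtype == "CNAME":
            if rdata == ".":
                return "NXDOMAIN"
            if rdata == "*.":
                return "NODATA"
            if rdata == "rpz-drop.":
                return "DROP"
            # rpz-passthru.: fall through to the real answer
        elif rtype == "A":
            return ("A", rdata)          # local data replaces the answer
    addr = AUTHORITATIVE.get(qname.lower().rstrip("."))
    return ("A", addr) if addr else "NXDOMAIN"


ISP_RULES = parse_rpz(RPZ_ZONE)


def isp_resolver(qname):
    """The ISP's resolver, which subscribes to the policy zone."""
    return resolve(qname, ISP_RULES)


def bypass_resolver(qname):
    """A resolver the user chose themselves; it applies no policy."""
    return resolve(qname)


if __name__ == "__main__":
    for name in ("dl.malware.example.com", "cheapmovies.example.net",
                 "safe.malware.example.com", "itunes.example.com"):
        print(f"{name:28} ISP={isp_resolver(name)!s:24} "
              f"bypass={bypass_resolver(name)}")
```

The point of the two resolver functions is the one the article makes: the policy lives in the resolver, not in the name, so a client that sends its queries elsewhere gets the authoritative answer unchanged. In a real deployment the zone is loaded into an RPZ-capable resolver such as BIND via its `response-policy` configuration and kept current by zone transfer from the provider.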
What will those protected users do? I think there are three ways this can go.
If the thing the protected user could not access was a web site that would have tried to infect their computer with malware, or some other thing that they presumably do not want, they'll think "oh great, my ISP is protecting me, I sure am glad I picked them and not one of their competitors" and they'll pay their ISP bill on time and maybe send a little extra this month as a "tip" for the wonderful service.
If the thing the protected user could not access was a web site selling unlicensed copies of Hollywood blockbusters and the user didn't realize this, they'll think "oh wow, I had no idea, I really ought to stop searching for the $1.00 version of this download and limit my searches to more reputable companies" and off they'll go to iTunes or Amazon to look for a licensed copy of the movie and future movies.
However, if the thing the protected user could not access was a web site selling unlicensed copies of Hollywood blockbusters and the user actually did know this, they'll think "the content police are on the job and they've subverted my ISP" and they'll invest ten minutes or so installing a VPN or thirty seconds or so installing a browser plugin to move their DNS activities outside of their ISP's influence.
In other words, DNS RPZ and similar DNS blocking technologies work very well when the protected user's interests are aligned with their ISP's interests. It's a huge convenience to have the domain names that would hurt a user stop working, where what counts as "hurt" is judged by that user. On the other hand, it's merely a minor and temporary inconvenience to lose access to domain names that the user likes and depends on but which hurt someone other than the user.
The reason this comes out as "mandated blocking doesn't work" is that mandated blocking must inevitably target domain names that users have no interest in being protected from. There would be no need to mandate blocking of domain names users find harmful; the invisible hand of the market would automatically take care of the matter.
I apologize for my naivete on this subject in my earlier articles about DNS blocking. I thought it was well understood that all Internet users can trivially bypass their ISP's DNS servers and that any kind of DNS blocking that a user doesn't want will be ineffective.