
Alignment of Interests in DNS Blocking

Paul Vixie

I've written recently about a general purpose method called DNS Response Policy Zones (DNS RPZ) for publishing and consuming DNS reputation data, to enable a market between security companies, who can do the research necessary to find out where the Internet's bad stuff is, and network operators, who don't want their users to be victims of that bad stuff. I've also tried to explain why lawfully mandated blocking is wrong-headed and will produce no desirable results but many undesirable ones. During an extensive walking tour of the US Capitol last week to discuss a technical whitepaper with members of both parties and both houses of the legislature, I was asked several times why the DNS RPZ technology would not work for implementing something like PROTECT-IP. Now home from my travels, I'm putting the answer I gave in DC on the record here.

Let's imagine that some reputation source such as the US Department of Justice or a security company like Microsoft or Trend Micro produces a list of domain names that it describes as "bad". The exact nature of the badness could be anything from "sells unlicensed copies of Hollywood blockbusters" to "will try to infect your computer with malware." Imagine in each case that some common format like DNS RPZ is used to publish this list of bad domain names. Finally, let's imagine that some set of network operators decides to subscribe to this badness feed, either because the law requires that they do so or because they want to protect their users and customers from whatever the bad thing is. The intended effect of all this is that when the protected users try to access the bad domain names through their operator's resolvers, the lookups will not work.

What will those protected users do? I think there are three ways this can go.

If the thing the protected user could not access was a web site that would have tried to infect their computer with malware, or some other thing that they presumably do not want, they'll think "oh great, my ISP is protecting me, I sure am glad I picked them and not one of their competitors" and they'll pay their ISP bill on time and maybe send a little extra this month as a "tip" for the wonderful service.

If the thing the protected user could not access was a web site selling unlicensed copies of Hollywood blockbusters and the user didn't realize this, they'll think "oh wow, I had no idea, I really ought to stop searching for the $1.00 version of this download and limit my searches to more reputable companies" and off they'll go to iTunes or Amazon to look for a licensed copy of the movie and future movies.

However, if the thing the protected user could not access was a web site selling unlicensed copies of Hollywood blockbusters and the user actually did know this, they'll think "the content police are on the job and they've subverted my ISP" and they'll invest ten minutes or so installing a VPN or thirty seconds or so installing a browser plugin to move their DNS activities outside of their ISP's influence.

In other words, DNS RPZ and similar DNS blocking technologies work very well when the protected user's interests are aligned with their ISP's interests. It's a huge convenience to have the domain names that would hurt a user stop working, where the definition of "hurt" is in the eyes of that user. On the other hand, it's merely a minor and temporary inconvenience to have domain names stop working that the user likes and depends on but which hurt someone other than the user.

The reason this comes out as "mandated blocking doesn't work" is that mandated blocking must inevitably target domain names that users have no interest in being protected from. There would be no need to mandate blocking of domain names users find harmful; the invisible hand of the market would automatically take care of the matter.

I apologize for my naivete on this subject in my earlier articles about DNS blocking. I thought it was well understood that all Internet users can trivially bypass their ISP's DNS servers, simply by pointing their systems at a different recursive resolver, and that any kind of DNS blocking that a user doesn't want will therefore be ineffective.
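To make the mechanism sketched above concrete, here is a small policy engine, added to this page as an illustration and not taken from the original post, from ISC or from any RPZ implementation. It parses a constructed RPZ feed using the standard RPZ action encodings (CNAME to "." for NXDOMAIN, to "*." for NODATA, to "rpz-passthru." to exempt a name, to any other name for a walled-garden redirect), applies QNAME triggers the way a subscribing resolver would, and then runs the same queries through a second resolver that is not subscribed to the feed. All domain names, addresses and the "upstream" answers are constructed for the example; only QNAME triggers are modelled, not the IP, NSDNAME or NSIP trigger types.

```python
"""Added example: a minimal DNS RPZ policy engine and two resolvers, one
subscribed to a reputation feed and one not. Zone data, names and
addresses are constructed for illustration (RFC 5737 / RFC 2606 ranges)."""

# Constructed RPZ feed. Owner names are written relative to the zone apex
# and are the QNAME triggers; the RDATA encodes the action.
RPZ_ZONE = """\
; constructed example feed, not a real reputation list
$ORIGIN rpz.example.
@                    SOA   ns.rpz.example. hostmaster.rpz.example. 1 3600 600 86400 300
@                    NS    ns.rpz.example.
malware.example      CNAME .
*.malware.example    CNAME .
ok.malware.example   CNAME rpz-passthru.
tracker.example      CNAME *.
movies.example       CNAME walled-garden.isp.example.
*.movies.example     CNAME walled-garden.isp.example.
"""

# Constructed picture of the unfiltered DNS: what an unsubscribed resolver
# would return for each name.
UPSTREAM = {
    "news.example": "198.51.100.1",
    "www.malware.example": "203.0.113.7",
    "ok.malware.example": "203.0.113.8",
    "tracker.example": "203.0.113.9",
    "movies.example": "203.0.113.10",
    "cdn.movies.example": "203.0.113.11",
}


def decode_action(rtype, rdata):
    """Map the RPZ RDATA encodings to a (action, data) pair."""
    if rtype == "CNAME":
        if rdata == ".":
            return ("NXDOMAIN", None)          # name does not exist
        if rdata == "*.":
            return ("NODATA", None)            # name exists, no records
        if rdata == "rpz-passthru.":
            return ("PASSTHRU", None)          # exempt from policy
        return ("REDIRECT", rdata.rstrip("."))  # walled garden
    if rtype == "A":
        return ("LOCALDATA", rdata)            # synthesized answer
    raise ValueError(f"unsupported RPZ action: {rtype} {rdata}")


def parse_rpz(zone_text):
    """Return {trigger_name: (action, data)} for the QNAME triggers.
    Directives, comments and the apex SOA/NS records are skipped."""
    triggers = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$") or line.startswith("@"):
            continue
        owner, rtype, rdata = line.split(None, 2)
        if rtype in ("SOA", "NS"):
            continue
        triggers[owner.lower()] = decode_action(rtype, rdata)
    return triggers


def match_qname(triggers, qname):
    """Most specific trigger wins: an exact name first, then wildcards from
    the closest enclosing suffix outward. As in ordinary DNS, *.malware.example
    does not match malware.example itself, hence the separate exact record."""
    name = qname.lower().rstrip(".")
    if name in triggers:
        return triggers[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in triggers:
            return triggers[wildcard]
    return None


class Resolver:
    """A recursive resolver; triggers=None means it subscribes to no feed."""

    def __init__(self, name, triggers=None):
        self.name = name
        self.triggers = triggers

    def resolve(self, qname):
        """Return (rcode_or_action, data) as the querying client sees it."""
        if self.triggers is not None:
            hit = match_qname(self.triggers, qname)
            if hit is not None and hit[0] != "PASSTHRU":
                return hit
        addr = UPSTREAM.get(qname.lower().rstrip("."))
        return ("ANSWER", addr) if addr else ("NXDOMAIN", None)


if __name__ == "__main__":
    isp = Resolver("isp", parse_rpz(RPZ_ZONE))
    offshore = Resolver("offshore")  # the user's chosen, unsubscribed resolver
    for q in ("news.example", "www.malware.example", "ok.malware.example",
              "tracker.example", "cdn.movies.example"):
        print(f"{q:22} isp={isp.resolve(q)}  offshore={offshore.resolve(q)}")
```

The same feed loaded into BIND 9 would be attached with a `response-policy { zone "rpz.example"; };` statement in named.conf; the engine above only shows the matching and action semantics. The last line of the demo is the point of the article: every policy outcome disappears the moment the client sends its queries to a resolver that has not loaded the zone.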

By Paul Vixie, CEO, Farsight Security. More blog posts from Paul Vixie can also be read here.

Related topics: Censorship, Cybercrime, DNS, Internet Governance, Malware, Policy & Regulation, Security



Does the Id always rule online? Christopher Parente  –  Jul 26, 2011 8:08 PM PDT


That's a clear explanation. It raises a question more philosophical than technical, please bear with me I'm not an engineer.

Is your argument that if people want something online they will get it, so why bother trying to stop it? I've got a lot of libertarian blood in me too, but aren't there SOME things people shouldn't be able to get?

Or to phrase it another way, in your opinion is there ever an appropriate time to get in the way of "user interests." Thanks.

No, there are limits. Paul Vixie  –  Jul 26, 2011 11:20 PM PDT

At no time and in no way am I suggesting that the online world not be controlled.  The canonical example is child abuse materials but there are plenty of other things which society ought to say "no" to when it comes to the use of public infrastructure such as the Internet.  I won't go into the .XXX debacle since it's a corner case — some parts of society say no and other parts say yes and that makes it a rotten example for this.

But do consider spam and malware.  I reject the idea that the Internet and especially the Domain Name System (DNS) should work as well for spammers and malware authors as it does for everybody else — we (as in "We The People" or perhaps "We The Internet Users") have to find a way to offer those malicious users a differentiated service level.  I said as much in Taking Back The DNS:

I am just not comfortable having my own resources used against me simply because I have no way to differentiate my service levels based on my estimate of the reputation of a domain or a domain registrant.

So, to be as clear as I know how to be, I am not saying anything goes or that anything should go.  The Internet is created by the people who use it and those people should be able to set some limits on how it can be used.

My topic in the article we're both replying under is subtly different.  What I'm showing is that preventing the distribution of content that many users want is extremely difficult since users have a lot of easy alternatives when bypassing any kind of censorship.  One of the least practical places to prevent the distribution of content is by blocking DNS requests inside of Internet Access Providers, since users who don't want their requests to be blocked in this way can easily find new and probably off-shore ways to handle their DNS needs while softly mumbling words to the effect that "up with this I shall not put".

I'll repeat again for the record that I want the United States economy to thrive and that since digital entertainment is one of my country's chief exports I would like to see it better protected.  But whatever we do, especially where it involves government mandates, has to be a serious effort.  Mandated DNS blocking would be a very un-serious way of combatting online infringement.

Different emphasis The Famous Brett Watson  –  Jul 27, 2011 3:51 AM PDT

Christopher Parente said, "Is your argument that if people want something online they will get it, so why bother trying to stop it?"

I think that's the wrong emphasis for this issue. I would put it the other way around: "if people want to be protected from something, it doesn't matter if they can bypass the protection mechanism." This is the key to "alignment of interests": when the protection mechanism is doing something that the protected party views as being in his interest, then he has no motivation to bypass the mechanism.

The converse is also true: if people don't want to be "protected" from something, then it does matter if they can easily bypass the protection mechanism. Attempts to increase the difficulty of bypassing the system usually make the mechanism even more unpleasant (by imposing further restrictions), and thus further increase the motivation to bypass it: a vicious feedback effect.

The questions of who has what prerogative to restrict the actions of whom, and how they should or shouldn't go about it, are separate and controversial matters. The issue at hand draws a fairly simple relationship between ease of circumvention and desire to circumvent. It's stating the obvious when put that simply, but sometimes we need to emphasise obvious truths of this sort in order to clarify a more confusing bigger picture.

Paul Vixie said, "we… have to find a way to offer those malicious users a differentiated service level."

I agree. In fact, I consider it a general design maxim for public-facing systems. In my PhD thesis, "Network Protocol Design with Machiavellian Robustness", one of my summary "observations on design for Machiavellian robustness" is, "differing classes of service can be offered in accordance with differing expectations of acceptable use" [p81].

Good stuff Christopher Parente  –  Jul 27, 2011 5:18 AM PDT

Thanks Paul. Final question — what percentage of users do you think we're talking about here? In your post you give three scenarios — in the first two the user is not actively looking for unlicensed content, or at least doesn't realize the content is forbidden.

In the third scenario, the user is aware and won't tolerate being blocked. How large a number is this IYO, from the entire U.S. Internet population?

Brett — thanks for that info. When time allows I'll be checking out your thesis for more on "differentiated services," which sounds very interesting.

Population estimates Paul Vixie  –  Jul 27, 2011 7:35 AM PDT

During the years 1920 to 1933, the 18th Amendment to the U.S. Constitution banned the sale, manufacture, and transportation of alcohol.  History records this as having been unsuccessful for all but the gangsters and bootleggers; any customer who wanted access to the forbidden materials could find easy workarounds, and this was pretty much most of the interested parties.  When the idea was scrapped, people awoke as if from a dream wondering "what the heck was it that ever made that seem like a good idea?"

I think a prohibition on the resolution of the domain names of infringing web sites would go about like that.  So while I don't know what percentage of the United States' internet population are "knowing infringers" I do expect that almost all of them will seek easy workarounds like off-shore DNS or VPN services or browser plugins that will let them go on living pretty much as they did before the law was passed.  The only real beneficiaries of all this will be the gangsters and bootleggers.
