Home / Industry

Breaking the DNS: Another Look at How SOPA Could Be Destructive

While the Stop Online Piracy Act (also known as SOPA or the E-Parasite Act) doesn't specifically define how ISPs should technically go about this, it does seem to indicate that an ISP should capture, redirect and modify DNS query/response pairs to ensure that a downstream user does not access the site. There's a number of ways to "remove support" from a foreign infringing website at the DNS level, so we'll take a look at the techniques that could be used at all the layers of the DNS and why some are more destructive than others.

There is the domain registration itself, which signals existence of a domain into the appropriate top-level domain's DNS zone.

For example, if the domain "example.com" was a foreign infringing site, a law enforcement agency could petition Verisign (the registry operator of the .com TLD) to remove the relevant DNS records that provide the delegation for example.com. In fact, this type of behavior isn't SOPA specific and our current judicial framework permits this to happen today.

One should note that the impact of such a suspension would have a worldwide impact. All users of the domain name would no longer be able to access services offered by that domain.

There's the authoritative DNS service for example.com which could be terminated.

A delegation for example.com is made from Verisign to the domain's authoritative DNS provider to a company such as Dyn. If a foreign infringing site were to be supported by a U.S. authoritative DNS provider, law enforcement could petition the authoritative DNS provider to remove support for the domain by terminating authoritative DNS service. Again, this would cause a worldwide suspension of services for the domain, but unlike a registry level termination, the alleged infringer could move services to another authoritative DNS provider and continue doing whatever he/she was doing utilizing the newly acquired authoritative DNS service.

There's recursive DNS interception, redirection and alteration (which is the primary technique contemplated by SOPA) that would be implemented at the ISP level.

Unlike TLD and domain authoritative nameservers (of which any set are under the same common administrative control, i.e. Dyn), recursive DNS servers are deployed Internet wide in clusters throughout ISPs. Under SOPA, U.S. ISPs would be required to accept an additional "feed" of data which would include a list of known or alleged domains participating in foreign infringement.

The feed would be used to block DNS queries made for foreign infringing domains and would remove U.S. access of these domains for users of U.S. ISPs. The feed could be incorporated into DNS using a variety of techniques including deep packet inspection (DPZ), a software interface such as BIND's Response Policy Zones (RPZ) or even by creating false zones in the recursive DNS servers view.

From Dyn's perspective, the third option — ISP-based DNS query manipulation — is the most hazardous to the health of the global DNS.

Implementing such a solution breaks the distributed tree of authority concept used by the DNS by "injecting" U.S. nationalized pieces of DNS policy into the system. ISPs around the United States would become responsible for implementing, maintaining and monitoring these SOPA feeds into their DNS infrastructures, creating an additional layer of operational complexity for their DNS operations. Additionally, since not all DNS systems permit the inclusion of external data feeds to support local policy, many operators would be required to upgrade the recursive DNS infrastructures in significant ways.

There's a number of conditions that could occur where a SOPA-fed recursive DNS server could hand back incorrect DNS data or be circumvented all together. If an ISP were to have issues pulling the SOPA feed or clearing domains from the SOPA list, a single domain could be blacklisted in the United States when it is perfectly legal to be used. If the source of a SOPA feed were to ever be compromised, an attacker could take critical Internet infrastructure domains offline by adding them to the feed (i.e. root-servers.net).

Savvy users could simply bypass a SOPA-enabled recursive DNS server by pointing their DNS settings to an off-shore recursive DNS server. Technically savvy networks might respond by blocking port 53 externally or by hijacking port 53 traffic on their network to their SOPA-enabled recursive DNS resolvers. Anyone want to bring Net Neutrality into this discussion? What would happen to users if an infringer decided to setup a "free, non-SOPA" recursive DNS server for users to use — one that additionally hijacked legitimate banking, ecommerce and business websites, too?

It is Dyn's opinion that the technical implementation techniques contemplated by SOPA do more damage to the global DNS than help solve the problem it aims to tackle. There are existing law enforcement techniques available to deal with copyright infringement today at the registry level, so we ask why are they not being effectively utilized? Must we resort to breaking the DNS?


About Dyn – Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever. Learn More

Related topics: Access Providers, Censorship, DNS, Intellectual Property, Networks, Policy & Regulation


Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Related Blogs

Related News

Explore Topics

Dig Deeper

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Join Neustar's Town Hall Meeting and Help Shape the Future Of .US

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Michele Neylon Appointed Chair Elect of i2Coalition

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

2016 U.S. Election: An Internet Forecast

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

Understanding the Risks of the Dark Web

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

Mobile Web Intelligence Report: Bots and Crawlers May Represent up to 50% of Web Traffic