DNS filtering: absolutely the wrong way to defend copyrights
Senator Ron Wyden (D-OR) has called the PROTECT IP Act “a threat to our economic future and to our international objectives.” He characterized its predecessor as a “bunker-busting cluster bomb when what you really need is a precision-guided missile.” The bill would force Domain Name System (DNS) operators to stop correctly resolving the names of so-called “rogues sites.”
Is this sort of monkeying with the DNS a problem? Yes, say DNS experts in a new report (PDF) on the practice. In their view, DNS filtering provisions would make the Web less secure—and do little to stop illegal filesharing sites.
DNSSEC is being implemented to allow systems to demand verification of what they get from the DNS. PROTECT IP would not only require DNS responses that cannot deliver such proof, but it would enshrine and institutionalize the very network manipulation DNSSEC must fight…
These rerouting measures “would weaken this important effort to improve Internet security,” the paper contends. They would “enshrine and institutionalize the very network manipulation” that DNS security components fight “to prevent cyberattacks and other malevolent behavior on the global Internet, thereby exposing networks and users to increased security and privacy risks.” Their widespread use would “threaten the security and stability of the global DNS” and create “significant risk of collateral damage, with filtering of one domain potentially affecting users’ ability to reach non-infringing Internet content.”
And in the end, they would do little to stop digital piracy. The authors say filters are easily evaded and would be of minimal help when it comes to cutting down on copyright infringement online.
The report is signed by five DNS experts from Shinkuro, Verisign, Georgia Tech, ICANN’s Security Council, and the Internet Systems Consortium, and it appeared just before the PROTECT IP ACT was placed on hold in the Senate at Wyden’s request.
The authors say that they have no beef with strong enforcement of intellectual property rights, but this kind of IP policing makes them cringe. Here’s why.
Such text shall specify
First, a quick primer on DNS. It’s the reason why, if you want to visit the United States Senate’s website, you can type “senate.gov” rather than its Internet Protocol address: 126.96.36.199. Domain name servers distributed around the world keep track of who has what IP number, aided by millions of recursive servers that make the number-to-name process much faster.“Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill”
What PROTECT IP would do is authorize the feds to serve a court order on an ISP, demanding that it take action against a US based website accused of engaging in intellectual property theft. Specifically, the ISP would be required “to prevent the domain name described in the order from resolving to that domain name’s Internet protocol address”—in other words, filtering or rerouting it elsewhere.
Wherever users would wind up, elsewhere-wise, they’d see a government announcement explaining the move. “Such text shall specify that the action is being taken pursuant to a court order obtained by the Attorney General,” the bill says.
What these security folks especially don’t like about this DNS redirection business is that it will mess with an up-and-coming extension for the system, called DNSSEC, which encrypts DNS records, making them more secure. DNSSEC’s main objective is to protect consumers and sites from so-called “Man-in-the-Middle” attacks, in which a miscreant intercepts a digital conversation, and, pretending to be a trusted source, fleeces the user of her security data.
Ironically, PROTECT IP bears strong resemblance to such a hack, except that it is authorized by the government, the experts note.
“DNSSEC is being implemented to allow systems to demand verification of what they get from the DNS,” they write. “PROTECT IP would not only require DNS responses that cannot deliver such proof, but it would enshrine and institutionalize the very network manipulation DNSSEC must fight in order to prevent cyberattacks and other miscreant behavior on the global Internet.”Photo illustration by Aurich Lawson