Last month, we posted our position piece on the Stop Online Piracy Act, also known as SOPA or the E-Parasite Act. In this post, I’m going to examine the technical details of the act and how it relates to the operation of the global Domain Name System (DNS).
SOPA proposes the idea of using DNS-based filtering by Internet Service Providers (ISPs) as a means to remove U.S. support of a foreign infringing website.
While the bill doesn’t specifically define how the ISP should technically go about this, it does seem to indicate that an ISP should capture, redirect and modify DNS query / response pairs to ensure that a downstream user does not access the site. There’s a number of ways to “remove support” from a foreign infringing website at the DNS level, so we’ll take a look at the techniques that could be used at all the layers of the DNS and why some are more destructive than others.
There is the domain registration itself, which signals existence of a domain into the appropriate top-level domain’s DNS zone.
For example, if the domain “example.com” was a foreign infringing site, a law enforcement agency could petition Verisign (the registry operator of the .com TLD) to remove the relevant DNS records that provide the delegation for example.com. In fact, this type of behavior isn’t SOPA specific and our current judicial framework permits this to happen today.
One should note that the impact of such a suspension would have a worldwide impact. All users of the domain name would no longer be able to access services offered by that domain.
There’s the authoritative DNS service for example.com which could be terminated.
A delegation for example.com is made from Verisign to the domain’s authoritative DNS provider to a company such as Dyn. If a foreign infringing site were to be supported by a U.S. authoritative DNS provider, law enforcement could petition the authoritative DNS provider to remove support for the domain by terminating authoritative DNS service. Again, this would cause a worldwide suspension of services for the domain, but unlike a registry level termination, the alleged infringer could move services to another authoritative DNS provider and continue doing whatever he/she was doing utilizing the newly acquired authoritative DNS service.
There’s recursive DNS interception, redirection and alteration (which is the primary technique contemplated by SOPA) that would be implemented at the ISP level.
Unlike TLD and domain authoritative nameservers (of which any set are under the same common administrative control, i.e. Dyn), recursive DNS servers are deployed Internet wide in clusters throughout ISPs. Under SOPA, U.S. ISPs would be required to accept an additional “feed” of data which would include a list of known or alleged domains participating in foreign infringement.
The feed would be used to block DNS queries made for foreign infringing domains and would remove U.S. access of these domains for users of U.S. ISPs. The feed could be incorporated into DNS using a variety of techniques including deep packet inspection (DPZ), a software interface such as BIND’s Response Policy Zones (RPZ) or even by creating false zones in the recursive DNS servers view.
From Dyn’s perspective, the third option — ISP-based DNS query manipulation — is the most hazardous to the health of the global DNS.
Implementing such a solution breaks the distributed tree of authority concept used by the DNS by “injecting” U.S. nationalized pieces of DNS policy into the system. ISPs around the United States would become responsible for implementing, maintaining and monitoring these SOPA feeds into their DNS infrastructures, creating an additional layer of operational complexity for their DNS operations. Additionally, since not all DNS systems permit the inclusion of external data feeds to support local policy, many operators would be required to upgrade the recursive DNS infrastructures in significant ways.
There’s a number of conditions that could occur where a SOPA-fed recursive DNS server could hand back incorrect DNS data or be circumvented all together. If an ISP were to have issues pulling the SOPA feed or clearing domains from the SOPA list, a single domain could be blacklisted in the United States when it is perfectly legal to be used. If the source of a SOPA feed were to ever be compromised, an attacker could take critical Internet infrastructure domains offline by adding them to the feed (i.e. root-servers.net).
Savvy users could simply bypass a SOPA-enabled recursive DNS server by pointing their DNS settings to an off-shore recursive DNS server. Technically savvy networks might respond by blocking port 53 externally or by hijacking port 53 traffic on their network to their SOPA-enabled recursive DNS resolvers. Anyone want to bring Net Neutrality into this discussion? What would happen to users if an infringer decided to setup a “free, non-SOPA” recursive DNS server for users to use – one that additionally hijacked legitimate banking, ecommerce and business websites, too?
It is Dyn’s opinion that the technical implementation techniques contemplated by SOPA do more damage to the global DNS than help solve the problem it aims to tackle. There are existing law enforcement techniques available to deal with copyright infringement today at the registry level, so we ask why are they not being effectively utilized? Must we resort to breaking the DNS?
SOPA proposes the idea of using DNS-based filtering by Internet Service Providers (ISPs) as a means to remove U.S. support of a foreign infringing website.
While the bill doesn’t specifically define how the ISP should technically go about this, it does seem to indicate that an ISP should capture, redirect and modify DNS query / response pairs to ensure that a downstream user does not access the site. There’s a number of ways to “remove support” from a foreign infringing website at the DNS level, so we’ll take a look at the techniques that could be used at all the layers of the DNS and why some are more destructive than others.
There is the domain registration itself, which signals existence of a domain into the appropriate top-level domain’s DNS zone.
For example, if the domain “example.com” was a foreign infringing site, a law enforcement agency could petition Verisign (the registry operator of the .com TLD) to remove the relevant DNS records that provide the delegation for example.com. In fact, this type of behavior isn’t SOPA specific and our current judicial framework permits this to happen today.
One should note that the impact of such a suspension would have a worldwide impact. All users of the domain name would no longer be able to access services offered by that domain.
There’s the authoritative DNS service for example.com which could be terminated.
A delegation for example.com is made from Verisign to the domain’s authoritative DNS provider to a company such as Dyn. If a foreign infringing site were to be supported by a U.S. authoritative DNS provider, law enforcement could petition the authoritative DNS provider to remove support for the domain by terminating authoritative DNS service. Again, this would cause a worldwide suspension of services for the domain, but unlike a registry level termination, the alleged infringer could move services to another authoritative DNS provider and continue doing whatever he/she was doing utilizing the newly acquired authoritative DNS service.
There’s recursive DNS interception, redirection and alteration (which is the primary technique contemplated by SOPA) that would be implemented at the ISP level.
Unlike TLD and domain authoritative nameservers (of which any set are under the same common administrative control, i.e. Dyn), recursive DNS servers are deployed Internet wide in clusters throughout ISPs. Under SOPA, U.S. ISPs would be required to accept an additional “feed” of data which would include a list of known or alleged domains participating in foreign infringement.
The feed would be used to block DNS queries made for foreign infringing domains and would remove U.S. access of these domains for users of U.S. ISPs. The feed could be incorporated into DNS using a variety of techniques including deep packet inspection (DPZ), a software interface such as BIND’s Response Policy Zones (RPZ) or even by creating false zones in the recursive DNS servers view.
From Dyn’s perspective, the third option — ISP-based DNS query manipulation — is the most hazardous to the health of the global DNS.
Implementing such a solution breaks the distributed tree of authority concept used by the DNS by “injecting” U.S. nationalized pieces of DNS policy into the system. ISPs around the United States would become responsible for implementing, maintaining and monitoring these SOPA feeds into their DNS infrastructures, creating an additional layer of operational complexity for their DNS operations. Additionally, since not all DNS systems permit the inclusion of external data feeds to support local policy, many operators would be required to upgrade the recursive DNS infrastructures in significant ways.
There’s a number of conditions that could occur where a SOPA-fed recursive DNS server could hand back incorrect DNS data or be circumvented all together. If an ISP were to have issues pulling the SOPA feed or clearing domains from the SOPA list, a single domain could be blacklisted in the United States when it is perfectly legal to be used. If the source of a SOPA feed were to ever be compromised, an attacker could take critical Internet infrastructure domains offline by adding them to the feed (i.e. root-servers.net).
Savvy users could simply bypass a SOPA-enabled recursive DNS server by pointing their DNS settings to an off-shore recursive DNS server. Technically savvy networks might respond by blocking port 53 externally or by hijacking port 53 traffic on their network to their SOPA-enabled recursive DNS resolvers. Anyone want to bring Net Neutrality into this discussion? What would happen to users if an infringer decided to setup a “free, non-SOPA” recursive DNS server for users to use – one that additionally hijacked legitimate banking, ecommerce and business websites, too?
It is Dyn’s opinion that the technical implementation techniques contemplated by SOPA do more damage to the global DNS than help solve the problem it aims to tackle. There are existing law enforcement techniques available to deal with copyright infringement today at the registry level, so we ask why are they not being effectively utilized? Must we resort to breaking the DNS?
No comments:
Post a Comment