Internet Engineers Criticize PROTECT IP DNS PlanJune 6, 2011
Recently, a group of five prominent Internet engineers released a paper detailing security and technical concerns regarding DNS filtering in rogue website legislation like the PROTECT IP Act. The paper highlights three broad sources of harm stemming from mandated DNS redirects: interference with existing DNS security measures, problems resulting from circumvention, and collateral damage from DNS interdependencies. Coupled with the ease with which DNS filtering can be circumvented, the paper shows the cost-benefit of proposals like PROTECT IP to be clearly in the red.
The first major problem is the tension between DNS filtering and the DNS Security Extensions, or DNSSEC. DNSSEC is a critical set of security updates being rolled out by the Internet Engineering Task Force with the promotion and encouragement of government and industry. Its purpose is to prevent against DNS cache poisoning and other security attacks. One of the underlying bases of DNSSEC is the ability to verify that any information associated with a given domain name actually comes from that name. On the other hand, PROTECT IP will require DNS providers to ensure an inconsistency between targeted domain names and their actual servers. This leads to a tension between the bill and the ongoing project of implementing DNSSEC:
By mandating redirection, PROTECT IP would require and legitimize the very behavior DNSSEC is designed to detect and suppress. Replacing responses with pointers to other resources, as PROTECT IP would require, is fundamentally incompatible with end-to-end DNSSEC. Quite simply, a DNSSEC-enabled browser or other application cannot accept an unsigned response; doing so would defeat the purpose of secure DNS. Consistent with DNSSEC, the nameserver charged with retrieving responses to a user’s DNSSEC queries cannot sign any alternate response in any manner that would enable it to validate a query.
The paper further concludes:
DNSSEC is being implemented to allow systems to demand verification of what they get from the DNS. PROTECT IP would not only require DNS responses that cannot deliver such proof, but it would enshrine and institutionalize the very network manipulation DNSSEC must fight in order to prevent cyberattacks and other miscreant behavior on the global Internet.
The paper also notes several ways in which circumventing any DNS blocking can lead to further technical and security problems. As nice as it would be if people looking for infringing material just gave up when they hit a DNS block, that’s highly unlikely to happen. They can turn to non-filtered DNS servers, install a simple browser plugin (with a 1-click install), or just type in the IP address of the desired site.
The first two of these alternatives—and the ones least likely to require any ongoing work by the user, create their own security and performance problems. First of all, redirected DNS settings can point to rogue DNS servers, which can compromise not just a circumventing use, but anyone who uses that computer, intercepting banking, e-commerce, and other critical information.
Circumvention will also mean that ISPs gain less data on network security threats, since they use their DNS services to monitor systems and guard against denial-of-service attacks, identify botnet hosts, and identify compromised domains.
The paper also notes two ways in which innocent domains may be filtered through the bill’s provisions. One way is if a given legitimate site uses a filtered DNS service:
If a legitimate site points to a filtered domain for its authoritative DNS server, lookups from filtering nameservers for the legitimate domain will also fail. These dependencies are unpredictable and fluid, and extremely difficult to enumerate. When evaluating a targeted domain, it will not be apparent what other domains might point to it in their DNS records.
In addition, one IP address may support multiple domain names and websites; this practice is called “virtual hosting” and is very common. Under PROTECT IP, implementation choices are (properly) left up to DNS server operators, but unintended consequences will inevitably result. If an operator or filters the DNS traffic to and from one IP address or host, it will bring down all of the websites supported by that IP number or host. The bottom line is that the filtering of one domain name or hostname can pull down unrelated sites down across the globe.
Another problem results when a targeted site is but one of several subdomains sharing the same domain:
For example, blogspot.com uses subdomains to support its thousands of users; blogspot.com may have customers named Larry and Sergey whose blog services are at larry.blogspot.com and sergey.blogspot.com. If Larry is an e-criminal and the subject of an action under PROTECT IP, it is possible that blogspot.com could be filtered, in which case Sergey would also be affected, although he may well have had no knowledge of Larry’s misdealings.
Finally, something that is mentioned briefly in the paper, but that bears mentioning: the potential international effects of the United States legitimizing practices that not only introduce technical and security risks, but can also be used by other regimes for more speech-restrictive purposes:
In addition, if the U.S. mandates and thereby legitimizes DNS filtering, more countries may impose their own flavor of DNS filtering. As this practice becomes more widespread, the extent to which a particular name is reachable will become a function of on which network and in which country a user sits, compromising the universality of DNS naming and thereby the “oneness” of the Internet. This situation will in turn increase the cost and challenge of developing new technologies, and reduce the reliability of the Internet as a whole. If the Internet moves towards a world in which every country is picking and choosing which domains to resolve and which to filter, the ability of American technology innovators to offer products and services around the world will decrease.
The debate over the PROTECT IP Act isn’t just a matter of copyright policy; it’s a matter of Internet policy. And at least as far as its DNS provisions go, it doesn’t seem to be changing that policy for the better.