The Domain Name System and DNS Blocking Malcolm Hutty Head of Public Affairs, LINX February 2011

The Domain Name System and DNS Blocking

Malcolm HuttyHead of Public Affairs, LINX

http://publicaffairs.linx.net

February 2011

About LINX

• A membership association for network operators• Based in London, UK• One of the largest Internet Exchanges in the world–400 member networks from over 50 countries–Over 1.2Tb/s peak traffic–Over 70% global Internet routes

• Public policy role in EU through

• The voice of Internet Services Providers in Europe• Represents over 1800 ISPs• Umbrella structure: –National associations are EuroISPA members–Governed by a Board with one member per association

• Supported by an advisory forum of large multi-national network and service providers

www.example.eu

1. User types domain name into browser

1. User types domain name into browser

2. Browser asks Access Provider for IP address of www.example.eu

What’s the IP address for

www.example.eu?


www.example.eu?

Access Provider

DNSResolver

3. DNS Resolver asks Root Name Server for IP of a DNS server for .eu

RootNameServer

Where’s the .eu registry DNS

server?

Where’s the .eu registry DNS

server?

Access Provider

DNSResolver

3. DNS Resolver asks Root Name Server for IP of a DNS server for .eu

RootNameServer

It’s at IP address:198.51.100.56


Access Provider

DNSResolver

4. DNS Resolver asks .eu DNS server for IP of the DNS server for example.eu

.eu RegistryDNS server

Where’s the DNS server for

example.eu?

Where’s the DNS server for

example.eu?

Access Provider

DNSResolver

4. DNS Resolver asks .eu DNS server for IP of the DNS server for example.eu




Access Provider

DNSResolver

5. DNS Resolver asks for the IP address for www.example.eu …

DNSexample.euWhat’s the IP

address for www.example.eu?


www.example.eu?

Access Provider

DNSResolver

5. DNS Resolver asks for the IP address for www.example.eu …

DNSexample.eu



Access Provider

DNSResolver

6. … and passes the IP address back to the browser

The IP address for www.example.eu

is: 192.0.2.12


is: 192.0.2.12

Access Provider

DNSResolver

7. … which contacts the website host using the IP address

Contacting 192.0.2.12

8. HTTP traffic begins

www.example.eu

192.0.2.12

Access Provider

DNSResolver

How DNS blocking works


www.example.eu?


www.example.eu?

Access Provider

DNSResolver


No such domain.No such domain.

Access Provider

DNSResolver


Or…



www.example.eu?


www.example.eu?

Access Provider

DNSResolver


Access Provider

DNSResolver

It’s at (cough) IP:203.0.113.234

(cough)

It’s at (cough) IP:203.0.113.234

(cough)


Police controlledserver

Access Provider

DNSResolver

203.0.113.234

Technical flaws in DNS blockingTechnical flaws in DNS blocking

Technical flaws: multiple / changing domain names


www.example.eu?


www.example.eu?

www.example.euwww.ejemplo.eu

Access Provider

DNSResolver



Access Provider

DNSResolver

No such domain.No such domain.



Access Provider

DNSResolver

Ok, can I have IP address for

www.ejemplo.eu?

Ok, can I have IP address for

www.ejemplo.eu?



RootNameServerAccess Provider

DNSResolver



Access Provider

DNSResolver

.euRegistryDNS server



Access Provider

DNSResolver DNS

ejemplo.eu



Access Provider

DNSResolver

The IP address for www.ejemplo.eu

is: 192.0.2.12

The IP address for www.ejemplo.eu

is: 192.0.2.12



Access Provider

DNSResolver

192.0.2.12

Technical flaws: user can bypass DNS by typing IP address directly into browser

Technical flaws: user can bypass DNS by typing IP address directly into browser

Technical flaws: user can bypass DNS by typing IP directly into browser

www.example.eu

192.0.2.12

Access Provider

DNSResolver

Technical flaws: many companies run their own DNS resolver

Jones & Jones Ltd

DNSResolver

Access Provider

DNSResolver


www.example.eu?


www.example.eu?


Jones & Jones Ltd

Access Provider

DNSResolver

RootNameServer

DNSResolver


Jones & Jones Ltd

Access Provider

DNSResolver


DNSResolver


Jones & Jones Ltd

DNSResolver

Access Provider

DNSResolver

DNSexample.eu


Jones & Jones Ltd

DNSResolver

Access Provider

DNSResolver


is: 192.0.2.12


is: 192.0.2.12


Jones & Jones Ltd

DNSResolver

Access Provider

DNSResolver

www.example.eu

192.0.2.12

Technical flaws: client can use a third-party DNS resolver

Access Provider

DNSResolver




Access Provider

DNSResolver


3rd partyDNSResolver

Access Provider

DNSResolver



www.example.eu?


www.example.eu?





DNSResolver




Access Provider

DNSResolver



DNSexample.eu

Access Provider

DNSResolver

Access Provider

DNSResolver




www.example.eu

192.0.2.12

Access Provider

DNSResolver

Technical flaws: web proxies


www.proxy.example?


www.proxy.example?

Access Provider

DNSResolver



DNSResolver


.example RegistryDNS server

Access Provider

DNSResolver


DNSproxy.example

Access Provider

DNSResolver


The IP address for www.proxy.example

is 198.51.100.207

The IP address for www.proxy.example

is 198.51.100.207

Access Provider

DNSResolver


www.proxy.example

198.51.100.207

Access Provider

DNSResolver

DNSResolver


Enter the URL you wish to access:www.example.eu


www.proxy.example

198.51.100.207

Access Provider

DNSResolver

DNSResolver

Where is www.

example.eu?

Where is www.

example.eu?


www.proxy.example

198.51.100.207

Access Provider

DNSResolver

DNSResolver

RootNameServer


www.proxy.example

198.51.100.207

Access Provider

DNSResolver

DNSResolver



www.proxy.example

198.51.100.207

Access Provider

DNSResolver

DNSResolver

DNSexample.eu

192.0.2.12192.0.2.12


www.proxy.example

198.51.100.207

Access Provider

DNSResolver

DNSResolver

www.example.eu


Enter the URL you wish to access:www.example.eu

Other tools use the proxy principle

Conclusions

• “DNS blocking” is a technical term– It describes a technical procedure, not an outcome– It is not synonymous with “preventing access using DNS”– It is unlikely to prevent users from reaching content they are

actively seeking

• There is a big difference between seeking to protect users from content they wish to avoid, and seeking to obstruct users from reaching content they seek– In the first case, you can enlist the support of users and the

software and services they use– In the latter, there is always a way around any impediment,

and these ways can and will be made easy for anyone to use

Documents

The Domain Name System and DNS Blocking Malcolm Hutty Head of Public Affairs, LINX February 2011