SAC127 - DNS Blocking Revisited
Abstract
The Domain Name System (DNS) translates human-readable domain names to Internet Protocol (IP) addresses that are used by computers to communicate with each other on the Internet. DNS blocking is a method for restricting access to information or services on the Internet by interfering with the normal process of responding to DNS queries about domain names or IP addresses. This is done either by denying that a name or address exists or by providing false information about it.
Blocking is one of several approaches to restricting or regulating access to Internet information. Often, DNS blocking is employed because it is relatively easy to implement, but it has limitations and potential side effects.
This report focuses on the technical means by which DNS blocking can be accomplished, and the effects—both intended and unintended—of its use in different contexts. The aim of this report is to advise the Internet community, and especially policymakers and government officials, of the implications and consequences of using DNS blocking to control access to resources on the Internet.
DNS blocking can be accomplished by changing the behavior of a DNS server so that it responds in a way that is different from normal, i.e., different from the response the administrator of the domain name intended. When an end user wishes to connect to a web site or other service, a recursive resolver translates the domain name of that site or service into an IP address. DNS blocking via recursive resolvers modifies or blocks this translation.
DNS blocking is effective only to the extent that users rely on the DNS infrastructure where the blocking is implemented. Blocking can be bypassed by various methods, such as using an alternative DNS resolver to avoid a resolver where a block has been implemented or using a Virtual Private Network (VPN). The effectiveness of DNS blocking is often a matter of degree. It is crucial to understand that DNS blocking does not remove or alter the underlying content; it merely attempts to prevent access through the most common and convenient pathway. The content itself typically remains available at the original IP address or through alternative domain names or protocols, meaning that determined users can still reach it using other means.
DNS blocking can have serious side effects. A block may affect users outside the jurisdiction of the party doing the blocking. Users may not know that a block is in place, and can interpret it as a site outage or other error, encouraging potentially insecure behavior to "fix" it. A block may affect domains that provide services for other domains, causing collateral damage beyond the intended scope of the block.
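The following is an added example, not code from the SSAC report: a toy recursive resolver with a policy layer that models the two blocking modes the abstract describes (denying that a name exists, or answering with false data) and shows the collateral damage that results when a blocked name is one other domains depend on. The zone data, the sinkhole address and all names are constructed for illustration.

```python
# Added example (not from the SSAC report): a toy recursive resolver with a
# blocking policy layer. Shows NXDOMAIN-style blocking vs. answering with a
# false address, and the collateral effect on names that alias a blocked name.
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed zone data: shop.example depends on cdn.example via a CNAME.
ZONE = {
    "cdn.example.":  ("A", "192.0.2.10"),
    "shop.example.": ("CNAME", "cdn.example."),
    "news.example.": ("A", "192.0.2.20"),
}

SINKHOLE = "192.0.2.250"  # constructed address of a "this site is blocked" page
MAX_CHAIN = 8             # guard against CNAME loops in malformed data


@dataclass
class Answer:
    rcode: str               # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    address: Optional[str]   # final A record, if any
    chain: List[str]         # names visited while resolving
    blocked: bool            # True if the policy layer intervened


def resolve(name: str, blocklist: Set[str], mode: str = "nxdomain",
            _chain: Optional[List[str]] = None) -> Answer:
    """Resolve `name`, chasing CNAMEs, with the blocking policy applied at each step.
    mode="nxdomain": deny that the name exists.
    mode="sinkhole": answer with a false address (the report's 'false information')."""
    chain = (_chain or []) + [name]
    if len(chain) > MAX_CHAIN:
        return Answer("SERVFAIL", None, chain, False)
    if name in blocklist:
        if mode == "nxdomain":
            return Answer("NXDOMAIN", None, chain, True)
        return Answer("NOERROR", SINKHOLE, chain, True)
    record = ZONE.get(name)
    if record is None:
        return Answer("NXDOMAIN", None, chain, False)  # genuinely absent name
    rtype, rdata = record
    if rtype == "CNAME":
        # Normal resolver behaviour: follow the alias. The policy is applied to
        # the target too, so a block on the target silently breaks this name.
        return resolve(rdata, blocklist, mode, chain)
    return Answer("NOERROR", rdata, chain, False)


def collateral(blocklist: Set[str], mode: str = "nxdomain") -> List[str]:
    """Names not on the blocklist whose resolution is nonetheless affected."""
    return sorted(n for n in ZONE
                  if n not in blocklist and resolve(n, blocklist, mode).blocked)
```

Calling `collateral({"cdn.example."})` reports `shop.example.` as affected even though only `cdn.example.` was listed, which is the "domains that provide services for other domains" case above.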
Governments use DNS blocking for complex purposes, and these can be controversial. One motivation is public safety, such as blocking domains that a government decides enable illegal activities or incite violence. Some governments use DNS blocking as a tool for censorship. The SSAC notes that whether an action constitutes censorship, or the legality of any specific case of DNS blocking, will depend upon local laws (which vary widely across the globe), and can involve personal convictions, about which people may vary in good faith. For these reasons, the SSAC does not make statements in this report about the propriety of specific cases of DNS blocking; such discussions are more suited for political fora. The merits or advisability of governmental or other attempts to control access to resources on the Internet are beyond the scope of this report.