Domain Name System blocking, or DNS blocking / filtering, is a strategy for making it difficult for users to locate specific domains or websites on the Internet. It was first introduced in 1997 as a means to block spam email from known malicious IP addresses. [1]
DNS blocking can also be applied to outgoing requests. Instead of returning the valid IP address of a requested site (for example, 198.35.26.96 when "www.wikipedia.org" is entered into a browser [2]), a DNS resolver that has this IP on a block list might reply that the domain is unknown, or it might reply with a different IP address that directs to a site with a page stating that the requested domain is not permitted. The latter case, where the user is redirected to another destination, would be considered DNS spoofing, otherwise known as "DNS poisoning". [3] DNS blocking can be applied to individual servers/IP addresses or to entire blocks of IP addresses, for multiple reasons.
Some public DNS resolvers, like Quad9 and CleanBrowsing, offer filters as part of their DNS service. Quad9, for example, blocks access to known phishing and malicious domains. CleanBrowsing filters out adult content in its effort to protect kids online.
In addition to its technical impact, DNS blocking also has many social and political implications. Free speech and due process are key concerns regarding DNS blocking, particularly in the United States. DNS blocking was proposed to be mandated by the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA). [4] It is a technique that essentially breaks the fundamental architecture of the internet. The goal for its use as intended by SOPA and PIPA is to prevent users from intentionally or unintentionally accessing web sites and web services that are known to host copyrighted material without authorization.
According to an article in Network World magazine, "Just about universally, the people responsible for the technical development and operation of the Internet have said that the DNS-blocking proposals would break vital Internet technology while at the same time being entirely ineffectual against people who are serious about violating copyright laws and largely ineffectual against those who do so casually." [5] They go on to claim that politicians who support this type of legislation are motivated by pressure from lobbyists and donors to their campaigns. These lobbyists and donors are often affiliated with special interest groups such as the MPAA and RIAA.
Google's chairman, Eric Schmidt, is quoted saying "I would be very, very careful if I were a government about arbitrarily [implementing] simple solutions to complex problems" in reference to DNS blocking and the PIPA bill. [6] Experts claim that users could get around DNS blocking by using foreign search engines and foreign DNS servers. In fact, within two months of the legislation being introduced there were browser plug-ins released that enable users to resolve blocked domains. [7]
Numerous industry experts have concerns regarding the effect of DNS blocking on the security of the Internet. A former Bush administration Department of Homeland Security policy director claimed that altering the Domain Name System "would do great damage to internet security." [8]
The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.
In the Internet, a domain name is a string that identifies a realm of administrative autonomy, authority or control. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name identifies a network domain or an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, or a server computer.
In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and possibly performance in the process.
A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement, acceptable use policy, survey completion, or other valid credentials that both the host and user agree to adhere by. Captive portals are used for a broad range of mobile and pedestrian broadband services – including cable and commercially provided Wi-Fi and home hotspots. A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, and business centers.
The computer file hosts is an operating system file that maps hostnames to IP addresses. It is a plain text file. Originally a file named HOSTS.TXT was manually maintained and made available via file sharing by Stanford Research Institute for the ARPANET membership, containing the hostnames and addresses of hosts as contributed for inclusion by member organizations. The Domain Name System, first described in 1983 and implemented in 1984, automated the publication process and provided instantaneous and dynamic hostname resolution in the rapidly growing network. In modern operating systems, the hosts file remains an alternative name resolution mechanism, often configurable as part of facilities such as the Name Service Switch as either the primary method or as a fallback method.
The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.
Ad blocking or ad filtering is a software capability for blocking or altering online advertising in a web browser, an application or a network. This may be done using browser extensions or other methods.
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.
Pharming is a cyberattack intended to redirect a website's traffic to another, fake site by installing a malicious program on the victim's computer in order to gain access to it. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real IP addresses. Compromised DNS servers are sometimes referred to as "poisoned". Pharming requires unprotected access to target a computer, such as altering a customer's home computer, rather than a corporate business server.
OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks. The OpenDNS Global Network processes an estimated 100 billion DNS queries daily from 85 million users through 25 data centers worldwide.
DNS rebinding is a method of manipulating resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network. In theory, the same-origin policy prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script. Comparing domain names is an essential part of enforcing this policy, so DNS rebinding circumvents this protection by abusing the Domain Name System (DNS).
Vitalwerks Internet Solutions, LLC is a domain and host service provider. No-IP offers DNS services, DDNS, email, network monitoring and SSL certificates. Email services include POP3, SMTP, mail backup services, mail reflection and filtering.
DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during the TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546.
In computing, a blacklist, disallowlist, blocklist, or denylist is a basic access control mechanism that allows through all elements, except those explicitly mentioned. Those items on the list are denied access. The opposite is a whitelist, allowlist, or passlist, in which only items on the list are let through whatever gate is being used. A greylist contains items that are temporarily blocked until an additional step is performed.
The PROTECT IP Act was a proposed law with the stated goal of giving the US government and copyright holders additional tools to curb access to "rogue websites dedicated to the sale of infringing or counterfeit goods", especially those registered outside the U.S. The bill was introduced on May 12, 2011, by Senator Patrick Leahy (D-VT) and 11 bipartisan co-sponsors. The Congressional Budget Office estimated that implementation of the bill would cost the federal government $47 million through 2016, to cover enforcement costs and the hiring and training of 22 new special agents and 26 support staff. The Senate Judiciary Committee passed the bill, but Senator Ron Wyden (D-OR) placed a hold on it.
The Stop Online Piracy Act (SOPA) was a proposed United States congressional bill to expand the ability of U.S. law enforcement to combat online copyright infringement and online trafficking in counterfeit goods. Introduced on October 26, 2011, by Representative Lamar Smith (R-TX), provisions included the requesting of court orders to bar advertising networks and payment facilities from conducting business with infringing websites, and search engines from linking to the websites, and court orders requiring Internet service providers to block access to the websites. The proposed law would have expanded existing criminal laws to include unauthorized streaming of copyrighted content, imposing a maximum penalty of five years in prison.
There were different but similar copyright bills in the 112th United States Congress: The Stop Online Piracy Act (SOPA) in the House of Representatives and the PROTECT IP Act (PIPA) in the Senate. A typical route for legislation like this is to pass some version in both houses, then refer the two bills to a conference committee, which would produce a single bill likely to pass both houses.
A response policy zone (RPZ) is a mechanism to introduce a customized policy in Domain Name System servers, so that recursive resolvers return possibly modified results. By modifying a result, access to the corresponding host can be blocked.
Quad9 is a global public recursive DNS resolver that aims to protect users from malware and phishing. Quad9 is operated by the Quad9 Foundation, a Swiss public-benefit, not-for-profit foundation with the purpose of improving the privacy and cybersecurity of Internet users, headquartered in Zürich. Quad9 is entirely subject to Swiss privacy law, and the Swiss government extends that protection of the law to Quad9's users throughout the world, regardless of citizenship or country of residence.