Paul Vixie Explains, In Great Detail, Why You Don't Want 'Policy Analysts' Determining DNS Rules

from the let-the-geeks-be-geeks-please dept

Thu, Jan 12th 2012 3:50pm — Mike Masnick

There's been plenty of talk, obviously, about the problems with SOPA and PIPA and how they treat DNS as a tool for blocking, despite the massive problems it causes for security efforts like DNSSEC. Every single working engineer who's spoken out on this issue (that we've seen, at least), has made this same point. We've even heard from techies within the government saying the same thing. And, of course, even Comcast itself (despite supposedly being in favor of the bill) proudly admits that DNS blocking is incompatible with DNSSEC. Even as the House and Senate are trying to punt on DNS issue, they still fully expect to put it in place at a later date, so it's important to discuss why it's a bad, bad idea.

So far, the "pro-SOPA/PIPA" folks haven't been able to find a legitimate working technologist who says that these plans make sense. Instead, they've brought out some "policy analysts" who have some basic technology background, but not a deep understanding of DNS. But, because they can toss around some tech terms, SOPA/PIPA supporters think they sound credible. However, in his latest post on the subject, Vixie walks through a step-by-step explanation for why each suggested method of DNS blocking won't work and/or breaks DNSSEC. Basically, these "policy analysts" keep suggesting different ways that they think DNS blocking could work, and Vixie explains why they're wrong each time, and points out the importance of actually having DNS engineers do DNS engineering -- not policy analysts.

For example an early draft of this legislative package called for DNS redirection of malicious domain names in conflict with the end-to-end DNS Security system (DNSSEC). Any such redirection would be trivially detected as a man in the middle attack by secure clients and would thus be indistinguishable from the kind of malevolent attacks that DNSSEC is designed to prevent. After the impossibility of redirection was shown supporters of PIPA and SOPA admitted that a redirection (for example, showing an "FBI Warning" page when an American consumer tried to access a web site dedicated to piracy or infringement) was not actually necessary. Their next idea was no better: to return a false No Such Domain (NXDOMAIN) signal. When the DNS technical community pointed out that NXDOMAIN had the same end-to-end security as a normal DNS answer and that false NXDOMAIN would be detected and rejected by secure clients the supporters SOPA and PIPA changed their proposal once again.

The second to latest idea for some technologically noninvasive way to respond to a DNS lookup request for a pirate or infringing domain name was "just don't answer". That is, simulate network loss and let the question "time out". When the DNS technical community explained that this would lead to long and mysterious delays in web browser behavior as well as an increased traffic load on ISP name servers due to the built in "retry logic" of all DNS clients in all consumer facing devices, we were ignored. However when we also observed that a DNSSEC client would treat this kind of "time out" as evidence of damage by the local hotel or coffee shop wireless gateway and could reasonably respond by trying alternative servers or proxies or even VPN paths in order to get a secure answer, the supporters of SOPA and PIPA agreed with this and moved right along.

The latest idea is to use the Administrative Denial (REFUSED) response code, which as originally defined seemed perfect for this situation. To me this latest proposal as well as the road we've travelled getting to this point seems like an excellent example of why network protocols should be designed by engineers....

And yet... it's not being designed by DNS engineers at all. It's being designed by policy people, with a smattering of help from some former technologists who don't really understand DNS. That seems like a pretty big problem.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: blocking, dns, dnssec, paul vixie, pipa, policy, protect ip, sopa, technology

39 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Marcus Carab (profile), 12 Jan 2012 @ 3:46pm

It's worth noting, I think, that he then goes on to explain in great detail why the latest idea won't work either (just in case you didn't click through):

The preeminent DNS software on the Internet is BIND, whose market share has declined from 99% to 85% in the last 25 years. I maintained and rewrote BIND from 1989 or so until 1999 or so and I am also the author or co-author of a half dozen or so Internet RFC documents on the subject of DNS. So I know that we send REFUSED in response to a query when we don't like the client's IP address � DNS servers do not even look at the question before deciding whether to send REFUSED. On the client side, if we hear a REFUSED we give up on that server and move on to the next server � which means we assume that it was the client's IP address that the server is refusing, not the question we happened to be asking at that moment. Microsoft Windows will actually "de-preference" a name server if they hear too many REFUSED messages from it � so BIND is not the only DNS software that interprets REFUSED in this way. ... This means a classic non-secured DNS client will react to a REFUSED signal by treating the server as broken and just asking the next available server � hoping to find a server that is not broken. Whereas a newer DNSSEC client will react to REFUSED by ignoring it and continuing to wait � hoping for a real answer that might follow close on the heels of the potential forgery. In the unsecure case, the client will often do what the proponents of SOPA and PIPA would seem to want � display an error message in the web browser � but will occasionally just repeat the whole transaction a fraction of a second later, increasing the load on the ISP's name servers. In the DNSSEC case, the client will not do PIPA or SOPA are asking, there will just be delay followed by trying some other server, or retrying through a proxy, or otherwise circumventing what will look to DNSSEC like just another broken hotel or coffee shop wireless network.
[ link to this | view in chronology ]
xenomancer (profile), 12 Jan 2012 @ 3:59pm

Tangent, But Important
Attention everyone! I've finally got the CENSOR ME plugin I wrote yesterday up on the WordPress plugin directory. See it in action here. If you operate a WordPress blog and wish to participate in a blackout, its essentially an on/off switch. Simply activate it to blackout and deactivate it to go back to normal.
[ link to this | view in chronology ]
- Jeffrey Nonken (profile), 13 Jan 2012 @ 12:38pm
  
  Re: Tangent, But Important
  Sounds great. I'd consider using it if anybody ever read my blog besides spammers' 'bots. :)
  
  Seriously, thanks for doing this.
  [ link to this | view in chronology ]
Anonymous Coward, 12 Jan 2012 @ 4:10pm

Wreckers and saboteurs
And what accomplished villains these old engineers were! What diabolical ways to sabotage they found! Nikolai Karlovich von Meck, of the People's Commissariat of Railroads ... would hold forth for hours on end about the economic problems involved in the construction of socialism, and he loved to give advice. One such pernicious piece of advice was to increase the size of freight trains and not worry about heavier than average loads. The GPU exposed van Meck, and he was shot: his objective had been to wear out rails and roadbeds, freight cars and locomotives, so as to leave the Republic without railroads in case of foreign military intervention! When, not long afterward, the new People's Commissar of Railroads ordered that average loads should be increased, and even doubled and tripled them, the malicious engineers who protested became known as limiters ... they were rightly shot for their lack of faith in the possibilities of socialist transport.

�� Aleksandr I. Solzhenitsyn, The Gulag Archipelago
[ link to this | view in chronology ]
Anonymous Coward, 12 Jan 2012 @ 4:23pm

Institutionalized Lying
The real problem with poisoning the DNS is that it constitutes institutionalized lying. The owner of a domain name tells the DNS what their server IP address is. If any other entity somehow makes the DNS produce the wrong IP address, then that is no different from anybody else who is in a position of trust telling lies. We are rightly outraged when anybody else does it. It is no different when the DNS is lying. It is shocking that Congress should be proposing that the DNS should be perverted to tell lies. It proves that they are personally dishonest individuals. Vote the bums out.

The key to understanding America, is to figure out who is lying to who and why.
[ link to this | view in chronology ]
- Suja (profile), 12 Jan 2012 @ 4:39pm
  
  Re: Institutionalized Lying
  The key to understanding the world, is to figure out who is lying to who and why.
  
  FTFY
  [ link to this | view in chronology ]
  - Anonymous Coward, 12 Jan 2012 @ 4:47pm
    
    Re: Re: Institutionalized Lying
    Correct. Thanks.
    [ link to this | view in chronology ]
- Anonymous Coward, 12 Jan 2012 @ 4:45pm
  
  Re: Institutionalized Lying
  Oops, sorry grammar nazis, should be "who is lying to whom".
  [ link to this | view in chronology ]
- New Mexico Mark, 12 Jan 2012 @ 5:32pm
  
  Re: Institutionalized Lying
  Maybe congress could enact a bill that could force map companies (or web mapping sites or gps) to produce altered maps preventing travelers from reaching unacceptable destinations?
  
  What about forcing phone books (or phone number lookup sites) to remove or change phone numbers for un-persons?
  
  The possibilities are endless since our "representatives" (tm) are now enacting laws based on the principle of "liberty and justice for the highest bidder".
  [ link to this | view in chronology ]
- Al Bert (profile), 12 Jan 2012 @ 6:04pm
  
  Re: Institutionalized Lying
  I think more important to the task of any actual reform would be to ask:
  
  Why and in what circles has it become acceptable to suggest that lying is okay?
  
  The answer to "who and why" only reveals the criminals and their motives. The answer to "why is it acceptable" reveals the criminal culture, i.e: the root of the parasitic plant.
  [ link to this | view in chronology ]
TtfnJohn (profile), 12 Jan 2012 @ 5:15pm

The issue Vixie is outlining isn't just that DNS won't do what PIPA/SOPA want it to do but that there is nothing, no signal, no nothing that won't look to DNSSEC as an attack or potential attack. Or just a failure and the lookup will try again and keep trying overloading ISP servers.

Any way you look at it technically it can't be done the way SOPA/PIPA supporters want it to be done.

All to legislate a potential future, not a real one, for two failing entertainment sectors. Both failing at their own hand, I might add. (Again. ;-))

As for governments institutionalizing lying, even in the west, I'm afraid that happened decades ago. You know, things like domino theories and all that stuff, weapons of mass destruction found in Iraq that were never found once the troops landed and so on.

So why not now? Why not try to poison DNS so that it lies too. That way governments think they have control over something they've had no control of to now.
[ link to this | view in chronology ]
- blaktron (profile), 12 Jan 2012 @ 7:55pm
  
  Re:
  It goes worse than that. The only way to actually do it is to NAT the entire USA. People dont understand that you can just use a DNS server in another country unless you actively re-routing DNS requests to government servers.
  
  The technical realities of implementing a system like this is automatically freedom killing because its so easy to bypass without a single tool that the only way to ensure compliance is to intercept every DNS request in the USA.
  
  Also, once the requests have left the safe confines of a DNSSEC backbone, nothing at all will stop people from redirecting the redirections.
  [ link to this | view in chronology ]
  - Anonymous Coward, 13 Jan 2012 @ 1:35am
    
    Re: Re:
    Not to mention that there's DNS phonebook service on the web that, if a domain you wanted to go to is blocked, you could just query them in the way-back-machine add find an archived copy, and then add the entry to your hosts file.
    
    Problem solved. :)
    [ link to this | view in chronology ]
    - Anonymous Coward, 13 Jan 2012 @ 5:16am
      
      Re: Re: Re:
      Rightclicking yer network card - properties - clicking ipv4/6 - configure - specify a non US dns server.
      
      There, fixed it for you =)
      [ link to this | view in chronology ]
      - blaktron (profile), 13 Jan 2012 @ 11:45am
        
        Re: Re: Re: Re:
        Unless, like China, they redirect all DNS requests at the border.....
        [ link to this | view in chronology ]
        
        A Guy (profile), 13 Jan 2012 @ 12:31pm
        
        Re: Re: Re: Re: Re:
        That is also easy to bypass. An encrypted proxy or VPN that is only used for DNS requests is cheap and easy. Non traditional DNS tools can/will/have been developed. I bet if I were dropped in China with a laptop and an internet connection, I could bypass the "Great Firewall" in less than 3 minutes.
        [ link to this | view in chronology ]
MrWilson, 12 Jan 2012 @ 5:53pm

Translation: You can't Jedi mind trick a DNS client.

::waves fingers::

"These aren't the domain names you're looking for.
[ link to this | view in chronology ]
Anonymous Coward, 12 Jan 2012 @ 5:54pm

Vixie's last sentence sounds much like an "olive branch" being extended to see what might be done technically to solve the DNS/DNSSEC issue. Sounds like Leahy may very well be on the right track after all.
[ link to this | view in chronology ]
- blaktron (profile), 12 Jan 2012 @ 8:08pm
  
  Re:
  UGH, thats because you dont understand DNS, hes not being actually serious but commenting on how stupid the people suggesting these ideas are. The admin denial command is not used like that in the slightest, its used to breakup requests to prevent denial of service attacks when requesting big lists from the DNS server, not to permanently prevent access to a domain.
  
  If you understood any of that you would be anti-SOPA/PIPA, and thats the problem.
  [ link to this | view in chronology ]
- Richard (profile), 13 Jan 2012 @ 3:51am
  
  Re:
  Vixie's last sentence sounds much like an "olive branch" being extended to see what might be done technically to solve the DNS/DNSSEC issue. Sounds like Leahy may very well be on the right track after all.
  
  Paul has been really careless saying something that enabled you to misinterpret him like that.
  
  However you have been pretty wilful in your misinterpretation - so I guess he had a difficult task!
  [ link to this | view in chronology ]
  - Anonymous Coward, 13 Jan 2012 @ 8:04am
    
    Re: Re:
    You might want to consider conferring a benefit here by interpreting what he really meant.
    [ link to this | view in chronology ]
    - A Guy (profile), 13 Jan 2012 @ 12:38pm
      
      Re: Re: Re:
      He meant, if you want to spend the next 10 (20? 30?) years rewriting DNS and internet routing in general, and then spending the untold millions (billions? trillions?) to roll out the changes, good luck with that. He welcomes you to the industry debate.
      
      It was hard enough getting stakeholders together to do something (anything) about DNS security. Getting stakeholders together to completely redo the internet isn't going to happen quickly, and you probably won't be happy with the result.
      [ link to this | view in chronology ]
Anonymous Coward, 12 Jan 2012 @ 6:03pm

DNSSEC is all hot air. No one uses it, no one wants to use it, no one will use it. Except to attack others. Why keep talking about it?
[ link to this | view in chronology ]
- Mike Masnick (profile), 12 Jan 2012 @ 6:20pm
  
  Re:
  DNSSEC is all hot air. No one uses it, no one wants to use it, no one will use it.
  
  Wow. That's not even close to true.
  
  Hell, just yesterday we noted that Comcast has a complete rollout of DNSSEC.
  [ link to this | view in chronology ]
  - blaktron (profile), 12 Jan 2012 @ 7:57pm
    
    Re: Re:
    Of course its hot air Mike. Just like the internet. Just like the ideals that frame the constitution.
    
    Hes technically correct, yet displaying a stunning level of ignorance at the same time.
    
    Please AC, I wont interfere with your finger painting, you dont interfere with my network implementations.
    [ link to this | view in chronology ]
- Anonymous Coward, 12 Jan 2012 @ 6:52pm
  
  Re:
  Do you have to undergo training to be that stupid or is it just a natural talent?
  [ link to this | view in chronology ]
  - Anonymous Coward, 13 Jan 2012 @ 2:33am
    
    Re: Re:
    I think it's some new kind of trolling: instead of trying to make us look stupid, the trolls try (disturbingly hard) to make themselves look stupid.
    
    Kids these days...
    [ link to this | view in chronology ]
Anonymous Coward, 12 Jan 2012 @ 6:04pm

http://www.zeropaid.com/news/97512/senator-feinstein-filtering-the-internet-does-not-violate-free-sp eech/

Another idiot in power declares SOPA to be good.
[ link to this | view in chronology ]
Anonymous Coward, 12 Jan 2012 @ 6:46pm

Keep in mind Paul Vixie also wrote "whenever the goal of "DNS blocking'' is merely domain name disappearance and not content insertion then "DNS blocking'' will not break Secure DNS or even slow it down" so he has also clearly said that domain blocking with DNSSEC is possible.
[ link to this | view in chronology ]
- Richard (profile), 13 Jan 2012 @ 3:55am
  
  Re:
  That was a while ago in a response about a different issue. I think he's had a bit of time to think deeper about the problems since then.
  [ link to this | view in chronology ]
A Guy (profile), 12 Jan 2012 @ 7:21pm

Adding a "blocked" signal to the DNS protocol will not make piracy magically disappear.

Well, I guess if it will keep censorship proponents busy for the next 5-10 years developing and rolling the new DNS protocol, that's not so bad. It will give the rest of us time to innovate and move onto whatever comes next.
[ link to this | view in chronology ]
Anonymous Coward, 12 Jan 2012 @ 7:58pm

Vixie still hasn't really explained why a "simulated network loss" as he calls it wouldn't be effective. He only says it makes websites appear slow -- well, that would be the point of blocking these sites, right?
[ link to this | view in chronology ]
- Anonymous Coward, 13 Jan 2012 @ 1:40am
  
  Re:
  It makes everyone in the ISP slow because everyone will be asking redundent DNS query on blocked entries. Those who want to go to other websites will have to wait until the DNS servers have free time to serve them.
  [ link to this | view in chronology ]
- A Guy (profile), 14 Jan 2012 @ 12:06pm
  
  Re:
  Another word for this is distributed denial of service attack. The only difference being that instead of DDOSing a website to make it unviewable, you'd be doing it to yourself and your neighbors.
  [ link to this | view in chronology ]
Anonymous Coward, 13 Jan 2012 @ 1:46am

I'll add that as soon as DNS blocking rule on the U.S. is passed, I'll have to patch my local BIND source to block those kind of faulty DNS update entries. Just like what I did years ago to ignore the buggy 0.0.0.0 when queries certain server from China DNS and increase the TTL of that cached entry to insane value in order to prevent it to ask the same question in the future.

So please don't pass these laws, it makes my life more difficult.
[ link to this | view in chronology ]
Rich Kulawiec, 13 Jan 2012 @ 2:17am

What some of you are missing...
...particularly the AC's, is that decisions made about the architecture of DNS have repercussions in the operation of DNS: it doesn't operate in an abstract environment with infinite bandwidth, CPU and memory resources. I provided links to a number of mailing lists in a comment a couple of days ago; if you want to really try to understand how protocol decisions impact the real world, then you should probably be on those lists and reading the comments of the people who actually have to make this stuff work.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Jan 2012 @ 2:34am
  
  Re: What some of you are missing...
  ... if you want to really try to understand...
  
  Most senators and representatives, and most of their staffs, are utterly baffled by:
  
  $ ./configure $ make # make install
  
  In Hollywood, people in command will order that sequence changed for dramatic effect!
  [ link to this | view in chronology ]
Violated (profile), 13 Jan 2012 @ 4:01am

D... N... S...
I think this also all about what we want our Internet data to be... Honest and trustworthy, or insecure and a liar.

It does not take much pondering to arrive at the right answer which also means people can't lie to an honest system.

I am looking forwards to Europe implementing DNSSEC when doing so will kill services like BT's CleanFeed system. The same system that currently denies you access to NewzBin2. I spot some more court fight due there.

What I am currently thinking is that if DNSSEC uses Administrative Denied then this should be avoidable through changing your DNS look-up server.
[ link to this | view in chronology ]
Albert Klausevits, 2 Aug 2016 @ 5:58am

I had a trouble with the body's weight, neck and back pain as well as motion security. After physical medicine rehab in New York Dynamic Neuromuscular Recovery (NYDNR) https://nydnrehab.com/ I really feel wonderfull!!! During DNS treatment, I alleviated for imbalances, dysfunctions, problems with position as well as control dysfunctions with a method that takes the individual back to placements of early advancement as well as makes use of treatment to progress feature as it is tolerated. The training is performed in one of the most all-natural (perfect) body positions. When learnt in this manner, the main activity systems become automatic supplying basis for healthy and balanced.
[ link to this | view in chronology ]