Russia Says Disconnecting From The Rest Of The Net 'Out Of The Question', But Wants Alternative DNS Servers For BRICS Nations
from the think-global,-act-local dept
At the start of the year, we wrote about a call for Russia to make its Internet infrastructure resistant to external attempts to shut it down, and able to work in isolation if need be. It looks like the authorities are moving ahead with the idea:
The Russian Security Council has asked the country's government to develop an independent internet infrastructure for BRICS nations, which would continue to work in the event of global internet malfunctions.
The RT news story has some details on how the BRICS subnet will work:
They decided that the problem should be addressed by creating a separate backup system of Domain Name Servers (DNS), which would not be subject to control by international organizations. This system would be used by countries of the BRICS bloc -- Brazil, Russia, India, China and South Africa.
The plan has evidently developed from a purely Russian intranet system to one that includes the other BRICS nations. Creating additional DNS servers will be easy, so there's no reason why it shouldn't happen -- not least because Putin has "personally set a deadline of August 1, 2018 for the completion of the task". Perhaps the most interesting aspect of the story is the following comment by Putin's Press Secretary, Dmitry Peskov:
"Russia’s disconnection from the global internet is of course out of the question," Peskov told the Interfax news agency. However, the official also emphasized that "recently, a fair share of unpredictability is present in the actions of our partners both in the US and the EU, and we [Russia] must be prepared for any turn of events."
That offers a pragmatic recognition that disconnection from the global Internet is no longer an option for a modern state, even if Iran begs to differ. It's true that local DNS servers provide resilience, but they also make it much easier for a government to limit access to foreign sites by ordering their IP addresses to be blocked -- surely another reason for the move.
This latest proposal is part of a long-running campaign by Russia to wrest control of key aspects of the Internet -- such as the DNS system -- from international bodies, for example during the ITU's World Conference on International Communications (WCIT) in 2012. Russia already had the support of other BRICS governments back then, which suggests they will back the new approach.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Reader Comments
Yeah, this is not a new movie
And the moment this goes live -- if not before -- there will be static hosts files making the rounds. They won't contain everything but they'll have all the important stuff.
[ link to this | view in chronology ]
Re: Yeah, this is not a new movie
Really there needs to be a Chinese wall between DNS providers and ISPs. These services should not be managed by the same companies. DNS is badly deprecated, and if you want to see it get fixed, you have to make it profitable to do so. Which means it has to be its own service.
[ link to this | view in chronology ]
Re: Re: Yeah, this is not a new movie
More like abused than deprecated.
"if you want to see it get fixed, you have to make it profitable"
another reason markets are not self regulating
[ link to this | view in chronology ]
Re: Re: Re: Yeah, this is not a new movie
IMHO namecoin is closer to a serviceable architecture going forward. As long as you have a root server, and/or a cascading database configuration, there will be MITM attacks.
The only thing that fixes that is blockchain. But... If you're going to go to all that length, then even better is to make it indistinguishable from other traffic types.
IMHO the whole stack is deprecated, because ISO layers 4 and 5 should be transposed. Port numbers should never have been publicly exposed data. If it isn't exposed we get much closer to compelled NN, because full encryption at layer 4 forcibly deprecates QOS switching on traffic type.
[ link to this | view in chronology ]
Re: Re: Re: Re: Yeah, this is not a new movie
Sounds like a lot of bandaging you have in mind, why not simply stop hurting yourself?
[ link to this | view in chronology ]
Re: Yeah, this is not a new movie
What worries me about what Russia is doing is not that they're setting up an alternate root -- I think that has the potential to be a good thing, especially if it peers with the current root.
What worries me is whether they're going to mandate that all DNS traffic be limited to the upstream provider via router configurations -- that is, any DNS request that's not signed by the appropriate authority will be dropped.
In the past, the way DNS was designed prevented this sort of thing, but signing DNS traffic is a two way street -- you can verify there's been no MITM attempt, but you can also programmatically block queries to DNS servers you don't want your downstream users seeing.
This means it's possible that 8.8.8.8 and 9.9.9.9 (and all the other public DNS servers) may start getting dropped, and even local DNS resolvers may get dropped wholesale if they're from zones the upstream provider doesn't like.
I haven't used an ISP DNS in 20 years, but this plan could force people to do so or risk unreliability/fragmentation.
[ link to this | view in chronology ]
cyber warfare
Leaked documents from the NSA, CIA, and other agencies have demonstrated that the US government is on a mission to weaponize the internet, so it makes sense that other nations would take defensive precautions that would minimize damages from such attacks. Since NATO nations to a large degree control much of the critical internet backbones, the ability of individual nations to compartmentalize their own internet to at least some degree would be a logical step.
BRICS was established as a free trade bloc, though it has been slowly moving in the direction toward a military alliance, so it will be interesting to see if these countries will feel free to trust Russia and China --as opposed to the US & NATO-- for such a critical utility as internet service.
Considering the way that DNS servers in Western nations have increasingly been used as a major censorship tool, it seems strange that the rest of the world would not have made major efforts to avoid US & EU-controlled DNS servers a long time ago.
[ link to this | view in chronology ]
Re: Re: Re:
Current DNS is federated, where each server points to a more local authority until the DNS server that "owns" the IP eventually responds with the address that should be connected to.
Proxying basically lets you tunnel to some other starting location to kick off your chain of queries. Full proxying will create an encrypted tunnel to that starting point and move the entire chain of queries through the tunnel so that your ISP only sees a stream of encrypted data.
However, encrypted DNS traffic is easy to spot at the router with packet inspection. It stands out like a sore thumb, and is easy to drop if the owner of the router is so inclined. And once you've eliminated encrypted DNS traffic, it's just as easy to spot when someone's not going through the official, signed DNS root to get their DNS queries resolved. This may require a new layer added to DNS, but that's essentially what's happening here: the DNS chain will be signed so that you can trace the authority back to the originating server. This creates a chain of trust, but also creates a chain of control.
[ link to this | view in chronology ]
Re: Re:
How would they accomplish this? ... Make it so users are forced into using the official "browser" crafted by the ISP?
Certainly there are ways of circumventing this also.
[ link to this | view in chronology ]
Re: Re: Re:
Simple, block the IP addresses of all known DNS servers, other than their own. That is how they have blocked things like bit-torrent after all.
[ link to this | view in chronology ]
Re: Re: Re: Re:
There are two ways to acquire the root zone files (that is: the list of authoritative DNS servers for each root zone like .com, .net, .info, etc.) One is to apply for access to them, which isn't that onerous if you present identification and reasons. The other is to set up passive DNS listeners and just grab everything as it goes by -- perhaps augmenting that by doing a lot of queries.
In both cases, what you'd end up with -- to a sloppy first approximation -- would be a very large list of domain names along with their associated nameservers. You sort that list by the number of occurrences of each DNS server, and then block the top million plus the DNS servers for the Alexa top million plus all the open DNS servers that you know about.
That won't catch everything, but it will catch the overwhelming majority of the DNS servers used by the overwhelming majority of domains that anybody cares about.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
The reason that ISPs provide DNS service is to become a man in the middle, using one of the big DNS providers to do the heavy lifting. After they have logged your request, and filtered for anything that they want to block, they pass it on to get it resolved. This also allows them to respond to failed requests by sending you to an advertising page.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Yup. One would have to turn off that function and populate manually those sites one desired to visit. I thought that was a well known given.
Even if you use a DNS server out there in wonderland, one can still enter an IP address in the browser - no DNS necessary.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
A filtered ISP provided DNS would be than what you propose, and you can use the hosts file to insert known IP addresses of sites that they block, so long as it is not an IP block.
[ link to this | view in chronology ]
Of course they'd need to make it illegal to use open DNS servers for this to fully match with their authoritarian ideas.
[ link to this | view in chronology ]
A more relevant story would be something like "Russia finally joins the many nations who are ready to firewall themselves from the rest of the world and go it alone."
While "The Great Firewall of China" is the best known, the Chinese were hardly the first, or only.
[ link to this | view in chronology ]
Re:
Keep in mind the following:
1. DNS holds all kinds of information in addition to the A records that are so often used by web browsers.
2. The root zone files are available. Getting them requires a process, but they're available.
3. Alternatively, there are passive DNS projects that have collected most of the data that exists in the root zones.
4. You can run your own DNS resolver on just about anything. I have one on each of my laptops and on a Raspberry Pi. You could run one on your phone or tablet.
5. Static hosts files are clumsy but in a pinch they suffice.
6. There are open DNS resolvers in many places.
7. VPNs, tunnels, Tor, virtual hosts, proxies all enable BRICS DNS to be bypassed.
8. DNS traffic can be tunneled via other protocols.
9. Clouds, CDNs, etc. make it difficult to block services.
10. Even if 1-9 weren't in play, the inability of anyone in a BRICS nation to perform a certain DNS query has zero effect on their vulnerability to attack.
This is a combination of political grandstanding and a vague hand-waving attempt at censorship. It won't work.
[ link to this | view in chronology ]
Brilliant!
[ link to this | view in chronology ]
No one winning
Don't get me wrong, NSA isn't the poster child for everything that is right in the world but you have to ask yourself which is the lesser of two evils. As far as I am aware, NSA hasn't been out there stealing technology (looking at you China APT 1, APT 3) or crashing electrical grids or spreading malware in MeDoc.
[ link to this | view in chronology ]
Re: No one winning
This DNS server story could be a red herring. Russia no doubt knows that cyberwar defense means controlling as much as possible in its internet space - all the hardware, all the software, and all the technical expertise. Having full control also makes it easier for the government to spy, infiltrate, disrupt, disable, and all sorts of other underhanded shenanigans that paranoid, authoritarian governments tend to do.
[ link to this | view in chronology ]
Re: Re: No one winning
I have bad news for you.
The Russians and the Chinese are AHEAD of the US, both in terms of understanding the theater of war and in terms of navigating it. This is one of the outcomes of 15+ years of steadily-narrowing US focus on one particular strain of terrorism at the expense of many other threats.
I have worse news for you.
The Russians and the Chinese have repeatedly and thoroughly demonstrated that they know how to leverage poorly-run US-based operations against the US. This includes "social media" like Facebook and Twitter as well as numerous ISPs and web hosts with horribly bad security practices. This is a brilliant strategy on their part (using the infrastructure that we built, that we run, that we pay for, and we think we own) and every indicator suggests that they have a massive head start on defenders...who are only now slowly figuring out what's happened.
Let me give you one data point. Facebook has publicly admitted that there are 200M -- MILLION -- fake profiles on its site. Of course, like everyone else, they're lying: the number they know about in-house is larger. Much larger. And of course, like everyone else, the real number is larger -- much larger -- than the one they think they know. It's not at all a stretch to consider the possibility that there are a billion fake profiles on Facebook. (If you think this is unduly speculative, I invite you to consider the history of Yahoo's email account breach.)
[ link to this | view in chronology ]
Re: Re: Re: (beware the paper tiger)
"The Russians and the Chinese are AHEAD of the US"
Such dire warnings about Soviet superiority were the same sort of thing that Americans had constantly drummed into them throughout the entirety of the Cold War. But once the Soviet Union broke up, it became obvious that it was an extreme exaggeration, because for the most part, the Russians were decades behind Western technology and American military capability.
Or when back in 1990, all the times we were repeatedly told that Iraq had the world's fourth most powerful army?
It's hard to know exactly what sort of military capabilities other countries (especially adverse ones) actually have, but if history is any guide, we can be sure that whatever the US military industrial complex is screaming at us is likely to be a gross exaggeration if not an outright fantasy.
[ link to this | view in chronology ]
Re: Re: Re: Re: (beware the paper tiger)
Also keep in mind that cyberwar doesn't work the same way as traditional warfare. In the latter, a markedly inferior force can only succeed if it has some serious tactical/strategic advantages, e.g., the element of surprise. But in the former -- and we see examples of this every single day -- markedly inferior forces can succeed brilliantly.
Russia IS weak in many ways, for example, economically. But they don't have to be strong by any traditional metric in order to wage highly effective cyberwar.
[ link to this | view in chronology ]
Out of the frying pan, into the fire
That said, putting Russia in control would merely be going out of the frying pan into the fire. Russian control over Internet in Brazil, India or South Africa would be abused. As one example of how Russia is just as bad as the US for trying to apply its laws to entities in other countries where it has no lawful jurisdiction, try this gem from November 2015:
" It is notice of making an entry into the "Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation” the Internet web-site page (s) link (s):http://desciclopedia.org/wiki/Tomoyo_Daidouji . "
" In case the hosting provider and (or) the Internet web-site owner fail to take these measures, the network address enabling to identify Internet web-sites containing the information prohibited for distribution in the Russian Federation will be decided to be entered into the Register and access will be limited. "
" The information about entering the domain names, Internet web-site page links and network addresses into the Register shall be available on a 24-hour basis at the following Internet address:http://eais.rkn.gov.ru/en/ . "
" Federal Service for Supervision in the Sphere of Telecom,
Information Technologies and Mass Communications (ROSKOMNADZOR). "
See what they just did? Someone in Russia is dictating to the upstream providers of a tiny Portuguese-language website in Canada that they should not be free to openly discuss Russian politics... even though that site has (predictably) no audience in Russia as "Português" is spoken not in Moscow but in São Paulo.
Brazil already has its own severe issues with libel chill and even a spurious claim can take a couple years to get to trial, to the point where doing any serious biography means dancing into a minefield of strategic lawsuits against public participation, but they've lived through dictatorship as recently as the 1980's and I don't see why they should have to relive that nightmare by having Russians control (and presumably censor) their communications.
[ link to this | view in chronology ]
...and the russkies block themselves for good measure
[ link to this | view in chronology ]
So, I'm curious
[ link to this | view in chronology ]
Re: So, I'm curious
As far as I know, nobody is obligated to use ANY DNS services if they don't want to. Does make things difficult for end users, but that's their problem.
[ link to this | view in chronology ]
Re: So, I'm curious
No. They are completely independent systems. DNS is one minor service running OVER the Internet. Conflating the two is really dangerous from a legal standpoint. Any precedent from the entanglement you suggest would have a cascade effect that would be catastrophic.
[ link to this | view in chronology ]
It also gives them the longer term ability to block sites or make it harder at least to find them, imagine all traffic for whitehouse.gov getting redirected to a look-a-like site that has nothing but the rhetoric that Russia is pushing on it. Its citizens could be deceived by this sort of thing.
[ link to this | view in chronology ]