(No.180) Blocking and Filtering Internet DNS Content

Status: 
Accepted
Workshop Theme: 
Security, Openness and Privacy
Theme Question: 

Emerging Issues: #1, #2; Security/Openness: #2, #3.

Concise Description of Workshop: 

The Internet Domain Name System (DNS) is the world's first distributed, reliable, autonomous, hierarchical, coherent database, and it is the authoritative map and guide to the Internet -- which is in turn humanity's global commons. Control of DNS is seen by many as control of the Internet itself, with the additional prospect of influencing global commerce and culture. For others, filtering of DNS content is an essential element of network and end-user security. This workshop will explore the state of the art of blocking or filtering the content of the DNS as it is seen by some population -- whether an entire country, an enterprise or university, or just the customers of an Internet Service Provider.
Discussion topics will include:

  • Current methods for implementing DNS filters
  • Cultural motivations such as blocking controversial top level domains
  • Commercial motivations such as blocking lookups for web sites trafficking in counterfeit or pirated goods
  • Security motivations such as blocking lookups for malicious web sites
  • Impact of government-mandated DNS filtering
  • Current methods for bypassing or circumventing DNS filters
  • Likely future innovations and developments in this area

Background material for this workshop will be the ICANN SSAC report on DNS Blocking and Filtering, to be published Fall 2012.

Background Paper: 
Organiser(s) Name: 

confirmed - Paul Vixie, ICANN SSAC & RSSAC, ARIN Board, ISC
confirmed - Andrei Robachevsky, ISOC [remote participant]

Submitted Workshop Panelists: 
  • Dmitry Burkov - confirmed, FAITID, RIPE NCC [DNS and registry operator]
  • Robert Guerra - confirmed, Citizen Lab [research]
  • Ram Mohan - confirmed, Afilias [DNS and registry operator]
  • David Hughes - confirmed, RIAA [Business, content, IPR holders]
  • John Carr - confirmed, BT Internet [DNS policy and technology]
  • Xiaodong Lee - confirmed, ICANN [DNS policy and technology]
  • Karen Reilly - confirmed, EFF/Tor [Technology policy]

 

Name of Remote Moderator(s): 
Kurtis Lindqvist
Gender Report Card
Please estimate the overall number of women participants present at the session: 
There were very few women participants
To what extent did the session discuss gender equality and/or women's empowerment?: 
It was not seen as related to the session theme and was not raised
Please include any comments or recommendations you have on how to improve the inclusion of issues related to gender equality and: 

Internet Content Filtering via DNS Blocking is not a gender-specific matter.

Report
Reported by: 
Dr. Paul Vixie, ICANN SSAC
A brief substantive summary and the main issues that were raised: 

IGF 2012: Workshop 180
Blocking and Filtering Internet DNS Content
This workshop focused on the collateral effects of various kinds of DNS filtering/blocking, as recently highlighted by ICANN SSAC report #056, “Advisory on Impacts of Content Blocking via the Domain Name System.” Panelists described both the inevitability of content filtering via the DNS, and the inevitability of evasion of such content filtering by mainstream and otherwise law-abiding citizens of countries where such filtering is or will be practiced. Government policies can support filtering in law as practiced by ISPs or parents, or can mandate some type of content filtering to protect online content.
In Western democracies, filtering of content deemed illegal occurs in a variety of jurisdictions. In some countries blocking is mandated, whereas in others it is voluntary. Technical measures have evolved as the space where content is distributed has changed over time. The panelist who took Interpol’s place on the panel spoke about the experience of the Internet Watch Foundation (IWF) in the UK. He gave a detailed description of the history of blocking in the U.K. It evolved from banning USENET newsgroups, which started in 2001, to URL blocking in 2004 when the web became the dominant means of information sharing and dissemination.
When it was first established in 1996, the Internet Watch Foundation (IWF) responded to complaints from the public, but any response could be short-lived, since removed content could be quickly re-posted over and over, and each takedown event would have to begin with a new complaint. A decision was made by IWF to behave more proactively. Today IWF maintains a list of “bad URLs” (not bad domains, just specific web URLs, to avoid collateral damage). This is complicated and expensive compared to DNS-based filtering or IP-address-based filtering. The blueprint for this URL-based system is available from British Telecom, free of charge, to responsible network operators.
Disrupting the trade is the real goal of government policy in this area; not stopping committed abusers. In the case of online child abuse materials, the dignity and peace-of-mind of the victims is a priority.
Political, economic, or cultural motives are often not subject to useful debate outside the country where the policy is made and enforced. In practical terms, each country absolutely will exercise self-determination in this matter. It’s also important for each country to pay attention to its ccTLD and to avoid criminal domain registrations, for example domains used for phishing and other electronic crime. ICANN’s slogan, “One world, one Internet,” does not mean “One world, one network, one set of rules.”
Collateral impact from policy blocking is inevitable. The continuity and spirit of the Internet asks any nation that mandates Internet filtering to inform Internet users both inside and outside that nation as to the exact nature and method of blocking to be used. Otherwise the Internet operations community could accidentally work around the filtering.
The power of states is greatly reduced online. Blocking DNS while also cutting funding for child protections and failing to investigate corrupt government officials is at best a losing proposition. No technical measures can circumvent good traditional law enforcement.

Conclusions and further comments: 

We are concerned about the effects on Internet infrastructure development, for example unforeseen technical constraints on the future usability or total size of the Internet due to government policies made for present day reasons.
Policy makers with a content filtering problem often look at the DNS as a simple solution to that problem, but simply filtering the DNS is both unlikely to succeed and likely to cause other problems.
An example of collateral damage is “balkanization” where the Internet namespace becomes noticeably non-universal and we lose the ability to reach out globally based on a single set of names that mostly just work everywhere. This is an example of “countermeasure overshoot”.
Article 19 of the Universal Declaration of Human Rights requires that communications blockage be described and declared. Article 29 lists some exceptions.
The technical community owes the world’s governments some choices as to how they enforce their laws in the context of the Internet. Simply saying “the Internet must not be blocked” is unrealistic and unhelpful. An IETF RFC BCP (Best Current Practices) document and an ICANN SSAC Advisory, each authored by a team of peers in the technical community, would provide welcome guidance to the world’s governments.
The inaccuracies in “whois” are indirectly responsible for much Internet-related government action, since the Internet does not support the kind of recourse and accountability that is present in the real world. ICANN has responsibilities in this area, recently reiterated in the Affirmation of Commitments document, and the ICANN Board knows that it has work to do in this area.
 
Panelists included:

  • Paul Vixie
  • Dmitry Burkov
  • Robert Guerra
  • Ram Mohan
  • David Hughes
  • John Carr
  • Xiaodong Lee 
  • Karen Reilly

 
References mentioned during the workshop
 
SAC 056: SSAC Advisory on Impacts of Content Blocking via the Domain Name System
http://www.icann.org/en/groups/ssac/documents/sac-056-en.pdf
 
Internet Watch Foundation (IWF) - http://www.iwf.org.uk/
Open Net Initiative - http://opennet.net/
 
Access Contested: Security, Identity, and Resistance in Asian Cyberspace (2001), edited by Ronald Deibert, John Palfrey, Rafal Rohozinski and Jonathan Zittrain
http://mitpress.mit.edu/books/access-contested