There are a lot of bad things on the Internet: spam, child porn, malware, phishing and so on. Until recently, it’s been up to people to protect themselves, using security software or web site blocking. Lately, however, governments and legislators have been calling for service providers to limit where users can go, both to stop criminal activity and to protect naïve surfers from straying onto malicious sites. Recent advances in DNS may soon let carriers comply with such regulations.
In June, three major carriers agreed to purge child pornography hosted on servers their customers operate in their data centers. Having signed New York Attorney General Andrew Cuomo’s Internet code of conduct, every major U.S. ISP has also agreed to eliminate access to certain newsgroups. It’s not just in the U.S., either: Australia’s hotly debated Plan for Cyber Safety blocks content that isn’t child-friendly. Subscribers can opt out, but they’ll still be blocked from content the government deems illegal.
Blocking dangerous destinations is difficult. They change often, so firewalling their addresses doesn’t work well. Inspecting user traffic is CPU-intensive, and deep packet inspection (DPI) has privacy concerns (which hasn’t stopped Sweden.) So it’s been hard for carriers to enforce regulations. Australian regulators acknowledged this, saying that “if there is infrastructure in place to block [a bad site] then it will be required to be blocked” but didn’t specify how carriers would enforce the block.
That infrastructure may be here, thanks to recent advances in DNS. One of the protocols at the core of the Internet, DNS, serves two functions: To distribute huge lists of URLs and their addresses out across the Net, and to turn URLs (“gigaom.com”) into addresses (22.214.171.124). That makes it an ideal tool for limiting the sites people can visit, because it can distribute large lists of banned sites to servers, and then refuse to resolve blocked sites when surfers ask for their addresses.
Nominum, a maker of DNS and DHCP technology for big carriers like Comcast, Verizon, and Deutsche Telecom, has launched new software to do just this. “Carriers may face mandates to not resolve to porn, spyware and so on. This is the first stage of removal for these sites,” said Paul Mockapetris, who created DNS in 1983 and is now the company’s chairman and chief scientist.
In other words, the next time you try to visit a banned site, you’ll simply get an “Address Not Found” error. You’ll also be taking the first step toward a day when your government, your ISP, and even your community will decide what it’s OK for you to visit.
DNS is already important to Internet security. When Comcast decided to run its own mail servers, it was able to block 70 percent of its customers’ incoming spam by looking up sender domains—and doing so only consumed 5 percent of all its anti-spam CPU power. DNS is an increasingly essential tool in light of rising online crime. “Barbarians are coming over the wall,” Mockapetris said.
DNS can also distribute transmit firewall blacklists or redirect Internet users to approved destinations. “As government agencies and industry watchdogs pressure service providers to ensure security while safeguarding privacy, DNS redirection is an indispensable tool,” said Yankee Group analyst David Vorhaus.
ISPs are eager to adopt the new technology. “We plan to leverage [Nominum’s] products to deliver ongoing security and safety from other threats,” said Stefano Maifreni, product manager for Internet access services at Italian ISP COLT. Mockapetris explains that manual DNS blocking is common practice, citing one South American customer that has hundreds of blocked sites. But blocking by hand doesn’t scale. “You need a rapid response, since bad guys come up on new domains and there are billions of names in the name servers.” Nominum’s new software automates the management and distribution of blocked lists, and scales to billions of addresses.
Blocking DNS won’t stop the truly determined surfers, who can simply look up blocked sites on another DNS server. But it will stop innocent surfers from following a malicious link. “This isn’t a long-term solution to eliminating covert channels,” says Mockapetris.
That’s not to say that carriers couldn’t block external DNS requests relatively easily, but Mockapetris is against this idea. While he says he supports letting a carrier supply a safe DNS service, he’s opposed to blocking the ability to reach DNS servers other than those the carriers are running. “Sometimes a compromise lets you move on,” he says. “Sometimes it’s the first step down a slippery slope.”