The Domain Name System and DNS Blocking
Malcolm Hutty, Head of Public Affairs, LINX
February 2011
About LINX
A membership association for network operators
Based in London, UK
One of the largest Internet Exchanges in the world
– 400 member networks from over 50 countries
– Over 1.2Tb/s peak traffic
– Over 70% global Internet routes
Public policy role in EU through

The voice of Internet Services Providers in Europe
Represents over 1800 ISPs
Umbrella structure:
– National associations are EuroISPA members
– Governed by a Board with one member per association
Supported by an advisory forum of large multi-national network and service providers
1. User types domain name into browser
2. Browser asks Access Provider for IP address of
   Query to Access Provider DNS Resolver: “What’s the IP address for”
3. DNS Resolver asks Root Name Server for IP of a DNS server for .eu
   Query to Root Name Server: “Where’s the .eu registry DNS server?”
   Answer to Access Provider DNS Resolver: “It’s at IP address:”
4. DNS Resolver asks .eu DNS server for IP of the DNS server for example.eu
   Query to .eu Registry DNS server: “Where’s the DNS server for example.eu?”
   Answer to Access Provider DNS Resolver: “It’s at IP address:”
5. DNS Resolver asks for the IP address for …
   Query to DNS example.eu: “What’s the IP address for”
   Answer to Access Provider DNS Resolver: “It’s at IP address:”
6. … and passes the IP address back to the browser
   Answer from Access Provider DNS Resolver: “The IP address for is:”
7. … which contacts the website host using the IP address
   “Contacting”
8. HTTP traffic begins
How DNS blocking works
   Query to Access Provider DNS Resolver: “What’s the IP address for”
   Answer: “No such domain.”
Or…
   Query to Access Provider DNS Resolver: “What’s the IP address for”
   Answer: “It’s at (cough) IP: (cough)”
   Diagram: Police controlled server
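
An added example, not part of the original slides: a toy model of the lookup chain in steps 2 to 6 and of the two blocking answers shown above (a "No such domain" reply, or a substituted IP address). The zone data, the documentation-range addresses, the redirect address and the names `Resolver` and `iterative_lookup` are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed zone data: hypothetical names, documentation-range addresses.
ROOT_ZONE = {"eu": "192.0.2.1"}                               # root -> .eu registry
REGISTRY_ZONES = {"192.0.2.1": {"example.eu": "192.0.2.53"}}  # registry -> domain's DNS
AUTH_ZONES = {"192.0.2.53": {"www.example.eu": "198.51.100.10"}}  # domain's DNS -> host
NXDOMAIN = "NXDOMAIN"  # stands for the "No such domain." answer

def iterative_lookup(name, trace):
    """Steps 3-5: ask the root, then the registry, then the domain's DNS server."""
    labels = name.split(".")
    tld, domain = labels[-1], ".".join(labels[-2:])
    registry_ip = ROOT_ZONE.get(tld)
    trace.append(("root", tld, registry_ip))
    if registry_ip is None:
        return NXDOMAIN
    auth_ip = REGISTRY_ZONES[registry_ip].get(domain)
    trace.append(("registry", domain, auth_ip))
    if auth_ip is None:
        return NXDOMAIN
    answer = AUTH_ZONES[auth_ip].get(name, NXDOMAIN)
    trace.append(("authoritative", name, answer))
    return answer

@dataclass
class Resolver:
    """Model of the Access Provider DNS Resolver; the block list is checked here only."""
    blocklist: set = field(default_factory=set)  # registered domains to block
    redirect_ip: Optional[str] = None            # None: answer NXDOMAIN; else substitute

    def resolve(self, name):
        """Return (answer, trace of upstream queries) for one browser query."""
        name = name.lower().rstrip(".")
        trace = []
        if ".".join(name.split(".")[-2:]) in self.blocklist:
            # Blocked: answered locally, no upstream server is ever asked.
            return self.redirect_ip or NXDOMAIN, trace
        return iterative_lookup(name, trace), trace

if __name__ == "__main__":
    policies = {"no blocking": Resolver(),
                "NXDOMAIN block": Resolver({"example.eu"}),
                "redirect block": Resolver({"example.eu"}, "203.0.113.80")}
    for label, resolver in policies.items():
        answer, trace = resolver.resolve("www.example.eu")
        print(f"{label}: {answer} after {len(trace)} upstream queries")
```

From the browser's side, the forged "No such domain" answer is the same reply a genuinely unregistered name produces; in this model only the empty upstream trace distinguishes the two.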
Technical flaws in DNS blocking
Technical flaws: multiple / changing domain names
   Query to Access Provider DNS Resolver: “What’s the IP address for”
   Answer: “No such domain.”
   Query: “Ok, can I have IP address for”
   Diagram: Access Provider DNS Resolver, Root Name Server, .eu Registry DNS server, DNS ejemplo.eu
   Answer: “The IP address for is:”
Technical flaws: user can bypass DNS by typing IP address directly into browser
   Diagram: Access Provider DNS Resolver
Technical flaws: many companies run their own DNS resolver
   Query: “What’s the IP address for”
   Diagram: Jones & Jones Ltd DNS Resolver, Root Name Server, .eu Registry DNS server, DNS example.eu; Access Provider DNS Resolver
   Answer: “The IP address for is:”
Technical flaws: client can use a third-party DNS resolver
   Query: “What’s the IP address for”
   Diagram: 3rd party DNS Resolver, Root Name Server, .eu Registry DNS server, DNS example.eu; Access Provider DNS Resolver
Technical flaws: web proxies
   Query to Access Provider DNS Resolver: “What’s the IP address for ?”
   Diagram: Access Provider DNS Resolver, Root Name Server, .example Registry DNS server, DNS proxy.example
   Answer: “The IP address for is”
   “Enter the URL you wish to access:”
   Query: “Where is www.example.eu?”
   Diagram: DNS Resolver, Root Name Server, .eu Registry DNS server, DNS example.eu; Access Provider DNS Resolver
Other tools use the proxy principle
Conclusions
“DNS blocking” is a technical term
– It describes a technical procedure, not an outcome
– It is not synonymous with “preventing access using DNS”
– It is unlikely to prevent users from reaching content they are actively seeking
There is a big difference between seeking to protect users from content they wish to avoid, and seeking to obstruct users from reaching content they seek
– In the first case, you can enlist the support of users and the software and services they use
– In the latter, there is always a way around any impediment, and these ways can and will be made easy for anyone to use