The Domain Name System and DNS Blocking Malcolm Hutty Head of Public Affairs, LINX February 2011.


1 The Domain Name System and DNS Blocking Malcolm Hutty Head of Public Affairs, LINX http://publicaffairs.linx.net February 2011

2 About LINX
A membership association for network operators
Based in London, UK
One of the largest Internet Exchanges in the world
– 400 member networks from over 50 countries
– Over 1.2Tb/s peak traffic
– Over 70% global Internet routes
Public policy role in EU through

3 The voice of Internet Services Providers in Europe
Represents over 1800 ISPs
Umbrella structure:
– National associations are EuroISPA members
– Governed by a Board with one member per association
Supported by an advisory forum of large multi-national network and service providers

4 www.example.eu 1. User types domain name into browser

5

6 2. Browser asks Access Provider for IP address of www.example.eu What’s the IP address for www.example.eu? Access Provider DNS Resolver

7 3. DNS Resolver asks Root Name Server for IP of a DNS server for .eu Root Name Server Where’s the .eu registry DNS server? Access Provider DNS Resolver

8 3. DNS Resolver asks Root Name Server for IP of a DNS server for .eu Root Name Server It’s at IP address: 198.51.100.56 Access Provider DNS Resolver

9 4. DNS Resolver asks .eu DNS server for IP of the DNS server for example.eu .eu Registry DNS server Where’s the DNS server for example.eu? Access Provider DNS Resolver

10 4. DNS Resolver asks .eu DNS server for IP of the DNS server for example.eu .eu Registry DNS server It’s at IP address: 203.0.113.185 Access Provider DNS Resolver

11 5. DNS Resolver asks for the IP address for www.example.eu … DNS example.eu What’s the IP address for www.example.eu? Access Provider DNS Resolver

12 5. DNS Resolver asks for the IP address for www.example.eu … DNS example.eu It’s at IP address: 192.0.2.12 Access Provider DNS Resolver

13 6. … and passes the IP address back to the browser The IP address for www.example.eu is: 192.0.2.12 Access Provider DNS Resolver

14 7. … which contacts the website host using the IP address Contacting 192.0.2.12

15 8. HTTP traffic begins www.example.eu 192.0.2.12 Access Provider DNS Resolver

16

17 How DNS blocking works What’s the IP address for www.example.eu? Access Provider DNS Resolver

18 How DNS blocking works No such domain. Access Provider DNS Resolver

19 How DNS blocking works Or…

20 How DNS blocking works What’s the IP address for www.example.eu? Access Provider DNS Resolver

21 How DNS blocking works Access Provider DNS Resolver It’s at (cough) IP: 203.0.113.234 (cough)

22 How DNS blocking works Police controlled server Access Provider DNS Resolver 203.0.113.234

23 Technical flaws in DNS blocking

24 Technical flaws: multiple / changing domain names What’s the IP address for www.example.eu? www.example.eu www.ejemplo.eu Access Provider DNS Resolver

25 Technical flaws: multiple / changing domain names www.example.eu www.ejemplo.eu Access Provider DNS Resolver No such domain.

26 Technical flaws: multiple / changing domain names www.example.eu www.ejemplo.eu Access Provider DNS Resolver Ok, can I have IP address for www.ejemplo.eu?

27 Technical flaws: multiple / changing domain names www.example.eu www.ejemplo.eu Root Name Server Access Provider DNS Resolver

28 Technical flaws: multiple / changing domain names www.example.eu www.ejemplo.eu Access Provider DNS Resolver .eu Registry DNS server

29 Technical flaws: multiple / changing domain names www.example.eu www.ejemplo.eu Access Provider DNS Resolver DNS ejemplo.eu

30 Technical flaws: multiple / changing domain names www.example.eu www.ejemplo.eu Access Provider DNS Resolver The IP address for www.ejemplo.eu is: 192.0.2.12

31 Technical flaws: multiple / changing domain names www.example.eu www.ejemplo.eu Access Provider DNS Resolver
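
An added example, not part of the original slides: a toy Python model of the lookup chain in slides 6-13 and the two blocking answers in slides 17-22, showing that the policy in slides 24-31 is keyed on the queried name rather than on the destination. The zone tables, the names `BlockingResolver` and `coverage_gaps`, and the assumption that ejemplo.eu is served by the same DNS server as example.eu are constructed for illustration.

```python
# Constructed delegation data using the slides' documentation addresses.
# Assumption: ejemplo.eu is served by the same DNS server as example.eu.
ROOT = {"eu": "198.51.100.56"}
REGISTRY = {"198.51.100.56": {"example.eu": "203.0.113.185",
                              "ejemplo.eu": "203.0.113.185"}}
AUTHORITATIVE = {"203.0.113.185": {"www.example.eu": "192.0.2.12",
                                   "www.ejemplo.eu": "192.0.2.12"}}


def norm(name):
    """Case-fold a name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def resolve_iteratively(name):
    """Slides 7-12: root -> .eu registry -> the domain's own DNS server."""
    labels = norm(name).split(".")
    registry_ip = ROOT.get(labels[-1])
    ns_ip = REGISTRY.get(registry_ip, {}).get(".".join(labels[-2:]))
    return AUTHORITATIVE.get(ns_ip, {}).get(".".join(labels))  # None = no such name


class BlockingResolver:
    """Access-provider resolver that answers from policy before resolving."""

    def __init__(self, blocklist, redirect_ip=None):
        self.blocklist = {norm(n) for n in blocklist}
        self.redirect_ip = redirect_ip  # None -> answer "No such domain"

    def query(self, name):
        if norm(name) in self.blocklist:
            if self.redirect_ip:
                return ("NOERROR", self.redirect_ip)  # slides 20-22: substitute address
            return ("NXDOMAIN", None)                 # slides 17-18: "No such domain"
        address = resolve_iteratively(name)
        return ("NOERROR", address) if address else ("NXDOMAIN", None)


def coverage_gaps(resolver, observed_names):
    """Unlisted names that still resolve to a blocked name's real address."""
    blocked_ips = {resolve_iteratively(n) for n in resolver.blocklist} - {None}
    return sorted(norm(n) for n in observed_names
                  if norm(n) not in resolver.blocklist
                  and resolver.query(n)[1] in blocked_ips)


if __name__ == "__main__":
    r = BlockingResolver({"www.example.eu"})
    print(r.query("www.example.eu"), r.query("www.ejemplo.eu"))
    print(coverage_gaps(r, ["www.example.eu", "www.ejemplo.eu"]))
```
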

32 192.0.2.12 Technical flaws: user can bypass DNS by typing IP address directly into browser

33

34 Technical flaws: user can bypass DNS by typing IP directly into browser www.example.eu 192.0.2.12 Access Provider DNS Resolver

35 Technical flaws: many companies run their own DNS resolver Jones & Jones Ltd DNS Resolver Access Provider DNS Resolver What’s the IP address for www.example.eu?

36 Technical flaws: many companies run their own DNS resolver Jones & Jones Ltd Access Provider DNS Resolver Root Name Server DNS Resolver

37 Technical flaws: many companies run their own DNS resolver Jones & Jones Ltd Access Provider DNS Resolver .eu Registry DNS server DNS Resolver

38 Technical flaws: many companies run their own DNS resolver Jones & Jones Ltd DNS Resolver Access Provider DNS Resolver DNS example.eu

39 Technical flaws: many companies run their own DNS resolver Jones & Jones Ltd DNS Resolver Access Provider DNS Resolver The IP address for www.example.eu is: 192.0.2.12

40 Technical flaws: many companies run their own DNS resolver Jones & Jones Ltd DNS Resolver Access Provider DNS Resolver www.example.eu 192.0.2.12

41 Technical flaws: client can use a third-party DNS resolver Access Provider DNS Resolver

42 Technical flaws: client can use a third-party DNS resolver

43

44

45 Access Provider DNS Resolver Technical flaws: client can use a third-party DNS resolver 3rd party DNS Resolver

46 Access Provider DNS Resolver Technical flaws: client can use a third-party DNS resolver What’s the IP address for www.example.eu? 3rd party DNS Resolver

47 Technical flaws: client can use a third-party DNS resolver 3rd party DNS Resolver Root Name Server Access Provider DNS Resolver

48 Technical flaws: client can use a third-party DNS resolver 3rd party DNS Resolver .eu Registry DNS server Access Provider DNS Resolver

49 Technical flaws: client can use a third-party DNS resolver 3rd party DNS Resolver DNS example.eu Access Provider DNS Resolver

50 Access Provider DNS Resolver Technical flaws: client can use a third-party DNS resolver 3rd party DNS Resolver

51 Technical flaws: client can use a third-party DNS resolver www.example.eu 192.0.2.12 Access Provider DNS Resolver

52 Technical flaws: web proxies What’s the IP address for www.proxy.example? Access Provider DNS Resolver

53 Technical flaws: web proxies Root Name Server Access Provider DNS Resolver

54 Technical flaws: web proxies .example Registry DNS server Access Provider DNS Resolver

55 Technical flaws: web proxies DNS proxy.example Access Provider DNS Resolver

56 Technical flaws: web proxies The IP address for www.proxy.example is 198.51.100.207 Access Provider DNS Resolver

57 Technical flaws: web proxies www.proxy.example 198.51.100.207 Access Provider DNS Resolver DNS Resolver

58 Technical flaws: web proxies Enter the URL you wish to access: www.example.eu

59 Technical flaws: web proxies www.proxy.example 198.51.100.207 Access Provider DNS Resolver DNS Resolver Where is www.example.eu?

60 Technical flaws: web proxies www.proxy.example 198.51.100.207 Access Provider DNS Resolver DNS Resolver Root Name Server

61 Technical flaws: web proxies www.proxy.example 198.51.100.207 Access Provider DNS Resolver DNS Resolver .eu Registry DNS server

62 Technical flaws: web proxies www.proxy.example 198.51.100.207 Access Provider DNS Resolver DNS Resolver DNS example.eu 192.0.2.12

63 Technical flaws: web proxies www.proxy.example 198.51.100.207 Access Provider DNS Resolver DNS Resolver www.example.eu

64 Technical flaws: web proxies Enter the URL you wish to access: www.example.eu

65 Other tools use the proxy principle

66 Conclusions
“DNS blocking” is a technical term
– It describes a technical procedure, not an outcome
– It is not synonymous with “preventing access using DNS”
– It is unlikely to prevent users from reaching content they are actively seeking
There is a big difference between seeking to protect users from content they wish to avoid, and seeking to obstruct users from reaching content they seek
– In the first case, you can enlist the support of users and the software and services they use
– In the latter, there is always a way around any impediment, and these ways can and will be made easy for anyone to use

