[dns-operations] DNS-based site blocking in the UK

Wes Hardaker wjhns1 at hardakers.net
Tue Aug 9 14:48:19 UTC 2011


>>>>> On Mon, 8 Aug 2011 15:29:56 +0100, Jim Reid <jim at rfc1035.com> said:

>> Couldn't you just tell your own resolvers to "trust" your faked DNS
>> entries blocking the given names?

JR> Not if DNSSEC is deployed. Which the Ofcom report recognises.

If:

1) They only poison the DNS with fake entries, working through the
   registry or registrar, then they can also poison the DS record and
   redirect to their own "anti-piracy" site.

2) If they're doing it via working with the ISPs, then they can't change
   the DS record without disturbing DNSSEC, but they still achieve their
   goal: stop the people from getting to the pirating site.  They just
   can't replace the site (assuming a validating client) with an
   "anti-piracy" site.

In a world where the government will always have a say in the last hop,
it's probably not possible to stop them from affecting the last hop.
The best that can be done is to make disturbing the last hop difficult:
allow the clients to resolve things themselves, but that won't prevent
future legislation from requiring all ISPs to block outgoing traffic to
port 53 so that all ISPs can serve properly-poisoned (TM) records.

It's a slippery slope to painful places.

-- 
Wes Hardaker
SPARTA, Inc.
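An added illustration of the two cases above (this is example code written for this page, not anything from the thread or from SPARTA): a validating resolver modelled in Python, with a Lamport one-time signature standing in for a DNSSEC key so the whole thing runs on the standard library. The zone name and addresses are made up (RFC 5737 documentation ranges). Case 1 lets the blocking party replace the parent's DS along with the answer; case 2 leaves the DS alone and only lets the ISP forge, rewrite or drop the answer.

```python
"""Who controls the DS record decides whether a blocked name can be *replaced*
or merely made unreachable for a validating client.  Example code, not from the
original post; Lamport signatures are a stand-in for real DNSSEC algorithms."""
import hashlib
import os

# Assumed names and addresses for the demo (RFC 5737 documentation ranges).
SITE = "pirate.example"
SITE_IP = "198.51.100.10"        # the real site
BLOCKPAGE_IP = "192.0.2.1"       # the "anti-piracy" landing page


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time keypair: a genuine public-key scheme (usable once),
    chosen only because it needs nothing beyond hashlib."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk, msg: bytes):
    bits = int.from_bytes(H(msg), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg: bytes, sig) -> bool:
    bits = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


def ds_of(pk) -> bytes:
    """DS record: a hash of the child's DNSKEY, published by the parent
    (i.e. whatever the registry/registrar put there)."""
    return H(b"".join(p0 + p1 for p0, p1 in pk))


def signed_answer(sk, pk, name: str, ip: str):
    """A record plus its RRSIG and the DNSKEY that made it, as a zone serves it."""
    rrdata = f"{name} IN A {ip}".encode()
    return {"name": name, "ip": ip, "rrsig": sign(sk, rrdata), "dnskey": pk}


def validate(parent_ds: bytes, answer):
    """What a validating resolver does: DNSKEY must hash to the parent's DS and
    the RRSIG must verify under it.  Returns the IP if Secure, None if Bogus
    (the resolver would hand the client SERVFAIL) or if no answer arrived."""
    if answer is None:
        return None                       # answer dropped on the last hop
    if ds_of(answer["dnskey"]) != parent_ds:
        return None                       # key is not anchored by the parent
    rrdata = f"{answer['name']} IN A {answer['ip']}".encode()
    if not verify(answer["dnskey"], rrdata, answer["rrsig"]):
        return None                       # record changed after signing
    return answer["ip"]


# The site operator's key, and the DS its registrar published in the parent.
site_sk, site_pk = keygen()
PARENT_DS = ds_of(site_pk)

# The blocking party's own key, used to sign a forged answer for the block page.
blk_sk, blk_pk = keygen()
FORGED = signed_answer(blk_sk, blk_pk, SITE, BLOCKPAGE_IP)


def honest():
    """No interference: the real answer validates."""
    return validate(PARENT_DS, signed_answer(site_sk, site_pk, SITE, SITE_IP))


def registry_level_block():
    """Case 1: acting through the registry, they swap the DS as well, so the
    forged chain anchors cleanly and the redirect validates as Secure."""
    return validate(ds_of(blk_pk), FORGED)


def isp_level_block():
    """Case 2: acting through the ISP only, the parent DS is untouched.  A
    forged answer, a rewritten real answer, and a dropped answer all end up
    Bogus/absent: the name is unreachable but cannot be replaced."""
    rewritten = dict(signed_answer(site_sk, site_pk, SITE, SITE_IP), ip=BLOCKPAGE_IP)
    return (validate(PARENT_DS, FORGED),
            validate(PARENT_DS, rewritten),
            validate(PARENT_DS, None))


if __name__ == "__main__":
    print("honest:  ", honest())
    print("registry:", registry_level_block())
    print("isp:     ", isp_level_block())
```

The distinction the post draws falls straight out of `validate`: the DS check is the only thing tying the answer to a key the parent vouched for, so whoever can write the parent zone can make a substitute validate, while a party that can only touch the path between resolver and client gets Bogus or nothing. Note that a non-validating stub behind an ISP resolver sees none of this; it simply gets whatever the resolver returns.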


