[dns-operations] DNS filtering in the UK

Jim Reid jim at rfc1035.com
Wed Sep 14 14:56:20 UTC 2016

> On 14 Sep 2016, at 13:51, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> http://www.bbc.com/news/technology-37353835
> "The centre is also exploring scaling up DNS filtering - a method of
> screening web addresses for malware and other malicious content - to
> help providers protect their customers (with the public able to choose
> if they wanted to take part)."
> This is not very clear. Does it mean the British government will
> publish a RPZ zone (or a similar technology) and "kindly encourage"
> the ISP to slave it and therefore to automatically implement DNS lying
> on their resolvers?

This was briefly mentioned in a presentation at UKNOF35 last week by Ian Levy, Technical Director of the UK's National Cyber Security Centre. Sadly, no slides are available (yet?) and his talk wasn’t recorded.

NCSC’s plan will begin by putting Her Majesty's resolvers behind this filtering platform: presumably central government first, then local authorities, schools, hospitals, etc. [An RFP for that is due soon.] It might then be offered to ISPs as an opt-in and then maybe to the general public in something similar to existing public resolver services. Ian said whatever blocklists NCSC uses will be published so that others can have confidence in those data.

The BBC story above seems to be based on a speech by NCSC’s Chief Executive at yesterday's Billington Cyber Security Summit in Washington DC. A transcript of that is on-line here:

BTW, the big UK ISPs have been implementing DNS lying for years. Though AFAICT they’ve done this themselves rather than pick up a government-supplied RPZ or whatever.
