Tag Archives: DNS

The Battle over DNS

One of the hottest topics in the computer world this year is controversy over DNS-over-HTTPS (or DoH). DNS stands for domain name system and is the protocol that acts like the telephone directory for the web. The DNS system translates domain names, such as ‘https://www.google.com/’ to an IP address so that the request can be routed over the Internet. Every device connected to the Internet has a unique IP address, and the DNS system helps to establish a 2-way connection across the web, in this example, between a Google server and a user.

DNS is one of the oldest protocols on the web and hasn’t changed much since it was created. Domain name requests are sent in plain text to an ISP which then converts the domain name to an IP address and routes the user’s request to connect.

DoH takes the ISP out of the picture since web browsers will initiate the DSN lookup. Currently, DoH is built into a few browsers such as Mozilla Firefox and Google Chrome, and most of the major browsers have plans to enable DoH. A web brower will use the DoH protocol to encrypt a domain name request and send it to a third party DNS database provider for routing.

Proponents of DoH cite several advantages of the new routing protocol. First, DoH stops ISPs from recording browser history – one of the biggest privacy concerns, since an ISP knows every web site visited. A user’s browser history reveals a huge amount of information. Of course, some new entity will take over the role of DNS routing and could also create a browser history. Mozilla is using Cloudflare to route DNS, and Cloudflare says that it deletes all browser history every day. This same promise of privacy may not be true for all DoH providers and users might want to think twice before choosing somebody like Google to initiate DoH and collect browser history.

DoH also stops man-in-the-middle attacks. That’s where somebody intercepts a DNS request and sends the user to a different web site. There have been cases in the past where viruses rerouted user traffic to specific web sites to stimulate web usage. Other schemes have rerouted traffic to fake banking or shopping sites to try to coax credit card or account numbers out of users.

DoH also makes it harder for ISPs to engage in targeted advertising. This is something the big ISPs have been eyeing as they try to chip away at the huge advertising revenues earned by Google and Facebook. One of the most interesting benefits of DoH is that it makes it harder for authoritarian regimes to track the web activity of dissidents.

DNS-over-HTTPS is not the only alternate DNS routing protocol and web companies are also exploring DNS over TLS (DoT), which uses the transport layer security protocol on the web to encrypt the DNS request. Over time, the safest alternate protocol will likely prevail, but the goal of both of these new protocols is to encrypt the DNS process to make it safer, with a secondary goal of improving privacy.

Many big ISPs clearly hate the alternate DNS routing schemes since they lose access to customer browsing history. Vice recently reported about a big lobbying effort by Comcast to convince lawmakers to disallow DoH. The protocol is causing controversy in Great Britain where ISPs are required to block pornography unless a user specifically allows it. For now, Mozilla does not offer DoH in Great Britain, but there will be no easy way to stop it after it gets built into the core Android browser and other ubiquitous platforms. Corporate IT staff are also worried about DoH because it makes it more difficult to track employees visiting social media during work hours or browsing dangerous parts of the dark web.

There will be more public discussion about DoH routing as more web browsers include the protocol. Before the dust settles there is likely to be an ongoing tug-of-war between big ISPs, big web companies, and users as the public demands privacy.

Disintegration of the World Wide Web

The BRICS nations (Brazil, Russia, India, China and South Africa), which represent the emerging major economies of the world are planning to create their own DNS routing. DNS (Domain Name System) is the large database that associates IP addresses with specific web site or with physical hardware like routers or computers. There is currently one worldwide DNS system that is used to route all Internet traffic.

Russia approved this change in October and set a deadline of August 1, 2018 to have the alternate DNS system online. The reason Russia gives for the change is that the West has the power to disrupt their Internet by changing the current DNS system. While that’s true, the US no longer controls DNS routing and handed over the operation of DNS last year to ICANN, an international coalition of many countries, including the BRICS members.

But there is a lot more to this than just fear of having DNS cut off to a given country and that excuse is mostly just a political cover story. A BRICS DNS system would give the member companies total control over the Internet routing within their country. Many countries already curtail and block some Internet usage today, with the most prominent example being the Great Firewall of China. The Chinese control web usage by monitoring and intercepting traffic at Internet hubs.

But control of DNS is a more foolproof way for a country to curtail web usage. If they block a website from the DNS system then it no longer exists within the country and there is no backdoor way to get to such web sites. Controlling the DNS gives a country complete control of what’s allowed on the web. DNS control would make it easy to block a company like Google, a topic such as politics or pornography, or even traffic from an entire other country from participating in the web within a country.

Controlling the DNS also would allow a country to maintain web sites within the country that could not be reached from outside the country. That would be a safer way for a country to keep information away from cyberhackers, or to just hide websites from foreigners.

Another benefit to controlling DNS is that it can be used to control the dark web. DNS could be used to make the dark web disappear within a country. Or it could alternatively be used to allow it, but make it open to inspection. A country controlling the DNS could also establish a new dark web specific to their country to be used by the government or anybody else they favor.

The BRICS countries say that they would only initially use an alternate DNS to use in case of some DNS emergency, like an external cyberattack. But the it’s going to be hard for regimes like China or Russia to pass up the temptation to take more control over the web and over their citizens. For example, controlling the DNS would allow for an easy way to squelch on-line dissent.

This change would be the first real splintering of the web. Until now come countries like China have blocked web sites and restricted access to some parts of the web. But taking control of DNS lets a country go further to micromanage the web within their country. And that ability is going to tempting to any repressive regime.

Once this happens there is really nothing to stop other countries or regions to also create their own DNS. And that means we no longer would have a worldwide web, but rather a series of separate webs that share selectively with each other. That would disadvantage the whole world in countless ways.

Control of the Internet

The InternetIf you follow presidential politics you may have heard a few candidates claim that the US government is giving away control of the Internet. This one puzzled me, and it turns out what they are talking about the transition of the control of the DNS function from US control to a non-profit international body. It turns out that this is something that has been in the works for decades.

The issue involves DNS, or the Domain Name System. This is the system that matches the name of a web site with an IP address. This system allows you to go to the amazon.com website by typing the name address “amazon.com” into your browser instead of having to know the numerical IP address for Amazon.

DNS is essential to ISPs because it tells them how to route a given request on the web. There is one master file of all worldwide web names and the associated IP addresses. And obviously somebody has to be in charge of that directory to add, delete and make changes to web names and IP addresses.

After the early days of the Internet this function went to a group called IANA, the Internet Assigned Numbers Authority. This group was largely managed by a few staffers, academics, and help from some of the early web companies – all techies who only wanted to make sure that the burgeoning web worked well. And although they didn’t exert any control, the group was loosely under the auspices of the NTIA (National Telecommunications and Information Administration), a part of the Department of Commerce which had veto power over anything done by IANA.

This power was rarely exercised, but there were many around the world that were uncomfortable with the US Government being in charge of a vital web function. There was a push for an international group to take over the DNS function and in 1998 the function was transferred to ICANN, the Internet Corporation for Assigned Names and Numbers. ICANN brought in Board members from around the world and the group has effectively since then been operated with international consensus. But the NTIA still maintained a veto power over things done by the group.

But since it was founded there has been a planned transition to a fully international ICANN with no ties to the US government and on October 1 control of ICANN changed hands and is now operated only by an international Board without oversight from the US government.

Just a few weeks before the planned transfer four states sued to stop the transfer in the US District Court in Texas. Their argument was that the directory of IP names and addresses belonged to the US and could not be given away without approval from Congress.

The opponents to this suit argued that not turning over the control of ICANN was a much bigger threat because it might lead to other countries developing their own DNS databases – and the ability of anybody in the world to reach any web address using the same nomenclature is vital to the concept of an open and free Internet. Interestingly, it was this same concept a century ago – that anybody with a telephone ought to be able to call any other telephone number in the world – that was a driving principle in creating an efficient worldwide telephone network.

The suit was processed quickly and the judge came down on the side of the open Internet and the transition to ICANN. In the end this fight was more about politics than anything substantial. At the end of the day the DNS database is nothing more than the equivalent of a gigantic white pages listing of every address on the Internet. All that really matters is that this database be kept up to date and be available to the whole world. ICANN has had the same international board of techies since 1998 and this transition was planned for a long time. So there is no threat to the US losing control of the Internet folks that saw the headlines can sleep well knowing that this issue was about politics and not about a real threat.

Our Aging Internet Protocols

HeartbleedThe Internet has changed massively over the last decade. We now see it doing amazing things compared to what it was first designed to do, which was to provide communications within the government and between universities. But the underlying protocols that are still the core of the Internet were designed in an on-line world of emails and bulletin boards.

Those base protocols are always under attack from hackers because the protocols were never designed with safety in mind or designed for the kind of uses we see today on the Internet. The original founders of the Internet never foresaw that people with malicious intent would ever attack the underlying protocols and wreak havoc. In fact, they never expected it to grow much outside their cosy little world.

There is one group now looking at these base protocols. The Core Infrastructure Initiative (CII) was launched in April of 2014 after the Heartbleed virus wreaked havoc across the Internet by attacking OpenSSL. There are huge corporations behind this initiative, but unfortunately not yet huge dollars. But companies like Amazon, Adobe, Cisco, Dell, Facebook, Google, HP, IBM, Microsoft and about every other big name in computing and networking is a member of the group. The group currently is funding proposals from groups who want to research ways to upgrade and protect the core protocols underlying the Internet. There is not yet a specific agenda or plan to fix all of the protocols, but rather some ad hoc projects. But the hope is that somebody will step up to overhaul these old protocols over time to create a more modern and safer web.

The genesis of the CII is to be able to marshall major resources after the next Heartbleed-like attack. It took the industry too long to fix Heartbleed and the concept is that if all of the members of the organization mobilize, then major web disruptions can be diagnosed and fixed quickly.

Following are some of the base protocols that have been around since the genesis of the Internet. At times each of these has been the target of hackers and malicious software.

IPv4 to IPv6. I just wrote last week about the depletion of IPv4 IP addresses. At some future point in time the industry will throw the switch and kill IPv4 and there is major concern that hackers have already written malicious code to pounce on networks that first day they are solely using IPv6. Hackers have had years to think about how to exploit the change while companies have instead been busy figuring out how to get through the conversion.

BGP: Border Gateway Protocol. BGP is used to coordinate changes in Internet topology and routing. The problem with the protocol is that it’s easily spoofed because nobody can verify if a specific web address belongs to a specific network. Fixing BGP is a current priority at the Core Infrastructure Initiative.

DNS: Domain Name System. This is the system that translates IP addresses into domain names. DNS is often the target of hacking and is how the Syrian Electronic Army hacked the New York Times. There are serious flaws in the DNS protocol that have been hastily patched but not fixed.

NTP: Network Time Protocol. NTP’s function is to keep clocks in sync between computer networks. In the past, flaws in the system have been used to launch denial-of-service attacks. It appears that this has been fixed for now, but the protocol was not designed for safety and could be exploited again.

SMTP: Simple Mail Transfer Protocol. SMTP is a protocol used to transfer emails between users. The protocol has no inherent safety features and was an early target of hackers. Various add-ons are now used to patch the protocol, but any server not using these patches (and many don’t) can put other networks at risk. Probably the only way to fix this is to find an alternative to email.

SSL: Secure Sockets Layer. SSL was designed to provide encryption protection for application layer connections like HTTP. Interestingly the protocol has had a replacement in place since 1997 – Transfer Layer Security. But SSL is still included in most networks to provide backward compatibility and 0.3% of web traffic still uses it. SSL was exploited in the infamous POODLE attack and the easiest way to make this secure would be to finally shut it down.