The Domain Name System and DNS Blocking Malcolm Hutty Head of Public Affairs, LINX February 2011.
The Domain Name System and DNS Blocking
Malcolm Hutty
Head of Public Affairs, LINX
http://publicaffairs.linx.net
February 2011
About LINX
• A membership association for network operators
• Based in London, UK
• One of the largest Internet Exchanges in the world
– 400 member networks from over 50 countries
– Over 1.2Tb/s peak traffic
– Over 70% global Internet routes
• Public policy role in EU through
• The voice of Internet Services Providers in Europe
• Represents over 1800 ISPs
• Umbrella structure:
– National associations are EuroISPA members
– Governed by a Board with one member per association
• Supported by an advisory forum of large multi-national network and service providers
2. Browser asks Access Provider for IP address of www.example.eu
Browser to Access Provider DNS Resolver: “What’s the IP address for www.example.eu?”
3. DNS Resolver asks Root Name Server for IP of a DNS server for .eu
Access Provider DNS Resolver to Root Name Server: “Where’s the .eu registry DNS server?”
Root Name Server to Access Provider DNS Resolver: “It’s at IP address: 198.51.100.56”
4. DNS Resolver asks .eu DNS server for IP of the DNS server for example.eu
Access Provider DNS Resolver to .eu Registry DNS server: “Where’s the DNS server for example.eu?”
.eu Registry DNS server to Access Provider DNS Resolver: “It’s at IP address: 203.0.113.185”
5. DNS Resolver asks for the IP address for www.example.eu …
Access Provider DNS Resolver to DNS example.eu: “What’s the IP address for www.example.eu?”
DNS example.eu to Access Provider DNS Resolver: “It’s at IP address: 192.0.2.12”
6. … and passes the IP address back to the browser
Access Provider DNS Resolver to browser: “The IP address for www.example.eu is: 192.0.2.12”
How DNS blocking works
Browser to Access Provider DNS Resolver: “What’s the IP address for www.example.eu?”
Access Provider DNS Resolver to browser: “It’s at (cough) IP: 203.0.113.234 (cough)”
Technical flaws: multiple / changing domain names
Site: www.example.eu / www.ejemplo.eu
Browser to Access Provider DNS Resolver: “What’s the IP address for www.example.eu?”
Access Provider DNS Resolver to browser: “No such domain.”
Browser to Access Provider DNS Resolver: “Ok, can I have IP address for www.ejemplo.eu?”
Diagram sequence: Access Provider DNS Resolver → Root Name Server → .eu Registry DNS server → DNS ejemplo.eu
Access Provider DNS Resolver to browser: “The IP address for www.ejemplo.eu is: 192.0.2.12”
Technical flaws: user can bypass DNS by typing IP directly into browser
Diagram labels: www.example.eu at 192.0.2.12; Access Provider DNS Resolver
Technical flaws: many companies run their own DNS resolver
Diagram labels: Jones & Jones Ltd with its own DNS Resolver; Access Provider DNS Resolver
Query: “What’s the IP address for www.example.eu?”
Diagram sequence: Jones & Jones Ltd DNS Resolver → Root Name Server → .eu Registry DNS server → DNS example.eu
Answer: “The IP address for www.example.eu is: 192.0.2.12”
Final diagram labels: www.example.eu at 192.0.2.12; Access Provider DNS Resolver
Technical flaws: client can use a third-party DNS resolver
Diagram labels: 3rd party DNS Resolver; Access Provider DNS Resolver
Query: “What’s the IP address for www.example.eu?”
Diagram sequence: 3rd party DNS Resolver → Root Name Server → .eu Registry DNS server → DNS example.eu
Final diagram labels: www.example.eu at 192.0.2.12; Access Provider DNS Resolver
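A small model of the resolution chain and of a filtering resolver, added here as an illustration and not part of the original slides; it covers the resolution steps, the blocking slide, and the alternate-name and own-resolver cases together. The server table is constructed from the slides' addresses, the name server for ejemplo.eu is assumed to be the same one as for example.eu, and `iterate`, `Resolver` and `compare` are hypothetical names.

```python
# Constructed model of the name servers on the slides, keyed by server address.
# "referral" points at the next server to ask; "answer" is the final A record.
SERVERS = {
    "root": {"eu": ("referral", "198.51.100.56")},
    "198.51.100.56": {  # .eu registry DNS server
        "example.eu": ("referral", "203.0.113.185"),
        "ejemplo.eu": ("referral", "203.0.113.185"),  # assumption: same server
    },
    "203.0.113.185": {  # authoritative server for the site's names
        "www.example.eu": ("answer", "192.0.2.12"),
        "www.ejemplo.eu": ("answer", "192.0.2.12"),
    },
}

def iterate(name):
    """Steps 3-5: follow referrals from the root. Returns (ip_or_None, path)."""
    labels = name.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    server, path = "root", []
    while True:
        path.append(server)
        hit = next((s for s in suffixes if s in SERVERS[server]), None)
        if hit is None:
            return None, path              # genuine "no such domain"
        kind, value = SERVERS[server][hit]
        if kind == "answer":
            return value, path
        server = value                     # referral: ask the next server

class Resolver:
    """Recursive resolver; a blocklist hit never reaches the name servers."""
    def __init__(self, blocklist=(), substitute=None):
        self.blocklist = {n.lower() for n in blocklist}
        self.substitute = substitute       # None models "No such domain."

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if name in self.blocklist:
            return self.substitute
        return iterate(name)[0]

def compare():
    """Answers seen through a filtering and a non-filtering resolver."""
    access = Resolver(blocklist=["www.example.eu"], substitute="203.0.113.234")
    other = Resolver()                     # e.g. Jones & Jones Ltd's own resolver
    names = ["www.example.eu", "www.ejemplo.eu"]
    return {n: (access.resolve(n), other.resolve(n)) for n in names}

if __name__ == "__main__":
    for name, (filtered, unfiltered) in compare().items():
        print(f"{name}: access provider={filtered} other resolver={unfiltered}")
```

The substituted answer exists only in the replies of the resolver that holds the blocklist, and only for the exact names listed; the name servers themselves still hold the unchanged records.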
Technical flaws: web proxies
Browser to Access Provider DNS Resolver: “What’s the IP address for www.proxy.example?”
Access Provider DNS Resolver to browser: “The IP address for www.proxy.example is 198.51.100.207”
Diagram labels: www.proxy.example at 198.51.100.207, with its own DNS Resolver; Access Provider DNS Resolver
Query at the proxy: “Where is www.example.eu?”
Diagram sequence: proxy’s DNS Resolver → Root Name Server → .eu Registry DNS server → DNS example.eu
Answer: 192.0.2.12
Final diagram labels: www.proxy.example at 198.51.100.207; www.example.eu
Conclusions
• “DNS blocking” is a technical term
– It describes a technical procedure, not an outcome
– It is not synonymous with “preventing access using DNS”
– It is unlikely to prevent users from reaching content they are actively seeking
• There is a big difference between seeking to protect users from content they wish to avoid, and seeking to obstruct users from reaching content they seek
– In the first case, you can enlist the support of users and the software and services they use
– In the latter, there is always a way around any impediment, and these ways can and will be made easy for anyone to use