Deploy360 21 March 2014

Turkey's Ban On Twitter Will Inadvertently Cause A Rise In DNSSEC Validation

By Dan York, Director, Web Strategy & Project Lead, Open Standards Everywhere

Today the media is buzzing with the news of the Turkish government banning Twitter and even more with the fact that citizens are figuring out ways around that. “The Internet routes around censorship”, as the saying goes (or close to that). There are predictably MANY tweets out there on hashtags like #TurkeyBlockedTwitter and #TwitterBlockedInTurkey.

And many photos like the one I’m inserting here are appearing not only on Twitter but across the web and other media. As The Verge notes, it seems the Turkish government is just using a simple DNS block, presumably at all Internet service providers (ISPs) in Turkey, to prevent people from connecting to Twitter.

As the people in Turkey have discovered, this block can be easily circumvented simply by changing your device’s network settings to use public DNS servers such as those operated by Google.

Leaving the politics aside, my first reaction as a DNSSEC advocate was “Cool! Now we’ll see an uptick in DNSSEC-validated DNS queries!”

The reason, of course, is that Google’s Public DNS service performs DNSSEC validation by default on ALL DNS queries. So, not only are all those Turkish citizens getting around the ban on Twitter, but they are also getting more security and ensuring that the responses they get back from DNS for a domain are indeed the correct information entered by the operator of that domain (for companies/organizations that have signed their domain).

Hopefully the situation there in Turkey will stabilize and the ban will be lifted. In the meantime, though, I suspect those people doing DNSSEC measurements will see a burst in DNSSEC validation happening from that region.


P.S. As I pointed out at the bottom of the earlier post about Google Public DNS turning on DNSSEC validation that I reference above, the use of a public DNS resolver performing DNSSEC validation does not completely ensure the security of the results you receive back. There is still an opportunity for an attacker to inject or modify DNS packets on the path between your device and the distant DNS resolver. That is why we ideally want to see DNSSEC validation happening at a much closer level such as on the edge of your local network or perhaps even in your actual device. However, having it happen on public DNS resolvers is a great first step toward making DNS results more secure.
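What a device behind a validating public resolver can actually observe, as an added example that is not part of the original post: the sketch builds a query with the EDNS0 "DNSSEC OK" bit and classifies a response by its header flags, which is also how the P.S. caveat shows up in practice, since the AD flag is an unsigned bit carried over the unprotected path. The function names and the sample responses are constructed for illustration, and nothing is sent on the network.

```python
import struct

AD = 0x0020   # header flag: Authenticated Data, set by a validating resolver
DO = 0x8000   # EDNS0 flag: "DNSSEC OK", asks for DNSSEC-aware processing

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query: RD set, one question, one EDNS0 OPT record with DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT RR: root owner, type 41, UDP size 1232, TTL field carries the flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def classify_response(msg, txid=0x1234):
    """Map a response header to the validation status a stub can observe."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", msg[:4])
    if rid != txid or not flags & 0x8000:                    # QR must be set
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"    # returned for bogus data (and other resolver failures)
    if rcode not in (0, 3):
        return "error"
    # AD is an unsigned header bit: trust it only as far as the path to the resolver.
    return "validated" if flags & AD else "insecure"

def constructed_response(query, flags):
    """Constructed sample: reuse the query bytes with response flags swapped in."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

QUERY = build_query("example.com")
SAMPLES = {                                                  # constructed flag words
    "signed zone": constructed_response(QUERY, 0x81A0),      # QR RD RA AD, NOERROR
    "unsigned zone": constructed_response(QUERY, 0x8180),    # QR RD RA, NOERROR
    "failed validation": constructed_response(QUERY, 0x8182) # QR RD RA, SERVFAIL
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:18} -> {classify_response(msg)}")
```

A validator on the local network edge or on the device itself checks the signatures directly instead of relying on this flag.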


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
