Deploy360 21 March 2014

Turkey's Ban On Twitter Will Inadvertently Cause A Rise In DNSSEC Validation

By Dan York, Director, Online Content

Today the media is buzzing with the news of the Turkish government banning Twitter and even more with the fact that citizens are figuring out ways around that. “The Internet routes around censorship”, as the saying goes (or close to that). There are predictably MANY tweets out there on hashtags like #TurkeyBlockedTwitter and #TwitterBlockedInTurkey.

And many photos like the one I’m inserting here are appearing not only on Twitter but across the web and other media.   As The Verge notes, it seems the Turkish government is just using a simple DNS block, presumably at all Internet service providers (ISPs) in Turkey, to prevent people from connecting to Twitter.

As the people in Turkey have discovered, this block can be easily circumvented simply by changing your device’s network settings to use public DNS servers such as those operated by Google.

Leaving the politics aside, my first reaction as a DNSSEC advocate was “Cool! Now we’ll see an uptick in DNSSEC-validated DNS queries!”

The reason, of course, is that Google’s Public DNS service performs DNSSEC validation by default on ALL DNS queries.  So, not only are all those Turkish citizens getting around the ban on Twitter, but they are also getting more security and ensuring that the responses they get back from DNS for a domain are indeed the correct information entered by the operator of that domain (for companies/organizations that have signed their domain).

Hopefully the situation there in Turkey will stabilize and the ban will be lifted. In the meantime, though, I suspect those people doing DNSSEC measurements will see a burst in DNSSEC validation happening from that region.

P.S. As I pointed out at the bottom of the earlier post about Google Public DNS turning on DNSSEC validation that I reference above, the use of a public DNS resolver performing DNSSEC validation does not completely ensure the security of the results you receive back.  There is still an opportunity for an attacker to inject or modify DNS packets on the path between your device and the distant DNS resolver.  That is why we ideally want to see DNSSEC validation happening at a much closer level such as on the edge of your local network or perhaps even in your actual device.  However, having it happen on public DNS resolvers is a great first step toward making DNS results more secure.
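To make the P.S. concrete, here is an added example (not part of the original post) of what a device actually sees from a validating public resolver: a single AD ("Authenticated Data") flag in the DNS response header, or SERVFAIL when validation fails. That flag is not itself signed, so it is only as trustworthy as the path to the resolver. The function names and the header-only sample responses are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, with AD/CD from RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
SERVFAIL = 2

def build_query(name, qid, qtype=1):
    """Encode an A query with RD and AD set. AD in a query asks the
    resolver to report its validation result (RFC 6840, section 5.7)."""
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(response, qid):
    """Say how a non-validating stub should read the resolver's answer."""
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & QR:
        return "mismatch"
    if flags & 0x000F == SERVFAIL:
        # A validating resolver answers SERVFAIL when signatures are bogus.
        return "servfail"
    if flags & AD:
        # The resolver vouches for the data; the stub verified nothing itself.
        return "resolver-validated"
    return "not-validated"

def sample_response(qid, extra_flags):
    """Constructed header-only response, enough to exercise classify()."""
    return struct.pack("!HHHHHH", qid, QR | RD | RA | extra_flags, 1, 1, 0, 0)

if __name__ == "__main__":
    qid = 0x1234
    print(build_query("example.com", qid).hex())
    cases = [("signed zone", AD), ("unsigned zone", 0),
             ("bogus signature", SERVFAIL)]
    for label, flags in cases:
        print(label, "->", classify(sample_response(qid, flags), qid))
```

A validator running on the device or at the edge of the local network checks the RRSIG records itself instead of relying on this one flag, which is the closer-in deployment the P.S. argues for.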


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
