While we may be tired of hearing about blocked Internet access, the most recent move in Turkey should make us sit up and take notice again, as it represents an attack not just on the DNS infrastructure, but on the global Internet routing system itself.
I would argue that people in Turkey haven’t had real Internet service since mid-March when the Turkish government banned access to, and required the blocking of, Twitter and subsequently YouTube. As reported, in the most recent effort to comply with the Turkish government mandate, Turkish ISPs have taken aim at the open public DNS services provided by companies such as Google. This is fragmenting the Internet — destroying its very purpose — and the Internet Society has been clear in its position that it should be undone.
This latest move attempts to address a perceived problem: many Turkish Internet users were using the well-known IP address of the Google Public DNS service to circumvent the crippled DNS services offered by their ISP. And with that, they could again access Twitter and YouTube.
While the service that is being blocked is an actual DNS server, the blocking is being performed at a lower level, in the routing system itself. To block access to Google Public DNS servers, Turkish ISPs’ routers are announcing an erroneous and very specific Internet route that includes the well-known IP address. With this modification, the Turkish routers are now lying about how to get to the Google Public DNS service, and taking all the traffic to a different destination. They are lying about where the Google service resides — by hijacking the traffic. Apparently, the ISPs are not just null-routing it (sending into oblivion) — but rather sending the traffic to their own DNS servers which then (wait for it) give out the wrong answers. So, these servers are masquerading as the Google Public DNS service.
Both (a) blocking Twitter and YouTube by returning false DNS results and (b) the use of false routing announcements are attacks on the integrity of the Internet’s infrastructure — DNS and routing. Both of these infrastructure services are imperative to have a global Internet, and they are operated by collective agreement to adhere to Internet protocols and best practices — that’s what puts the “inter” in inter-network.
In 2012, when the US government was contemplating laws that would require ISPs to falsify DNS results in an effort to curtail access to websites offering counterfeit goods (SOPA — “Stop Online Piracy Act” and PIPA — “Protect IP Act”), we put together a whitepaper outlining the pitfalls of such DNS filtering. Those concerns apply in the case of the DNS blocking of Twitter and YouTube in Turkey, and there are analogs for the route hijacking approach, too:
Easily circumvented
Users who wish to download filtered content can simply use IP addresses instead of DNS names. As users discover the many ways to work around DNS filtering, the effectiveness of filtering will be reduced. ISPs will be required to implement stronger controls, placing them in the middle of an unwelcome battle between Internet users and national governments.
Doesn’t solve the problem
Filtering DNS or blocking the name does not remove the illegal content. A different domain name pointing to the same Internet address could be established within minutes.
Incompatible with DNSSEC and impedes DNSSEC deployment
DNSSEC is a new technology designed to add confidence and trust to the Internet. DNSSEC ensures that DNS data are not modified by anyone between the data owner and the consumer. To DNSSEC, DNS filtering looks the same as a hacker trying to impersonate a legitimate web site to steal personal information—exactly the problem that DNSSEC is trying to solve.
DNSSEC cannot differentiate legally sanctioned filtering from cybercrime.
Causes collateral damage
When both legal and illegal content share the same domain name, DNS filtering blocks access to everything. For example, blocking access to a single Wikipedia article using DNS filtering would also block millions of other Wikipedia articles.
Puts users at-risk
When local DNS service is not considered reliable and open, Internet users may use alternative and non-standard approaches, such as downloading software that redirects their traffic to avoid filters. These makeshift solutions subject users to additional security risks.
Encourages fragmentation
A coherent and consistent structure is important to the successful operation of the Internet. DNS filtering eliminates this consistency and fragments the DNS, which undermines the structure of the Internet.
Drives service underground
If DNS filtering becomes widespread, “underground” DNS services and alternative domain namespaces will be established, further fragmenting the Internet, and taking the content out of easy view of law enforcement.
Raises human rights and due process concerns
DNS filtering is a broad measure, unable to distinguish illegal and legitimate content on the same domain. Implemented carelessly or improperly, it has the potential to restrict free and open communications and could be used in ways that limit the rights of individuals or minority groups.
The kicker is that this sort of approach to blocking use of (parts of) the Internet just doesn’t work. There are always workarounds, although they are becoming increasingly tortuous (dare I say “byzantine”?) and impede the future growth of the Internet’s technology. If Internet technology is like building blocks, this is like sawing the corners off your whole set of blocks and then trying to build a model with them.
All that this escalation of Internet hostility achieves is: a broken Internet.
In 2010, the Internet Society published a paper based on a thought exercise about what would become of the Internet if different forces prevailed in the Internet’s evolution. We’re seeing escalations on all vectors of the quadrants we outlined in the 2010 scenarios and while we believed it was a thought-experiment at the time, it’s amazing to see how much of the then-barely-imaginable is becoming real in one way or another. Collectively, we should take heed of the outcomes that those scenarios paint — and work together to get beyond this.
In the immediate term, there are technologies available to provide better security of (and, therefore, confidence in) DNS and routing infrastructures — see our related post on the Deploy360 site: Turkish Hijacking of DNS Providers Shows Clear Need For Deploying BGP And DNS Security.