DNS shakeup could kill ISP filters
Architecture changes promise increased security via DNS encryption — at a price
ISPs, regulators and child-protection groups face a fight to maintain control over web traffic as a new DNS system threatens to neuter tools such as porn-blockers and anti-malware tools.
Until now, DNS requests have been unencrypted, meaning ISPs can see domain requests within traffic and block domains on blacklists, or sites known to host malware.
Many experts believe the proposed changes are overdue and represent an improvement in security and privacy. However, the shift threatens services such as the adult content filters operated by all of Britain's major ISPs, because they would no longer have the ability to filter out certain sites.
"Without cross-industry engagement, this step change has the potential to significantly impact operators' online harm protection capabilities, regulatory obligations and cybersecurity capabilities," BT's principal network architect Andy Fidler warned in a presentation to industry figures.
"DNS blocking is the most granular tool in the kit box used by UK ISPs to implement government and regulation blocking orders," he said. "If UK ISPs are no longer in the DNS path, they may not be able to fulfil certain domain-specific, court order blocking requests."
BT declined to comment on the content of the presentation, but said that it was working with the industry and officials to find a solution to a situation that could render anti-piracy and other tools obsolete.
BT referred us to a statement given by the ISP industry group, ISPA, whose chair Andrew Glover said that: "UK broadband providers are actively involved at a national and international level in ensuring that encrypted DNS is implemented in a way that does not break existing protections provided to UK internet users.
"If internet browser manufacturers switch on DNS encryption by default, they will potentially allow harmful online content to go unchecked."
The debate over encrypting DNS has been raging for years amid fears that the system has been open to abuse. Experts claim the "loopholes" in the DNS system used by ISPs to block sites have also been exploited by hackers.
"DNS is fundamentally insecure," said Neil Brown, a network expert lawyer and founder of law firm Decoded Legal. "DNS is used or abused to do a number of things like content controls for court order site blocking. If you ask for the Pirate Bay, the number you get back isn't for the Pirate Bay."
With DoH turned on users could as they can currently choose DNS servers other than their ISP's own, but because the DNS information is encrypted it would bypass ISP monitoring. "Currently, I can choose to use a different DNS server than my ISP, but since DNS is unencrypted, my ISP can still watch ports and requests that I am making," said Brown. "If that is encrypted they cannot do so. It effectively goes through the ISP to the DNS server that you have chosen."
Child abuse concerns
Child protection advocates are angry at what they see as industry arrogance, claiming many site blocks are voluntary and that the system could scupper the Internet Watch Foundation's child-abuse blacklist.
"It has always been possible to opt out of using family filters or other types of protective software," said John Carr, an online child protection professional."There has generally always been an option for individuals to choose alternative DNS servers. But something on the scale now being contemplated, particularly if introduced by default, takes us to a whole other place, and not in a good way," Carr added.
The Internet Watch Foundation was unable to provide details of its plans to remedy the introduction of DNS over HTTPS, although it's understood that the watchdog's tools are more complex than merely blocking domains.
However, with increased pressure from governments to block content globally, many believe DoH is a natural progression to shore up a weakness that could be abused by bad actors. "Who would have thought that anything on the internet, architecture-wise, would stay the same forever?" asked Brown. "These controls have in some ways always been an abuse of the DNS system it may have been an abuse for a good reason but it was still an abuse.
"I'm surprised that anyone thought one solution should be the same forever and would stand still to protect one technical means of parental control, as if the internet should evolve around that one use."