DNS shakeup could kill ISP filters

Architecture changes promise increased security via DNS encryption — at a price

Internet concept

ISPs, regulators and child-protection groups face a fight to maintain control over web traffic as a new DNS system threatens to neuter tools such as porn-blockers and anti-malware tools.

Firefox and Chrome plan to shift from DNS the "telephone book" that translates user page requests into IP addresses to a more secure version called DNS over HTTPS (DoH).

Until now, DNS requests have been unencrypted, meaning ISPs can see domain requests within traffic and block domains on blacklists, or sites known to host malware.

Many experts believe the proposed changes are overdue and represent an improvement in security and privacy. However, the shift threatens services such as the adult content filters operated by all of Britain's major ISPs, because they would no longer have the ability to filter out certain sites.

"Without cross-industry engagement, this step change has the potential to significantly impact operators' online harm protection capabilities, regulatory obligations and cybersecurity capabilities," BT's principal network architect Andy Fidler warned in a presentation to industry figures.

"DNS blocking is the most granular tool in the kit box used by UK ISPs to implement government and regulation blocking orders," he said. "If UK ISPs are no longer in the DNS path, they may not be able to fulfil certain domain-specific, court order blocking requests."

BT declined to comment on the content of the presentation, but said that it was working with the industry and officials to find a solution to a situation that could render anti-piracy and other tools obsolete.

BT referred us to a statement given by the ISP industry group, ISPA, whose chair Andrew Glover said that: "UK broadband providers are actively involved at a national and international level in ensuring that encrypted DNS is implemented in a way that does not break existing protections provided to UK internet users.

"If internet browser manufacturers switch on DNS encryption by default, they will potentially allow harmful online content to go unchecked."

Broken system

The debate over encrypting DNS has been raging for years amid fears that the system has been open to abuse. Experts claim the "loopholes" in the DNS system used by ISPs to block sites have also been exploited by hackers.

"DNS is fundamentally insecure," said Neil Brown, a network expert lawyer and founder of law firm Decoded Legal. "DNS is used or abused to do a number of things like content controls for court order site blocking. If you ask for the Pirate Bay, the number you get back isn't for the Pirate Bay."

With DoH turned on users could as they can currently choose DNS servers other than their ISP's own, but because the DNS information is encrypted it would bypass ISP monitoring. "Currently, I can choose to use a different DNS server than my ISP, but since DNS is unencrypted, my ISP can still watch ports and requests that I am making," said Brown. "If that is encrypted they cannot do so. It effectively goes through the ISP to the DNS server that you have chosen."

Child abuse concerns

Child protection advocates are angry at what they see as industry arrogance, claiming many site blocks are voluntary and that the system could scupper the Internet Watch Foundation's child-abuse blacklist.

"It has always been possible to opt out of using family filters or other types of protective software," said John Carr, an online child protection professional."There has generally always been an option for individuals to choose alternative DNS servers. But something on the scale now being contemplated, particularly if introduced by default, takes us to a whole other place, and not in a good way," Carr added.

The Internet Watch Foundation was unable to provide details of its plans to remedy the introduction of DNS over HTTPS, although it's understood that the watchdog's tools are more complex than merely blocking domains.

However, with increased pressure from governments to block content globally, many believe DoH is a natural progression to shore up a weakness that could be abused by bad actors. "Who would have thought that anything on the internet, architecture-wise, would stay the same forever?" asked Brown. "These controls have in some ways always been an abuse of the DNS system it may have been an abuse for a good reason but it was still an abuse.

"I'm surprised that anyone thought one solution should be the same forever and would stand still to protect one technical means of parental control, as if the internet should evolve around that one use."

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021