DNS Filtering is an American Innovation

Paul Vixie and some of his fellow DNS experts have published a blog post in The Hill’s “Congress Blog” denouncing the DNS blacklisting feature of the rogue site bills currently working their way through Congress, PROTECT-IP and SOPA. In their view, DNS blacklisting is un-American:

[T]he debate over what we as a society ought to do about online piracy and infringement has gone into the weeds – so much so that bills now pending before both houses of the US Congress (S. 936, PIPA; and H.R. 3261, SOPA) seek to compel American Internet Service Providers to alter fundamentally the way their connected customers access the Domain Name System.

This type of mandated filtering is not an American innovation. Strong governments around the world use DNS filtering to signal their displeasure over all kinds of things they don’t like, whether it be untaxed online gambling, or pornography, or political dissent.

It’s interesting to contrast the view in this new blog post with a post Mr. Vixie published last February announcing the addition of a domain blacklisting feature to the Internet’s most popular DNS server software, BIND, a product maintained by his firm, Internet Systems Consortium.

The post, titled “Taking Back the DNS,” highlights the fact that most new domains are malicious and describes a feature newly added to BIND that enables ISPs to make such domains effectively disappear from the Internet.

Vixie’s rationale was straightforward:

Society’s bottom feeders have always found ways to use public infrastructure to their own advantage, and the Internet has done what it always does which is to accelerate such misuse and enable it to scale in ways no one could have imagined just a few years ago. Just as organized crime has always required access to the world’s money supply and banking system, so it is that organized e-crime now requires access to the Internet’s resource allocation systems. They are using our own tools against us, while we’re all competing to see which one of us can make our tools most useful.

This all seems quite sensible, so Congress has followed Vixie’s lead in including domain blacklisting in PROTECT-IP and in SOPA.

Despite the objections raised by the DNS experts to these bills, domain blacklisting remains a supported feature in BIND, and was recently upgraded from Version 1 to Version 2; the feature’s formal name is “Response Policy Zones” or RPZ.

One likely effect of the passage of PIPA or SOPA would be for vendors of competing DNS systems to adopt the RPZ feature and make it a de facto standard. As Vixie says, it addresses a fundamental lack of accountability in the Internet:

  • The split registry/registrar/registrant model insulates all parties from responsibility, so the global DNS lacks accountability – complaints are ineffective, even with provable crime/losses.
  • This resiliency and unaccountability is of greater benefit to bad actors than their victims

RPZ as presently implemented is not fully compatible with DNSSEC, the “new” 15-year-old DNS security upgrade described in the column. That shortcoming will need to be addressed whether PIPA/SOPA becomes law or not, and it didn’t prevent its creator from releasing it in the interests of the good it can do.

DNS filtering is not only an American innovation, it’s Paul Vixie’s innovation.

In fairness, I have to point out that Vixie sees a major difference between DNS blacklisting that’s voluntary on the user’s part and the government-mandated filtering proposed by PIPA and SOPA. In his view, it’s a question of the alignment of interests, but he ignores the consumers who simply want to buy from legitimate sources (among other things).

Vixie is a dyed-in-the-wool Ayn Rand libertarian who has maintained an Objectivism repository on his web site for as long as I can remember. It’s safe to say that his objection to government mandating the use of his RPZ mechanism has more to do with his politics than with his technical knowledge.

UPDATE: Rep. Goodlatte read portions of this post in the SOPA markup hearing.

About the author

Richard Bennett is an ITIF Senior Research Fellow specializing in broadband networking and Internet policy. He has a 30-year background in network engineering and standards. He was vice-chair of the IEEE 802.3 task group that devised the original Ethernet over Twisted Pair standard, and has contributed to Wi-Fi standards for fifteen years. He was active in OSI, the instigator of RFC 1001, and founder, along with Bob Metcalfe, of the Open Token Foundation, the first network industry alliance to operate an interoperability lab. He has worked for leading applied research labs, where portions of his work were underwritten by DARPA. Richard is also the inventor of four networking patents and a member of the BITAG Technical Working Group.
  • Seth Finkelstein

    I think you’re being unfair, reaching for a cheap irony. I know I went through something like this all the time in anti-censorware activism, often quite nastily – “How is censorship different from anti-spam, huh huh huh? What about the rights of people who DON’T want to be subjected to terrorist propaganda, *gotcha!*”

    There’s a crucial difference between something you use, where it can fail and there’s no legal consequences, versus a mandate with fines and criminal penalties attached to it. And between what you don’t want to see, and what a third-party forbids you to see or to prevent others from seeing. That’s not merely “politics”, but a matter of helping versus fighting the end-user. You’re using the tactic of eliding that difference, then claiming inconsistency and hypocrisy from the false equivalence you created in the first place.

  • Richard Bennett

    It is very much the case that the domain filtering feature in PIPA and SOPA was inspired by Vixie’s “Taking Back the DNS” post, Seth. This is simply giving credit where it’s due.

  • paul vixie

    Richard, you quoted my February article in CircleID but not my August follow-up to that article in which I wrote:

    “My proposed answer is the approach that’s protected Skype all these years: Defense in Depth. This is more or less what I meant in my previous article on COICA and Secure DNS when I said: … if someone upstream of you can interfere with your traffic then you’ll have to use anti-censorship tools rather than Secure DNS to frustrate that interference. … These observations have policy implications, including one I had not foreseen at the time I wrote my earlier article COICA and Secure DNS when I said: … a below-recursive policy whose goal is to make certain domain names unreachable will always be successful no matter how completely the world deploys Secure DNS.”

    That article is still online at: http://www.circleid.com/posts/defense_in_depth_for_dnssec_applications/

    As to my politics or philosophy, I do believe that knowledge is contextual and that we should be willing to challenge and extend what we think we know. That may be unrealistic in the political world but it has served me well in science and engineering.

    Paul

  • Richard Bennett

    Right Paul, I linked your July follow-up on “Alignment of Interests” but not your later posts which I took to be more political. There’s nothing at all wrong with technical people holding political views and advocating fiercely for their values – we aren’t political eunuchs after all – but there’s often a tricky line between what we know to be true and what we wish to be true. However the PIPA/SOPA fight turns out, I think RPZ is a valuable tool and I’m glad you had the courage to develop it and to stand up to those of your critics who believe that any and all forms of blacklisting, voluntary or mandatory, are evil.

    There is a group – I can’t say how large – whose interests are aligned with anti-piracy efforts. These are the people who are willing to pay content creators but not to pay content thieves. RPZ is perfect for these people.