
DNS Integrity in the Real World

[Image: botnet example]

Those who followed the SOPA and Protect IP copyright law debate in December and January will recall an argument raised by certain members of the tech sector to the effect that enlisting the Internet’s Domain Name System (DNS) in the fight against pirated goods would undermine Internet security. The SOPA critics said that it’s OK to use DNS blacklists to prevent access to malware sites, but that sites selling Hollywood movies without license have an entirely different character.

Critics also argued that, besides all of that, DNS blacklisting would be completely ineffective because users would simply shift from the legitimate DNS services provided by their ISPs to rogue services operating offshore and outside the reach of U.S. law. Some critics, such as former Bush Administration official Stewart Baker, argued that without any user intervention at all Secure DNS would magically go “casting about the Internet” looking for rogue DNS services to reach the pirate video sites of the user’s preference.

We pushed back on these arguments, pointing out that there’s extremely high overlap between the criminal sites that sell patent-protected and copyrighted goods without license and those that infect computers with malware, and that the typical user lacks the technical skills necessary to change the DNS servers their ISP assigns to their home router to some other specific pair of DNS servers.

A blog post on Circle ID about the DNS Changer botnet shows that we were right and our critics were wrong. The post chronicles the struggle to take down a botnet that changed the DNS servers in user computers and home routers to rogue DNS servers, which the criminals then used to redirect users to bogus versions of financial web sites. That enabled them to steal credit card numbers and banking logins.

But how did this malicious software get installed in user systems to begin with? According to the FBI indictment, the key was offering pirated video content:

Victims’ computers became infected with the Malware when they visited certain websites or downloaded certain software to view videos online. The Malware altered the DNS server settings on victims’ computers to route the infected computers to rogue DNS servers controlled and operated by the defendants and their co-conspirators.

That’s what we said was happening, and the DNS Changer botnet episode is one clear example.

And how easy has it been to change the DNS servers installed by the botnet to legitimate ones? Not easy at all:

Most Internet users do not have the skills necessary to check and repair the configuration of their home routers, and most Windows users are also unwilling to reinstall Windows. So, even when we could identify and notify a victim, we had a hard time “closing the deal”.

This is a far cry from the “one click of a mouse” story that SOPA critics told Congress and in a different reality than Stewart Baker’s “magically casting about the Internet” story.
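The check that the victim notification effort was asking ordinary users to perform is, at bottom, a comparison of the resolvers a host is actually configured to use against the ones its ISP assigns. The following script is an added example, not code from the original post or from the DNS Changer working group: it parses a resolv.conf-style configuration, classifies each resolver as expected, rogue or unknown, and reduces the findings to one triage verdict. The allowlist, the rogue range and the sample configuration are all constructed from RFC 5737 documentation prefixes, not real indicators.

```python
"""Offline integrity check of a host's configured DNS resolvers.

Added example, not code from the original post or from the DNS Changer
working group. EXPECTED_RESOLVERS, ROGUE_RANGES and SAMPLE_RESOLV_CONF are
constructed from RFC 5737 documentation prefixes; a real deployment would
substitute the ISP's published resolvers and vetted rogue-range indicators.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed: the resolvers the ISP actually assigns to this customer (assumption).
EXPECTED_RESOLVERS = ["192.0.2.1", "192.0.2.2"]

# Constructed placeholder for address ranges a rogue resolver operator is known to use.
ROGUE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed resolv.conf as DNS Changer-style malware might leave it:
# a rogue resolver listed first, the ISP's resolver second, and one stray entry.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 203.0.113.77
nameserver 192.0.2.1
nameserver 198.51.100.9
nameserver not-an-address
"""

_NAMESERVER = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses in the order the stub resolver will try them.

    Malformed entries are skipped rather than failing the whole audit, so a
    deliberately garbled line cannot hide the well-formed rogue entry next to it.
    """
    servers: List[str] = []
    for match in _NAMESERVER.finditer(text):
        candidate = match.group(1)
        try:
            servers.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue
    return servers


def classify_resolver(
    ip: str,
    expected: Iterable[str] = EXPECTED_RESOLVERS,
    rogue_ranges: Iterable[ipaddress.IPv4Network] = ROGUE_RANGES,
) -> str:
    """Label one resolver: 'rogue' if it falls in a known-bad range,
    'expected' if it is one the ISP assigns, otherwise 'unknown'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in rogue_ranges):
        return "rogue"
    if ip in set(expected):
        return "expected"
    return "unknown"


def audit_resolvers(
    text: str,
    expected: Iterable[str] = EXPECTED_RESOLVERS,
    rogue_ranges: Iterable[ipaddress.IPv4Network] = ROGUE_RANGES,
) -> Dict[str, str]:
    """Map every configured resolver to its classification."""
    expected = list(expected)
    rogue_ranges = list(rogue_ranges)
    return {ip: classify_resolver(ip, expected, rogue_ranges) for ip in parse_resolv_conf(text)}


def verdict(findings: Dict[str, str]) -> str:
    """Collapse per-resolver findings into one triage outcome.

    'rogue' dominates: a single hijacked resolver answers every lookup sent to
    it, no matter how many legitimate resolvers are listed alongside it.
    """
    labels = set(findings.values())
    if "rogue" in labels:
        return "hijacked"
    if "unknown" in labels:
        return "review"
    return "clean"


if __name__ == "__main__":
    findings = audit_resolvers(SAMPLE_RESOLV_CONF)
    for ip, label in findings.items():
        print(f"{ip:16} {label}")
    print("verdict:", verdict(findings))
```

The same comparison applies to the DNS servers a home router hands out over DHCP, which is the other place the post says the botnet rewrote settings: feed the router's advertised resolvers to `audit_resolvers` in place of the resolv.conf text and the verdict logic is unchanged. An "unknown" result is deliberately not treated as clean, since a resolver that is neither the ISP's nor on a blocklist is exactly what a freshly deployed rogue service would look like.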

The most shocking parts of this story are the timeline and the people involved. The takedown of DNS Changer took place in November 2011, the month before the DNS security arguments were presented to Senate staffers and members of the House Judiciary Committee at the SOPA markup hearings.

So well-informed critics would have known about DNS Changer while they were arguing that SOPA represented a bigger threat to Internet security than rogue sites do themselves. The information about DNS Changer was not made public at the time, but the principal technologist working on the takedown, Paul Vixie, was vigorously lobbying against SOPA. In fact, Vixie is the man with DNS expertise who supplied the primary security arguments against the bill that were simply parroted by other critics with less DNS knowledge.

I fail to see how anyone with DNS knowledge could make the arguments that were made against the SOPA DNS blocking provision with a straight face, especially when the DNS Changer circumstances were staring into that very same face.

The takeaway from this sorry episode is that technologists have the same ability to edit the facts to suit their biases that every other human has. Engineers need to be involved in tech policy debates, but others need to take their opinions with the same skepticism they apply to everyone else, across the board.

It also appears that the DNS Changer botnet takedown was bungled, as the most efficient way to repair the damage it did to end user systems would have been to use the botnet itself to restore the proper configuration. That remedy may still be available, but it’s a story for another post.


Image from Wikimedia Commons user Tom B
