This is being shared with permission of CodeBastard Redgrave, and all the information that this post contains was pulled from the plurk page located at http://www.plurk.com/p/fctraw. Only minor adjustments have been made for readability by way of spelling and some grammar correction. None of the actual information was changed.
So. DNS Blacklisting.
How does it work, and how does it affect the internet? Let me explain all of
that to you. First and foremost, to understand SOPA and how bad its whole basis
is, you have to understand what a DNS server is and how it works.
See, all websites on the internet are accessed through what
is called TCP/IP, the basic internet protocol. But TCP/IP only deals with
numbers. IP addresses are made up of four 8-bit numbers separated by dots,
looking something like 192.67.23.121 (this address is fake, the 192 Class A is
reserved for internal LAN uses and doesn't exist on the net).
So, of course, numbers not being really practical for humans
to remember beyond a phone number, the engineers thought about some kind of
universal internet Yellow Book, a glue that would take every name and translate
them into an IP address, and vice versa. Enter DNS, the Domain Name System,
through which we can affectionately use a common name like plurk.com, and DNS
resolves it to an IP. Your web browser then knows where the website is located
by its IP, and magic! You can now view your beloved web page.
Unfortunately, DNS had to be centralized in some way or else
nobody would have had consistent results for their DNS queries. Enter the
ROOT DNS servers. Those are a bunch of central DNS servers that are fed by a
plethora of other DNS servers in the world. The ROOT DNS servers belong mostly to a
handful of American companies but some root servers are also hosted elsewhere
in the world.
Every ISP and hosting
provider has its own DNS servers, which are in Master mode, so when the
Root server gets a query on a non-authoritative domain, the request is simply
sent to the DNS server the domain is pointing to, and voila, it replies to the
query.
Simple enough I hope? Now you can see that the whole
interwebs is stuck together by merely a
handful of DNS servers, the Root servers. This is a weakness but also a force
of the internet, as there is little to no intervention on them; as long as they
are up, everybody can count on them to serve them the webpage.
(Quick pause in the thread’s progression with a comment of “btw,
people, this also explains why sometimes your browser doesn't seem to work but
your Skype does (Skype uses IP addresses) when your ISP's DNS goes kaput” and
the response of “^ definitely true. Some applications use IP directly instead
of DNS for more "reliability" as DNS is an extra point of failure.”)
Anyways, enter SOPA…
SOPA's whole concept is based on what is called DNS
blacklisting, which only exists at a lower DNS level than root servers. For
example, China and Syria use a DNS blacklist: since the whole country is behind
a firewall, the government controls all of the DNS servers being used to
resolve domain names for that country. So if they add something on that list,
boom, nobody is able to resolve it anymore, and the website is effectively
blocked. Imagine going to open very popular websites and see them vanish, while
the rest of the world can see them. Scary, innit?
Think that is scary? This is still on a local point, this particular
country's DNS. If they added Google to their own blacklist, only their own
country would be blocking it. But imagine if it affected the whole internet?
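To make the resolution walk and the resolver-level blacklist from the explanation above concrete, here is an added toy example (not code from the Plurk thread or its author). The server names, zones and addresses are constructed; a name is resolved by following referrals from the root through the TLD server to the domain's own nameserver, and a blocklist at one resolver stops the name from being resolved for that resolver's clients only.

```python
"""Toy iterative resolver over a constructed DNS hierarchy.

Added example, not code from the original Plurk thread or its author.
Server names, zones and IP addresses are constructed (203.0.113.0/24 is
a documentation range). The walk mirrors how a recursive resolver follows
referrals: the root only points at the TLD server, the TLD server only
points at the domain's own nameserver, and that server gives the answer.
The blocklist parameter shows how a blacklist at one resolver makes a name
unresolvable for that resolver's clients while other resolvers still answer.
"""

ROOT = "root"

# Constructed zone data: for each server, the names it knows and either a
# referral ("NS", next server to ask) or a final answer ("A", address).
SERVERS = {
    "root":       {"com.": ("NS", "tld-com"), "org.": ("NS", "tld-org")},
    "tld-com":    {"example.com.": ("NS", "ns-example")},
    "tld-org":    {"wiki.org.": ("NS", "ns-wiki")},
    "ns-example": {"www.example.com.": ("A", "203.0.113.10")},
    "ns-wiki":    {"wiki.org.": ("A", "203.0.113.20")},
}


def suffixes(name):
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def lookup(server, name):
    """Longest-suffix match, like a nameserver picking the closest zone cut."""
    zone = SERVERS[server]
    for suffix in suffixes(name):
        if suffix in zone:
            return zone[suffix]
    return None


def resolve(name, blocklist=frozenset(), max_hops=8):
    """Return (address_or_None, servers_consulted).

    blocklist holds fully-qualified names; a match blocks the name and
    everything under it before any server is asked, which is the
    resolver-level blacklist the thread describes.
    """
    for blocked in blocklist:
        if name == blocked or name.endswith("." + blocked):
            return None, ["blocked-by-resolver"]
    path, server = [], ROOT
    for _ in range(max_hops):
        path.append(server)
        record = lookup(server, name)
        if record is None:
            return None, path            # no such name (NXDOMAIN)
        rtype, value = record
        if rtype == "A":
            return value, path           # authoritative answer
        server = value                   # referral: ask the next server
    return None, path                    # referral loop guard


if __name__ == "__main__":
    print(resolve("www.example.com."))
    # Same name through a resolver that carries a national blacklist:
    print(resolve("wiki.org.", blocklist=frozenset({"wiki.org."})))
    # ...and through an ordinary resolver elsewhere in the world:
    print(resolve("wiki.org."))
```

The returned path shows the point made later in the thread that the root rarely answers directly: it appears first on every walk but only ever hands out a referral. The blocked name never reaches any server at all, which is why the block is invisible to the rest of the world and why the same name still resolves through a resolver that does not carry the list.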
More discussion ensues:
Question: is there a theoretical possibility to somehow
decentralize root servers? As in torrent decentralized?
Answer: That's what the SOPA/PIPA have in planning, putting
blacklist software on the ROOT DNS servers.
Asker: Sure, that torrent would be huge... but still sounds
nice
Answerer: (asker): yes and yes, it's actually being
discussed by several engineers, but it needs a complete re-engineering of the
DNS system. There are several propositions in that way and I hope they will be
implemented pronto.
Second Answerer: (Asker): a lot has to do with traffic minimization
too. DNSs update themselves only as rarely as they can afford to (diff. levels
etc.); traffic "costs money", so you want to keep that battened down.
Answerer: yes true (Second), actually the root servers mainly
reply with other DNS servers as authoritative and rarely reply to requests
directly. They are like the glue that holds the DNS system together.
Second Answerer: imagine if all the buses decided to talk to
each other ALL THE TIME to sort out their schedule instead of having a
centralised routine. don't know about buses in your city, but yeah...NOT IN MY
TOWN.
Back to the original discussion line…
So, we got that scary new software installed that would
allow global blocking of all root servers for any given domain. Can someone see
an immediately worrying issue with that? Well, the internet is fragile. You
think the root servers can't be hacked? Think again. It happens REGULARLY; so
often that the root servers are now multi cluster virtual machines that can be
snapshotted and restored. So, those lists will be compromised by hackers, who
will ALL go after that blacklist, trust me. It will become better than hacking
NASA. Gaining access to those lists would mean controlling what people can and
cannot view. Imagine the blackmail possibilities!
Discussion continues….
Comment: So essentially they’ll break everything. Yay.
Reply 1: Quite indeed. Not only break, but endanger the
single system that holds the internet together.
Reply 2: The internet was built on the principle of neutral openness
of information and resource, each censorship sets back that original ethos a
bit.
Comment: It’s the content industry’s failure to offer
reasonable alternatives to piracy and adopt new business models. They tend to
seek limitations and restrictions through DRMs and content restriction rather
than just doing business in new ways.
Comment: Think about
how that same industry that lobbied it will be able to also control who
criticizes them.
Comment: Consumers want unfettered affordable access to
resources. Not controlled by large corporate who are answerable to stakeholders
who want $$
Comment: Yes. That’s what scares me. Like China’s firewall.
How they restrict their media. Americans used to say that was barbaric, look at
this crap now.
Comment: Just shows how little our representatives know
about the technology, and how much they’re pocketing from special interest.
Comment: Want a good example? Check the Youtube VEVO/BMG
arrangement that grants UMG a blacklist right on any Youtube video.
Comment: Thanks for the clear explanation! I think their
real goal is censorship, not IP rights.
Comment: Really, what comes down to it is simply the US
government answering not to the people, for the people, but to profit-seeking
shareholders
Comment: Yeah..."piracy is costing us billions of
dollars!" Well, keep charging me $15 a movie then, you dicks.
Comment: Yeah, imagine a net w/out Youtube, Vimeo,
Wordpress, Blogger, StumbleUpon, DeviantArt, Wikipedia, Grooveshark, OpenSim
Comment (in addition): Twitter, Plurk, Allrecipes, Pandora,
Sourceforge, Mozilla
Comment: Imagine a web without all the good stuff, and the
only sites you can get to are corporate sites full of ads trying to sell you
stuff
Comment: But what I really don't get is the global thing,
like it's a US bill. Why are they trying to control the world's internet? Well
I guess as I was told, most websites or the content are US based.
Response to above: Most regulatory bodies of the net are
based in the US (they DID invent the internet, pretty much). It's the concept
that might spread to other countries, that is the threat.
And then came the following additional information, from
another plurker:
Okay. I was going to stay out of this, but since it got
really interesting, I'm gonna dive in. HERE IS THE OTHER PART OF THE STORY: DNSSEC.
DNSSEC is a set of security improvements to DNS. It provides
specifications for end-to-end encryption of domain names, data integrity, etc. In
1990, security researchers discovered fundamental flaws in the architecture of
DNS that could lead to malicious users hijacking or disabling the entire
internet. Not exaggerating: entire internet, at least the way we know it. This
discovery led to the development of DNSSEC, which was designed to protect DNS
clients from forged DNS data, such as that created by DNS cache poisoning.
Remember that; there'll be a pop quiz.
Anyway, how it works: All answers in DNSSEC are digitally
signed. By checking the digital signature, a DNS resolver is able to check if
the information is identical (correct and complete) to the information on the
authoritative DNS server. DNSSEC is, at this point, fairly widely deployed;
many countries have already adopted it. The US government has been sponsoring a
"DNSSEC Deployment Initiative" as part of its cyber-security efforts,
and it has been deployed on .gov sites since 2008. It is considered a priority.
So let's go back to what CENSORED was saying about how SOPA
and PIPA deal with allegedly piratical domain names. They require DNS
redirects, right? Okay. This requirement isn't compatible with DNSSEC; it completely
undermines efforts to build a secure domain name service. Remember the bit
about DNSSEC being designed to protect from forged DNS data? A domain name
service designed to protect against forged DNS data can't tell the difference
between data forged by malicious attackers and data forged by the government or
the internet service provider. The only work-around is to punch holes in the
basic security of DNSSEC, which thus leaves the internet itself vulnerable to
attack.
(There's another work-around which involves deep packet
inspection, but I've plurkjacked enough for today, I think.)
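The two DNSSEC points above, that every answer carries a signature the resolver checks against the authoritative data, and that a mandated redirect is indistinguishable from an attacker's forgery, can be shown in a few lines. The following is an added example, not code from the Plurk thread or its author. Real DNSSEC publishes RSA or ECDSA keys in DNSKEY records and signatures in RRSIG records, chained up to a trust anchor at the root; here a Lamport one-time signature built from SHA-256 stands in for the public-key scheme so that the block needs only the Python standard library. The zone name and addresses are constructed.

```python
"""DNSSEC-style signed answers and why redirects break validation.

Added example, not code from the original thread. Real DNSSEC publishes
RSA/ECDSA keys in DNSKEY records and signatures in RRSIG records, chained
to a root trust anchor; here a Lamport one-time signature built from
SHA-256 stands in for the public-key scheme so the block needs only the
standard library. Zone names and addresses are constructed.
"""
import hashlib
import os


def _h(data):
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Secret: 256 pairs of random preimages. Public: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _bits(msg):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    # Reveal, for each digest bit, the preimage that matches that bit.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    # The verifier holds only the public hashes, never the preimages.
    return all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


def canonical(name, rtype, values):
    """Canonical form of an RRset: the exact data the signature covers."""
    return f"{name.lower()}|{rtype}|{','.join(sorted(values))}".encode()


def sign_rrset(sk, name, rtype, values):
    """Authoritative server side: produce the signature for one RRset."""
    return lamport_sign(sk, canonical(name, rtype, values))


def validate_rrset(pk, name, rtype, values, sig):
    """Validating resolver side: accept the answer only if it matches the
    signature under the zone's public key. It can tell *that* the data was
    altered, never *who* altered it."""
    return lamport_verify(pk, canonical(name, rtype, values), sig)


def demo():
    sk, pk = lamport_keygen()
    name, rtype, real = "www.example.com.", "A", ["203.0.113.10"]
    sig = sign_rrset(sk, name, rtype, real)   # published by the zone owner
    return {
        # the genuine, signed answer
        "genuine": validate_rrset(pk, name, rtype, real, sig),
        # cache poisoning: an attacker swaps the address, keeps the signature
        "poisoned": validate_rrset(pk, name, rtype, ["198.51.100.66"], sig),
        # mandated redirect: the ISP swaps the address to a block page
        "redirected": validate_rrset(pk, name, rtype, ["198.51.100.1"], sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} -> {'validates' if ok else 'REJECTED (forged data)'}")
```

The poisoned and redirected cases take the same code path and get the same verdict: the resolver sees an address that does not match the signature and drops the answer. The only way for a redirect to "work" is for the resolver to skip validation, which is the hole in DNSSEC the contributor describes. Simply withholding the answer instead of rewriting it does not escape this either, since DNSSEC also signs its denial-of-existence records (NSEC/NSEC3), so a validating client can tell a genuine "no such name" from a silently dropped one.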
My commentary add-on:
SOPA and PIPA are two dangerous pieces of
legislation that threaten the accessibility of the internet as we currently
know it, not just in America, but in the world. If you’re not, at this point,
aware of what’s going on, please take a little time to check out websites such
as http://americancensorship.org/supporters.html, http://sopablackout.org/learnmore/, and http://americancensorship.org/infographic.png.