DNS shakeup could kill ISP filters

Architecture changes promise increased security via DNS encryption — at a price

Internet concept

ISPs, regulators and child-protection groups face a fight to maintain control over web traffic as a new DNS system threatens to neuter tools such as porn-blockers and anti-malware tools.

Firefox and Chrome plan to shift from DNS the "telephone book" that translates user page requests into IP addresses to a more secure version called DNS over HTTPS (DoH).

Advertisement - Article continues below

Until now, DNS requests have been unencrypted, meaning ISPs can see domain requests within traffic and block domains on blacklists, or sites known to host malware.

Many experts believe the proposed changes are overdue and represent an improvement in security and privacy. However, the shift threatens services such as the adult content filters operated by all of Britain's major ISPs, because they would no longer have the ability to filter out certain sites.

"Without cross-industry engagement, this step change has the potential to significantly impact operators' online harm protection capabilities, regulatory obligations and cybersecurity capabilities," BT's principal network architect Andy Fidler warned in a presentation to industry figures.

"DNS blocking is the most granular tool in the kit box used by UK ISPs to implement government and regulation blocking orders," he said. "If UK ISPs are no longer in the DNS path, they may not be able to fulfil certain domain-specific, court order blocking requests."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

BT declined to comment on the content of the presentation, but said that it was working with the industry and officials to find a solution to a situation that could render anti-piracy and other tools obsolete.

BT referred us to a statement given by the ISP industry group, ISPA, whose chair Andrew Glover said that: "UK broadband providers are actively involved at a national and international level in ensuring that encrypted DNS is implemented in a way that does not break existing protections provided to UK internet users.

"If internet browser manufacturers switch on DNS encryption by default, they will potentially allow harmful online content to go unchecked."

Broken system

The debate over encrypting DNS has been raging for years amid fears that the system has been open to abuse. Experts claim the "loopholes" in the DNS system used by ISPs to block sites have also been exploited by hackers.

"DNS is fundamentally insecure," said Neil Brown, a network expert lawyer and founder of law firm Decoded Legal. "DNS is used or abused to do a number of things like content controls for court order site blocking. If you ask for the Pirate Bay, the number you get back isn't for the Pirate Bay."

Advertisement - Article continues below

With DoH turned on users could as they can currently choose DNS servers other than their ISP's own, but because the DNS information is encrypted it would bypass ISP monitoring. "Currently, I can choose to use a different DNS server than my ISP, but since DNS is unencrypted, my ISP can still watch ports and requests that I am making," said Brown. "If that is encrypted they cannot do so. It effectively goes through the ISP to the DNS server that you have chosen."

Child abuse concerns

Child protection advocates are angry at what they see as industry arrogance, claiming many site blocks are voluntary and that the system could scupper the Internet Watch Foundation's child-abuse blacklist.

"It has always been possible to opt out of using family filters or other types of protective software," said John Carr, an online child protection professional."There has generally always been an option for individuals to choose alternative DNS servers. But something on the scale now being contemplated, particularly if introduced by default, takes us to a whole other place, and not in a good way," Carr added.

Advertisement - Article continues below

The Internet Watch Foundation was unable to provide details of its plans to remedy the introduction of DNS over HTTPS, although it's understood that the watchdog's tools are more complex than merely blocking domains.

However, with increased pressure from governments to block content globally, many believe DoH is a natural progression to shore up a weakness that could be abused by bad actors. "Who would have thought that anything on the internet, architecture-wise, would stay the same forever?" asked Brown. "These controls have in some ways always been an abuse of the DNS system it may have been an abuse for a good reason but it was still an abuse.

"I'm surprised that anyone thought one solution should be the same forever and would stand still to protect one technical means of parental control, as if the internet should evolve around that one use."

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now
Advertisement
Advertisement

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
Police use of facial recognition ruled unlawful in the UK
privacy

Police use of facial recognition ruled unlawful in the UK

11 Aug 2020