Saturday, December 15, 2012

It's time to fix DNS

The Domain Name System (DNS) has been with us since the dawn of the Internet. It's one of the simpler protocols. You give it a name like "" and it gives you the IP address of that domain. Sounds simple, right? The way DNS works is actually fairly elegant, especially considering its age. It's a hierarchy, where each DNS server can kick the request up the chain of command until an "authoritative" server (one which has the authority to speak on behalf of that domain) is found. But the functionality is simple conceptually: give DNS a domain name and it gives you back an IP address. That is supposed to be its only function.
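To make that chain of command concrete, here is an added example (not code from the original post): a toy iterative resolver that starts at the root and follows referrals down to the authoritative server. The root, TLD and authoritative zone data and all IP addresses are constructed for illustration only.

```python
# Added example: a toy iterative resolver over a constructed DNS hierarchy
# (root -> TLD -> authoritative). All zone data and addresses are made up.
# Each "server" holds owner name -> list of (type, value) records.
ROOT = {
    "com": [("NS", "a.gtld-servers.test")],
    "a.gtld-servers.test": [("A", "192.0.2.1")],   # glue (constructed)
}
COM_TLD = {
    "example.com": [("NS", "ns1.example.com")],
    "ns1.example.com": [("A", "192.0.2.53")],      # glue (constructed)
}
EXAMPLE_AUTH = {
    "example.com": [("NS", "ns1.example.com")],
    "www.example.com": [("A", "192.0.2.80")],
    "ns1.example.com": [("A", "192.0.2.53")],
}
# Which server is reachable at which address; "root" stands in for the
# root servers every lookup must begin with (the central point the post
# is worried about).
SERVERS = {"root": ROOT, "192.0.2.1": COM_TLD, "192.0.2.53": EXAMPLE_AUTH}

def ask(server_addr, qname):
    """Reply as one name server would: an answer if it holds an A record for
    the name, otherwise a referral (with glue) to the closest delegated
    parent zone it knows about, otherwise NXDOMAIN."""
    zone = SERVERS[server_addr]
    addrs = [v for t, v in zone.get(qname, []) if t == "A"]
    if addrs:
        return ("answer", addrs)
    labels = qname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        ns = [v for t, v in zone.get(parent, []) if t == "NS"]
        if ns:
            glue = [v for t, v in zone.get(ns[0], []) if t == "A"]
            return ("referral", glue[0])
    return ("nxdomain", None)

def resolve(qname, max_hops=8):
    """Walk from the root, following referrals until an authoritative
    answer; return (addresses, list of servers consulted in order)."""
    path, where = [], "root"
    for _ in range(max_hops):
        path.append(where)
        kind, data = ask(where, qname)
        if kind == "answer":
            return data, path
        if kind == "nxdomain":
            return [], path
        where = data          # referral: move one level down the tree
    raise RuntimeError("referral loop")
```

Every lookup passes through the root and the TLD server before reaching the zone's own authoritative server, which is why whoever controls those upper levels can shape what the rest of the chain returns.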

What DNS has turned out to be, though, is the main front in the war to control what you, the Internet user, can see, interact with, and more importantly, purchase. Governments want to tinker with DNS to bring about censorship. They can for example redirect you to a warning page if they don't want you to visit That's pretty scary to type in a web address and see a large government logo warning you that you can be arrested, fined, tortured and so forth, just for visiting this so-called illegal content, the legality of which can even vary from place to place.

Corporations and large commercial interests like the entertainment industry also wish, indeed intend, to use DNS for censorship. It's a different form of censorship from what governments do, but that's what it is: censorship. Instead of "illegal" bits of 0's and 1's, they would censor you from "infringing" content. Doesn't sound too scary so far, right? If we can use DNS to stop people from visiting child porn sites or downloading a movie without paying for it, then it's a small price to pay, right?

No, for a number of reasons. First off, there isn't and most likely won't ever be accountability for getting it wrong. There's just too much temptation and potential for abuse. Think about it: if it's in a company's best financial interests to abuse something, and there are no consequences for abusing it, then abuse is simply human nature. Your daughter will do a book report on the book Little Women, and the automated repress-o-matic system (tm) will incorrectly flag your content as unacceptable. And that'll be it. Without due process to protect you, the burden of proof is now on you to show that your book report isn't kiddie porn.

Or you might be a writer. You write a story, put it on your blog and some huge content mega-conglomerate simply flags your content as its own. Why? Maybe you made some reference to something copyrighted, even one that's considered fair use. Your work is no longer accessible. This kind of thing already happens to some extent. But add DNS censorship to the mix, and not only will some mega-corporation claim your content, but now when users type in the address for your web site, they are directed to an FBI logo telling that user that they are visiting an infringing web site. Left unopposed, these huge content providers will claim all content in existence, and turn the entire Internet into a pay-for broadcast medium where everything you click on deducts from your bank account.

It's already happened that a web site which was found legal by the court of the country it was operating in was set to redirect to a scary US government logo page informing users that they were trying to visit an illegal site. They could do that because the US controls the DNS infrastructure, much to the chagrin of the rest of the world. So, it's already starting to happen. It's just a matter of time before powerful people and companies use it to silence critics or harm their competition.

But in a sense, it doesn't matter. All DNS does is simply map a name to an IP address. It's a simple protocol. If people stop using/trusting it (which is already happening) then they will just trade those mappings as another form of illicit information. It's still a meaningful form of censorship, but it's debatable whether it's a viable one.

The problem with using a common Internet protocol as a tool of censorship is that it essentially breaks the Internet, in this case in a misguided attempt to enact a form of censorship that's easy to bypass. John Gilmore, a famous nerd, once said: "The Net sees censorship as damage and routes around it." So, by breaking the Internet, they are only forcing its improvement by driving innovation.

The problem with DNS, and the main reason it needs to be overhauled, is that it's one of the few centralized points in the mostly decentralized Internet. Take away the enormous DNS cash cow of ICANN, with the behind-the-scenes control that goes with it, and the Internet is pretty much just a bunch of computers all connected straight to each other, without a need for any central authority to mediate those connections. Somewhere along the line, this simple protocol became about controlling you, the user.

Decentralize DNS, Pretty Please, And Pronto!

Before we address other problems with DNS, we first need to think of decentralizing it. There's really no choice. The Utopian central authority doesn't exist, and besides, it's already starting to fray at the seams. If we do nothing, my guess is that DNS is going to just dissolve. At that point, the Internet will be less useful.

There are people already working on this problem. Solutions like ODDNS look promising.

Now, Make DNS More Secure

A protocol this important needs to be encrypted. If you can't trust DNS to give you the address of something like a financial institution, we're all pretty much screwed. It's almost too late for us not to use the Internet for our sensitive financial information.

The solution of course lies in encryption. Personally, I wouldn't trust SSL for the job, as it also needs an overhaul. But maybe the next generation of SSL, if there is one, would work. Whatever we use should have a really big key size too. Otherwise, anyone with a supercomputer could go right back to tinkering with it.

I would also make it algorithm agnostic, meaning that it should work with whatever encryption algorithm is the most secure at any given time.

I would also make it only use open source encryption algorithms.

Just like for decentralization, there are lots of people already working on DNS encryption solutions, such as DNSCrypt.

How Will It Play Out?

That's the million dollar question. Governments, corporations and international organizations like the ITU are all vying for centralized control over DNS. This should make it clear to anyone with half a brain that DNS cannot be allowed to remain centralized, lest the Internet decay into a bunch of so-called "darknets." Traditionally, technical policy is made by those with the least amount of technical understanding. We need to look to another segment, the people who invented DNS in the first place: the Nerds. Outdated protocols like DNS need to be modernized, and pronto. Otherwise, everything we Nerds built will be turned into a paywalled sandbox, with content only suitable for the lowest common denominator.

It is my sincere hope that the Nerds will continue to mobilize, and pull the rug out from under these assholes. Fix DNS now, please, and thanks in advance.

