The telcos/ISPs don’t control the root name servers. Any successful takedown order would only affect the named ISP’s DNS, and if this scheme comes anywhere near fruition instructions on how to change your machine’s DNS provider (a very simple task) will be even more widespread than they are already.
That’s why I am running my own resolver that directly queries the roots instead of being dependent on third parties. And, paired with my own DNS server, it allows me to do e.g. MITM attacks on devices that try to talk with some mothership and redirect them to my own infrastructure for tests.
Some ISPs are reported to redirect the port 53 traffic to their own servers, so using other ones is not normally possible. I have a thought… what about some DNS resolver servers that serve data on ALL ports (or a substantial range) instead of just 53? Still could be filtered by IP and by deep packet inspection, but would require more effort (and money).
Then there’s the good ol’ VPN approach, with getting the DNS traffic through the VPN itself. A free OpenVPN will do the job here. The wart is that you need a machine outside of the ISP’s infrastructure; but a few people could hire their own virtual host on a colocation in a different jurisdiction.
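An added example, not code from the thread, for the interception claim above: it hand-builds a DNS query, sends it to an address that can never legitimately run a resolver (192.0.2.1, from the RFC 5737 documentation range), and treats any reply as evidence that something in the path is answering port 53 on that address's behalf. The same probe on a non-standard port shows whether a resolver listening on extra ports would get through. The bogus address, the port 5353 and the sample reply built by `make_sample_response` are choices made for this example.

```python
"""Probe for transparent port-53 interception (added example, not from the thread).

A reply from 192.0.2.1 (documentation range, no real resolver there) means a
middlebox answered for it. A timeout is NOT proof of a clean path: some
networks simply drop packets to unrouted destinations.
"""
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, txid=None, qtype=QTYPE_A):
    """Wire-format DNS query: 12-byte header + QNAME + QTYPE + QCLASS."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1


def parse_response(data):
    """Extract txid, RCODE and any A-record answers from a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def make_sample_response(txid, name, ip):
    """Constructed reply for the offline demo; mimics what a resolver returns."""
    question = build_query(name, txid=txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + socket.inet_aton(ip)
    return header + question + rr


def probe(server, port=53, name="example.com", timeout=2.0):
    """Send one query over UDP; return the parsed reply or None on timeout."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    reply = parse_response(data)
    return reply if reply["txid"] == txid else None


def classify_bogus_probe(reply):
    """Any reply from an address that cannot host a resolver means interception."""
    return "intercepted" if reply is not None else "no interception observed"


if __name__ == "__main__":
    print("bogus 192.0.2.1:53   ->", classify_bogus_probe(probe("192.0.2.1")))
    print("bogus 192.0.2.1:5353 ->", classify_bogus_probe(probe("192.0.2.1", port=5353)))
    print("offline sample       ->", parse_response(make_sample_response(0x1234, "example.com", "192.0.2.10")))
```

To check for answer tampering rather than just redirection, compare the answers the same query gets from the ISP's resolver and from one you trust; a middlebox that rewrites answers will show up as a mismatch even when it preserves the transaction id.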
What we need is a simple API to point to a different set of root name servers. It’d be dangerous though.
The problem is that 99.9 percent of the people using the internet right now have zero idea what you just said.
They will learn fast. They are capable of it, when they must.
If we could get people to leave Instagram and Snapchat alone long enough, we might be able to explain things like DNS to them.
I see the rest of the world routing around the U.S. if they ever manage to get this through.
I’ve totally had it with the MPAA’s bullshit. It’s time to send a message to these asshats that we don’t appreciate their attempts to sabotage the internet.
Stop supporting anything that has to do with the MPAA; don’t go to their movie theaters, don’t buy their lousy popcorn and overpriced candy bars; don’t buy their DVDs or Blu-rays.
That’s the only language they can understand; if it affects their bottom line they may finally get a hint that their actions are NOT appreciated! It’s definitely time to send this message, folks!!!
There are many good ideas here.
DNS has been a good protocol, but it’s also a bit dodgy: a rogue server is easy and completely disruptive; it’s susceptible to drop-and-insert / man-in-the-middle; it’s easy to filter; speculation on names is just icky.
It’s also hugely important.
So maybe it’s time to look into other encrypted, distributed and smurf-resistant ideas. Meshes and Namecoin, of all things, come to mind.
Sometimes the vulnerabilities are useful. You may want to attack your own devices - a book reader or a wifi enabled camera that insists on uploading only to The Holy Cloud, or TV firmware updates, or an applet running on your “smart TV” that you want to feed with your own data.
Remember, citizen, you don’t own that book reader or that wifi enabled camera. You were granted a non-transferable, non-exclusive, non-sublicensable, limited right to use the equipment in a manner compatible with the EULA, whose terms may be changed without notice…
I possess it, I can get inside, I will get inside, that’s what matters. The rest is only words.
The corporate lawyers have only words. The engineers are those who ultimately control and shape the reality.
I’m happily using dnssec-trigger with unbound on my Fedora Linux hosts. unbound is a local recursive, caching nameserver, and dnssec-trigger is a plugin for NetworkManager that catches the nameservers pushed by DHCP and uses them as referrers, falling back to querying the root nameservers, to ensure dnssec validation whenever possible.
I’d noticed that DNS lookups with my OpenVPN provider were quite slow, so I’d just wanted to speed it up a bit, and I thought I’d look into lightweight alternatives to bind. I came across some discussion of including these tools as part of the default Fedora distribution for workstations.
DNSSEC is a suite of extensions to the DNS protocol that involves cryptographic signatures for domain name records, to guard against man-in-the-middle attacks. The main problems with it are that uptake is slow, and end users might not understand why their browser can’t access a site when DNSSEC validation fails.
It was pretty trivial to install dnssec-trigger and unbound in Fedora, except that I had to enable the unbound service myself.
In principle, you should be able to create a similar package for any operating system, so that users simply have to install it in order to gain some security against DNS spoofing and meddling with intermediate nameservers. More challenging would be getting more site admins to sign their name records in accordance with DNSSEC.
EDIT: Duh. They’ve already got versions of dnssec-trigger for Windows and OS X.
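A minimal unbound.conf for the setup described in this post and in the earlier one about running a resolver that queries the roots directly and redirects a device's "mothership" for tests. This is an added example, not configuration from either poster; the hostname updates.example.com, the LAN range 192.168.1.0/24 and the test host 192.168.1.50 are placeholders, and the file paths are the common Linux package defaults.

```conf
server:
    interface: 127.0.0.1
    interface: 192.168.1.1                     # placeholder LAN address
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow       # placeholder lab LAN

    # No forward-zone stanza: unbound iterates from the root servers itself.
    # root-hints is optional; unbound has built-in hints if the file is absent.
    root-hints: "/etc/unbound/root.hints"

    # DNSSEC validation. unbound-anchor keeps the root trust anchor current.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes

    # Weak setting: "yes" returns answers that FAIL validation (only the AD bit
    # is withheld), which silently hands the client a possibly forged record.
    # Keep it at "no" (the default) so a bad signature gives SERVFAIL instead.
    val-permissive-mode: no

    # Lab override: point a device's update host at your own test server.
    # "redirect" also covers every subdomain. local-data is synthesized and
    # unsigned, so a client that validates the real zone will notice; most
    # embedded devices do not validate.
    local-zone: "updates.example.com." redirect
    local-data: "updates.example.com. 300 IN A 192.168.1.50"

# dnssec-trigger installs and removes forwarders through unbound-control, so
# the control channel must be enabled when it manages this instance.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
```

Check the file with `unbound-checkconf` before restarting. To see validation working, `dig +dnssec www.nlnetlabs.nl @127.0.0.1` should return the `ad` flag and an RRSIG record; `dig updates.example.com @127.0.0.1` should return the override address without an RRSIG, which is exactly the difference a validating client would notice.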
It’s been a while since I’ve looked at DNSSEC deployment. With the help of a browser plugin to make it more convenient, I’ve been checking various technology related Websites, and in an hour of looking, the only sites I’ve found that actually use DNSSEC are sites for testing whether you’re configured to validate DNSSEC, and https://www.nlnetlabs.nl. Not even Websites that advocate the use of DNSSEC use it, nor does my domain registrar which offers DNSSEC signing for name records as a premium service.
So that’s a problem.
I would have thought that DNS could be argued to be no more an information system than the routing systems of a telephone exchange:
The routing system takes a request to connect to a given telephone number, and routes that to a particular pair of wires at a particular exchange. The DNS system takes a request to connect to a given URL, and routes that to a particular server.
Surely we should be arguing that an IP number is functionally equivalent to “pair X at such and such an exchange”, or at least to the routing instruction to connect a call to that pair?
The only problem with that, of course, is the MAFIAA arguing it the other way round, and demanding the privilege of stopping calls being routed to people whom they dislike.
[quote=“leehb9, post:9, topic:48625, full:true”]
Stop supporting anything that has to do with the MPAA; don’t go to their movie theaters, don’t buy their lousy popcorn and overpriced candybars…[/quote]
Note that content providers (i.e., the studios and the MPAA) generally don’t own theatres, and in fact the theatre-owners are often in a quasi-adversarial relationship with them. Refusing to purchase concessions will affect theatre-owners, but will have virtually no effect on the MPAA.
Well just about every Netflix subscriber in Canada (and elsewhere) has figured this out, in order to get the American catalog.
Isn’t deregulation the current policy? If it didn’t have this effect already why would it have it tomorrow?
The horrible, no-good, terrible part of this whole situation is that we can beat back the MPAA and RIAA a million times and they will keep coming back. No victory will ever be total victory. It’s like a form of terrorism or guerrilla warfare where the enemy is never defeated, only repelled for a short while. Fortunately, the EFF has taken up the fight along with other organizations, so there will always be (so long as we support them) a vigilant guard.