SlideShare a Scribd company logo

Consequences of dns-based Internet filtering

Afnic
Afnic

The AFNIC Scientific Council has studied the technique of DNS-based Internet filtering and is sharing its report.

1 of 6
Download to read offline
Consequences of DNS-based Internet filtering 1 Report of the Afnic Scientific Council Consequences of DNS- based Internet filtering Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
Consequences of DNS-based Internet filtering 2 Consequences of DNS-based Internet filtering1 In France and around the world, Internet filtering has been a central issue in several recent events 2 and has been addressed in numerous decrees or bills (ARJEL 3, LOPPSI2 4, SOPA 5, PIPA 6, etc.). These legislative or regulatory initiatives involve various areas, from protecting against viruses and malware, to protecting children against pedo-pornography, prohibiting access to unauthorized online gaming sites, or the fight against piracy. Filtering, or blocking, can be done at IP address level as well as at domain name level. In this paper, the Afnic Scientific Council provides a situation report on the techniques that can be used when filtering is used at the naming level in the DNS (Domain Name System), and the foreseeable consequences of such measures. 1. Filtering of domain names Filtering consists in modifying the normal resolution of a name on a server to an IP address, either by blocking the response, or by replying with an error message, or by returning the address of another server generally indicating that access to the website in question is prohibited. Unlike telephone networks, which rely on a dedicated infrastructure, the DNS service, like the other services that use it (Web, Mail, etc.), relies on the Internet itself to exchange data. It should be noted that the DNS arrived relatively late in the history of the Internet, when the names of the devices connected could no longer be stored in a single file 7. 1 This text is based on excerpts from a reference document produced by the Council of European National Top-Level Domain Registries (CENTR), http://centr.org/system/files/agenda/attachment/centr-paper-blocking- 20120302.pdf 2 For information purposes only, see the following affairs : “Pirate Bay” (http://money.cnn.com/2012/01/20/technology/pirate_bay/index.htm), wikileaks (http://fr.wikipedia.org/wiki/WikiLeaks), copwatch (http://abonnes.lemonde.fr/societe/article/2011/10/14/la- justice-interdit-le-site-web-copwatch_1588162_3224.html)... 3 http://www.arjel.fr/ 4 http://fr.wikipedia.org/wiki/Loi_d'orientation_et_de_programmation_pour_la_performance_de_la_s%C3%A9 curit%C3%A9_int%C3%A9rieure 5 http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act 6 http://en.wikipedia.org/wiki/PROTECT_IP_Act 7 Historically, this information was stored in a hosts.txt file that is given priority over the DNS, even in the Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
Consequences of DNS-based Internet filtering 3 The DNS works in a distributed manner, according to an architecture in which the reference information is delegated to a very large number of stakeholders. Registries such as Afnic refer to servers that perform the mapping between domain names and IP addresses. To make the system both more robust and more efficient, three mechanisms are used: structuring the information hierarchically, the use of multiple server replicas, and the caching of the responses obtained. Information hierarchy is based on the structure of the domain name. For example, in order to resolve the name www.wikipedia.fr, a server, known as the root, is queried in order to refer to the name servers of the .fr zone, called a "Top-level" zone. One of the .fr servers in queried in turn in order to refer to the name servers of the wikipedia.fr zone (a zone delegated under the .fr zone). Finally, one of the name servers of wikipedia.fr in queried in turn. The latter then returns the IP address being sought (that of www.wikipedia.fr). Resolvers are used to iteratively process the queries described above. They require a minimal configuration, in particular having the list of the root servers IP addresses, and can be used to cache the responses in order to avoid overloading the DNS architecture. Public ISPs implement resolvers to be used by their customers. The addresses of those resolvers are provided to customers alongwith the other configuration settings. But the customers can easily configure another resolver address either on their home gateway (aka "box"), or on their computer. The number of resolvers in the world is very large (around ten million) and is steadily growing 8. Google 9 and OpenDNS currently provide this service. Users can even install their own resolvers on their computers. Blocking the mapping between domain names and IP addresses can therefore be done in two places, either at the level of the registry by no longer publishing information which will therefore gradually disappear from caches, or at the level of the resolvers. On the latter, filtering can be done by Black Lists provided by governmental or judicial authorities. This system depends on the cooperation of ISPs and other resolver operators to maintain the list in the configuration of the resolvers. In technical terms, blocking a resolution is available in some software distributions such as BIND (one of the most used), but this feature is not standardized 10. Note that we have very little hindsight with which to assess the impact of filtering at the country level. most modern operating systems.. 8 ICANN estimates their number to be about 10 million worldwide (http://blog.icann.org/2012/03/ten- million-dns-resolvers-on-the-internet/) 9 https://en.wikipedia.org/wiki/Google_Public_DNS 10 Since 2011 this software contains the RPZ option (Response Policy Zone) allowing a server to lie during the resolution process, either by returning an error message or another value. Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
Consequences of DNS-based Internet filtering 4 2. Filtering is relatively ineffective As long as the content remains online 11, filtering a domain name does not completely fulfill its objective. Users can still access the required content, either by directly entering the IP address of the server, or by putting the name-to-address mapping in a file on their machine. The site may also create alternative names that are not part of the list of blocked sites 12. If name resolution is filtered in a country, anonymous proxy https can be used to access (usually free of charge) content from another country. Search engines offer lists of proxies. The use of VPN (virtual private networks) is more complex, but offers more stability and fewer risks than the anonymous proxy http mechanism. This is because VPNs allow users to appear to be connected from another location. They often require a fee-paying account, but it is easily conceivable that a commercial site such as an online casino will pay this in exchange for its customers’ subscriptions. Users can also configure their machine or their box to use an alternative DNS resolver such as those available from Google or OpenDNS. In this case, the filtering performed by the operator becomes ineffective, unless the DNS lookups are blocked as well 13. In addition, for institutions using their own resolvers, blocking ISP resolvers has no effect. 3. Filtering increases the exposure of the user to threats The basic principle behind the DNS is that users must obtain the information they seek and enable them to access the required site. This is the reason why many security messages advise the user to check the name of the site in the URL bar before entering confidential data. Filtering and redirection weaken this rule. Users lose one of the trust seals when they consult a web site or receive email. Users may find that the content they want to access is still online, but the rules used to access it have changed. By changing the behavior of their browser or their machine (as indicated above), they can once again have access. These changes are likely to develop on a large scale. A proxy configured in this way can, without the user knowing it, divert traffic to another site, capture user traffic, and obtain confidential data. In most cases, the use made of these data, 11 It may even be replicated as shown by the case of Wikileaks or Copwatch. 12 The list of these workarounds is long, such as the piratebay servers, which can be accessed via the URL http://www.baiedespirates.be/ 13 Several protocols are currently being defined to encrypt requests to another resolver either by using TLS or by using as a resolution protocol a currently more standard format such as XML rather than HTTP. Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
Consequences of DNS-based Internet filtering 5 which are often personal, by the providers of these services is not controlled by the user. The implementation of alternative resolvers can also increase the risk of phishing. Take the case of users configuring their systems to access an online gaming site. A few days later, wishing to connect to their bank, they could be directed to a fake site, without realizing the relationship between the two events. Indirectly, blocking therefore expose the users to new threats. Filtering can also have significant side effects. Domain name-based blocking using the DNS cannot block a subset of pages or URLs for a site 14. On the contrary, blocking a domain name blocks all of the URLs using that name, i.e. a complete website. This is called overblocking. For example, one can easily imagine the disruption that would be caused by the complete blockage of Wikipedia, Facebook, or Dailymotion after the publication of specific illegal content (as was the case in the UK for an article on the music album "Virgin Killer" 15). Such opportunities for denial of service by complete blockage could result in abusive use. Numerous examples show that configuration errors or incorrect filtering can have adverse effects. For example, in 2006, bizar.dk, a Danish site, found itself blocked by error 16, which led the holder to threaten to sue the Danish police for libel, until the authorities apologized and removed the site from the block list. 4. The results of the AFNIC survey In 2012 Afnic published the latest edition of its "Technology Backdrop" 17 survey on the foreseeable technological trends and developments over the next ten years for Internet professionals and experts. Two of the survey’s questions are particularly relevant to this document. The questions are set out in the form of predictive assertions, and require an answer expressing the respondent’s level of agreement with the assertions. The first question / assertion (Q70 of the survey) is as follows: "Local DNS resolvers (caches installed on user machines) will take a significant part (25% or more) compared with ISP resolvers or "open" resolvers of the Google DNS type". The results of the survey show a 14 For a finer granularity, HTTP requests must be blocked, which results in significant additional cost. 15 http://www.ecrans.fr/Wikipedia-victime-collaterale-de,5883.html 16 http://translate.google.com/translate?hl=en&sl=da&tl=en&u=http%3A%2F%2Fwww.computerworld.dk %2Fart%2F33184%2Fpolitiet-erkender-censurbroeler-paa-nettet 17 http://www.afnic.fr/en/about-afnic/news/general-news/6391/show/the-internet-in-10-years- professionals-answer-the-afnic-survey.html Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
Consequences of DNS-based Internet filtering 6 divergence of forecasts between two "schools" (40% of the respondents agreed, 42% disagreed and 18% were undecided). We can nonetheless retain that 40% of the respondents still foresee the use of individual resolvers to replace common resolvers (whether they are those of the ISPs or those of an alternative provider such as Google DNS). The second question / assertion (Q71 of the survey) is as follows: "In the case of DNS requests sent through a third party (ISPs or suppliers of alternative solvers), the use of alternative solvers will exceed the use of one’s own ISP resolver service". Here again, there is a divergence between "two schools" (41% of the respondents agreed, 39% disagreed and 20% were undecided). Again, it can be noted that almost half of those who made a prediction foresee a gradual erosion of the use of the ISP resolvers in favor of alternative suppliers, leading to a reversal in the balance of power. In addition, the respondents who agreed with either of the two assertions above were questioned about the motivations for their response. A majority of them believe on the one hand that it will "allow a better guarantee of the integrity of responses," and on the other that it will "enable better performance." This illustrates the credit they give these alternative methods compared with the resolver of their own ISP. 5. Conclusion The DNS is an essential component in the architecture of the Internet. Many efforts are made to secure it, such as the introduction of cryptography to validate the responses with DNSSEC. The technical security provided by DNSSEC to protect the end-to-end integrity of the DNS against attacks by malicious intermediaries risks being disturbed by the introduction of filtering by altering the responses, and may compromise the adoption of these security extensions. In addition, for years, ISPs and e-commerce sites have educated users about common risks. By compromising the name resolution mechanism, and thus encouraging risky behavior, DNS filtering may reduce users’ confidence in e-commerce as a whole. The DNS was not designed to filter content. If a decision on the use of blocking based on the DNS or other techniques were to be contemplated, it should be evaluated in terms of the proportionality between the objective and the relative effectiveness of the measure, and take into account the consequences outlined above 18. 18 http://www.securityweek.com/dns-blocking-where-technical-considerations-meet-political-considerations Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr

Recommended

DNS Advanced Attacks and Analysis
DNS Advanced Attacks and AnalysisDNS Advanced Attacks and Analysis
DNS Advanced Attacks and Analysis
CSCJournals
 
Common Network Services
Common Network ServicesCommon Network Services
Common Network Services
ŐŔaṉģ Zaib
 
Internet Introduction
Internet IntroductionInternet Introduction
Internet Introduction
Dr Vijay Pithadia Director
 
Securing Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocolSecuring Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocol
Afnic
 
CIS 1203 Introduction to the Web
CIS 1203 Introduction to the WebCIS 1203 Introduction to the Web
CIS 1203 Introduction to the Web
Ross University School of Medicine
 
Lecture 3
Lecture 3Lecture 3
Lecture 3
M. Raihan
 
Application layer
Application layerApplication layer
Application layer
reshmadayma
 
Internet
InternetInternet
Internet
Mukul Kumar
 

Recommended

DNS Advanced Attacks and Analysis
DNS Advanced Attacks and AnalysisDNS Advanced Attacks and Analysis
DNS Advanced Attacks and Analysis
CSCJournals
 
Common Network Services
Common Network ServicesCommon Network Services
Common Network Services
ŐŔaṉģ Zaib
 
Internet Introduction
Internet IntroductionInternet Introduction
Internet Introduction
Dr Vijay Pithadia Director
 
Securing Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocolSecuring Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocol
Afnic
 
CIS 1203 Introduction to the Web
CIS 1203 Introduction to the WebCIS 1203 Introduction to the Web
CIS 1203 Introduction to the Web
Ross University School of Medicine
 
Lecture 3
Lecture 3Lecture 3
Lecture 3
M. Raihan
 
Application layer
Application layerApplication layer
Application layer
reshmadayma
 
Internet
InternetInternet
Internet
Mukul Kumar
 
Application layer
Application layerApplication layer
Application layer
AnithaRaj31
 
Bioinformatics - Internet
Bioinformatics - InternetBioinformatics - Internet
Bioinformatics - Internet
Dr.K.RameshKumar, Assistant Professor,Vivekananda College,Tiruvedakam West, Madurai
 
Protocol
ProtocolProtocol
Protocol
Dhairya Joshi
 
Ch02 e commerce
Ch02 e commerceCh02 e commerce
Ch02 e commerce
Muzammil Faisal
 
Assignment 01
Assignment 01Assignment 01
Assignment 01
JannatunFerdowsWilly
 
Web Technology Management Lecture II
Web Technology Management Lecture IIWeb Technology Management Lecture II
Web Technology Management Lecture II
sopekmir
 
Implementation Of real testbed of DDOS
Implementation Of real testbed of DDOSImplementation Of real testbed of DDOS
Implementation Of real testbed of DDOS
Jatin Singh
 
Assignment 01
Assignment 01Assignment 01
Assignment 01
MosharafHossen9
 
Tragbares Designsprech
Tragbares DesignsprechTragbares Designsprech
Tragbares Designsprech
Benny Reimold
 
Trat a psicosis
Trat a psicosisTrat a psicosis
Trat a psicosis
Guzman Madriz
 
Langstrecke Gesamt
Langstrecke GesamtLangstrecke Gesamt
Langstrecke Gesamtbw2011
 
Hochzeitsmappe Schlosshotel Mondsee
Hochzeitsmappe Schlosshotel MondseeHochzeitsmappe Schlosshotel Mondsee
Hochzeitsmappe Schlosshotel Mondsee
Hotel Schloss Mondsee
 
HSG Gastvortrag Storytelling Praxis
HSG Gastvortrag Storytelling PraxisHSG Gastvortrag Storytelling Praxis
HSG Gastvortrag Storytelling Praxis
Corporate Dialog GmbH
 
La ville en marche - Etudes Urbaines - EIVP 2012
La ville en marche - Etudes Urbaines - EIVP 2012La ville en marche - Etudes Urbaines - EIVP 2012
La ville en marche - Etudes Urbaines - EIVP 2012
Brice Marquet
 
PSFK Future of Retail 2015 Report - Summary Presentation
PSFK Future of Retail 2015 Report - Summary PresentationPSFK Future of Retail 2015 Report - Summary Presentation
PSFK Future of Retail 2015 Report - Summary Presentation
PSFK
 
Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152
huynhvanphuc
 
Serverless (Distributed computing)
Serverless (Distributed computing)Serverless (Distributed computing)
Serverless (Distributed computing)
Sri Prasanna
 
O.s. lab all_experimets
O.s. lab all_experimetsO.s. lab all_experimets
O.s. lab all_experimets
Guru Janbheshver University, Hisar
 
Introduction to Information Technology Lecture Slides PPT
Introduction to Information Technology Lecture Slides PPTIntroduction to Information Technology Lecture Slides PPT
Introduction to Information Technology Lecture Slides PPT
Osama Yousaf
 
Network Testing ques
Network Testing quesNetwork Testing ques
Network Testing ques
Pragya Rastogi
 
untitled_document.pptx
untitled_document.pptxuntitled_document.pptx
untitled_document.pptx
RuuSpy
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications I
Josep Bardallo
 

More Related Content

What's hot

Application layer
Application layerApplication layer
Application layer
AnithaRaj31
 
Bioinformatics - Internet
Bioinformatics - InternetBioinformatics - Internet
Bioinformatics - Internet
Dr.K.RameshKumar, Assistant Professor,Vivekananda College,Tiruvedakam West, Madurai
 
Protocol
ProtocolProtocol
Protocol
Dhairya Joshi
 
Ch02 e commerce
Ch02 e commerceCh02 e commerce
Ch02 e commerce
Muzammil Faisal
 
Assignment 01
Assignment 01Assignment 01
Assignment 01
JannatunFerdowsWilly
 
Web Technology Management Lecture II
Web Technology Management Lecture IIWeb Technology Management Lecture II
Web Technology Management Lecture II
sopekmir
 
Implementation Of real testbed of DDOS
Implementation Of real testbed of DDOSImplementation Of real testbed of DDOS
Implementation Of real testbed of DDOS
Jatin Singh
 
Assignment 01
Assignment 01Assignment 01
Assignment 01
MosharafHossen9
 

What's hot (8)

Application layer
Application layerApplication layer
Application layer
 
Bioinformatics - Internet
Bioinformatics - InternetBioinformatics - Internet
Bioinformatics - Internet
 
Protocol
ProtocolProtocol
Protocol
 
Ch02 e commerce
Ch02 e commerceCh02 e commerce
Ch02 e commerce
 
Assignment 01
Assignment 01Assignment 01
Assignment 01
 
Web Technology Management Lecture II
Web Technology Management Lecture IIWeb Technology Management Lecture II
Web Technology Management Lecture II
 
Implementation Of real testbed of DDOS
Implementation Of real testbed of DDOSImplementation Of real testbed of DDOS
Implementation Of real testbed of DDOS
 
Assignment 01
Assignment 01Assignment 01
Assignment 01
 

Viewers also liked

Tragbares Designsprech
Tragbares DesignsprechTragbares Designsprech
Tragbares Designsprech
Benny Reimold
 
Trat a psicosis
Trat a psicosisTrat a psicosis
Trat a psicosis
Guzman Madriz
 
Langstrecke Gesamt
Langstrecke GesamtLangstrecke Gesamt
Langstrecke Gesamtbw2011
 
Hochzeitsmappe Schlosshotel Mondsee
Hochzeitsmappe Schlosshotel MondseeHochzeitsmappe Schlosshotel Mondsee
Hochzeitsmappe Schlosshotel Mondsee
Hotel Schloss Mondsee
 
HSG Gastvortrag Storytelling Praxis
HSG Gastvortrag Storytelling PraxisHSG Gastvortrag Storytelling Praxis
HSG Gastvortrag Storytelling Praxis
Corporate Dialog GmbH
 
La ville en marche - Etudes Urbaines - EIVP 2012
La ville en marche - Etudes Urbaines - EIVP 2012La ville en marche - Etudes Urbaines - EIVP 2012
La ville en marche - Etudes Urbaines - EIVP 2012
Brice Marquet
 
PSFK Future of Retail 2015 Report - Summary Presentation
PSFK Future of Retail 2015 Report - Summary PresentationPSFK Future of Retail 2015 Report - Summary Presentation
PSFK Future of Retail 2015 Report - Summary Presentation
PSFK
 

Viewers also liked (7)

Tragbares Designsprech
Tragbares DesignsprechTragbares Designsprech
Tragbares Designsprech
 
Trat a psicosis
Trat a psicosisTrat a psicosis
Trat a psicosis
 
Langstrecke Gesamt
Langstrecke GesamtLangstrecke Gesamt
Langstrecke Gesamt
 
Hochzeitsmappe Schlosshotel Mondsee
Hochzeitsmappe Schlosshotel MondseeHochzeitsmappe Schlosshotel Mondsee
Hochzeitsmappe Schlosshotel Mondsee
 
HSG Gastvortrag Storytelling Praxis
HSG Gastvortrag Storytelling PraxisHSG Gastvortrag Storytelling Praxis
HSG Gastvortrag Storytelling Praxis
 
La ville en marche - Etudes Urbaines - EIVP 2012
La ville en marche - Etudes Urbaines - EIVP 2012La ville en marche - Etudes Urbaines - EIVP 2012
La ville en marche - Etudes Urbaines - EIVP 2012
 
PSFK Future of Retail 2015 Report - Summary Presentation
PSFK Future of Retail 2015 Report - Summary PresentationPSFK Future of Retail 2015 Report - Summary Presentation
PSFK Future of Retail 2015 Report - Summary Presentation
 

Similar to Consequences of dns-based Internet filtering

Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152
huynhvanphuc
 
Serverless (Distributed computing)
Serverless (Distributed computing)Serverless (Distributed computing)
Serverless (Distributed computing)
Sri Prasanna
 
O.s. lab all_experimets
O.s. lab all_experimetsO.s. lab all_experimets
O.s. lab all_experimets
Guru Janbheshver University, Hisar
 
Introduction to Information Technology Lecture Slides PPT
Introduction to Information Technology Lecture Slides PPTIntroduction to Information Technology Lecture Slides PPT
Introduction to Information Technology Lecture Slides PPT
Osama Yousaf
 
Network Testing ques
Network Testing quesNetwork Testing ques
Network Testing ques
Pragya Rastogi
 
untitled_document.pptx
untitled_document.pptxuntitled_document.pptx
untitled_document.pptx
RuuSpy
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications I
Josep Bardallo
 
Footprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdfFootprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdf
sdfghj21
 
Introduction internet appli
Introduction internet appliIntroduction internet appli
Introduction internet appli
Theon Jum
 
Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS Server
Prabhakar Thota
 
A taxonomy of botnet detection approaches
A taxonomy of botnet detection approachesA taxonomy of botnet detection approaches
A taxonomy of botnet detection approaches
Fabrizio Farinacci
 
Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011
Serious_SamSoul
 
Global Transition Of Internet Protocol
Global Transition Of Internet ProtocolGlobal Transition Of Internet Protocol
Global Transition Of Internet Protocol
Miles Priar
 
English ._..pptx
English ._..pptxEnglish ._..pptx
English ._..pptx
AndrsLpez752065
 
Report on intranet
Report on intranetReport on intranet
Report on intranet
Amandeep Kaur
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
Milad Es'Haghi
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
sonuagain
 
Free net
Free netFree net
Free net
Rajesh Bodapati
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
Courtland Smith
 
Finding the source of Ransomware - Wire data analytics
Finding the source of Ransomware - Wire data analyticsFinding the source of Ransomware - Wire data analytics
Finding the source of Ransomware - Wire data analytics
NetFort
 

Similar to Consequences of dns-based Internet filtering (20)

Detecting dns-tunneling-34152
Detecting dns-tunneling-34152Detecting dns-tunneling-34152
Detecting dns-tunneling-34152
 
Serverless (Distributed computing)
Serverless (Distributed computing)Serverless (Distributed computing)
Serverless (Distributed computing)
 
O.s. lab all_experimets
O.s. lab all_experimetsO.s. lab all_experimets
O.s. lab all_experimets
 
Introduction to Information Technology Lecture Slides PPT
Introduction to Information Technology Lecture Slides PPTIntroduction to Information Technology Lecture Slides PPT
Introduction to Information Technology Lecture Slides PPT
 
Network Testing ques
Network Testing quesNetwork Testing ques
Network Testing ques
 
untitled_document.pptx
untitled_document.pptxuntitled_document.pptx
untitled_document.pptx
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications I
 
Footprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdfFootprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdf
 
Introduction internet appli
Introduction internet appliIntroduction internet appli
Introduction internet appli
 
Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS Server
 
A taxonomy of botnet detection approaches
A taxonomy of botnet detection approachesA taxonomy of botnet detection approaches
A taxonomy of botnet detection approaches
 
Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011Lecture 4 -_internet_infrastructure_2_updated_2011
Lecture 4 -_internet_infrastructure_2_updated_2011
 
Global Transition Of Internet Protocol
Global Transition Of Internet ProtocolGlobal Transition Of Internet Protocol
Global Transition Of Internet Protocol
 
English ._..pptx
English ._..pptxEnglish ._..pptx
English ._..pptx
 
Report on intranet
Report on intranetReport on intranet
Report on intranet
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
 
Free net
Free netFree net
Free net
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
 
Finding the source of Ransomware - Wire data analytics
Finding the source of Ransomware - Wire data analyticsFinding the source of Ransomware - Wire data analytics
Finding the source of Ransomware - Wire data analytics
 

More from Afnic

Alternative Dispute Resolution Trends 2015 (1st Semester)
Alternative Dispute Resolution Trends 2015 (1st Semester)Alternative Dispute Resolution Trends 2015 (1st Semester)
Alternative Dispute Resolution Trends 2015 (1st Semester)
Afnic
 
Tendances PARL 2015 (1er trimestre)
Tendances PARL 2015 (1er trimestre)Tendances PARL 2015 (1er trimestre)
Tendances PARL 2015 (1er trimestre)
Afnic
 
Sécuriser les communications sur Internet de bout-en-bout avec le protocole DANE
Sécuriser les communications sur Internet de bout-en-bout avec le protocole DANESécuriser les communications sur Internet de bout-en-bout avec le protocole DANE
Sécuriser les communications sur Internet de bout-en-bout avec le protocole DANE
Afnic
 
Deploying DNSSEC: what, how and where ?
Deploying DNSSEC: what, how and where ?Deploying DNSSEC: what, how and where ?
Deploying DNSSEC: what, how and where ?
Afnic
 
Déployer DNSSEC, comment, quoi, où ?
Déployer DNSSEC, comment, quoi, où ?Déployer DNSSEC, comment, quoi, où ?
Déployer DNSSEC, comment, quoi, où ?
Afnic
 
.fr domain name life cycle
.fr domain name life cycle .fr domain name life cycle
.fr domain name life cycle
Afnic
 
Cycle de vie d'un nom de domaine en .fr
Cycle de vie d'un nom de domaine en .frCycle de vie d'un nom de domaine en .fr
Cycle de vie d'un nom de domaine en .fr
Afnic
 
JCSA2013 08 - Isabelle Chrisment - L'initiative "PLATeforme d'observation de ...
JCSA2013 08 - Isabelle Chrisment - L'initiative "PLATeforme d'observation de ...JCSA2013 08 - Isabelle Chrisment - L'initiative "PLATeforme d'observation de ...
JCSA2013 08 - Isabelle Chrisment - L'initiative "PLATeforme d'observation de ...
Afnic
 
JCSA2013 07 Pierre Lorinquer & Samia M'timet - Observatoire de la résilience ...
JCSA2013 07 Pierre Lorinquer & Samia M'timet - Observatoire de la résilience ...JCSA2013 07 Pierre Lorinquer & Samia M'timet - Observatoire de la résilience ...
JCSA2013 07 Pierre Lorinquer & Samia M'timet - Observatoire de la résilience ...
Afnic
 
JCSA2013 06 Luigi Iannone - Le protocole LISP ("Locator/Identifier Sepration ...
JCSA2013 06 Luigi Iannone - Le protocole LISP ("Locator/Identifier Sepration ...JCSA2013 06 Luigi Iannone - Le protocole LISP ("Locator/Identifier Sepration ...
JCSA2013 06 Luigi Iannone - Le protocole LISP ("Locator/Identifier Sepration ...
Afnic
 
JCSA2013 05 Pascal Thubert - La frange polymorphe de l'Internet
JCSA2013 05 Pascal Thubert - La frange polymorphe de l'InternetJCSA2013 05 Pascal Thubert - La frange polymorphe de l'Internet
JCSA2013 05 Pascal Thubert - La frange polymorphe de l'Internet
Afnic
 
JCSA2013 04 Laurent Toutain - La frange polymorphe de l'Internet
JCSA2013 04 Laurent Toutain - La frange polymorphe de l'InternetJCSA2013 04 Laurent Toutain - La frange polymorphe de l'Internet
JCSA2013 04 Laurent Toutain - La frange polymorphe de l'Internet
Afnic
 
JCSA2013 03 Christian Jacquenet - Nouveau shéma d'acheminement de trafic déte...
JCSA2013 03 Christian Jacquenet - Nouveau shéma d'acheminement de trafic déte...JCSA2013 03 Christian Jacquenet - Nouveau shéma d'acheminement de trafic déte...
JCSA2013 03 Christian Jacquenet - Nouveau shéma d'acheminement de trafic déte...
Afnic
 
JCSA2013 02 Laurent Toutain - Introduction du Séminaire 2013
JCSA2013 02 Laurent Toutain - Introduction du Séminaire 2013JCSA2013 02 Laurent Toutain - Introduction du Séminaire 2013
JCSA2013 02 Laurent Toutain - Introduction du Séminaire 2013
Afnic
 
JCSA2013 01 Tutoriel Stéphane Bortzmeyer "Tout réseau a besoin d'identificate...
JCSA2013 01 Tutoriel Stéphane Bortzmeyer "Tout réseau a besoin d'identificate...JCSA2013 01 Tutoriel Stéphane Bortzmeyer "Tout réseau a besoin d'identificate...
JCSA2013 01 Tutoriel Stéphane Bortzmeyer "Tout réseau a besoin d'identificate...
Afnic
 
New gTLDs: a new Big Bang for domain names
New gTLDs: a new Big Bang for domain namesNew gTLDs: a new Big Bang for domain names
New gTLDs: a new Big Bang for domain names
Afnic
 
Nouvelles extensions Internet : un nouveau Big Bang pour les noms de domaine
Nouvelles extensions Internet : un nouveau Big Bang pour les noms de domaineNouvelles extensions Internet : un nouveau Big Bang pour les noms de domaine
Nouvelles extensions Internet : un nouveau Big Bang pour les noms de domaine
Afnic
 
Observatoire sur la résilience Internet en France-2012
Observatoire sur la résilience Internet en France-2012Observatoire sur la résilience Internet en France-2012
Observatoire sur la résilience Internet en France-2012
Afnic
 
Afnic Public Consultation overview on the Opening of 1 and 2 characters
Afnic Public Consultation overview on the Opening of 1 and 2 charactersAfnic Public Consultation overview on the Opening of 1 and 2 characters
Afnic Public Consultation overview on the Opening of 1 and 2 characters
Afnic
 
Synthèse de la Consultation publique Afnic sur l'ouverture 1 et 2 caractères
Synthèse de la Consultation publique Afnic sur l'ouverture 1 et 2 caractèresSynthèse de la Consultation publique Afnic sur l'ouverture 1 et 2 caractères
Synthèse de la Consultation publique Afnic sur l'ouverture 1 et 2 caractères
Afnic
 

More from Afnic (20)

Alternative Dispute Resolution Trends 2015 (1st Semester)
Alternative Dispute Resolution Trends 2015 (1st Semester)Alternative Dispute Resolution Trends 2015 (1st Semester)
Alternative Dispute Resolution Trends 2015 (1st Semester)
 
Tendances PARL 2015 (1er trimestre)
Tendances PARL 2015 (1er trimestre)Tendances PARL 2015 (1er trimestre)
Tendances PARL 2015 (1er trimestre)
 
Sécuriser les communications sur Internet de bout-en-bout avec le protocole DANE
Sécuriser les communications sur Internet de bout-en-bout avec le protocole DANESécuriser les communications sur Internet de bout-en-bout avec le protocole DANE
Sécuriser les communications sur Internet de bout-en-bout avec le protocole DANE
 
Deploying DNSSEC: what, how and where ?
Deploying DNSSEC: what, how and where ?Deploying DNSSEC: what, how and where ?
Deploying DNSSEC: what, how and where ?
 
Déployer DNSSEC, comment, quoi, où ?
Déployer DNSSEC, comment, quoi, où ?Déployer DNSSEC, comment, quoi, où ?
Déployer DNSSEC, comment, quoi, où ?
 
.fr domain name life cycle
.fr domain name life cycle .fr domain name life cycle
.fr domain name life cycle
 
Cycle de vie d'un nom de domaine en .fr
Cycle de vie d'un nom de domaine en .frCycle de vie d'un nom de domaine en .fr
Cycle de vie d'un nom de domaine en .fr
 
JCSA2013 08 - Isabelle Chrisment - L'initiative "PLATeforme d'observation de ...
JCSA2013 08 - Isabelle Chrisment - L'initiative "PLATeforme d'observation de ...JCSA2013 08 - Isabelle Chrisment - L'initiative "PLATeforme d'observation de ...
JCSA2013 08 - Isabelle Chrisment - L'initiative "PLATeforme d'observation de ...
 
JCSA2013 07 Pierre Lorinquer & Samia M'timet - Observatoire de la résilience ...
JCSA2013 07 Pierre Lorinquer & Samia M'timet - Observatoire de la résilience ...JCSA2013 07 Pierre Lorinquer & Samia M'timet - Observatoire de la résilience ...
JCSA2013 07 Pierre Lorinquer & Samia M'timet - Observatoire de la résilience ...
 
JCSA2013 06 Luigi Iannone - Le protocole LISP ("Locator/Identifier Sepration ...
JCSA2013 06 Luigi Iannone - Le protocole LISP ("Locator/Identifier Sepration ...JCSA2013 06 Luigi Iannone - Le protocole LISP ("Locator/Identifier Sepration ...
JCSA2013 06 Luigi Iannone - Le protocole LISP ("Locator/Identifier Sepration ...
 
JCSA2013 05 Pascal Thubert - La frange polymorphe de l'Internet
JCSA2013 05 Pascal Thubert - La frange polymorphe de l'InternetJCSA2013 05 Pascal Thubert - La frange polymorphe de l'Internet
JCSA2013 05 Pascal Thubert - La frange polymorphe de l'Internet
 
JCSA2013 04 Laurent Toutain - La frange polymorphe de l'Internet
JCSA2013 04 Laurent Toutain - La frange polymorphe de l'InternetJCSA2013 04 Laurent Toutain - La frange polymorphe de l'Internet
JCSA2013 04 Laurent Toutain - La frange polymorphe de l'Internet
 
JCSA2013 03 Christian Jacquenet - Nouveau shéma d'acheminement de trafic déte...
JCSA2013 03 Christian Jacquenet - Nouveau shéma d'acheminement de trafic déte...JCSA2013 03 Christian Jacquenet - Nouveau shéma d'acheminement de trafic déte...
JCSA2013 03 Christian Jacquenet - Nouveau shéma d'acheminement de trafic déte...
 
JCSA2013 02 Laurent Toutain - Introduction du Séminaire 2013
JCSA2013 02 Laurent Toutain - Introduction du Séminaire 2013JCSA2013 02 Laurent Toutain - Introduction du Séminaire 2013
JCSA2013 02 Laurent Toutain - Introduction du Séminaire 2013
 
JCSA2013 01 Tutoriel Stéphane Bortzmeyer "Tout réseau a besoin d'identificate...
JCSA2013 01 Tutoriel Stéphane Bortzmeyer "Tout réseau a besoin d'identificate...JCSA2013 01 Tutoriel Stéphane Bortzmeyer "Tout réseau a besoin d'identificate...
JCSA2013 01 Tutoriel Stéphane Bortzmeyer "Tout réseau a besoin d'identificate...
 
New gTLDs: a new Big Bang for domain names
New gTLDs: a new Big Bang for domain namesNew gTLDs: a new Big Bang for domain names
New gTLDs: a new Big Bang for domain names
 
Nouvelles extensions Internet : un nouveau Big Bang pour les noms de domaine
Nouvelles extensions Internet : un nouveau Big Bang pour les noms de domaineNouvelles extensions Internet : un nouveau Big Bang pour les noms de domaine
Nouvelles extensions Internet : un nouveau Big Bang pour les noms de domaine
 
Observatoire sur la résilience Internet en France-2012
Observatoire sur la résilience Internet en France-2012Observatoire sur la résilience Internet en France-2012
Observatoire sur la résilience Internet en France-2012
 
Afnic Public Consultation overview on the Opening of 1 and 2 characters
Afnic Public Consultation overview on the Opening of 1 and 2 charactersAfnic Public Consultation overview on the Opening of 1 and 2 characters
Afnic Public Consultation overview on the Opening of 1 and 2 characters
 
Synthèse de la Consultation publique Afnic sur l'ouverture 1 et 2 caractères
Synthèse de la Consultation publique Afnic sur l'ouverture 1 et 2 caractèresSynthèse de la Consultation publique Afnic sur l'ouverture 1 et 2 caractères
Synthèse de la Consultation publique Afnic sur l'ouverture 1 et 2 caractères
 

Consequences of dns-based Internet filtering

  • 1. Consequences of DNS-based Internet filtering 1 Report of the Afnic Scientific Council Consequences of DNS- based Internet filtering Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
  • 2. Consequences of DNS-based Internet filtering 2 Consequences of DNS-based Internet filtering1 In France and around the world, Internet filtering has been a central issue in several recent events 2 and has been addressed in numerous decrees or bills (ARJEL 3, LOPPSI2 4, SOPA 5, PIPA 6, etc.). These legislative or regulatory initiatives involve various areas, from protecting against viruses and malware, to protecting children against pedo-pornography, prohibiting access to unauthorized online gaming sites, or the fight against piracy. Filtering, or blocking, can be done at IP address level as well as at domain name level. In this paper, the Afnic Scientific Council provides a situation report on the techniques that can be used when filtering is used at the naming level in the DNS (Domain Name System), and the foreseeable consequences of such measures. 1. Filtering of domain names Filtering consists in modifying the normal resolution of a name on a server to an IP address, either by blocking the response, or by replying with an error message, or by returning the address of another server generally indicating that access to the website in question is prohibited. Unlike telephone networks, which rely on a dedicated infrastructure, the DNS service, like the other services that use it (Web, Mail, etc.), relies on the Internet itself to exchange data. It should be noted that the DNS arrived relatively late in the history of the Internet, when the names of the devices connected could no longer be stored in a single file 7. 1 This text is based on excerpts from a reference document produced by the Council of European National Top-Level Domain Registries (CENTR), http://centr.org/system/files/agenda/attachment/centr-paper-blocking- 20120302.pdf 2 For information purposes only, see the following affairs : “Pirate Bay” (http://money.cnn.com/2012/01/20/technology/pirate_bay/index.htm), wikileaks (http://fr.wikipedia.org/wiki/WikiLeaks), copwatch (http://abonnes.lemonde.fr/societe/article/2011/10/14/la- justice-interdit-le-site-web-copwatch_1588162_3224.html)... 3 http://www.arjel.fr/ 4 http://fr.wikipedia.org/wiki/Loi_d'orientation_et_de_programmation_pour_la_performance_de_la_s%C3%A9 curit%C3%A9_int%C3%A9rieure 5 http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act 6 http://en.wikipedia.org/wiki/PROTECT_IP_Act 7 Historically, this information was stored in a hosts.txt file that is given priority over the DNS, even in the Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
  • 3. Consequences of DNS-based Internet filtering 3 The DNS works in a distributed manner, according to an architecture in which the reference information is delegated to a very large number of stakeholders. Registries such as Afnic refer to servers that perform the mapping between domain names and IP addresses. To make the system both more robust and more efficient, three mechanisms are used: structuring the information hierarchically, the use of multiple server replicas, and the caching of the responses obtained. Information hierarchy is based on the structure of the domain name. For example, in order to resolve the name www.wikipedia.fr, a server, known as the root, is queried in order to refer to the name servers of the .fr zone, called a "Top-level" zone. One of the .fr servers in queried in turn in order to refer to the name servers of the wikipedia.fr zone (a zone delegated under the .fr zone). Finally, one of the name servers of wikipedia.fr in queried in turn. The latter then returns the IP address being sought (that of www.wikipedia.fr). Resolvers are used to iteratively process the queries described above. They require a minimal configuration, in particular having the list of the root servers IP addresses, and can be used to cache the responses in order to avoid overloading the DNS architecture. Public ISPs implement resolvers to be used by their customers. The addresses of those resolvers are provided to customers alongwith the other configuration settings. But the customers can easily configure another resolver address either on their home gateway (aka "box"), or on their computer. The number of resolvers in the world is very large (around ten million) and is steadily growing 8. Google 9 and OpenDNS currently provide this service. Users can even install their own resolvers on their computers. Blocking the mapping between domain names and IP addresses can therefore be done in two places, either at the level of the registry by no longer publishing information which will therefore gradually disappear from caches, or at the level of the resolvers. On the latter, filtering can be done by Black Lists provided by governmental or judicial authorities. This system depends on the cooperation of ISPs and other resolver operators to maintain the list in the configuration of the resolvers. In technical terms, blocking a resolution is available in some software distributions such as BIND (one of the most used), but this feature is not standardized 10. Note that we have very little hindsight with which to assess the impact of filtering at the country level. most modern operating systems.. 8 ICANN estimates their number to be about 10 million worldwide (http://blog.icann.org/2012/03/ten- million-dns-resolvers-on-the-internet/) 9 https://en.wikipedia.org/wiki/Google_Public_DNS 10 Since 2011 this software contains the RPZ option (Response Policy Zone) allowing a server to lie during the resolution process, either by returning an error message or another value. Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
  • 4. Consequences of DNS-based Internet filtering 4 2. Filtering is relatively ineffective As long as the content remains online 11, filtering a domain name does not completely fulfill its objective. Users can still access the required content, either by directly entering the IP address of the server, or by putting the name-to-address mapping in a file on their machine. The site may also create alternative names that are not part of the list of blocked sites 12. If name resolution is filtered in a country, anonymous proxy https can be used to access (usually free of charge) content from another country. Search engines offer lists of proxies. The use of VPN (virtual private networks) is more complex, but offers more stability and fewer risks than the anonymous proxy http mechanism. This is because VPNs allow users to appear to be connected from another location. They often require a fee-paying account, but it is easily conceivable that a commercial site such as an online casino will pay this in exchange for its customers’ subscriptions. Users can also configure their machine or their box to use an alternative DNS resolver such as those available from Google or OpenDNS. In this case, the filtering performed by the operator becomes ineffective, unless the DNS lookups are blocked as well 13. In addition, for institutions using their own resolvers, blocking ISP resolvers has no effect. 3. Filtering increases the exposure of the user to threats The basic principle behind the DNS is that users must obtain the information they seek and enable them to access the required site. This is the reason why many security messages advise the user to check the name of the site in the URL bar before entering confidential data. Filtering and redirection weaken this rule. Users lose one of the trust seals when they consult a web site or receive email. Users may find that the content they want to access is still online, but the rules used to access it have changed. By changing the behavior of their browser or their machine (as indicated above), they can once again have access. These changes are likely to develop on a large scale. A proxy configured in this way can, without the user knowing it, divert traffic to another site, capture user traffic, and obtain confidential data. In most cases, the use made of these data, 11 It may even be replicated as shown by the case of Wikileaks or Copwatch. 12 The list of these workarounds is long, such as the piratebay servers, which can be accessed via the URL http://www.baiedespirates.be/ 13 Several protocols are currently being defined to encrypt requests to another resolver either by using TLS or by using as a resolution protocol a currently more standard format such as XML rather than HTTP. Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
  • 5. Consequences of DNS-based Internet filtering 5 which are often personal, by the providers of these services is not controlled by the user. The implementation of alternative resolvers can also increase the risk of phishing. Take the case of users configuring their systems to access an online gaming site. A few days later, wishing to connect to their bank, they could be directed to a fake site, without realizing the relationship between the two events. Indirectly, blocking therefore expose the users to new threats. Filtering can also have significant side effects. Domain name-based blocking using the DNS cannot block a subset of pages or URLs for a site 14. On the contrary, blocking a domain name blocks all of the URLs using that name, i.e. a complete website. This is called overblocking. For example, one can easily imagine the disruption that would be caused by the complete blockage of Wikipedia, Facebook, or Dailymotion after the publication of specific illegal content (as was the case in the UK for an article on the music album "Virgin Killer" 15). Such opportunities for denial of service by complete blockage could result in abusive use. Numerous examples show that configuration errors or incorrect filtering can have adverse effects. For example, in 2006, bizar.dk, a Danish site, found itself blocked by error 16, which led the holder to threaten to sue the Danish police for libel, until the authorities apologized and removed the site from the block list. 4. The results of the AFNIC survey In 2012 Afnic published the latest edition of its "Technology Backdrop" 17 survey on the foreseeable technological trends and developments over the next ten years for Internet professionals and experts. Two of the survey’s questions are particularly relevant to this document. The questions are set out in the form of predictive assertions, and require an answer expressing the respondent’s level of agreement with the assertions. The first question / assertion (Q70 of the survey) is as follows: "Local DNS resolvers (caches installed on user machines) will take a significant part (25% or more) compared with ISP resolvers or "open" resolvers of the Google DNS type". The results of the survey show a 14 For a finer granularity, HTTP requests must be blocked, which results in significant additional cost. 15 http://www.ecrans.fr/Wikipedia-victime-collaterale-de,5883.html 16 http://translate.google.com/translate?hl=en&sl=da&tl=en&u=http%3A%2F%2Fwww.computerworld.dk %2Fart%2F33184%2Fpolitiet-erkender-censurbroeler-paa-nettet 17 http://www.afnic.fr/en/about-afnic/news/general-news/6391/show/the-internet-in-10-years- professionals-answer-the-afnic-survey.html Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr
  • 6. Consequences of DNS-based Internet filtering 6 divergence of forecasts between two "schools" (40% of the respondents agreed, 42% disagreed and 18% were undecided). We can nonetheless retain that 40% of the respondents still foresee the use of individual resolvers to replace common resolvers (whether they are those of the ISPs or those of an alternative provider such as Google DNS). The second question / assertion (Q71 of the survey) is as follows: "In the case of DNS requests sent through a third party (ISPs or suppliers of alternative solvers), the use of alternative solvers will exceed the use of one’s own ISP resolver service". Here again, there is a divergence between "two schools" (41% of the respondents agreed, 39% disagreed and 20% were undecided). Again, it can be noted that almost half of those who made a prediction foresee a gradual erosion of the use of the ISP resolvers in favor of alternative suppliers, leading to a reversal in the balance of power. In addition, the respondents who agreed with either of the two assertions above were questioned about the motivations for their response. A majority of them believe on the one hand that it will "allow a better guarantee of the integrity of responses," and on the other that it will "enable better performance." This illustrates the credit they give these alternative methods compared with the resolver of their own ISP. 5. Conclusion The DNS is an essential component in the architecture of the Internet. Many efforts are made to secure it, such as the introduction of cryptography to validate the responses with DNSSEC. The technical security provided by DNSSEC to protect the end-to-end integrity of the DNS against attacks by malicious intermediaries risks being disturbed by the introduction of filtering by altering the responses, and may compromise the adoption of these security extensions. In addition, for years, ISPs and e-commerce sites have educated users about common risks. By compromising the name resolution mechanism, and thus encouraging risky behavior, DNS filtering may reduce users’ confidence in e-commerce as a whole. The DNS was not designed to filter content. If a decision on the use of blocking based on the DNS or other techniques were to be contemplated, it should be evaluated in terms of the proportionality between the objective and the relative effectiveness of the measure, and take into account the consequences outlined above 18. 18 http://www.securityweek.com/dns-blocking-where-technical-considerations-meet-political-considerations Association Française pour le Nommage Internet en Coopération | www.afnic.fr | contact@afnic.fr Twitter : @AFNIC | Facebook : afnic.fr