
A Chain Saw is a Poor Choice for Surgery and for Blocking Web Content

The Internet creates extraordinary opportunities for large populations to monitor and influence politics and lawmaking. Engaged citizens have raised firestorms against antipiracy bills, while powerful lobbies urged politicians to mandate the use of technical measures to protect copyrights. Demonstrators have blogged or tweeted about anti-government protests from rally sites, circumventing governments’ best efforts to prevent the news media from reporting on these events.

In these scenarios, lobbyists and governments looked at the technical measures enterprises and ISPs had used to control user access to or remove content, and they hastily concluded, “This works for them. Why not for us?”

There are several scenarios where the motives to block or remove access are controversial. In some cases -- when technical measures to block access or remove content are incorporated badly into laws -- you end up choosing a chain saw for surgery where a laser or scalpel would suffice. Worse, you often don’t accomplish what you intended.

Yar! Pirates!

In the alphabet soup of antipiracy and content protection legislation, the Stop Online Piracy Act and Protect IP Act are poster children for incorporating technology into law badly. These bills would have mandated the use of DNS filtering to combat illegal use or distribution of intellectual property and copyrighted material.

These bills targeted rogue Websites offering access to copyrighted material. Specifically, they would have given the US attorney general the power to ask federal courts to order ISPs to prevent users from accessing rogue sites hosted outside the US by blacklisting the domain name (“DNS filtering”) and redirecting users to a page telling them the site violated copyrights.


This looks very similar to how an enterprise might configure its DNS servers when using a block list to filter spam domains. Those behind bills like SOPA see that this works for the enterprise, and they conclude it would also work at a national level. The difference is that an enterprise imposes the policy uniformly for all of its users and only for its users. The proposed bills targeted sites hosted outside the US. If they had passed, their mandated technical measures would have ultimately proven ineffective, because:

  1. The removal orders could be issued only to US ISPs.
  2. The orders would not compel hosting providers to remove content.
  3. The orders would not compel non-US ISPs to change their DNS servers to block rogue sites or redirect pirate domain names to the attorney general's notice.

The bottom line is that the content would remain there to be found, and determined users could use a non-US ISP’s resolver to circumvent DNS filters. In fact, workarounds became available as anti-SOPA sentiments intensified.

Great walls of fire


If SOPA had become law, it would have caused Internet users to receive different answers from the DNS depending on which resolver the user queried. This is exactly the kind of behavior that organizations with mobile workforces encounter when their people travel to countries where access to content is restricted.

In such countries, IP address blocking and URL or keyword filtering are used in conjunction with DNS filtering or redirection techniques to ensure that only state-sanctioned material is available to the population and visitors. The DNS measures are applied today on domain names, but the addition of the XXX top-level domain has caused other nations to investigate whether it is practical to block top-level domains in their entirety. The worry is not whether nations will block TLDs, but what technical measures they would use, how these measures would affect the global DNS, and whether the global Internet will eventually balkanize.

DNS is a critical component of your infrastructure, and some of the issues I’ve been discussing may cause you to think more about how you’re providing name service to your users. (See: Preventing Access or Removing Content: Laser, Scalpel, or Saw? and Shutdowns, Suspensions, & Seizures… Oh, My!) For example, when you consider how DNS blocking is used today, you might include “we’ve been blocked” scenarios as risk factors. My guess is you’ll realize it’s important to stay familiar with pending legislation and know how to remedy false positives.

You should also be thinking about measures you can take to ensure universal resolvability of domain names for your users, especially your mobile workforce. Configuring end points you administer to use name servers or resolvers that you operate or have managed on your behalf may be a proper course for your organization.
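To make the "we've been blocked" check concrete, here is an added example, not part of the original post: a Python routine that compares the answers several resolvers returned for names you care about with the answers from a resolver you operate. The resolver labels, domain names, addresses, and finding labels are all constructed for illustration.

```python
from collections import defaultdict

# Constructed observations: (resolver, name, rcode, addresses).
# Names use the reserved .example TLD; addresses are RFC 5737 documentation ranges.
OBSERVATIONS = [
    ("managed", "shop.example", "NOERROR",  {"192.0.2.10"}),
    ("managed", "news.example", "NOERROR",  {"192.0.2.20"}),
    ("managed", "cdn.example",  "NOERROR",  {"192.0.2.30", "192.0.2.31"}),
    ("hotel",   "shop.example", "NOERROR",  {"203.0.113.5"}),
    ("hotel",   "news.example", "NOERROR",  {"203.0.113.5"}),
    ("hotel",   "cdn.example",  "NOERROR",  {"192.0.2.31"}),
    ("isp-b",   "shop.example", "NXDOMAIN", set()),
    ("isp-b",   "news.example", "NOERROR",  {"192.0.2.20"}),
    ("isp-b",   "cdn.example",  "NOERROR",  {"198.51.100.7"}),
]

def find_divergence(observations, baseline="managed"):
    """Compare each resolver's answers with the baseline resolver's answers."""
    answers = defaultdict(dict)          # resolver -> name -> (rcode, addresses)
    for resolver, name, rcode, addrs in observations:
        answers[resolver][name] = (rcode, frozenset(addrs))
    base = answers[baseline]
    findings = []
    for resolver, names in answers.items():
        if resolver == baseline:
            continue
        # Record which names this resolver maps to each address.
        reuse = defaultdict(set)
        for name, (_, addrs) in names.items():
            for addr in addrs:
                reuse[addr].add(name)
        for name, (rcode, addrs) in sorted(names.items()):
            base_rcode, base_addrs = base.get(name, (None, frozenset()))
            if base_rcode != "NOERROR":
                continue                 # no trusted answer to compare against
            if rcode == "NXDOMAIN":
                findings.append((resolver, name, "blocked-nxdomain"))
            elif addrs.isdisjoint(base_addrs):
                # One address answering for several unrelated names looks like
                # a notice-page redirect; a lone unfamiliar address may only be
                # CDN or geographic variation and needs a human look.
                shared = any(len(reuse[a]) > 1 for a in addrs)
                label = "redirected" if shared else "differs-review"
                findings.append((resolver, name, label))
    return findings

if __name__ == "__main__":
    for finding in find_divergence(OBSERVATIONS):
        print(finding)
```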


Originally posted at The Champion Community 9 May 2012

Photos by StartAgain, robotson, redmind, LividFiction, teach42

