Europe Planning A DNS Infrastructure With Built-In Filtering

Catalin Cimpanu, reporting for The Record, has found that the European Union wants to build a recursive DNS service that will be available to EU institutions and the European public. The reasons for building the service are manifold, including concerns that American DNS providers are not GDPR compliant and worries that much of Europe is dependent on (largely) American-based or -owned infrastructure.

As part of the European system, plans are for it to:

… come with built-in filtering capabilities that will be able to block DNS name resolutions for bad domains, such as those hosting malware, phishing sites, or other cybersecurity threats.

This filtering capability would be built using threat intelligence feeds provided by trusted partners, such as national CERT teams, and could be used to defend organizations across Europe from common malicious threats.

It is unclear if DNS4EU usage would be mandatory for all EU or national government organizations, but if so, it would grant organizations like CERT-EU more power and the agility it needs to block cyber-attacks as soon as they are detected.

In addition, EU officials also want to use DNS4EU’s filtering system to also block access to other types of prohibited content, which they say could be done based on court orders. While officials didn’t go into details, this most likely refers to domains showing child sexual abuse materials and copyright-infringing (pirated) content.1

By integrating censorship/blocking provisions as the policy level of the European DNS, there is a real risk that over time that same system might be used for untoward ends. Consider the rise of anti-LGBTQ laws in Hungary and Poland, and how those governments mights be motivated to block access to ‘prohibited content’ that is identified as such by anti-LGBTQ politicians.

While a reader might hope that the European courts could knock down these kinds of laws, their recurrence alone raises the spectre that content that is deemed socially undesirable by parties in power could be censored, even where there are legitimate human rights grounds that justify accessing the material in question.

  1. Boldface not in original. ↩︎

Finnish Residents Briefly Left in Cold After DDoS Attack

Per Motherboard:

Simo Rounela, CEO of Valtia, a Finnish company that manages the buildings, told Motherboard that the attack hit a DNS service; that is, servers that translate human-readable internet domain names into computer IP addresses.

Shortly after, Valtia received a number of alerts from one of their building’s automation systems, made by a company called Fidelix.

“Remote connection was not working, so went on-site for more inspections,” Rounela explained. The automated system controlling the heating, ventilation and hot water for the homes kept rebooting every 5 minutes. Eventually, it just didn’t boot-up anymore, he said.

We generally don’t understand the full impacts of connecting things to the Internet; it’s a hugely complex system that we can’t easily ‘fault test’ without breaking a lot of different services and systems. The result is that an attack on one aspect of the Internet – such as the DNS infrastructure – can have unexpected impacts around the world. It’s this potential for untold, and cross-national, impacts linked to cyber attacks that makes many of them so risky and dangerous to the general public.


Internet Census 2012


While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.

Super interesting research, though incredibly illegal and borderline ethical (at absolute best, and most charitable).


US Internet Imperialism Strikes (Again!)

Wired has run a decent piece surrounding unilateral American seizures of domain names by acting on critical infrastructure governed by US law. A key bit from the article to get you interested: was registered with a Canadian registrar, a VeriSign subcontractor, but the United States shuttered the site without any intervention from Canadian authorities or companies.

Instead, the feds went straight to VeriSign. It’s a powerful company deeply enmeshed in the backbone operations of the internet, including managing the .com infrastructure and operating root name servers. VeriSign has a cozy relationship with the federal government, and has long had a contract from the U.S. government to help manage the internet’s “root file” that is key to having a unified internet name system.

These domain seizures are a big deal. Despite what some have written, even a .ca address (such as the address country code top level domain linked to this website) could be subjected to a take down that leverages the root file. In effect, US copyright law combined with American control of critical Internet infrastructure is being used to radically extend America’s capability to mediate the speech rights of foreign citizens.

The capacity for the US to unilaterally impact the constitution of the Web is not a small matter: such actions threaten the sovereign right to establish policy and law that governs the lives of citizens living in countries like Canada, Russia, Australia, and Europe generally. Something must be done, and soon, before the Web – and the Internet with it – truly begins to fracture.


Comcast’s Catch-22 Position on SOPA

As noted by the folks over at Techdirt:

Just as NBC Universal and other SOPA supporters continue to insist that DNS redirect is completely compatible with DNSSEC… Comcast (and official SOPA/PIPA supporter) has rolled out DNSSEC, urged others to roll out DNSSEC and turned off its own DNS redirect system, stating clearly that DNS redirect is incompatible with DNSSEC, if you want to keep people secure. In the end, this certainly appears to suggest thatComcast is admitting that it cannot comply with SOPA/PIPA, even as the very same company is advocating for those laws.