IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

DNS shakeup could kill ISP filters

Architecture changes promise increased security via DNS encryption — at a price

Internet concept

ISPs, regulators and child-protection groups face a fight to maintain control over web traffic as a new DNS system threatens to neuter tools such as porn-blockers and anti-malware tools.

Firefox and Chrome plan to shift from DNS the "telephone book" that translates user page requests into IP addresses to a more secure version called DNS over HTTPS (DoH).

Until now, DNS requests have been unencrypted, meaning ISPs can see domain requests within traffic and block domains on blacklists, or sites known to host malware.

Many experts believe the proposed changes are overdue and represent an improvement in security and privacy. However, the shift threatens services such as the adult content filters operated by all of Britain's major ISPs, because they would no longer have the ability to filter out certain sites.

"Without cross-industry engagement, this step change has the potential to significantly impact operators' online harm protection capabilities, regulatory obligations and cybersecurity capabilities," BT's principal network architect Andy Fidler warned in a presentation to industry figures.

"DNS blocking is the most granular tool in the kit box used by UK ISPs to implement government and regulation blocking orders," he said. "If UK ISPs are no longer in the DNS path, they may not be able to fulfil certain domain-specific, court order blocking requests."

BT declined to comment on the content of the presentation, but said that it was working with the industry and officials to find a solution to a situation that could render anti-piracy and other tools obsolete.

BT referred us to a statement given by the ISP industry group, ISPA, whose chair Andrew Glover said that: "UK broadband providers are actively involved at a national and international level in ensuring that encrypted DNS is implemented in a way that does not break existing protections provided to UK internet users.

"If internet browser manufacturers switch on DNS encryption by default, they will potentially allow harmful online content to go unchecked."

Broken system

The debate over encrypting DNS has been raging for years amid fears that the system has been open to abuse. Experts claim the "loopholes" in the DNS system used by ISPs to block sites have also been exploited by hackers.

"DNS is fundamentally insecure," said Neil Brown, a network expert lawyer and founder of law firm Decoded Legal. "DNS is used or abused to do a number of things like content controls for court order site blocking. If you ask for the Pirate Bay, the number you get back isn't for the Pirate Bay."

With DoH turned on users could as they can currently choose DNS servers other than their ISP's own, but because the DNS information is encrypted it would bypass ISP monitoring. "Currently, I can choose to use a different DNS server than my ISP, but since DNS is unencrypted, my ISP can still watch ports and requests that I am making," said Brown. "If that is encrypted they cannot do so. It effectively goes through the ISP to the DNS server that you have chosen."

Child abuse concerns

Child protection advocates are angry at what they see as industry arrogance, claiming many site blocks are voluntary and that the system could scupper the Internet Watch Foundation's child-abuse blacklist.

"It has always been possible to opt out of using family filters or other types of protective software," said John Carr, an online child protection professional."There has generally always been an option for individuals to choose alternative DNS servers. But something on the scale now being contemplated, particularly if introduced by default, takes us to a whole other place, and not in a good way," Carr added.

The Internet Watch Foundation was unable to provide details of its plans to remedy the introduction of DNS over HTTPS, although it's understood that the watchdog's tools are more complex than merely blocking domains.

However, with increased pressure from governments to block content globally, many believe DoH is a natural progression to shore up a weakness that could be abused by bad actors. "Who would have thought that anything on the internet, architecture-wise, would stay the same forever?" asked Brown. "These controls have in some ways always been an abuse of the DNS system it may have been an abuse for a good reason but it was still an abuse.

"I'm surprised that anyone thought one solution should be the same forever and would stand still to protect one technical means of parental control, as if the internet should evolve around that one use."

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Most Popular

Empowering employees to truly work anywhere

Empowering employees to truly work anywhere

22 Nov 2022
Salesforce co-CEO Bret Taylor resigns with cryptic parting message
Business operations

Salesforce co-CEO Bret Taylor resigns with cryptic parting message

1 Dec 2022
The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

14 Nov 2022