published at 12:12pm on 12/22/11
Update: As of January 20th, 2012, PIPA and SOPA have been postponed. That said, please read the rest of this piece to understand why mucking with the DNS system is a terrible, terrible idea and why any similar legislation in the future should not be allowed to pass.
“Well that didn’t take long…” emailed my coworker. “SOPA already doesn’t matter at all.”
He included a link to a Firefox plugin that would bypass the DNS blocking that could be used to enforce SOPA or similar legislation.
The interesting thing about the sentiment that “SOPA already doesn’t matter at all” is that it suggests that once there is a technological workaround to bad legislation then the legislation itself is nothing to be concerned about. Yet the exact opposite is true, especially when it comes to the very narrow piece of legislation that dictates that the mechanism for restricting access to offending sites is to compel US-based DNS providers to drop the offending sites off of the Internet.
You see, DNS is a pretty straightforward mechanism by which a domain name like “youtube.com” is converted into an IP address like “22.214.171.124”. This works like a big game of telephone: your computer first asks the name server it knows about whether it knows where “youtube.com” lives on the Internet. If it does, it tells you. If it doesn’t, it asks another server up the chain for the answer, and so on until an authoritative server returns a response.
The text of SOPA that affects the DNS mechanism reads as follows:
A service provider shall take technically feasible and reasonable measures designed to prevent access by its subscribers located within the United States to the foreign infringing site (or portion thereof) that is subject to the order, including measures designed to prevent the domain name of the foreign infringing site (or portion thereof) from resolving to that domain name’s Internet Protocol address.
This means that when you try to go to a website that the US Attorney General has decided should be blocked, your ISP will respond with a notice that tells you that the site is no longer available (like that page you get when you go to a Starbucks and they tell you that the Internet is being provided free by AT&T). But there’s a catch. The catch is that the website is still online. SOPA (and PROTECT IP) don’t actually have any provisions for taking the sites down. Instead, they just make it so your ISP can’t tell you where they are on the Internet.
I know what you’re wondering now – you’re wondering whether you could just tell your computer to use DNS servers that are outside of the US (where the law can’t dictate what they do) and have the system work exactly the same as it does now.
The answer, my friends, is yes. That is exactly what you can do.
If SOPA is passed, and if the DNS blocking that SOPA legislates starts being put into place, there are going to be numerous blog posts published telling users how to change their DNS servers to ones that are not restricted by the US government.
So why is this so bad?
Well, it’s bad because it breaks the technical promise that all DNS servers now make: that they will do their best to resolve a name into an IP address for you. You see, most of the Internet is made up of these promises. Nobody passed a law that said that DNS servers should work this way. This is just the mechanism that was developed, and that everyone decided would be a good idea for the good of the network as a whole. In fact, over the years there have been pushes for people to provide alternative DNS systems to the main one that we use today, but they never really caught on, because the Internet does not work unless everyone does the same thing. Once people stop trusting that their DNS servers are going to return the same address as someone else’s DNS servers, the trust in the underlying system breaks down. As a user, I already have the right to change the name servers that my computers use, but I will only do so if I know what I’m doing.
But if a site I’m going to is being blocked, and I know that the information I am looking for is still on the Internet, and I know I can easily get to it by plugging some foreign DNS servers into my computer, I will probably do so. In doing so, however, I have done two things. First, I have opened myself up to potential harm by using DNS servers that may or may not adhere to the original promise I was made in the first place. While my ISP’s name server might have been blocking the foreign site I was trying to get to, this new server might be blocking other sites, or redirecting me to phishing sites, without my knowing it. But even more than that, it establishes a world where the underlying DNS service can become fractured: a world where service providers can choose which names to resolve and which not to, because a precedent has been set for this behavior.
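To make the DNS walkthrough above and the risk of an untrusted resolver concrete, here is an added Python example (not part of the original post) that builds a DNS query, parses A-record answers from the wire format, and flags when resolvers disagree about the same name. The three resolvers and their replies are constructed inside the script using RFC 5737 documentation addresses, so nothing is sent over the network; the “blocking” and “redirecting” resolvers are hypothetical.

```python
import struct

def build_query(name, txid=0x1234):
    # Standard query with recursion desired, one question for an A record in class IN.
    qname = b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'
    return struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack('!HH', 1, 1)

def build_response(query, rcode, addrs, ttl=300):
    # Echo the question; each answer names its owner with a compression pointer (0xC00C) to offset 12.
    hdr = struct.pack('!HHHHHH', struct.unpack('!H', query[:2])[0], 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = query[12:]
    for a in addrs:
        body += b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, ttl, 4) + bytes(int(x) for x in a.split('.'))
    return hdr + body

def _skip_name(msg, off):
    # Advance past a domain name, whether spelled out in labels or ended by a compression pointer.
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_answer(msg):
    # Return (rcode, [IPv4 strings]) from a response; records other than A are skipped.
    _, flags, qd, an, _, _ = struct.unpack('!HHHHHH', msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        start = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from('!HHIH', msg, start)
        off = start + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append('.'.join(str(b) for b in msg[start + 10:start + 14]))
    return flags & 0xF, addrs

QUERY = build_query('example.com')
RESPONSES = {  # constructed replies from three hypothetical resolvers (RFC 5737 addresses, not real hosts)
    'isp_honest': build_response(QUERY, 0, ['203.0.113.10']),
    'isp_blocking': build_response(QUERY, 3, []),                    # NXDOMAIN: claims the name is gone
    'foreign_redirect': build_response(QUERY, 0, ['198.51.100.1']),  # answers, but with a lookalike host
}

def compare_resolvers(responses):
    # Parse every reply and flag when resolvers disagree about the same name.
    seen = {name: parse_a_answer(msg) for name, msg in responses.items()}
    divergent = len({(rc, tuple(a)) for rc, a in seen.values()}) > 1
    return seen, divergent
```

Cross-checking a name against more than one resolver is a simple way to notice that the “promise” has been broken, whether by a blocking order or by a resolver that quietly points you somewhere else.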
The Internet only works because everyone who participates in it agrees on the way things work. You cannot break that agreement and still have a functioning Internet.