
Alignment of Interests in DNS Blocking

I’ve written recently about a general purpose method called DNS Response Policy Zones (DNS RPZ) for publishing and consuming DNS reputation data to enable a market between security companies who can do the research necessary to find out where the Internet’s bad stuff is and network operators who don’t want their users to be victims of that bad stuff. I’ve also tried to explain why lawfully mandated blocking is wrong-headed and will produce no desirable results but many undesirable ones. During an extensive walking tour of the US Capitol last week to discuss a technical whitepaper with members of both parties and both houses of the legislature, I was asked several times why the DNS RPZ technology would not work for implementing something like PROTECT-IP. Now home from my travels, I’m putting the answer I gave in DC on the record here.

Let’s imagine that some reputation source such as the US Department of Justice or a security company like Microsoft or Trend Micro produces a list of domain names that it describes as “bad”. The exact nature of the badness could be anything from “sells unlicensed copies of Hollywood blockbusters” to “will try to infect your computer with malware.” Imagine in each case that some common format like DNS RPZ is used to publish this list of bad domain names. Finally, let’s imagine that some set of network operators decides to subscribe to this badness feed, either because the law requires that they do so or because they want to protect their users and customers from whatever the bad thing is. The effect of all this imagination should be that when the protected users try to access the bad domain names it will not work.
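As an added illustration (not code from the original article or from the RPZ specification), here is a small Python model of how a subscribing resolver consumes such a feed: a constructed RPZ zone lists the “bad” names as QNAME triggers whose CNAME targets encode the action, and each query is checked against them before the real answer is returned. It models only the QNAME-trigger subset of RPZ and assumes the placeholder zone apex rpz.example.

```python
"""Minimal model of DNS RPZ QNAME triggers (added example, not the RPZ
specification's or any resolver's own code). Sample records are constructed."""
from typing import Optional

# Constructed sample RPZ zone; "rpz.example" is a placeholder apex.
# RPZ encodes the action in the CNAME target: "." means NXDOMAIN,
# "*." means NODATA, "rpz-passthru." means answer normally.
SAMPLE_RPZ_ZONE = """
malware.test.rpz.example.        CNAME .
*.malware.test.rpz.example.      CNAME .
ads.test.rpz.example.            CNAME *.
safe.malware.test.rpz.example.   CNAME rpz-passthru.
"""

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def parse_rpz(zone_text: str, apex: str) -> dict:
    """Map each trigger name (with the zone apex stripped) to its action."""
    rules = {}
    suffix = "." + apex.rstrip(".") + "."
    for line in zone_text.strip().splitlines():
        owner, rtype, target = line.split()
        if rtype != "CNAME" or not owner.endswith(suffix):
            continue  # only CNAME-encoded QNAME triggers are modelled here
        trigger = owner[: -len(suffix)].lower()
        rules[trigger] = ACTIONS.get(target, "LOCAL-DATA")
    return rules


def lookup_policy(rules: dict, qname: str) -> Optional[str]:
    """Exact trigger wins; otherwise the most specific matching wildcard."""
    name = qname.rstrip(".").lower()
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):  # *.parent, then *.grandparent, ...
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return None  # no rule: the resolver answers as it normally would


def resolve(rules: dict, qname: str, real_answer: str) -> str:
    """Return the policy action, or the real answer when no rule blocks it."""
    action = lookup_policy(rules, qname)
    if action in (None, "PASSTHRU"):
        return real_answer
    return action
```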

What will those protected users do? I think there are three ways this can go.

If the thing the protected user could not access was a web site that would have tried to infect their computer with malware, or some other thing that they presumably do not want, they’ll think “oh great, my ISP is protecting me, I sure am glad I picked them and not one of their competitors” and they’ll pay their ISP bill on time and maybe send a little extra this month as a “tip” for the wonderful service.

If the thing the protected user could not access was a web site selling unlicensed copies of Hollywood blockbusters and the user didn’t realize this, they’ll think “oh wow, I had no idea, I really ought to stop searching for the $1.00 version of this download and limit my searches to more reputable companies” and off they’ll go to iTunes or Amazon to look for a licensed copy of the movie and future movies.

However, if the thing the protected user could not access was a web site selling unlicensed copies of Hollywood blockbusters and the user actually did know this, they’ll think “the content police are on the job and they’ve subverted my ISP” and they’ll invest ten minutes or so installing a VPN or thirty seconds or so installing a browser plugin to move their DNS activities outside of their ISP’s influence.

In other words, DNS RPZ and similar DNS blocking technologies work very well when the protected user’s interests are aligned with their ISP’s interests. It’s a huge convenience to have the domain names that would hurt a user not work any more—where the definition of “pain” is in the eyes of that user. On the other hand it’s merely a minor and temporary inconvenience to have domain names not work any more that the user likes and depends on but which hurt someone other than the user.

The reason this comes out as “mandated blocking doesn’t work” is that mandated blocking must inevitably target domain names that users have no interest in being protected from. There would be no need to mandate blocking of domain names users find harmful; the invisible hand of the market would automatically take care of the matter.

I apologize for my naivete on this subject in my earlier articles about DNS blocking. I thought it was well understood that all Internet users can trivially bypass their ISP’s DNS servers and that any kind of DNS blocking that a user doesn’t want will be ineffective.

By Paul Vixie, VP and Distinguished Engineer, AWS Security

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).

Does the Id always rule online? Christopher Parente  –  Jul 27, 2011 3:08 AM


That’s a clear explanation. It raises a question more philosophical than technical; please bear with me, I’m not an engineer.

Is your argument that if people want something online they will get it, so why bother trying to stop it? I’ve got a lot of libertarian blood in me too, but aren’t there SOME things people shouldn’t be able to get?

Or to phrase it another way, in your opinion is there ever an appropriate time to get in the way of “user interests.” Thanks.

No, there are limits. Paul Vixie  –  Jul 27, 2011 6:20 AM

At no time and in no way am I suggesting that the online world not be controlled.  The canonical example is child abuse materials but there are plenty of other things which society ought to say “no” to when it comes to the use of public infrastructure such as the Internet.  I won’t go into the .XXX debacle since it’s a corner case—some parts of society say no and other parts say yes and that makes it a rotten example for this.

But do consider spam and malware.  I reject the idea that the Internet and especially the Domain Name System (DNS) should work as well for spammers and malware authors as it does for everybody else—we (as in “We The People” or perhaps “We The Internet Users”) have to find a way to offer those malicious users a differentiated service level.  I said as much in Taking Back The DNS:

I am just not comfortable having my own resources used against me simply because I have no way to differentiate my service levels based on my estimate of the reputation of a domain or a domain registrant.

So, to be as clear as I know how to be, I am not saying anything goes or that anything should go.  The Internet is created by the people who use it and those people should be able to set some limits on how it can be used.

My topic in the article we’re both replying under is subtly different.  What I’m showing is that preventing the distribution of content that many users want is extremely difficult since users have a lot of easy alternatives when bypassing any kind of censorship.  One of the least practical places to prevent the distribution of content is by blocking DNS requests inside of Internet Access Providers, since users who don’t want their requests to be blocked in this way can easily find new and probably off-shore ways to handle their DNS needs while softly mumbling words to the effect that “up with this I shall not put”.

I’ll repeat again for the record that I want the United States economy to thrive and that since digital entertainment is one of my country’s chief exports I would like to see it better protected.  But whatever we do, especially where it involves government mandates, has to be a serious effort.  Mandated DNS blocking would be a very un-serious way of combatting online infringement.

Different emphasis The Famous Brett Watson  –  Jul 27, 2011 10:51 AM

Christopher Parente said, “Is your argument that if people want something online they will get it, so why bother trying to stop it?”

I think that’s the wrong emphasis for this issue. I would put it the other way around: “if people want to be protected from something, it doesn’t matter if they can bypass the protection mechanism.” This is the key to “alignment of interests”: when the protection mechanism is doing something that the protected party views as being in his interest, then he has no motivation to bypass the mechanism.

The converse is also true: if people don’t want to be “protected” from something, then it does matter if they can easily bypass the protection mechanism. Attempts to increase the difficulty of bypassing the system usually make the mechanism even more unpleasant (by imposing further restrictions), and thus further increase the motivation to bypass it: a vicious feedback effect.

The questions of who has what prerogative to restrict the actions of whom, and how they should or shouldn’t go about it, are separate and controversial matters. The issue at hand draws a fairly simple relationship between ease of circumvention and desire to circumvent. It’s stating the obvious when put that simply, but sometimes we need to emphasise obvious truths of this sort in order to clarify a more confusing bigger picture.

Paul Vixie said, “we… have to find a way to offer those malicious users a differentiated service level.”

I agree. In fact, I consider it a general design maxim for public-facing systems. In my PhD thesis, “Network Protocol Design with Machiavellian Robustness”, one of my summary “observations on design for Machiavellian robustness” is, “differing classes of service can be offered in accordance with differing expectations of acceptable use” [p81].

Good stuff Christopher Parente  –  Jul 27, 2011 12:18 PM

Thanks Paul. Final question—what percentage of users do you think we’re talking about here? In your post you give three scenarios—in the first two the user is not actively looking for unlicensed content, or at least doesn’t realize the content is forbidden.

In the third scenario, the user is aware and won’t tolerate being blocked. How large a number is this IYO, from the entire U.S. Internet population?

Brett—thanks for that info. When time allows I’ll be checking out your thesis for more on “differentiated services,” which sounds very interesting.

Population estimates Paul Vixie  –  Jul 27, 2011 2:35 PM

During the years 1920 to 1933, the 18th Amendment to the U.S. Constitution banned the sale, manufacture, and transportation of alcohol.  History records this as having been unsuccessful for all but the gangsters and bootleggers; any customer who wanted access to the forbidden materials could find easy workarounds, and this was pretty much most of the interested parties.  When the idea was scrapped, people awoke as if from a dream wondering “what the heck was it that ever made that seem like a good idea?”

I think a prohibition on the resolution of the domain names of infringing web sites would go about like that.  So while I don’t know what percentage of the United States’ internet population are “knowing infringers” I do expect that almost all of them will seek easy workarounds like off-shore DNS or VPN services or browser plugins that will let them go on living pretty much as they did before the law was passed.  The only real beneficiaries of all this will be the gangsters and bootleggers.
