
Nation Scale Internet Filtering—Do’s and Don’ts

If a national government wants to prevent certain kinds of Internet communication inside its borders, the costs can be extreme and success will never be more than partial. VPN and tunnel technologies will keep improving as long as there is demand, and filtering or blocking out every such technology will be a never-ending game of one-upmanship. Everyone knows, and will always know, that determined Internet users will find a way to get to what they want, but sometimes the symbolic message is more important than the operational results. In this article, I will describe some current and prior approaches to this problem, and also make some recommendations for doing nation-state Internet filtering in the most responsible and constructive manner.

History, Background, and SOPA

For many years, China’s so-called Great Firewall has largely stopped law-abiding people, citizens and visitors alike, from accessing most of the Internet content that the Chinese government does not approve of. As a frequent visitor to China, I find it a little odd that my Verizon Wireless data roaming is implemented as a tunnel back to the USA, and is therefore unfiltered, whereas when I’m on a local WiFi network, I’m behind the Great Firewall, unable to access Facebook, Twitter, and so on. The downside of China’s approach is that I’ve been slow to expand my business there—I will not break the law, and I need my employees to have access to the entire Internet.

Another example is Italy’s filtering policy regarding unlicensed (non-taxpaying) online gambling, which was blocked not by a national “Great Firewall” but rather by SOPA-style DNS filtering mandated for Italian ISPs. The visible result was an uptick in the use of Google DNS ( and by Italian gamblers, and if there was also an increase in gambling tax revenue, that was not widely reported. The downside here is the visible cracks in Italian society—many Italians apparently do not trust their own government. Furthermore, in 2013 the European Union ruled that this kind of filtering was a violation of EU policy.

In Turkey, up until 2016, the government had similar protections in place, not about gambling but rather pornography, terrorism, and anti-Islamic hate speech. The filtering was widely respected, showing that the Turkish people and their government were more closely aligned at that time than was evident during the Italian experiment. It was possible for Turkish Internet users to opt out of the government’s Internet filtering regime, but such opt-out requests were uncommon. This fit the Internet’s cooperation-based foundation perfectly: where interests are aligned, cooperation is possible, but where interests are not aligned, unilateral mandates are never completely effective.

In the years since the SOPA debacle in the United States, I’ve made it my priority to discuss with the entertainment and luxury goods industries the business and technical problems the Internet poses to them. Away from the cameras, most executives freely admit that it’s not possible to prevent determined users from reaching any part of the Internet they might seek, including so-called “pirate” sites which may even be “dedicated to infringement”. I learned, however, that there is a class of buyers of music, movies, and luxury goods who are not interested in infringement per se, and who are often simply misled by “pirate” Internet sites that pretend to be legitimate. One estimate was that only one third of commercial music is bought legally, and the remaining two thirds are roughly divided between dedicated (one third) and accidental (one third) infringement. If so, then getting the accidental infringers, who comprise one third of the market, to buy their music legally wouldn’t change the cost of music for those buyers, but could raise the music industry’s revenues by 100%. We should all think of that as a “win-win-win” possibility.

Speaking for myself, I’d rather live and act within the law, respecting intellectual property rights, and using my so-called “dollar votes” to encourage more commercial art to be produced. I fought SOPA not because I believed that content somehow “wanted to be free”, but because this kind of filtering will only be effective where the end-users see it as a benefit—see it, in other words, as aligned with their interests. That’s why I co-invented the DNS RPZ firewall system back in 2010, which allows security policy subscribers to automatically connect to their providers in near-realtime, and to then cooperate on wide-scale filtering of DNS content based on a shared security policy. This is the technology that SOPA would have used, except that SOPA would have been widely bypassed, and where not bypassed, would have prohibited DNSSEC deployment. American Internet users are more like Italians than Turks—they don’t want their government telling them what they can’t do.

I think, though, that every government ought to offer this kind of DNS filtering, so that any Internet user in that country who wants to see only the subset of the Internet considered safe by their national government, can get that behavior as a service. Some users, including me, would be happy to follow such policy advice even though we’d fight against any similar policy mandate. In my case, I’d be willing to pay extra to get this kind of filtering. My nation’s government invests a lot of time and money identifying illegal web sites, whether dedicated to terrorism, or infringement, or whatever. I’d like them to publish their findings in real time using an open and unencumbered protocol like DNS RPZ, so that those of us who want to avoid those varieties of bad stuff can voluntarily do so. In fact, the entertainment industry could do the same—because I don’t want to be an accidental infringer either.

Future, Foreground, and Specific Approaches

While human ingenuity can sometimes seem boundless, a nation-state exerting any kind of control over Internet reachability within its borders has only three broad choices available to it.

First, the Great Firewall approach. In this scenario, the government is on-path and can witness, modify, or insert traffic directly. This is costly in human resources, services, equipment, electric power, and prestige. Every in-country Internet Service Provider that wants an out-of-country connection must work directly with government agencies or agents to ensure that real-time visibility and control are among the government’s powers. This may require that all Internet border crossings occur in some central location, or it may require that the government’s surveillance and traffic modification capabilities be installed in multiple discrete locations. In addition to hard costs, there will be soft costs like errors and omissions which induce unexplained failures. The inevitable effects on the nation’s economy must be considered, since a “Great Firewall” approach must by definition wall the country off from mainstream human ideas, with associated chilling effects on outside investment. Finally, this approach, like all access policies, can be bypassed by a determined-enough end-user who is willing to ignore the law. The “Great Firewall” approach will maximize the bypass costs, having first maximized deployment costs.

Second, a distributed announcement approach using Internet Protocol address-level firewalls. Every user and every service on the Internet has to have one or more IP addresses from which to send, or at which to receive, packets to or from other Internet participants. While the user-side IP addresses tend to be migratory and temporary in nature due to mobile users or address-pool sharing, the server-side IP addresses tend to be well known, pre-announced, and predictable. If a national government can compel all of its Internet Service Providers to listen for “IP address firewall” configuration information from a government agency, and to program their own local firewalls in accordance with the government’s then-current access policies, then it would have the effect of making distant (out-of-country) services deliberately unreachable by in-country users. Like all policy efforts, this can be bypassed, either by in-country (user) effort, or by out-of-country (service) provider effort, or by middle-man proxy or VPN provider effort. Bypass will be easier than in the Great Firewall approach described above, but a strong advantage of this approach is that the government does not have to be on-path, and so everyone’s deployment costs are considerably lower.

Third and finally, a distributed announcement approach using Domain Name System (DNS)-level firewalls. Every Internet access requires at least one DNS lookup, and these lookups can be interrupted according to policy if the end-user and Internet Service Provider (ISP) are willing to cooperate on the matter. A policy-based firewall operating at the DNS level can interrupt communications based on several possible criteria: either a “domain name” can be poisoned, or a “name server”, or an “address result”. In each case, the DNS element to be poisoned has to be discovered and advertised in advance, exactly as in the “address-level firewall” and “Great Firewall” approaches described above. However, DNS lookups are far less frequent than packet-level transmissions, and so the deployment cost of a DNS-level firewall will be far lower than for a packet-level firewall. A DNS firewall can be constructed using off-the-shelf “open source” software using the license-free “DNS Response Policy Zone” (DNS RPZ) technology first announced in 2010. The DNS RPZ system allows an unlimited number of DNS operators (“subscribers”) to synchronize their DNS firewall policy to one or more “providers” such as national governments or industry trade associations. DNS firewalls offer the greatest ease of bypass, so much so that it’s better to say that “end-user cooperation is assumed,” which could be a feature rather than a bug.
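To make the three poisoning criteria concrete, here is an added example (my own code, not from the article, from BIND, or from the RPZ specification) that parses a small constructed RPZ policy zone and applies it to a lookup the way a subscribing resolver would. The policy zone name policy.example, every domain name in it, and the addresses (taken from documentation ranges) are made up for this example. The plain owner names are the “domain name” case from the text, the rpz-nsdname records are the “name server” case, and the rpz-ip records are the “address result” case, which is also the DNS-level counterpart of the address firewall in the second approach. A subscriber loads such a zone through its resolver’s RPZ support (in BIND, a response-policy statement) and keeps it current with ordinary zone transfer, which is the provider/subscriber synchronization the text describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

RPZ_ZONE = "policy.example."   # hypothetical policy zone name, chosen for this example

# Constructed RPZ zone contents (not a real feed); names and addresses are
# documentation values. CNAME targets ".", "*.", "rpz-passthru." and "rpz-drop."
# are RPZ action codes; any other record is served as local data.
RPZ_RECORDS = """\
phish.example.net.policy.example.              CNAME  .              ; QNAME trigger
*.phish.example.net.policy.example.            CNAME  .              ; QNAME wildcard
tracker.example.org.policy.example.            CNAME  *.             ; QNAME, NODATA
bank.example.policy.example.                   CNAME  rpz-passthru.  ; QNAME, exempt
badgame.example.policy.example.                A      192.0.2.80     ; QNAME, walled garden
24.0.113.0.203.rpz-ip.policy.example.          CNAME  rpz-drop.      ; IP trigger: 203.0.113.0/24
ns1.rogue.example.rpz-nsdname.policy.example.  CNAME  .              ; NSDNAME trigger
"""
SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                   "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

@dataclass
class Rule:
    kind: str                                  # "qname", "ip" or "nsdname"
    key: Union[str, ipaddress.IPv4Network]     # FQDN or network to match against
    action: str                                # NXDOMAIN, NODATA, PASSTHRU, DROP, TCP-ONLY, LOCAL-DATA
    rdata: Optional[str] = None                # local data to serve, e.g. "A 192.0.2.80"

def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."

def parse_rpz(text: str, zone: str = RPZ_ZONE) -> list:
    """Classify each RPZ record by its trigger type and decode its action."""
    rules = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        owner = owner.lower()
        if not owner.endswith("." + zone):
            raise ValueError(f"{owner} is outside policy zone {zone}")
        relative = owner[:-(len(zone) + 1)]            # e.g. "24.0.113.0.203.rpz-ip"
        if rtype.upper() == "CNAME" and rdata in SPECIAL_TARGETS:
            action, local = SPECIAL_TARGETS[rdata], None
        else:
            action, local = "LOCAL-DATA", f"{rtype} {rdata}"
        if relative.endswith(".rpz-ip"):               # "<prefixlen>.<reversed octets>"
            labels = relative[:-len(".rpz-ip")].split(".")
            net = ipaddress.ip_network(".".join(reversed(labels[1:])) + "/" + labels[0], strict=False)
            rules.append(Rule("ip", net, action, local))
        elif relative.endswith(".rpz-nsdname"):
            rules.append(Rule("nsdname", relative[:-len(".rpz-nsdname")] + ".", action, local))
        else:
            rules.append(Rule("qname", relative + ".", action, local))
    return rules

def match_qname(qname: str, rules: list) -> Optional[Rule]:
    """Exact QNAME rule wins; otherwise the most specific matching wildcard."""
    qname, best = _fqdn(qname), None
    for r in (r for r in rules if r.kind == "qname"):
        if r.key == qname:
            return r
        if r.key.startswith("*.") and qname.endswith(r.key[1:]) and qname != r.key[2:]:
            if best is None or len(r.key) > len(best.key):
                best = r
    return best

def match_ip(answer_ips: list, rules: list) -> Optional[Rule]:
    """Longest-prefix match of any answer address against rpz-ip rules."""
    best = None
    for ip in map(ipaddress.ip_address, answer_ips):
        for r in (r for r in rules if r.kind == "ip" and ip in r.key):
            if best is None or r.key.prefixlen > best.key.prefixlen:
                best = r
    return best

def match_nsdname(ns_names: list, rules: list) -> Optional[Rule]:
    names = {_fqdn(n) for n in ns_names}
    return next((r for r in rules if r.kind == "nsdname" and r.key in names), None)

def apply_policy(qname: str, answer_ips: list, ns_names: list, rules: list) -> tuple:
    """Precedence inside one policy zone: QNAME (known before resolution), then
    response IP, then NSDNAME. The first hit decides, so a PASSTHRU on the name
    exempts it even when its addresses or name servers are also listed."""
    for find in (lambda: match_qname(qname, rules), lambda: match_ip(answer_ips, rules),
                 lambda: match_nsdname(ns_names, rules)):
        rule = find()
        if rule is not None:
            return rule.action, rule
    return "RESOLVE-NORMALLY", None

def demo() -> dict:
    """Constructed queries, each with the answer and NS data a resolver would have seen."""
    rules = parse_rpz(RPZ_RECORDS)
    cases = [
        ("login.phish.example.net", ["198.51.100.7"], ["ns.host.example"]),    # wildcard QNAME
        ("tracker.example.org",     ["198.51.100.7"], ["ns.host.example"]),    # NODATA
        ("bank.example",            ["203.0.113.9"],  ["ns1.rogue.example"]),  # PASSTHRU beats IP/NS hits
        ("cdn.example.com",         ["203.0.113.9"],  ["ns.host.example"]),    # IP trigger
        ("shop.example.com",        ["198.51.100.7"], ["ns1.rogue.example"]),  # NSDNAME trigger
        ("badgame.example",         ["198.51.100.7"], ["ns.host.example"]),    # walled garden
        ("news.example.com",        ["198.51.100.7"], ["ns.host.example"]),    # no policy applies
    ]
    return {q: apply_policy(q, ips, ns, rules)[0] for q, ips, ns in cases}
```

Running demo() shows the point the text makes about cooperation: the rpz-ip and rpz-nsdname triggers catch names the provider never listed explicitly (cdn.example.com and shop.example.com), while the passthru record lets a provider publish exemptions in the same zone, so bank.example resolves normally even though its address sits in the listed network and its name server is listed. None of this touches packets; a user who points their stub resolver elsewhere is simply not a subscriber, which is the “end-user cooperation is assumed” property of the third approach.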


A national government who wants to make a difference in the lived Internet experience of its citizens should consider not just the hard deployment and operational costs, but also the soft costs to the overall economy, and in prestige, and especially, what symbolic message is intended. If safety as defined by the government is to be seen as a goal it shares with its citizens and that will be implemented using methods and policies agreed to by its citizens, then ease of bypass should not be a primary consideration. Rather, ease of participation, and transparency of operation will be the most important ingredients for success.

By Paul Vixie, VP and Distinguished Engineer, AWS Security

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).


Paul Vixie 2010 “Hack In The Box Charles Christopher  –  Jul 18, 2017 3:12 PM

Paul Vixie 2010 “Hack In The Box Security Conference”:


[00:50] “I’m shocked because this is a really bad idea and I can think of ten different complaints that this audience ought to have about it”

[01:07] “This is an attack on network neutrality”

[01:19] “This will absolutely make the DNS less reliable”

[01:41] “The place where you are legislate the use of RPZ by all ISPs”

[12:15] “Yes it’s also a great tool for government censorship and
oppression. I don’t know what to do about that. I’m Sorry.”

thanks for that reminder (HITB 2010) Paul Vixie  –  Aug 2, 2017 4:14 AM

what network neutrality meant in 2010 was whether or not your traffic was allowed to go through at all, and i was against it, because every distributed reputation system from the MAPS RBL of the mid-1990s through the modern day A/V and spamhaus and surbl and other systems, relies on being able to say "no". postel's maxim "be liberal in what you accept" is simply wrong on a commercial internet where people with unaligned interests can reach you. what network neutrality means in 2017 is whether your traffic is performance-penalized or not, getting through but too slowly to be competitive, and i am for it, because last mile is once again effectively monopolized and i come from a decade where the last mile provider was not allowed to restrain third party innovation (like modems, or AOL). it turns out that dns filtering was not actually a great tool for government censorship, as demonstrated by the italy debacle in 2013. so i was wrong to worry about that part. catch me at the bar some time and i'll tell you the story of RPZ and SOPA.

Paul, thanks for the thoughtful essay. Mitch Stoltz  –  Aug 1, 2017 6:48 PM

Paul, thanks for the thoughtful essay. User-selectable filtering is certainly preferable to filtering mandated by governments, monopolist ISPs, or a combination of the two. Ideally, every Internet user would be able to make an informed choice about which endpoints they want blocked, and could be aided in that task by the curator of their choice - not just governments like China or industry associations like MPAA/RIAA, but also user-aligned groups with varying constituencies. Those could be something like Adblock Plus block-list maintainers, or companies like ClearPlay that offer a service of editing the naughty bits out of films on the fly.

The problem with this approach is that it requires real, informed choice by Internet users. As many if not most people will stick with the default DNS firewall policy “provider,” that provider gains a de facto power of censorship. The other danger is that widespread use of such filtering, through any of the technological approaches you mentioned, lowers the economic, political, and “prestige” costs of mandatory site-blocking, as in China. If the system is in place, it’s easy to flip a switch and make it mandatory. And if any entity, whether government, NGO, or commercial, gains a critical mass of users as a filter policy provider, they will come under immense pressure from special interests to filter more and more. A voluntary system for users who want to block themselves from reaching sites that the MPAA deems “rogue” easily becomes a mandatory system that blocks websites on behalf of numerous governmental and private special interests.

While this is a global issue, Americans in particular are traditionally very wary of “a national government who wants to make a difference in the lived Internet experience of its citizens” by restricting what information they can receive, even if there are ways to bypass those restrictions. And giving those tools, and that example, to governments that manifestly do not have their citizens’ best interests in mind should concern us all.

neat (curated filtering; informed choice; making it mandatory; special interest pressure; laws) Paul Vixie  –  Aug 2, 2017 4:56 AM

i visited the android store and searched for "dns changer" and there were dozens of free apps there. i also tested several under windows, back during the SOPA debacle. i know mac/os has ways to do this, since that's how dnssec validation worked for a while. i don't know about iOS but it seems that there has to be a non-root way to select dns servers other than those offered by your wireless provider or ISP. what this tells me is that you don't have to be at all technical in order to know you need this and to do it. this kind of dns filtering has been occurring for many years -- nominum had it in their product as early as 2004, for example, and they are used by a lot of wireless providers. rpz makes the market larger but is not the only gateway to this capability. that matters because curated filtering _works today_. opendns already has this, and google could offer it if they wanted to. there is a market for it. i've been thinking of shrinking the rDNS function down to smartphone size where all configuration is local, for example. i know that most users aren't informed, but some famous arab spring pictures of "" spray painted on concrete-block walls, and the italian online gambling debacle, show us how quickly informed choice in rDNS becomes massively multiplayer when called for. china is currently clamping down on VPNs again, even to the point of demanding that apple remove VPN software from the iOS Store as viewed from china. successfully, i might add. i think if a government has the authority and capability to "flip a switch and make (RPZ) mandatory" that it is that switch-flipping authority and capability, and not RPZ per se or any other specific filtering capability, that enables nation-state censorship to occur. i have heard the "easily becomes" argument before, and my answer applies here as well: Notice, Takedown, Borders, and Scale.

Many in Civil Society firmly believe that the Internet not just can be or is, but should be a democratizing force. Even more people hold that democracy is a universal good. The union of those views leads to a call for political disruption, for example, to "fight" censorship even if it's the law of the land, often noting that many evils including slavery in the United States during its first century of existence, were legal at the time. I resonate to those views myself, and I call many of those who hold those views fellow travelers, or even, drinking buddies. However, and this is a big however, national sovereignty is a thing, as is the rule of law, and when we lecture others as to what's right and what's wrong we should expect some resistance, some laughter, and sometimes self-marginalization. I am a frequent polemicist for various ideologies, and I respect other such polemicists if they can be informed, relevant, respectful, polite, and professional. But none of us should pretend that anybody has to listen to us, especially nation-state governments. All of this should sound to you like rationalization, if you think I'm making money from DNS Firewalls with RPZ. It should seem like I was trying to improve my business conditions, so as to sell more product, except that we (my co-inventor Vernon Schryver and I) made the technology completely open and unencumbered, implementable and operable by all, without license or royalty. We weren't working for any government when we put this stuff out there and encouraged wide adoption. We simply considered that the known good of giving malicious DNS content differential (that is to say, worse) service, outweighed the unknown bad of some DNS operator or their national government getting away with censorship because their local users didn't yet know how easy it was to switch DNS providers. I pushed DNS Firewalls with RPZ at exactly the time that SOPA was being fought, knowing as I did so that the law of my land might shortly require (and, it was a near thing!) its use. That is how much confidence I have in the end-user cooperation assumed by and required for DNS filtering.
