Gov't crackdown spurs initiatives to route around DNS

[Eugen Leitl]

http://www.itworld.com/print/129947

Gov't crackdown spurs initiatives to route around DNS

by Keith Dawson

December 7, 2010 b

Over the Thanksgiving holiday weekend, US Immigration and Customs Enforcement
(ICE), the principal investigative arm of the Department of Homeland Security
(DHS), led an alphabet soup of government agencies in seizing the domain
names of 82 Web sites (PDF) that ICE said were "engaged in the illegal sale
and distribution of counterfeit goods and copyrighted works" (See: Operation
In Our Sites v. 2.0). The seizures were accomplished by getting the VeriSign
registry, owner of the .com and .net top-level domains, to change the
authoritative domain-name servers for the seized domains to servers
controlled by DHS.

Regardless of the supposed criminal intent of the affected systems, the
seizure without notice of these domain names by US authorities sent
shock-waves around the Internet world. It got people's attention in a much
stronger way than version 1 of this enforcement operation had b the first
iteration late last June seized the names of nine sites selling pirated
first-run movies. Many people woke up to the reality of how vulnerable the
DNS is to government meddling.

(More recently, the uproar caused by the WikiLeaks publication of US
diplomatic cables b and subsequent attempts to censor the site and/or to
hound it off the Internet b have resulted in what developer Dave Winer calls
"a human DNS" implemented "in a weird sneaker-net sort of way," via Twitter
and ad hoc bulletin-board sites.)

Within days of the ICE/DHS seizures, at least three separate initiatives to
work around the DNS had been announced, and several existing alternatives
were highlighted in the ensuing discussion. Let's take a look at some of
these proposals b two to route around and one to supplant the DNS b and some
of the obstacles they face.

1. 4LW: 4 Little Words

This new alt-DNS project got a quick boost from the developer communities at
Hacker News and Reddit. The idea is to map each of the four numbers in an
IPv4 address to one of 256 "little words," in the Mad Libs-inspired pattern
adjective noun verb noun. For example, using an online 4LW generator,
208.101.51.56 (the IP address of the seized domain name torrent-finder.com)
becomes simple hair climbs cup. Reddit user armooo created an open source DNS
server that returns "A" records using the 4LW protocol. For the example
above, visiting http://simple.B-hair.B-climbs.B-cup.B-4lw.org takes you straight
to the site formerly pointed to by the seized domain name. This scheme should
continue to work unless 4lw.org itself is compromised, in which case others
could copy the source code and put up their own servers; meta-servers could
emerge to distribute requests among known 4LW servers; and so on.

2. P2P DNS: Peering Around It

This project has gotten the lion's share of press attention, because it was
initially suggested by Peter Sunde, co-founder of The Pirate Bay. The idea is
to create a peer-to-peer alternative to the DNS, and beyond that nothing has
been announced. Sunde's blog post has garnered over 100 comments, most
pledging help and some offering concrete suggestions or pointing out similar
efforts across the Net. There are active brainstorms in various media and a
code repository, which is currently empty. Sunde has promised a press release
soon.

3. Project IDONS: Internet Distributed Open Name System

This proposal is by Lauren Weinstein, one of the early developers of what
became the Internet and the long-time moderator of the PRIVACY forum (which
predates even the widespread existence of email). Weinstein's vision is of
"an alternative Internet name to address mapping system b fully distributed,
open source, fault-tolerant, secure, flexible, and not subject to centralized
constraints, meddling, and censorship." Other high-level goals include "no
central registries, no registrars, no fees nor charges necessary for any name
or address operations across IDONS."

Weinstein adds in his introduction to IDONS: "Ad hoc attempts to bypass the
existing system (such as those newly proposed by Pirate Bay) are likely to
create fragmentation and confusion, and therefore ironically tend to further
entrench the existing systemb& ad hoc won't fly for this."

In an interview, Weinstein told me he has had a "couple of thousand"
responses to the IDONS proposal, ranging from substantive technical
suggestions to "Yes I'd like to help." Weinstein said, "The point is not just
to replace the DNS with another DNS. It's to get out from under a completely
limiting condition. Technology is full of these kinds of situations in which
we have to get out from under bad early decisions. In the case of DNS, the
mistake was centralization. That enables not only censorship, but also the
whole gigantic mess that has grown up around domain registrations" b what
Weinstein has taken to calling the "domain industrial complex." He continued,
"This is not just a technical project, it's an attempt to change the
underlying mechanisms we use for names on the Internet. It involves policy
and politics as well as technology." And it's likely to be a 10-year effort
or longer.

At this point the project does not have a website or a mailing list.
Interested parties can contact Weinstein via his blog.

Operation In Our Sites v. 2.0

Mere weeks ago, rights activists and users concerned about Internet
censorship were mounting opposition to the proposed Combating Online
Infringement and Counterfeits Act b a law that would give the Justice
Department the power to seize domain names from sites around the globe that
are "dedicated to infringing activities." That bill is now sidelined in the
Senate. Now, with "Operation In Our Sites v. 2.0," the DoJ is asserting that
it already has the authority, under the 2008 PRO-IP law (PDF), to turn off
DNS service for sites that rely on US-resident domain-name registries, even
if the sites are based outside the US. (The court orders for seizure were
served on VeriSign, the Virginia company that runs the .com and .net
registries.)

While most of the seized sites sold counterfeit goods such as sports
equipment, shoes and handbags, at least one sold nothing and did not even
store pointers to contraband. Torrent-finder.com is a meta-search engine that
returns results from other search engines, in response to user queries, and
according to TorrentFreak.com "is not encouraging or even facilitating
copyright infringement any more than other search engines such as Google."
There has been no official comment on this apparent anomaly. The EFF and the
CDT have raised questions about the "nuke-the-whole-website approach," and
the EFF has vowed to fight the actions.

The operation that was torrent-finder.com has reopened at
torrent-finder.info; its owner, who lives in Egypt, has also vowed to fight
the seizure.


Drawbacks to trying to route around the DNS

Any alternative to or replacement for the DNS must begin by acknowledging the
existing system's strengths: it is ubiquitous, it is built in to many aspects
of the way the Internet functions, it is distributed and scaleable (and in
fact has scaled by 5 or 6 orders of magnitude since its introduction in the
1980s), and it establishes a hierarchy of trust so that you have some
assurance (not 100%) that you're visiting the site you think you are.

A major concern for any DNS alternative b especially one that stands beside
the existing DNS b must be "breaking the Internet" into Balkanized islands,
unreachable one from the other. In practice this means that any alt-DNS must
somehow allow access to all Internet resources. Past attempts at establishing
an alternate DNS root, such as AlterNIC.net (begun in 1995), required
tweaking configuration files in domain name servers b clearly a non-starter
for widespread adoption. AlterNIC faded away after its founder was convicted
in the US of wire fraud, and the Internet Architecture Board spoke out
strongly against alternate roots in RFC 2826. Nonetheless, other attempts at
setting up an alternate root have sprung up. These depend on a Web browser to
decide which name resolver to use: for example, Unified Root provides its own
browser, called Sundial and based on Firefox; and DASHWORLDS offers a browser
plug-in for Internet Explorer on Windows.

A drawback to routing-around proposals such as 4LW is the assumption of one
domain name per IP address. Such one-to-one mapping is by no means universal,
and may be getting less common as IPv4 addresses dwindle to exhaustion. I run
a server in the cloud with a dozen or more sites on each of several IP
addresses. The server is set up to provide the correct content to the visitor
based on which domain name was requested b Apache configuration files for
that purpose are generated by the (Plesk) site management software. A visitor
who types in one of my server's IP addresses, or goes there via e.g. the 4LW
protocol, will get a default Apache page. Presumably some deep juju could be
developed for the Apache server's rewrite engine, but it would have to be
custom-made for each alt-DNS scheme. It would have to be added by hand to
each site's Apache configuration file, as the site management software (such
as Plesk or cPanel) won't know about it b and therefore will tend to
overwrite it. And ditto for sites running Microsoft's IIS or any of numerous
other Web servers.

Another issue that alt-DNS schemes will face is that websites use
non-relative internal links, hard-coded with fully qualified domain names.
Any such links will work as long as the official DNS points to where the site
expects it to, but break in case of domain-name compromise.

Perhaps the biggest obstacle any aspiring DNS workaround or replacement faces
is getting to critical mass. I spoke to one alt-DNS developer, Chris
Brainard, who is working on a concept called FreeLayer. In his opinion, "Most
people won't switch if what they are using is working. Plus you have tight
integration with browsers and search engines and code. So in a way the only
people who are really interested in this are those who wish to have more
privacy, have an interest in the technology, want domains for free, or are
doing something illegal." Lauren Weinstein acknowledges that the scope of the
IDONS project "may perhaps be reasonably compared with the scale of IPv6
deployment" b in other words, massive.