Sandia National Labs: DNS Filtering In SOPA/PIPA Won't Stop Piracy, But Will Hurt Online Security

from the more-experts-weigh-in dept

We’ve covered at great length the problems with DNS filtering in SOPA and PROTECT IP (PIPA) and how it will harm internet security. These concerns were first highlighted by a group of folks who are considered to be some of the foremost experts (and original architects) on DNS. The MPAA and other SOPA/PIPA supporters have been trying for months to diminish these points, but have yet to find any kind of argument that makes sense. The argument they fall back on is “well, if this law breaks DNSSEC, just change the code and fix it.” This represents a fundamental misunderstanding of the technology. That’s not too surprising, coming from the MPAA, frankly. However, now, Sandia National Labs, which is a part of the Department of Energy, has sent a letter to Rep. Zoe Lofgren confirming most of the problems with the idea of DNS filtering, noting that it would make the internet less secure… and would do nothing to actually stop piracy.

It is not likely DNS filtering would be effective in blocking U.S. access to targeted foreign websites….

On the question of DNSSEC, the letter notes that slowing the adoption of DNSSEC would have significant “negative consequences” for US online security. While DNSSEC may not be fully rolled out yet, nearly everyone who understands this stuff knows that it’s needed to fix key flaws in DNS. And while it takes time, simply breaking it and waiting for the next generation to rewrite it from scratch would be a mistake. Many years of careful work has gone into DNSSEC. Scrapping it for something else random is not going to help.

At this point, I don’t see how any SOPA/PIPA supporters can still claim that the concerns over DNS blocking are unfounded. When you even have a major national lab saying that it’s a bad idea, won’t work and will be bad for online security… can the MPAA still respond with nothing more detailed than “we disagree” (which was the MPAA’s actual statement at the hearing when challenged about the security problems associated with DNS blocking)?

Napolitano Response Rep Lofgren 11 16 11 c

Companies: sandia national labs


Comments on “Sandia National Labs: DNS Filtering In SOPA/PIPA Won't Stop Piracy, But Will Hurt Online Security”

A Guy (profile) says:

I am still trying to figure out who sold them on the idea of DNS censoring to begin with. Seriously, someone had to understand it well enough to tell them what it is but not well enough to understand how it works.

It baffles me. What kind of engineers do they work with? Which incompetent consultants told them this would work?

Oh well, their entire internet campaign has been riddled with incompetence so it’s not that surprising.

out_of_the_blue says:

Well, China manages DNS blocking...

And if DNS is fatally flawed, there goes your “Internet repairs damage” riff.

I’ve given you empirical example and a logical counter to a prior line of argument. You’re basically just using a “fear of change” line here. — Most things never get fixed until they are broken, so could be just the impetus needed for DNS, eh?

Anonymous Coward says:

The issue of DNSSEC is that it requires almost every piece of network gear to either be entirely replaced, or patched with software upgrades if possible. On many routers, this is not possible.

Currently, most networks are upgrading to allow for IPv6. Upgrades for DNSSEC may or may not be possible on all of this equipment. It is likely that until the current equipment reaches its EOL and is taken down that DNSSEC will not be any more complete than IPv6 currently is.

Further, a full implementation of DNSSEC requires replacement of everything right down to your local router at home. The time frame for that to happen is “years”, if not a decade or more at all levels.

If anything, DNSSEC turned on too early could break the internet. So DNSSEC at this point is just not really an issue, even those who created it admit that it is not widely in use and unlikely to be there any time soon.

Anonymous Coward says:



With copyright-infringing sites getting an estimated 53 billion page views a year, a huge number of U.S. residents would seek out alternative DNS servers to access the sites if their ISPs weren’t directing them there, Kaminsky said during a press conference. “It’s not just that lookups to the Pirate Bay go overseas; lookups to Bank of America go overseas,” he said. “This is handing over American Internet access to entities we explicitly do not trust, entities that are unambiguously bad guys.”

Alternative DNS services could intercept Internet traffic and use customers’ data “in any way the remote operator would like,” said David Dagon, a post-doctoral researcher at the Georgia Institute of Technology and co-author of a May paper focused on the technical problems that PROTECT IP could create.


When things break people go after solutions, if you believe any American will sit idle and allow censorship you are just an idiot.

Rikuo (profile) says:

Well, China manages DNS blocking...

China doesn’t have ICANN. China doesn’t have the backbone of the world’s internet reside within its borders. Therefore, what China does to DNS pretty much affects only China.
The situation is completely different with regards to the US. Because so many Internet-related and Internet using companies are based/headquartered in the US, SOPA is bad news for them. SOPA isn’t a bill being discussed in my country, but if it passes, some of my favourite websites will have to redesign themselves completely (i.e., forgo user participation entirely) even though I am accessing the site from a country where SOPA isn’t a law.
What if I want to upload a video to Youtube? Sorry, someone just accused them and Youtube’s been blocked from receiving income through its payment processors! Therefore, I can’t upload video and expect it to be watched.

Rikuo (profile) says:

Well, China manages DNS blocking...

In addition, the tech companies that will be impacted by SOPA the most will have to make a choice: either censor themselves completely…or leave the US. While not totally practical, that is what these companies are debating amongst themselves. Google, Facebook et al bring in billions to the US economy: what if they shut up shop and opened their new global headquarters somewhere else? Now suddenly, Silicon Valley is deserted, the US loses out on taxes, thousands of people are without jobs…and people still haven’t been convinced to pay for a song/movie/book/whatever.

A Guy (profile) says:


DNS blocking doesn’t remove a site from the internet. That is your first mistake. That is also why DNS blocking will never work.

I don’t know what they do with child porn sites but I assume it involves getting local authorities involved to remove the content from the servers and track down the perpetrators.

You see, other countries will track down citizens who engage in the vile and disgusting act of abusing children and spreading that abuse around the internet for fun and profit.

On the other hand, governments of other countries care a lot less that some guy in Hollywood or an already rich artist claims they aren’t making enough money off their population.

You see, any reasonable person sees that these two things are nothing alike and anyone that compares the sexual exploitation of defenseless children to not making enough money can probably go fuck themselves.

Anonymous Coward says:

Your pop quiz du jour

Your task is to answer these questions without resorting to any resources other than your own brain. If you can, then you might be competent to discuss this issue. If you can’t, then you should probably defer to people who actually have a reasonable grasp of the technical issues. Let’s begin:

1. What is the difference between an authoritative resolver and a recursive resolver?

2. How does DNS cache poisoning work?

3. What does NXDOMAIN mean, and when does it mean it?

4. What are the DNS requirements for a mail server?

5. What is the relationship between the TTL value and DNS caching?

6. Presuming you’re using the ISC BIND distribution, what is the best command-line program to use in order to find out DNS information?

7. What is a lame delegation?

8. What would one expect to see in the DNS A records for a multi-homed host?

9. What command-line tools do you use to trace the hierarchy of reverse DNS assignment?

10. What does “fast flux” mean, and why do we care?

anonymous says:

how can a company that has so little knowledge of the internet and how it works, be so scared of it, say that ‘they disagree’ when told by actual experts in not only the use of the internet but the makers of it, be believed and those experts be discounted? i know money talks louder than anything, but surely even the bought and paid for advocates of SOPA/PROTECT IP have enough intelligence to realise who’s right and who’s just really clueless and wanting to safeguard their own interests above all else.

John Fenderson (profile) says:


I don’t think the people who wrote SOPA (MPAA, etc.) are idiots. Given that, since it’s obvious that SOPA won’t do anything to stop piracy, I think that it’s reasonable to assume that’s not the goal of the legislation.

What SOPA will do is to make it easy for big companies to outright kill innovative noninfringing startups on the net. It’s very clear from their actions as well as their words that the **AAs are terrified that they are losing control of the distribution channel. SOPA is a powerful tool to let them forcibly take control of the internet as such a channel.

I think that this is the real purpose of the law. If so, then there’s nothing wrong with it, technically. It can easily accomplish that goal.

Anonymous Coward says:

Funny, the Internet didn’t break when Google blocked the Public Knowledge site:

“SOPA supporters question Google’s blocking of website
By Jennifer Martinez

11/18/11 5:18 PM EST
Google and Public Knowledge are both opposed to online copyright legislation in Congress, but the search engine’s blocking of the public interest group’s website this week gave supporters of the bills some new ammunition.

For part of Friday, visitors who attempted to access Public Knowledge’s site via the Mozilla Firefox browser were greeted with a bold warning message that said visiting the site may harm their computers. Public Knowledge spokesman Art Brodsky said that the organization found a piece of malicious code was slipped onto the site and Google blocked access to the site because of this security threat.

The malware has since been scrubbed from Public Knowledge’s site. But the incident has motivated supporters of the two bills, the PROTECT IP Act in the Senate and Stop Online Piracy Act in the House, to ask why the search giant is objecting to taking the same action against so-called rogue sites that offer illicit copies of entertainment content and counterfeit goods when served with a court order.

“It does beg the question, if they do this on their own to prevent malware, couldn’t they do the same when a court tells them a domain name is being used to sell counterfeits or pirated works?” a Senate aide for a member who supports the PROTECT IP Act told POLITICO.

In response, Google pointed to the testimony of the company’s copyright counsel Katherine Oyama this week at the House Judiciary Committee hearing on the Stop Online Piracy Act.

“Google takes the problem of online piracy and counterfeiting very seriously, devoting our best engineering talent and tens of millions of dollars every year to fight it,” Oyama said.

She also noted that the search company has spent more than $60 million to remove online pirates from its ad services and processed Digital Millennium Copyright Act takedown requests for nearly five million items so far this year.

Public Knowledge’s site was accessible via Microsoft’s Internet Explorer and Apple’s Safari browsers, Brodsky said. The site became available via Firefox Friday afternoon.

Brodsky lauded Google for taking action to prevent Web visitors from picking up a virus.

Both Google and Public Knowledge are staunch opponents of the House and Senate bills. They have argued the bills would threaten constitutionally protected speech on the Web, discourage online innovation and ultimately not solve the problem of online piracy.

Google’s blocking of sites infected with malware and its objection to domain name blocking and filtering in the copyright legislation are “not analogous at all,” according to Brodsky.

“The situations are very different,” he said.”

Anonymous Coward says:


Actually for infringing content one doesn’t need DNS at all, you can just type what you want in the embedded search engine that many P2P applications have, and bam! there you go.

But others would not do that, they would simply configure their DNS servers to be foreign servers that the US has no control over, which can expose people to problems.

Basically we are going back 30 years to a time when there was no authoritative DNS system and people were still developing the solutions they use today, but this time it will be decentralized so you muppets can’t meddle with it.

Anonymous Coward says:

Frankly, and without discussing the technical merits of the letter’s contents, I am shocked beyond words that someone from Sandia would “officially” correspond with a member of Congress.

Sandia is what is known as a GOCO, which stands for Government Owned Contractor Operated, that manages the Sandia National Laboratories for the Department of Energy, the latter, of course, being an executive agency. Having worked closely with Oak Ridge, Sandia, and other labs that have managed these various DOE facilities, it is nothing short of amazing that this letter appears to have bypassed the DOE. I rather suspect that both Lockheed Martin and the DOE are about to have some very interesting conversations (what I call “bonding sessions”) with Mr. Napolitano. He may know a lot about technical matters, but does appear to be a bit naive about political matters.

elemecca (profile) says:


I think you’ve misconstrued the issue with routers. The only way in which DNSSEC will affect most provider devices (including true layer 3 routers) is by increasing the size of DNS packets. For almost all devices that shouldn’t be a problem. ISPs, then, shouldn’t have to upgrade their infrastructure much beyond their nameservers.

Where DNSSEC could become a problem is the ALG in NAT gateways (including home routers), which is responsible for parsing DNS responses to determine which masked computer they’re intended for. Poorly implemented ALGs may be confused by DNSSEC packets. I suppose it’s also possible that some gateway devices include a caching DNS resolver or some sort of DNS proxy that would need to be updated, but I’ve personally never seen one. DNSSEC is not exactly a new protocol, however. Most reasonably new hardware should support it.

Turning on DNSSEC too early won’t break the Internet. Legacy clients will simply continue to use regular, unsecured DNS. Rolling out DNSSEC won’t do anything to change that. While it is true that clients configured to require validation will fail if the recursive resolver doesn’t support it, that’s a per-client setting and can easily be disabled.

All of that is largely irrelevant to the discussion of SOPA. Your post seems to be insinuating that DNSSEC is not ready and thus we have time to fix it. Unfortunately, SOPA doesn’t just break some implementation detail of DNSSEC as the MPAA seems to think. It breaks the very idea of DNSSEC. It enshrines in law the idea that the recursive resolver must lie to the client, which is exactly what DNSSEC was designed to prevent.
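The point elemecca makes above, that a filtering resolver has to lie to the client and a validating client is built to catch exactly that, and the quiz’s question about what NXDOMAIN means, can both be shown in a toy model. This is an added example, not code from the comment or from any DNSSEC implementation: an HMAC under a key shared by the zone and the stub stands in for the zone’s public-key RRSIGs, a signed (previous, next) name pair stands in for an NSEC record, and the zone names, addresses and blocklist are constructed.

```python
import hmac
import hashlib

def _sign(key, data):
    # HMAC-SHA256 stands in for the zone's public-key RRSIG (simplification)
    return hmac.new(key, data, hashlib.sha256).digest()

def _canon(rrset):
    name, rtype, rdata = rrset
    return f"{name}|{rtype}|{','.join(rdata)}".encode()   # bytes covered by the signature

def _nsec(prev, nxt):
    return f"NSEC|{prev}|{nxt}".encode()   # "no name exists between prev and nxt"

class SignedZone:
    """Authoritative server: every positive answer and every NXDOMAIN is signed."""
    def __init__(self, key, rrsets):
        self.key = key
        self.rrsets = {(n, t): (n, t, d) for n, t, d in rrsets}
        self.names = sorted({n for n, _, _ in rrsets})

    def query(self, name, rtype):
        rr = self.rrsets.get((name, rtype))
        if rr is not None:
            return {"rcode": "NOERROR", "answer": rr, "sig": _sign(self.key, _canon(rr))}
        prev = max([n for n in self.names if n < name], default=self.names[-1])
        nxt = min([n for n in self.names if n > name], default=self.names[0])
        return {"rcode": "NXDOMAIN", "denial": (prev, nxt), "sig": _sign(self.key, _nsec(prev, nxt))}

def filtering_resolver(zone, blocklist, name, rtype, mode):
    """Recursive resolver under a blocking order: honest for most names, lies for blocked ones."""
    resp = zone.query(name, rtype)
    if name not in blocklist:
        return resp                                        # forwarded untouched, signature intact
    if mode == "redirect":                                 # substitute a notice-page address
        fake = (name, rtype, ("203.0.113.1",))
        return {"rcode": "NOERROR", "answer": fake, "sig": resp["sig"]}   # sig no longer covers the data
    return {"rcode": "NXDOMAIN"}                           # claim the name is absent, with no proof

def validate(zone_key, name, resp):
    """Validating stub (trust anchor = zone_key): accept only what the zone actually signed."""
    sig, answer, denial = resp.get("sig"), resp.get("answer"), resp.get("denial")
    if resp["rcode"] == "NOERROR" and answer and sig:
        if answer[0] == name and hmac.compare_digest(_sign(zone_key, _canon(answer)), sig):
            return "SECURE", answer[2]
    elif resp["rcode"] == "NXDOMAIN" and denial and sig:
        prev, nxt = denial
        covered = prev < name < nxt if prev < nxt else (name > prev or name < nxt)
        if covered and hmac.compare_digest(_sign(zone_key, _nsec(prev, nxt)), sig):
            return "SECURE", None                          # signed proof that the name is absent
    return "BOGUS", None                                   # tampered or unsigned: stub returns SERVFAIL

def demo():
    key = b"constructed-zone-signing-key"                  # constructed sample key
    zone = SignedZone(key, [("bank.example.", "A", ("192.0.2.10",)),
                            ("pirate.example.", "A", ("192.0.2.20",))])
    blocked = {"pirate.example."}                          # constructed blocking order
    def lookup(name, mode):
        return validate(key, name, filtering_resolver(zone, blocked, name, "A", mode))
    return {"honest": lookup("bank.example.", "redirect"),       # not blocked: validates
            "redirect": lookup("pirate.example.", "redirect"),   # substituted answer: BOGUS
            "nxdomain": lookup("pirate.example.", "nxdomain"),   # unproven denial: BOGUS
            "absent": lookup("nothere.example.", "redirect")}    # real, signed NXDOMAIN: validates
```

Both ways of filtering (a substituted address and an unproven NXDOMAIN) come back BOGUS, which a real validating stub surfaces to the application as SERVFAIL; the only response from a blocked name that validates is the zone’s own signed answer forwarded unchanged.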

Rekrul says:

Well, China manages DNS blocking...

Google, Facebook et al bring in billions to the US economy: what if they shut up shop and opened their new global headquarters somewhere else? Now suddenly, Silicon Valley is deserted, the US loses out on taxes, thousands of people are without jobs…and people still haven’t been convinced to pay for a song/movie/book/whatever.

What you fail to understand is that only the entertainment companies matter. They are single-handedly keeping the world’s economy afloat. Without them, the economy would be doomed, the governments would fall and the world would descend into chaos! Also, the planet would probably stop turning and the sun would go out.

Do you really want to be the cause of the extinction of the entire human race???

Rekrul says:

The most frustrating thing about this whole mess is being able to see how easily these bills could be killed, but knowing it will never happen.

If every ISP in the country agreed to shut down their network and show each user a page urging them to contact their congressmen demanding the end of net censorship bills, SOPA & PROTECT IP would be going through the shredder by the end of the day.

I don’t think the government can legally force any private company to do business, can they? If every ISP did this, they wouldn’t lose any customers to the competition, and unless I’m mistaken, it wouldn’t cost them anything to not use their network for a few days. Of course there’s always the risk that some people will cancel their accounts in protest, but would that really be an option for most people, especially if they have nowhere else to turn?

Sure, it’s nice to say that the government doesn’t give in to blackmail, but what choice would they have? They wouldn’t have the resources to take over every ISP, and even if they did, how would that even be legal?

If a few web sites blacking out part of their pages (which I never even saw) can get half a million protest letters (or so I read) to congress, think what having every consumer level internet account shut down would do.

Anonymous Coward says:


Sadly, many routers used today in the field are unable to handle oversized DNS packets, and specifically filter for them to avoid what used to be a rudimentary type of DoS attack. Combining something like a Fraggle attack with oversized packets, and you would get all sorts of amusing and unintended results.

As a result, each of those routers along the way has to be at minimum reprogrammed not to filter oversized packets, and in many cases, may not be able to handle oversized UDP packets (which they handle separately from other traffic to speed them up).

Safe to say that DNSSEC, even without SOPA, wouldn’t be here much before 2020.

It would also appear that DNSSEC was designed with the intent of hurting the ability for anyone to control or filter the net in any manner, and that itself may be enough of a reason not to go down that road.

TtfnJohn (profile) says:


“It would also appear that DNSSEC was designed with the intent of hurting the ability for anyone to control or filter the net in any manner, and that itself may be enough of a reason not to go down that road.”

If that’s the design intention of DNSSEC then I want to go down that road as fast as we can.

On the other hand if SOPA/PIPA wants to break that road then it’s better avoided. If the statement from Sandia Labs is anything to go by, the proposal is not only easily circumvented but may also have commercial and military consequences for the United States.

Europe won’t follow suit, Canada won’t, Japan won’t, China doesn’t care and, in fact, the only country I can think of that might is that already dangerously censorious country known as Australia.

In the age of the Internet the United States isn’t an island and can’t be. Doing things like this hurts the US more than it does anyone else. Consequently it doesn’t help the *AA’s one bit as it’s inconsequential to work around what they propose.

Ironic, don’t you think?

wvhillbilly (profile) says:


“What SOPA will do is to make it easy for big companies to outright kill innovative noninfringing startups on the net. It’s very clear from their actions as well as their words that the **AAs are terrified that they are losing control of the distribution channel. SOPA is a powerful tool to let them forcibly take control of the internet as such a channel.”

I suspect you are dead on in your analysis of this. The people who want this are so paranoid that someone is going to get something without their getting a big chunk of money for it, that they would – so to speak – burn the entire barn (the Internet) to the ground to get rid of a few pesky rats.


Renee Marie Jones says:

DNS filtering

I think they really did think it up themselves. They are technological children. Most of them probably don’t know how to use a computer, but the ones that do just know that you either click a link or you type in a domain name. So, they figure that if you can stop those two things, then a site is unreachable. They don’t think beyond that. That is all they can understand.

The sad thing is that incompetent fools like this are allowed to dictate tech policy.
