Russia Says Disconnecting From The Rest Of The Net 'Out Of The Question', But Wants Alternative DNS Servers For BRICS Nations

from the think-global,-act-local dept

At the start of the year, we wrote about a call for Russia to make its Internet infrastructure resistant to external attempts to shut it down, and able to work in isolation if need be. It looks like the authorities are moving ahead with the idea:

The Russian Security Council has asked the country’s government to develop an independent internet infrastructure for BRICS nations, which would continue to work in the event of global internet malfunctions.

The RT news story has some details on how the BRICS subnet will work:

They decided that the problem should be addressed by creating a separate backup system of Domain Name Servers (DNS), which would not be subject to control by international organizations. This system would be used by countries of the BRICS bloc — Brazil, Russia, India, China and South Africa.

The plan has evidently developed from a purely Russian intranet system to one that includes the other BRICS nations. Creating additional DNS servers will be easy, so there’s no reason why it shouldn’t happen — not least because Putin has “personally set a deadline of August 1, 2018 for the completion of the task”. Perhaps the most interesting aspect of the story is the following comment by Putin’s Press Secretary, Dmitry Peskov:

“Russia?s disconnection from the global internet is of course out of the question,” Peskov told the Interfax news agency. However, the official also emphasized that “recently, a fair share of unpredictability is present in the actions of our partners both in the US and the EU, and we [Russia] must be prepared for any turn of events.”

That offers a pragmatic recognition that disconnection from the global Internet is no longer an option for a modern state, even if Iran begs to differ. It’s true that local DNS servers provide resilience, but they also make it much easier for a government to limit access to foreign sites by ordering their IP addresses to be blocked — surely another reason for the move.

This latest proposal is part of a long-running campaign by Russia to wrest control of key aspects of the Internet — such as the DNS system — from international bodies, for example during the ITU’s World Conference on International Communications (WCIT) in 2012. Russia already had the support of other BRICS governments back then, which suggests they will back the new approach.

Follow me @glynmoody on Twitter or, and +glynmoody on Google+

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Russia Says Disconnecting From The Rest Of The Net 'Out Of The Question', But Wants Alternative DNS Servers For BRICS Nations”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Yeah, this is not a new movie

You’re assuming you’d notice if you were using an alternate root. Which if your using caching name service from a major ISP, it might as well be, considering all the shenanigans they play with the DNS system.

Really there needs to be a chinese wall between DNS providers and ISP’s. These services should not be managed by the same companies. DNS is badly deprecated, and if you want to see it get fixed, you have to make it profitable to do so. Which means it has to be it’s own service.

Anonymous Coward says:

Re: Re: Re: Yeah, this is not a new movie

“More like abused than deprecated.”

IMHO namecoin is closer to a servicable architecture going forward. As long as you have a root server, and/or a cascading database configuration, there will be MITM attacks.

The only thing that fixes that is blockchain. But… If your going to go to all that length, then even better is to make it indistinguishable from other traffic types.

IMHO the whole stack is deprecated, because ISO layers 4 and 5 should be transposed. Port numbers should never have been publicly exposed data. If it isn’t exposed we get much closer to compelled NN, because full encryption at layer 4 forcibly deprecates QOS switching on traffic type.

Anonymous Coward says:

Re: Yeah, this is not a new movie

FreeDNS set up a blended root, OpenDNS set up a blended root, TOR set up a blended root — all three projects are still going strong.

What worries me about what Russia is doing is not that they’re setting up an alternate root — I think that has the potential to be a good thing, especially if it peers with the current root.

What worries me is whether they’re going to mandate that all DNS traffic be limited to the upstream provider via router configurations — that is, any DNS request that’s not signed by the appropriate authority will be dropped.

In the past, the way DNS was designed prevented this sort of thing, but signing DNS traffic is a two way street — you can verify there’s been no MITM attempt, but you can also programmatically block queries to DNS servers you don’t want your downstream users seeing.

This means it’s possible that and (and all the other public DNS servers) may start getting dropped, and even local DNS resolvers may get dropped wholesale if they’re from zones the upstream provider doesn’t like.

I haven’t used an ISP DNS in 20 years, but this plan could force people to do so or risk unreliability/fragmentation.

Anonymous Coward says:

cyber warfare

There could be much more to this story than that which appears on the surface.

Leaked documents from the NSA, CIA, and other agencies has demonstrated that the US government is on a mission to weaponize the internet, so it makes sense that other nations would take defensive precautions that would minimize damages from such attacks. Since NATO nations to a large degree control much of the critical internet backbones, the ability of individual nations to compartmentalize their own internet to at least some degree would be a logical step.

BRICS was established as a free trade block, though it has been slowly moving in the direction toward a military alliance, so it will be interesting to see if these countries will feel free to trust Russia and China –as opposed to the US & NATO– for such a critical utility as internet service.

Considering the way that DNS servers in Western nations have increaasingly been used as a major censorship tool, it seems strange that the rest of the world would not have made major efforts to avoid US & EU-controlled DNS servers a long time ago.

Anonymous Coward says:

Re: Re: Re: Re:

This may not be as easy as it sounds.

Current DNS is federated, where each server points to a more local authority until the DNS server that “owns” the IP eventually responds with the address that should be connected to.

Proxying basically lets you tunnel to some other starting location to kick off your chain of queries. Full proxying will create an encrypted tunnel to that starting point and move the entire chain of queries through the tunnel so that your ISP only sees a stream of encrypted data.

However, encrypted DNS traffic is easy to spot at the router with packet inspection. It stands out like a sore thumb, and is easy to drop if the owner of the router is so inclined. And once you’ve eliminated encrypted DNS traffic, it’s just as easy to spot when someone’s not going through the official, signed DNS root to get their DNS queries resolved. This may require a new layer added to DNS, but that’s essentially what’s happening here: the DNS chain will be signed so that you can trace the authority back to the originating server. This creates a chain of trust, but also creates a chain of control.

Anonymous Coward says:

Re: Re: Re:2 Re:

And “block the addresses of all known DNS servers” is actually easier than it sounds — at least for the bulk of them. Let me explain how I’d do that.

There are two ways to acquire the root zone files (that is: the list of authoritative DNS servers for each root zone like .com, .net, .info, etc.) One is to apply for access to them, which isn’t that onerous if you present identification and reasons. The other is to set up passive DNS listeners and just grab everything as it goes by — perhaps augmenting that by doing a lot of queries.

In both cases, what you’d end up with — to a sloppy first approximation — would be a very large list of domain names along with their associated nameservers. You sort that list by the number of occurrences of each DNS server, and then block the top million plus the DNS servers for the Alexa top million plus all the open DNS servers that you know about.

That won’t catch everything, but it will catch the overwhelming majority of the DNS servers used by the overwhelming majority of domains that anybody cares about.

Anonymous Coward says:

Re: Re: Re:2 Re:

Again, that is easily circumvented as one does not need to go looking for someone else’s DNS server when they can set up their own – one must protect against DNS poisoning and other such nefarious attacks but it is well documented. Maybe that is why they are attempting to censor the flow of information.

Anonymous Coward says:

Re: Re: Re:3 Re:

generally, if you set up your own DNS server, you will point it at an external DNS server to deal with all queries that are not for your domain.

The reason that ISPs provide DNS service is to become a man in the middle, using one of the big DNS providers to do the heavy lifting. After they have logged your request, and filtered for anything that they want to block they pass it on to gt it resolved. This also allows them to respond to failed requests by sending you to an advertising page.

Anonymous Coward says:

Re: Re: Re:4 Re:

“generally, if you set up your own DNS server, you will point it at an external DNS server to deal with all queries that are not for your domain.”

Yup. One would have to turn that off that function and populate manually those sites one desired to visit. I thought that was a well known given.

Even if you use a DNS server out there in wonderland, one can still enter an IP address in the browser – no DNS necessary.

Anonymous Coward says:

Re: Re: Re:5 Re:

In other words go back to the days when the hosts file was all that you had, which also means that search engines become largely useless, and you largely eliminate the use of the Internet as an information source.

A filtered ISP provided DNS would be than what you propose, and you can use the hosts file to insert known IP addresses of sites that they block, so long as it is not an IP block.

Anonymous Coward says:

Re: Re:

Except this isn’t a firewall or anything even remotely close to it. It has zero value as a defensive measure.

Keep in mind the following:

1. DNS holds all kinds of information in addition to the A records that are so often used by web browsers.
2. The root zone files are available. Getting them requires a process, but they’re available.
3. Alternatively, there are passive DNS projects that have collected most of the data that exists in the root zones.
4. You can run your own DNS resolver on just about anything. I have one on each of my laptops and on a Raspberry Pi. You could run one on your phone or tablet.
5. Static hosts files are clumsy but in a pinch they suffice.
6. There are open DNS resolvers in many places.
7. VPNs, tunnels, tor, virtual hosts, proxies all enable BRICS DNS to be bypassed.
8. DNS traffic can be tunneled via other protocols.
9. Clouds, CDNs, etc. make it difficult to block services.
10. Even if 1-9 weren’t in play, the inability of anyone in a BRICS nation to perform a certain DNS query has zero effect on their vulnerability to attack.

This is a combination of political grandstanding and a vague hand-waving attempt at censorship. It won’t work.

Anonymous Coward says:

No one winning

Thanks Fancy Bear, APT 28, APT 29 for the suggestions. I’m sure as long as Russia can attach SORM to the network, everything will be all right–Comrade.

Don’t get me wrong, NSA isn’t the poster child for everything that is right in the world but you have to ask yourself which is the lesser of two evils. As far as I am aware, NSA hasn’t been out there stealing technology (looking at you China APT 1, APT 3) or crashing electrical grids or spreading malware in MeDoc.

Anonymous Coward says:

Re: No one winning

Although the nuclear arms race ended a quarter-century ago, it would appear that the cyberwar arms race is just in its early stages. It’s naive to think that Russia and China are not working furiously to try to catch up to America’s cyberwar dominance in every way possible.

This DNS server story could be a red herring. Russia no doubt knows that cyberwar defense means controlling as much as possible in its internet space – all the hardware, all the software, and all the technical expertise. Having full control also makes it easier for the government to spy, infiltrate, disrupt, disable, and all sorts of other underhanded shenanigans that paranoid, authoritarian governments tend to do.

Anonymous Coward says:

Re: Re: No one winning

“It’s naive to think that Russia and China are not working furiously to try to catch up to America’s cyberwar dominance in every way possible.”

I have bad news for you.

The Russians and the Chinese are AHEAD of the US, both in terms of understanding the theater of war and in terms of navigating it. This is one of the outcomes of 15+ years of steadily-narrowing US focus on one particular strain of terrorism at the expense of many other threats.

I have worse news for you.

The Russians and the Chinese have repeatedly and thoroughly demonstrated that they know how to leverage poorly-run US-based operations against the US. This includes “social media” like Facebook and Twitter as well as numerous ISPs and web hosts with horribly bad security practices. This is a brilliant strategy on their part (using the infrastructure that we built, that we run, that we pay for, and we think we own) and every indicator suggests that they have a massive head start on defenders…who are only now slowly figuring out what’s happened.

Let me give you one data point. Facebook has publicly admitted that there are 200M — MILLION — fake profiles on its site. Of course, like everyone else, they’re lying: the number they know about in-house is larger. Much larger. And of course, like everyone else, the real number is larger — much larger — than the one they think they know. It’s not at all a stretch to consider the possibility that there are a billion fake profiles on Facebook. (If you think this is unduly speculative, I invite you to consider the history of Yahoo’s email account breach.)

Anonymous Coward says:

Re: Re: Re: (beware the paper tiger)

“I have bad news for you.

The Russians and the Chinese are AHEAD of the US”

Such Dire warnings about Soviet superiority were the same sort of thing that Americans had constantly drummed into them throughout the entirety of the Cold War. But once the Soviet Union broke up, it became obvious that it was an extreme exaggeration, because for the most part, the Russians were decades behind Western technology and American military capability.

Or when back in 1990, all the times were were repeatedly told that Iraq had the world’s fourth most powerful army?

It’s hard to know exactly what sort of military capabilities other countries (especially adverse ones) actually have, but if history is any guide, we can be sure that whatever the US military industrial complex is screaming at us is likely to be a gross exaggeration if not an outright fantasy.

Anonymous Coward says:

Re: Re: Re:2 (beware the paper tiger)

Perhaps — but this is all public information, i.e., it’s not something emanating from the famous military-industrial complex. You’re correct that they have a sporadic history of hyping threats but in this particular instance I think they’re actually underselling it.

Also keep in mind that cyberwar doesn’t work the same way as traditional warfare. In the latter, a markedly inferior force can only succeed if it has some serious tactical/strategic advantages, e.g., the element of surprise. But in the former — and we see examples of this every single day — markedly inferior forces can succeed brilliantly.

Russian IS weak in many ways, for example, economically. But they don’t have to be strong by any traditional metric in order to wage highly effective cyberwar.

carlb (profile) says:

Out of the frying pan, into the fire

I don’t agree with the US controlling Internet infrastructure or controlling key software which could be used to break an entire country’s IT backbone. The country who brought us the DMCA and the DirecTV/DiSH “Black Sunday” and “Americas Top One” attacks now has the ability to force unwanted updates onto any Windows PC on the planet? If they were to attack us (as they did in 1776 and again in 1812) that could be abused.

That said, putting Russia in control would merely be going out of the frying pan into the fire. Russian control over Internet in Brazil, India or South Africa would be abused. As one example of how Russia is just as bad as the US for trying to apply its laws to entities in other countries where it has no lawful jurisdiction, try this gem from November 2015:

” It is notice of making an entry into the “Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation” the Internet web-site page (s) link (s): . “

” In case the hosting provider and (or) the Internet web-site owner fail to take these measures, the network address enabling to identify Internet web-sites containing the information prohibited for distribution in the Russian Federation will be decided to be entered into the Register and access will be limited. “

” The information about entering the domain names, Internet web-site page links and network addresses into the Register shall be available on a 24-hour basis at the following Internet address: . “

” Federal Service for Supervision in the Sphere of Telecom,
Information Technologies and Mass Communications (ROSKOMNADZOR). “

See what they just did? Someone in Russia is dictating to the upstream providers of a tiny Portuguese-language website in Canada that they should not be free to openly discuss Russian politics… even though that site has (predictably) no audience in Russia as “Português” is spoken not in Moscow but in São Paulo.

Brazil already has its own severe issues with libel chill and even a spurious claim can take a couple years to get to trial, to the point where doing any serious biography means dancing into a minefield of strategic lawsuits against public participation, but they’ve lived through dictatorship as recently as the 1980’s and I don’t see why they should have to relive that nightmare by having Russians control (and presumably censor) their communications.

Anonymous Coward says:

Re: So, I'm curious

“s there any legal requirement that that international system connect to that nation’s subnet, if the subnet violates international standards?”

No. They are completely independent systems. DNS is one minor service running OVER the Internet. Conflating the two is really dangerous from a legal standpoint. Any precedent from the entanglement you suggest would have a cascade effect that would be catastrophic.

MyNameHere (profile) says:

Essentially, Russia is just trying to get into a situation where, even if every connection to the outside internet is dropped, that things inside their own country (or group) will not be easily disrupted.

It also gives them the longer term ability to block sites or make it harder at least to find them, imagine all traffic for getting redirected to a look-a-like site that has nothing but the rhetoric that Russia is pushing on it. It’s citizens could be deceived by this sort of thing.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...