Russia Says Disconnecting From The Rest Of The Net 'Out Of The Question', But Wants Alternative DNS Servers For BRICS Nations
from the think-global,-act-local dept
At the start of the year, we wrote about a call for Russia to make its Internet infrastructure resistant to external attempts to shut it down, and able to work in isolation if need be. It looks like the authorities are moving ahead with the idea:
The Russian Security Council has asked the country’s government to develop an independent internet infrastructure for BRICS nations, which would continue to work in the event of global internet malfunctions.
The RT news story has some details on how the BRICS subnet will work:
They decided that the problem should be addressed by creating a separate backup system of Domain Name Servers (DNS), which would not be subject to control by international organizations. This system would be used by countries of the BRICS bloc — Brazil, Russia, India, China and South Africa.
The plan has evidently developed from a purely Russian intranet system to one that includes the other BRICS nations. Creating additional DNS servers will be easy, so there’s no reason why it shouldn’t happen — not least because Putin has “personally set a deadline of August 1, 2018 for the completion of the task”. Perhaps the most interesting aspect of the story is the following comment by Putin’s Press Secretary, Dmitry Peskov:
“Russia?s disconnection from the global internet is of course out of the question,” Peskov told the Interfax news agency. However, the official also emphasized that “recently, a fair share of unpredictability is present in the actions of our partners both in the US and the EU, and we [Russia] must be prepared for any turn of events.”
That offers a pragmatic recognition that disconnection from the global Internet is no longer an option for a modern state, even if Iran begs to differ. It’s true that local DNS servers provide resilience, but they also make it much easier for a government to limit access to foreign sites by ordering their IP addresses to be blocked — surely another reason for the move.
This latest proposal is part of a long-running campaign by Russia to wrest control of key aspects of the Internet — such as the DNS system — from international bodies, for example during the ITU’s World Conference on International Communications (WCIT) in 2012. Russia already had the support of other BRICS governments back then, which suggests they will back the new approach.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Comments on “Russia Says Disconnecting From The Rest Of The Net 'Out Of The Question', But Wants Alternative DNS Servers For BRICS Nations”
Yeah, this is not a new movie
Others have tried to set up alternate roots. It’s not as easy as it looks.
And the moment this goes live — if not before — there will be static hosts files making the rounds. They won’t contain everything but they’ll have all the important stuff.
Re: Yeah, this is not a new movie
You’re assuming you’d notice if you were using an alternate root. Which if your using caching name service from a major ISP, it might as well be, considering all the shenanigans they play with the DNS system.
Really there needs to be a chinese wall between DNS providers and ISP’s. These services should not be managed by the same companies. DNS is badly deprecated, and if you want to see it get fixed, you have to make it profitable to do so. Which means it has to be it’s own service.
Re: Re: Yeah, this is not a new movie
“DNS is badly deprecated”
More like abused than deprecated.
“if you want to see it get fixed, you have to make it profitable”
another reason markets are not self regulating
Re: Re: Re: Yeah, this is not a new movie
“More like abused than deprecated.”
IMHO namecoin is closer to a servicable architecture going forward. As long as you have a root server, and/or a cascading database configuration, there will be MITM attacks.
The only thing that fixes that is blockchain. But… If your going to go to all that length, then even better is to make it indistinguishable from other traffic types.
IMHO the whole stack is deprecated, because ISO layers 4 and 5 should be transposed. Port numbers should never have been publicly exposed data. If it isn’t exposed we get much closer to compelled NN, because full encryption at layer 4 forcibly deprecates QOS switching on traffic type.
Re: Re: Re:2 Yeah, this is not a new movie
MITM does not need DNS
Sounds like a lot of bandaging you have in mind, why not simply stop hurting yourself?
Re: Yeah, this is not a new movie
FreeDNS set up a blended root, OpenDNS set up a blended root, TOR set up a blended root — all three projects are still going strong.
What worries me about what Russia is doing is not that they’re setting up an alternate root — I think that has the potential to be a good thing, especially if it peers with the current root.
What worries me is whether they’re going to mandate that all DNS traffic be limited to the upstream provider via router configurations — that is, any DNS request that’s not signed by the appropriate authority will be dropped.
In the past, the way DNS was designed prevented this sort of thing, but signing DNS traffic is a two way street — you can verify there’s been no MITM attempt, but you can also programmatically block queries to DNS servers you don’t want your downstream users seeing.
This means it’s possible that 8.8.8.8 and 9.9.9.9 (and all the other public DNS servers) may start getting dropped, and even local DNS resolvers may get dropped wholesale if they’re from zones the upstream provider doesn’t like.
I haven’t used an ISP DNS in 20 years, but this plan could force people to do so or risk unreliability/fragmentation.
cyber warfare
There could be much more to this story than that which appears on the surface.
Leaked documents from the NSA, CIA, and other agencies has demonstrated that the US government is on a mission to weaponize the internet, so it makes sense that other nations would take defensive precautions that would minimize damages from such attacks. Since NATO nations to a large degree control much of the critical internet backbones, the ability of individual nations to compartmentalize their own internet to at least some degree would be a logical step.
BRICS was established as a free trade block, though it has been slowly moving in the direction toward a military alliance, so it will be interesting to see if these countries will feel free to trust Russia and China –as opposed to the US & NATO– for such a critical utility as internet service.
Considering the way that DNS servers in Western nations have increaasingly been used as a major censorship tool, it seems strange that the rest of the world would not have made major efforts to avoid US & EU-controlled DNS servers a long time ago.
Re: cyber warfare
Nicely done, Ivan.
I wonder how long it will be before they make it illegal to manually type in the address of a different DNS server.
Re: Re:
More to the point, and without net neutrality, how long before an ISP blocks all but their own DNS servers?
Re: Re: Re:
Even if your browser were to have a single DNS server address hardwired in, or if your ISP were to force-route all URLs to its own DNS server, there is a simple way around that problem. Just use a proxy site, as they don’t rely on your ISP (or browser) directed DNS server.
Re: Re: Re: Re:
This may not be as easy as it sounds.
Current DNS is federated, where each server points to a more local authority until the DNS server that “owns” the IP eventually responds with the address that should be connected to.
Proxying basically lets you tunnel to some other starting location to kick off your chain of queries. Full proxying will create an encrypted tunnel to that starting point and move the entire chain of queries through the tunnel so that your ISP only sees a stream of encrypted data.
However, encrypted DNS traffic is easy to spot at the router with packet inspection. It stands out like a sore thumb, and is easy to drop if the owner of the router is so inclined. And once you’ve eliminated encrypted DNS traffic, it’s just as easy to spot when someone’s not going through the official, signed DNS root to get their DNS queries resolved. This may require a new layer added to DNS, but that’s essentially what’s happening here: the DNS chain will be signed so that you can trace the authority back to the originating server. This creates a chain of trust, but also creates a chain of control.
Re: Re: Re:
“how long before an ISP blocks all but their own DNS servers?”
How would they accomplish this? … Make it so users are forced into using the official “browser” crafted by the ISP?
Certainly there are ways of circumventing this also.
Re: Re: Re: Re:
Re: Re: Re:2 Re:
And “block the addresses of all known DNS servers” is actually easier than it sounds — at least for the bulk of them. Let me explain how I’d do that.
There are two ways to acquire the root zone files (that is: the list of authoritative DNS servers for each root zone like .com, .net, .info, etc.) One is to apply for access to them, which isn’t that onerous if you present identification and reasons. The other is to set up passive DNS listeners and just grab everything as it goes by — perhaps augmenting that by doing a lot of queries.
In both cases, what you’d end up with — to a sloppy first approximation — would be a very large list of domain names along with their associated nameservers. You sort that list by the number of occurrences of each DNS server, and then block the top million plus the DNS servers for the Alexa top million plus all the open DNS servers that you know about.
That won’t catch everything, but it will catch the overwhelming majority of the DNS servers used by the overwhelming majority of domains that anybody cares about.
Re: Re: Re:2 Re:
Again, that is easily circumvented as one does not need to go looking for someone else’s DNS server when they can set up their own – one must protect against DNS poisoning and other such nefarious attacks but it is well documented. Maybe that is why they are attempting to censor the flow of information.
Re: Re: Re:3 Re:
generally, if you set up your own DNS server, you will point it at an external DNS server to deal with all queries that are not for your domain.
The reason that ISPs provide DNS service is to become a man in the middle, using one of the big DNS providers to do the heavy lifting. After they have logged your request, and filtered for anything that they want to block they pass it on to gt it resolved. This also allows them to respond to failed requests by sending you to an advertising page.
Re: Re: Re:4 Re:
“generally, if you set up your own DNS server, you will point it at an external DNS server to deal with all queries that are not for your domain.”
Yup. One would have to turn that off that function and populate manually those sites one desired to visit. I thought that was a well known given.
Even if you use a DNS server out there in wonderland, one can still enter an IP address in the browser – no DNS necessary.
Re: Re: Re:5 Re:
In other words go back to the days when the hosts file was all that you had, which also means that search engines become largely useless, and you largely eliminate the use of the Internet as an information source.
A filtered ISP provided DNS would be than what you propose, and you can use the hosts file to insert known IP addresses of sites that they block, so long as it is not an IP block.
From one BRICs citizen: no, thanks.
Of course they’d need to make it illegal to use open DNS servers for this to fully match with their authoritarian ideas.
Did we just get a news story from the 20th century?
A more relevant story would be something like “Russia finally joins the many nations who are ready to firewall themselves from the rest of the world and go it alone.”
While “The Great Firewall of China” is the best known, the Chinese were hardly the first, or only.
Re: Re:
Except this isn’t a firewall or anything even remotely close to it. It has zero value as a defensive measure.
Keep in mind the following:
1. DNS holds all kinds of information in addition to the A records that are so often used by web browsers.
2. The root zone files are available. Getting them requires a process, but they’re available.
3. Alternatively, there are passive DNS projects that have collected most of the data that exists in the root zones.
4. You can run your own DNS resolver on just about anything. I have one on each of my laptops and on a Raspberry Pi. You could run one on your phone or tablet.
5. Static hosts files are clumsy but in a pinch they suffice.
6. There are open DNS resolvers in many places.
7. VPNs, tunnels, tor, virtual hosts, proxies all enable BRICS DNS to be bypassed.
8. DNS traffic can be tunneled via other protocols.
9. Clouds, CDNs, etc. make it difficult to block services.
10. Even if 1-9 weren’t in play, the inability of anyone in a BRICS nation to perform a certain DNS query has zero effect on their vulnerability to attack.
This is a combination of political grandstanding and a vague hand-waving attempt at censorship. It won’t work.
Brilliant!
About bloody time! We are sick and tired of being dictated to by the fascist USA. Western imperialists, you can all go fuck yourselves!
No one winning
Thanks Fancy Bear, APT 28, APT 29 for the suggestions. I’m sure as long as Russia can attach SORM to the network, everything will be all right–Comrade.
Don’t get me wrong, NSA isn’t the poster child for everything that is right in the world but you have to ask yourself which is the lesser of two evils. As far as I am aware, NSA hasn’t been out there stealing technology (looking at you China APT 1, APT 3) or crashing electrical grids or spreading malware in MeDoc.
Re: No one winning
Although the nuclear arms race ended a quarter-century ago, it would appear that the cyberwar arms race is just in its early stages. It’s naive to think that Russia and China are not working furiously to try to catch up to America’s cyberwar dominance in every way possible.
This DNS server story could be a red herring. Russia no doubt knows that cyberwar defense means controlling as much as possible in its internet space – all the hardware, all the software, and all the technical expertise. Having full control also makes it easier for the government to spy, infiltrate, disrupt, disable, and all sorts of other underhanded shenanigans that paranoid, authoritarian governments tend to do.
Re: Re: No one winning
“It’s naive to think that Russia and China are not working furiously to try to catch up to America’s cyberwar dominance in every way possible.”
I have bad news for you.
The Russians and the Chinese are AHEAD of the US, both in terms of understanding the theater of war and in terms of navigating it. This is one of the outcomes of 15+ years of steadily-narrowing US focus on one particular strain of terrorism at the expense of many other threats.
I have worse news for you.
The Russians and the Chinese have repeatedly and thoroughly demonstrated that they know how to leverage poorly-run US-based operations against the US. This includes “social media” like Facebook and Twitter as well as numerous ISPs and web hosts with horribly bad security practices. This is a brilliant strategy on their part (using the infrastructure that we built, that we run, that we pay for, and we think we own) and every indicator suggests that they have a massive head start on defenders…who are only now slowly figuring out what’s happened.
Let me give you one data point. Facebook has publicly admitted that there are 200M — MILLION — fake profiles on its site. Of course, like everyone else, they’re lying: the number they know about in-house is larger. Much larger. And of course, like everyone else, the real number is larger — much larger — than the one they think they know. It’s not at all a stretch to consider the possibility that there are a billion fake profiles on Facebook. (If you think this is unduly speculative, I invite you to consider the history of Yahoo’s email account breach.)
Re: Re: Re: (beware the paper tiger)
“I have bad news for you.
The Russians and the Chinese are AHEAD of the US”
Such Dire warnings about Soviet superiority were the same sort of thing that Americans had constantly drummed into them throughout the entirety of the Cold War. But once the Soviet Union broke up, it became obvious that it was an extreme exaggeration, because for the most part, the Russians were decades behind Western technology and American military capability.
Or when back in 1990, all the times were were repeatedly told that Iraq had the world’s fourth most powerful army?
It’s hard to know exactly what sort of military capabilities other countries (especially adverse ones) actually have, but if history is any guide, we can be sure that whatever the US military industrial complex is screaming at us is likely to be a gross exaggeration if not an outright fantasy.
Re: Re: Re:2 (beware the paper tiger)
Perhaps — but this is all public information, i.e., it’s not something emanating from the famous military-industrial complex. You’re correct that they have a sporadic history of hyping threats but in this particular instance I think they’re actually underselling it.
Also keep in mind that cyberwar doesn’t work the same way as traditional warfare. In the latter, a markedly inferior force can only succeed if it has some serious tactical/strategic advantages, e.g., the element of surprise. But in the former — and we see examples of this every single day — markedly inferior forces can succeed brilliantly.
Russian IS weak in many ways, for example, economically. But they don’t have to be strong by any traditional metric in order to wage highly effective cyberwar.
Out of the frying pan, into the fire
I don’t agree with the US controlling Internet infrastructure or controlling key software which could be used to break an entire country’s IT backbone. The country who brought us the DMCA and the DirecTV/DiSH “Black Sunday” and “Americas Top One” attacks now has the ability to force unwanted updates onto any Windows PC on the planet? If they were to attack us (as they did in 1776 and again in 1812) that could be abused.
That said, putting Russia in control would merely be going out of the frying pan into the fire. Russian control over Internet in Brazil, India or South Africa would be abused. As one example of how Russia is just as bad as the US for trying to apply its laws to entities in other countries where it has no lawful jurisdiction, try this gem from November 2015:
” It is notice of making an entry into the “Unified register of domain names, Internet web-site page links and network addresses enabling to identify the Internet web-sites containing the information prohibited for public distribution in the Russian Federation” the Internet web-site page (s) link (s):http://desciclopedia.org/wiki/Tomoyo_Daidouji . “
” In case the hosting provider and (or) the Internet web-site owner fail to take these measures, the network address enabling to identify Internet web-sites containing the information prohibited for distribution in the Russian Federation will be decided to be entered into the Register and access will be limited. “
” The information about entering the domain names, Internet web-site page links and network addresses into the Register shall be available on a 24-hour basis at the following Internet address:http://eais.rkn.gov.ru/en/ . “
” Federal Service for Supervision in the Sphere of Telecom,
Information Technologies and Mass Communications (ROSKOMNADZOR). “
See what they just did? Someone in Russia is dictating to the upstream providers of a tiny Portuguese-language website in Canada that they should not be free to openly discuss Russian politics… even though that site has (predictably) no audience in Russia as “Português” is spoken not in Moscow but in São Paulo.
Brazil already has its own severe issues with libel chill and even a spurious claim can take a couple years to get to trial, to the point where doing any serious biography means dancing into a minefield of strategic lawsuits against public participation, but they’ve lived through dictatorship as recently as the 1980’s and I don’t see why they should have to relive that nightmare by having Russians control (and presumably censor) their communications.
Re: ...and the russkies block themselves for good measure
https://www.bloomberg.com/view/articles/2017-06-13/how-the-russian-internet-censor-banned-itself
So, I'm curious
If a country separates from the international DNS system, is there any legal requirement that that international system connect to that nation’s subnet, if the subnet violates international standards?
Re: So, I'm curious
I am not an attorney, I’m an engineer, so take this answer for that it’s worth: no.
As far as I know, nobody is obligated to use ANY DNS services if they don’t want to. Does make things difficult for end users, but that’s their problem.
Re: So, I'm curious
“s there any legal requirement that that international system connect to that nation’s subnet, if the subnet violates international standards?”
No. They are completely independent systems. DNS is one minor service running OVER the Internet. Conflating the two is really dangerous from a legal standpoint. Any precedent from the entanglement you suggest would have a cascade effect that would be catastrophic.
Essentially, Russia is just trying to get into a situation where, even if every connection to the outside internet is dropped, that things inside their own country (or group) will not be easily disrupted.
It also gives them the longer term ability to block sites or make it harder at least to find them, imagine all traffic for whitehouse.gov getting redirected to a look-a-like site that has nothing but the rhetoric that Russia is pushing on it. It’s citizens could be deceived by this sort of thing.