Gov't crackdown spurs initiatives to route around DNS
The Net interprets censorship as damage and routes around it
Over the Thanksgiving holiday weekend, US Immigration and Customs Enforcement (ICE), the principal investigative arm of the Department of Homeland Security (DHS), led an alphabet soup of government agencies in seizing the domain names of 82 Web sites (PDF) that ICE said were "engaged in the illegal sale and distribution of counterfeit goods and copyrighted works" (See: Operation In Our Sites v. 2.0). The seizures were accomplished by getting the VeriSign registry, owner of the .com and .net top-level domains, to change the authoritative domain-name servers for the seized domains to servers controlled by DHS.
Regardless of the supposed criminal intent of the affected systems, the seizure without notice of these domain names by US authorities sent shock-waves around the Internet world. It got people's attention in a much stronger way than version 1 of this enforcement operation had — the first iteration late last June seized the names of nine sites selling pirated first-run movies. Many people woke up to the reality of how vulnerable the DNS is to government meddling.
(More recently, the uproar caused by the WikiLeaks publication of US diplomatic cables — and subsequent attempts to censor the site and/or to hound it off the Internet — have resulted in what developer Dave Winer calls "a human DNS" implemented "in a weird sneaker-net sort of way," via Twitter and ad hoc bulletin-board sites.)
Within days of the ICE/DHS seizures, at least three separate initiatives to work around the DNS had been announced, and several existing alternatives were highlighted in the ensuing discussion. Let's take a look at some of these proposals — two to route around and one to supplant the DNS — and some of the obstacles they face.
1. 4LW: 4 Little Words
This new alt-DNS project got a quick boost from the developer communities at Hacker News and Reddit. The idea is to map each of the four numbers in an IPv4 address to one of 256 "little words," in the Mad Libs-inspired pattern adjective noun verb noun. For example, using an online 4LW generator, 184.108.40.206 (the IP address of the seized domain name torrent-finder.com) becomes simple hair climbs cup. Reddit user armooo created an open source DNS server that returns "A" records using the 4LW protocol. For the example above, visiting http://simple.hair.climbs.cup.4lw.org takes you straight to the site formerly pointed to by the seized domain name. This scheme should continue to work unless 4lw.org itself is compromised, in which case others could copy the source code and put up their own servers; meta-servers could emerge to distribute requests among known 4LW servers; and so on.
2. P2P DNS: Peering Around It
This project has gotten the lion's share of press attention, because it was initially suggested by Peter Sunde, co-founder of The Pirate Bay. The idea is to create a peer-to-peer alternative to the DNS, and beyond that nothing has been announced. Sunde's blog post has garnered over 100 comments, most pledging help and some offering concrete suggestions or pointing out similar efforts across the Net. There are active brainstorms in various media and a code repository, which is currently empty. Sunde has promised a press release soon.
3. Project IDONS: Internet Distributed Open Name System
This proposal is by Lauren Weinstein, one of the early developers of what became the Internet and the long-time moderator of the PRIVACY forum (which predates even the widespread existence of email). Weinstein's vision is of "an alternative Internet name to address mapping system — fully distributed, open source, fault-tolerant, secure, flexible, and not subject to centralized constraints, meddling, and censorship." Other high-level goals include "no central registries, no registrars, no fees nor charges necessary for any name or address operations across IDONS."
Weinstein adds in his introduction to IDONS: "Ad hoc attempts to bypass the existing system (such as those newly proposed by Pirate Bay) are likely to create fragmentation and confusion, and therefore ironically tend to further entrench the existing system… ad hoc won't fly for this."
In an interview, Weinstein told me he has had a "couple of thousand" responses to the IDONS proposal, ranging from substantive technical suggestions to "Yes I'd like to help." Weinstein said, "The point is not just to replace the DNS with another DNS. It's to get out from under a completely limiting condition. Technology is full of these kinds of situations in which we have to get out from under bad early decisions. In the case of DNS, the mistake was centralization. That enables not only censorship, but also the whole gigantic mess that has grown up around domain registrations" — what Weinstein has taken to calling the "domain industrial complex." He continued, "This is not just a technical project, it's an attempt to change the underlying mechanisms we use for names on the Internet. It involves policy and politics as well as technology." And it's likely to be a 10-year effort or longer.
At this point the project does not have a website or a mailing list. Interested parties can contact Weinstein via his blog.
Operation In Our Sites v. 2.0
Mere weeks ago, rights activists and users concerned about Internet censorship were mounting opposition to the proposed Combating Online Infringement and Counterfeits Act — a law that would give the Justice Department the power to seize domain names from sites around the globe that are "dedicated to infringing activities." That bill is now sidelined in the Senate. Now, with "Operation In Our Sites v. 2.0," the DoJ is asserting that it already has the authority, under the 2008 PRO-IP law (PDF), to turn off DNS service for sites that rely on US-resident domain-name registries, even if the sites are based outside the US. (The court orders for seizure were served on VeriSign, the Virginia company that runs the .com and .net registries.)
While most of the seized sites sold counterfeit goods such as sports equipment, shoes and handbags, at least one sold nothing and did not even store pointers to contraband. Torrent-finder.com is a meta-search engine that returns results from other search engines, in response to user queries, and according to TorrentFreak.com "is not encouraging or even facilitating copyright infringement any more than other search engines such as Google." There has been no official comment on this apparent anomaly. The EFF and the CDT have raised questions about the "nuke-the-whole-website approach," and the EFF has vowed to fight the actions.
The operation that was torrent-finder.com has reopened at torrent-finder.info; its owner, who lives in Egypt, has also vowed to fight the seizure.
Drawbacks to trying to route around the DNS
Any alternative to or replacement for the DNS must begin by acknowledging the existing system's strengths: it is ubiquitous, it is built in to many aspects of the way the Internet functions, it is distributed and scaleable (and in fact has scaled by 5 or 6 orders of magnitude since its introduction in the 1980s), and it establishes a hierarchy of trust so that you have some assurance (not 100%) that you're visiting the site you think you are.
A major concern for any DNS alternative — especially one that stands beside the existing DNS — must be "breaking the Internet" into Balkanized islands, unreachable one from the other. In practice this means that any alt-DNS must somehow allow access to all Internet resources. Past attempts at establishing an alternate DNS root, such as AlterNIC.net (begun in 1995), required tweaking configuration files in domain name servers — clearly a non-starter for widespread adoption. AlterNIC faded away after its founder was convicted in the US of wire fraud, and the Internet Architecture Board spoke out strongly against alternate roots in RFC 2826. Nonetheless, other attempts at setting up an alternate root have sprung up. These depend on a Web browser to decide which name resolver to use: for example, Unified Root provides its own browser, called Sundial and based on Firefox; and DASHWORLDS offers a browser plug-in for Internet Explorer on Windows.
A drawback to routing-around proposals such as 4LW is the assumption of one domain name per IP address. Such one-to-one mapping is by no means universal, and may be getting less common as IPv4 addresses dwindle to exhaustion. I run a server in the cloud with a dozen or more sites on each of several IP addresses. The server is set up to provide the correct content to the visitor based on which domain name was requested — Apache configuration files for that purpose are generated by the (Plesk) site management software. A visitor who types in one of my server's IP addresses, or goes there via e.g. the 4LW protocol, will get a default Apache page. Presumably some deep juju could be developed for the Apache server's rewrite engine, but it would have to be custom-made for each alt-DNS scheme. It would have to be added by hand to each site's Apache configuration file, as the site management software (such as Plesk or cPanel) won't know about it — and therefore will tend to overwrite it. And ditto for sites running Microsoft's IIS or any of numerous other Web servers.
Another issue that alt-DNS schemes will face is that websites use non-relative internal links, hard-coded with fully qualified domain names. Any such links will work as long as the official DNS points to where the site expects it to, but break in case of domain-name compromise.
Perhaps the biggest obstacle any aspiring DNS workaround or replacement faces is getting to critical mass. I spoke to one alt-DNS developer, Chris Brainard, who is working on a concept called FreeLayer. In his opinion, "Most people won't switch if what they are using is working. Plus you have tight integration with browsers and search engines and code. So in a way the only people who are really interested in this are those who wish to have more privacy, have an interest in the technology, want domains for free, or are doing something illegal." Lauren Weinstein acknowledges that the scope of the IDONS project "may perhaps be reasonably compared with the scale of IPv6 deployment" — in other words, massive.