🧵 2/2
IANA is administered by ICANN: https://en.wikipedia.org/wiki/ICANN . Again, ICANN is an international organization, but its headquarters are in the United States. I would compare this to the United Nations, which also has its headquarters on US soil. Yes, the US could put the organization's property and some of its personnel under threat, and it could be quite disruptive, but the organization is global enough that it almost certainly could continue its operations and maintain its desired policies under such an attack.
Let's also talk about the physical infrastructure at the root of the DNS. When you look up example.com, your DNS resolver (conceptually) goes to the root to ask where the DNS servers for .com are, then asks those servers where the DNS servers for example.com are. These root servers are extremely important, if utterly invisible to most people. There are currently thirteen root DNS servers: https://en.wikipedia.org/wiki/Root_name_server . However, each 'root server' is actually a bunch of root servers, many of them spread across the globe in various countries. The picture attached to this post shows where the physical servers are. Most of the operators of the root servers are American companies, but there are also companies headquartered in the Netherlands, Sweden, and Japan. We are probably pretty safe on this front.
Let's wrap up by moving a level up, to the DNS server closest to your own computer.
Unless you've done any special configuration (and you will know if you have...) you are probably using one of two DNS servers: most devices and software on your network are probably using your ISP's DNS server, and your browser *might* be using a third-party DNS server via DoH.
Could a government compel your ISP to hijack DNS requests? Legally, I don't know, but on a technical level, mostly yes. Doing so would involve adding entries to their DNS servers that differ from the "real" ones, and returning those to you instead. This would essentially hijack the domain for all customers of that ISP. An attacker would have to do this ISP by ISP; this is easier in some places than others - in some countries the ISPs are already functionally arms of the government, in others they are independent but have consolidated down to just a few options, and others have more diversity.
Ah, but, you say, DNSSEC! And yes, DNSSEC! For most of its history, the DNS has not provided a way to verify that the answer you get is legitimate instead of, say, replaced by your ISP as described above. Some time back, a set of extensions to DNS was put together to prevent such attacks: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions . There is more detail here than I could possibly go into, but this mechanism is (1) deployed on some TLDs but not all, (2) deployed only spottily on domains within the TLDs that support it, and (3) not universally checked by all resolvers. So: yes, DNSSEC helps - it generally protects the domains that have deployed it from being hijacked, even under threat to the ISP, but its effects are uneven.
ISPs can relatively easily block you from using DNS servers other than their own - AFAIK, most don't, currently, but they can, because DNS requires UDP port 53, so it's easy to recognize and block.
So, let's talk about DoH - this is DNS over HTTPS, and it gives you an encrypted way to make DNS requests and uses the same TCP port as HTTPS, making it harder for an ISP to block. Like DNSSEC, the more DoH there is in use, the less effective ISP-level domain hijacking is. Lately, browser vendors have started experimenting with making DoH the default for at least some users in at least some places; both Firefox and Chrome turned it on by default for some users in 2020: https://en.wikipedia.org/wiki/DNS_over_HTTPS . But, this is not 100% a win for freedom from government attacks: Chrome uses Google's DNS servers by default, and Firefox uses CloudFlare's - this can be changed, but it's a re-centralization, and therefore an attractive attack target for governments that have leverage over these two organizations.
So to conclude: the DNS is a very messy system with lots of points that could be attacked by a government, but it is also composed of enough systems, organizations, and protocols that attempts to seize domain names are likely to be hard to do at scale, and while the opportunity for mass disruption does exist, it is unlikely to meet with much long-term large-scale success.
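The DNSSEC and DoH parts of the post above describe what a client can and cannot tell from the answer it gets back. The following is an added example (not code from the original post or its author) showing the wire-level version of that: it builds a DNS query with the EDNS0 DO ("DNSSEC OK") bit set, parses a response, and reports whether the resolver asserted validation via the AD flag. The response bytes are constructed inline (test data, not captured traffic), using example.com and TEST-NET addresses, so it runs offline; the query bytes it produces are exactly what a DoH client would POST as application/dns-message.

```python
"""Added example, not from the original post: build a DNS query with the EDNS0
DO bit set, parse a DNS response, and report whether the resolver asserted
DNSSEC validation via the AD flag. All bytes are constructed inline (no network
traffic); the query is exactly what a DoH client would POST as
application/dns-message."""
import struct

TYPE_A, TYPE_OPT = 1, 41
FLAG_AD, FLAG_CD = 0x0020, 0x0010  # header flag bits (RFC 4035)


def encode_name(name: str) -> bytes:
    """Encode "example.com." as length-prefixed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Standard query (RD=1) with one question and an OPT record carrying DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|DO|Z
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Parse header flags and the answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
           "cd": bool(flags & FLAG_CD), "answers": []}
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE, QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        out["answers"].append((name, rtype, ttl, value))
    return out


def build_response(query: bytes, addresses, ad: bool, ttl: int = 300) -> bytes:
    """Constructed test response (not a captured packet). ad=True mimics a
    validating resolver; ad=False mimics one that does not validate, or an
    ISP resolver that has substituted its own A records."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180 | (FLAG_AD if ad else 0), 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in addresses)
    return header + question + rrs


def assess(query: bytes, response: bytes) -> str:
    """Client-side check. Caveat: AD is asserted by the resolver, so it means
    something only if you trust the resolver and the path to it (e.g. DoH/DoT);
    a lying ISP resolver can set AD just as easily as it rewrites rdata."""
    resp = parse_response(response)
    if resp["id"] != struct.unpack("!H", query[:2])[0]:
        return "mismatched transaction id"
    if resp["rcode"] != 0:
        return f"rcode {resp['rcode']}"
    return "answer validated by resolver (AD=1)" if resp["ad"] else "answer NOT validated (AD=0)"


if __name__ == "__main__":
    q = build_query("example.com.")
    good = build_response(q, ["192.0.2.1"], ad=True)          # constructed data
    hijacked = build_response(q, ["198.51.100.9"], ad=False)  # constructed data
    for r in (good, hijacked):
        print(parse_response(r)["answers"], assess(q, r))
```

The takeaway the post hints at: a stub client that does not validate itself is trusting whoever set the AD bit. Against the ISP-level hijack described above, the AD bit only helps when the resolver is reached over an authenticated channel (DoH or DoT to an operator you trust) or when the client does its own validation with the RRSIG and DNSKEY records it requested by setting DO.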
@davidaugust Well, I must contradict!
I have my own company and run my own server for myself.
I sure as heck can break it if I do something bad in su. Or mess with some init scripts. Or wipe out my carefully crafted nginx block.
So, one person and one company can break one.
(-;
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.