Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://discuss.systems/users/ricci/statuses/114412305047891702">Rob Ricci (ricci@discuss.systems)'s status on Monday, 28-Apr-2025 07:43:27 JST</a><a href="https://discuss.systems/@ricci" title="ricci@discuss.systems"><img src="https://gnusocial.jp/avatar/116194-48-20250425211628.webp" width="48" height="48" alt="Rob Ricci" style="position: absolute; left: 0; top: 0;">Rob Ricci</a><div><a href="https://discuss.systems/@ricci/114412296355937121" rel="in-reply-to">in reply to</a></div></section><article><p>🧵 2/2</p><p>IANA is administered by ICANN: <a href="https://en.wikipedia.org/wiki/ICANN" rel="nofollow noreferrer">https://en.wikipedia.org/wiki/ICANN</a> . Again, ICANN is an international organization, but its headquarters are in the United States. I would compare this to the United Nations, which also has its headquarters on US soil. Yes, the US could put the organization's property and some of its personnel under threat, and it could be quite disruptive, but the organization is global enough that it almost certainly could continue its operations and maintain its desired policies under such an attack.</p><p>Let's also talk about the physical infrastructure at the root of the DNS. When you look up example.com, your DNS resolver (conceptually) goes to the root to ask where the DNS servers for .com are, then asks those servers where the DNS servers for example.com are. These root servers are extremely important, if utterly invisible to most people. There are currently thirteen root DNS servers: <a href="https://en.wikipedia.org/wiki/Root_name_server" rel="nofollow noreferrer">https://en.wikipedia.org/wiki/Root_name_server</a> . However, each 'root server' is actually a bunch of root servers, many of them spread across the globe in various countries. The picture attached to this post shows where the physical servers are. Most of the operators of the root servers are American companies, but there are also companies headquartered in the Netherlands, Sweden, and Japan. We are probably pretty safe on this front.</p><p>Let's wrap up by moving a level up, to the DNS server closest to your own computer.</p><p>Unless you've done any special configuration (and you will know if you have...) you are probably using either one two DNS servers: most devices and software on your network are probably using your ISP's DNS server, and your browser *might* be using a third-party DNS server via DoH. </p><p>Could a government compel your ISP to hijack DNS requests? Legally, I don't know, but on a technical level, mostly yes. Doing so would involve adding entries to their DNS servers that differ from the "real" ones, and returning those to you instead. This would essentially hijack the domain for all customers of that ISP. An attacker would have to do this ISP by ISP; this is easier in some places than others - in some countries the ISPs are already functionally arms of the government, in others they are independent but have consolidated down to just a few options, and others have more diversity.</p><p>Ah, but, you say, DNSSEC! And yes, DNSSEC! For most of its history, the DNS has not provided a way to verify that the answer you get is legitimate instead of, say, replaced by your ISP as described above. Some time back, a set of extensions to DNS was put together to prevent such attacks: <a href="https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" rel="nofollow noreferrer">https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions</a> . There is more detail here than I could possibly go into, but this mechanism is (1) deployed on some TLDs but not all, (2) deployed only spottily on domains within the TLDs that support it, and (3) not universally checked by all resolvers. So: yes, DNSSEC helps - it generally protects the domains that have deployed it from being hijacked, even under threat to the ISP, but its effects are uneven.</p><p>ISPs can relatively easily block you from using DNS servers other than their own - AFAIK, most don't, currently, but they can, because DNS requires UDP port 53, so it's easy to recognize and block.</p><p>So, let's talk about DoH - this is DNS over HTTPS, and it gives you an encrypted way to make DNS requests and uses the same TCP port as HTTPS, making it harder for an ISP to block. Like DNSSEC, the more DoH there is in use, the less effective ISP-level domain hijacking is. Lately, browser vendors have started experimenting with making DoH the default for at least some users in at least some places; both Firefox and Chrome turned it on by default for some users in 2020: <a href="https://en.wikipedia.org/wiki/DNS_over_HTTPS" rel="nofollow noreferrer">https://en.wikipedia.org/wiki/DNS_over_HTTPS</a> . But, this is not 100% a win for freedom from government attacks: Chrome uses Google's DNS servers by default, and Firefox uses CloudFlare's  - this can be changed, but it's a re-centralization, and therefore an attractive attack target for governments that have leverage over these two organizations.</p><p>So to conclude: the DNS is a very messy system with lots of points that could be attacked by a government, but it is also comprised of enough systems, organizations, and protocols that attempts to seize domain names are likely to be hard to do at scale, and while the opportunity for mass disruption does exist, it is unlikely to meet with much long-term large-scale success.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4965085#notice-9729530">In conversation</a><time datetime="2025-04-28T07:43:27+09:00" title="Monday, 28-Apr-2025 07:43:27 JST">about 21 days ago</time> <span>from <span><a href="https://discuss.systems/@ricci/114412305047891702" rel="external" title="Sent from discuss.systems via ActivityPub">discuss.systems</a></span></span><a href="https://discuss.systems/@ricci/114412305047891702">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="http://example.com/">Example Domain</a></h5><div></div></header><div></div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/866825">Untitled attachment</a></label><br></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions">Domain Name System Security Extensions</a></h5><div></div></header><div>The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.Overview
The original design of the Domain Name System did not include any security features. It was conceived only as a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempt to add security, while maintaining backward compatibility. RFC 3833 of 2004 documents some of the known threats to the DNS, and their solutions in DNSSEC.
DNSSEC was designed to protect applications using DNS from accepting forged or manipulated DNS data, such as that created by DNS cache poisoning. All answers from DNSSEC protected zones are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served...</div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4536593">A screenshot of a map, taken from root-servers.net. It shows the locations of root DNS servers around the world - there are hundreds, and they are on all continents.</a></label><br><a href="https://fd.discuss.systems/media_attachments/files/114/412/301/801/658/092/original/d1047d411d346b46.png" rel="external">https://fd.discuss.systems/media_attachments/files/114/412/301/801/658/092/original/d1047d411d346b46.png</a></li><li><article><header><div>Domain not in remote thumbnail source whitelist: upload.wikimedia.org</div><h5><a href="https://en.wikipedia.org/wiki/ICANN">ICANN</a></h5><div></div></header><div>The Internet Corporation for Assigned Names and Numbers (ICANN  EYE-kan) is a global multistakeholder group and nonprofit organization headquartered in the United States responsible for coordinating the maintenance and procedures of several databases related to the namespaces and numerical spaces of the Internet, ensuring the Internet's stable and secure operation. ICANN performs the actual technical maintenance work of the Central Internet Address pools and DNS root zone registries pursuant to the Internet Assigned Numbers Authority (IANA) function contract. The contract regarding the IANA stewardship functions between ICANN and the National Telecommunications and Information Administration (NTIA) of the United States Department of Commerce ended on October 1, 2016, formally transitioning the functions to the global multistakeholder community.
Much of its work has concerned the Internet's global Domain Name System (DNS), including policy development for internationalization of the DNS, introduction of new generic top-level domains (TLDs), and the operation...</div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: upload.wikimedia.org</div><h5><a href="https://en.wikipedia.org/wiki/Root_name_server">Root name server</a></h5><div></div></header><div>A root name server is a name server for the root zone of the Domain Name System (DNS) of the Internet. It directly answers requests for records in the root zone and answers other requests by returning a list of the authoritative name servers for the appropriate top-level domain (TLD). The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.
A combination of limits in the DNS and certain protocols, namely the practical size of unfragmented User Datagram Protocol (UDP) packets, resulted in a decision to limit the number of root servers to thirteen server addresses. The use of anycast addressing permits the actual number of root server instances to be much larger, and is 1,733 as of March 4, 2024.Root domain
The DNS is a hierarchical naming system for computers, services, or any resource participating in the Internet. The top of that hierarchy is the root domain. The root domain does not have a formal name and its label in the DNS hierarchy...</div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: upload.wikimedia.org</div><h5><a href="https://en.wikipedia.org/wiki/DNS_over_HTTPS">DNS over HTTPS</a></h5><div></div></header><div>DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018,  Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States. In May 2020, Chrome switched to DNS over HTTPS by default.
An alternative to DoH is the DNS over TLS (DoT) protocol, a similar standard for encrypting DNS queries, differing only in the methods used for encryption and delivery. Based on privacy and security, whether either protocol is superior is a matter of controversial debate, while others argue that the merits of either depend on the specific use case.Technical details
DoH is a proposed standard, published as RFC 8484 (October 2018) by the IETF. It uses HTTPS, and supports the wire format DNS response...</div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4536602">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Rob Ricci (ricci@discuss.systems)'s status on Monday, 28-Apr-2025 07:43:27 JST Rob Ricci
in reply to
🧵 2/2
IANA is administered by ICANN: https://en.wikipedia.org/wiki/ICANN . Again, ICANN is an international organization, but its headquarters are in the United States. I would compare this to the United Nations, which also has its headquarters on US soil. Yes, the US could put the organization's property and some of its personnel under threat, and it could be quite disruptive, but the organization is global enough that it almost certainly could continue its operations and maintain its desired policies under such an attack.
Let's also talk about the physical infrastructure at the root of the DNS. When you look up example.com, your DNS resolver (conceptually) goes to the root to ask where the DNS servers for .com are, then asks those servers where the DNS servers for example.com are. These root servers are extremely important, if utterly invisible to most people. There are currently thirteen root DNS servers: https://en.wikipedia.org/wiki/Root_name_server . However, each 'root server' is actually a bunch of root servers, many of them spread across the globe in various countries. The picture attached to this post shows where the physical servers are. Most of the operators of the root servers are American companies, but there are also companies headquartered in the Netherlands, Sweden, and Japan. We are probably pretty safe on this front.
Let's wrap up by moving a level up, to the DNS server closest to your own computer.
Unless you've done any special configuration (and you will know if you have...) you are probably using either one two DNS servers: most devices and software on your network are probably using your ISP's DNS server, and your browser *might* be using a third-party DNS server via DoH.
Could a government compel your ISP to hijack DNS requests? Legally, I don't know, but on a technical level, mostly yes. Doing so would involve adding entries to their DNS servers that differ from the "real" ones, and returning those to you instead. This would essentially hijack the domain for all customers of that ISP. An attacker would have to do this ISP by ISP; this is easier in some places than others - in some countries the ISPs are already functionally arms of the government, in others they are independent but have consolidated down to just a few options, and others have more diversity.
Ah, but, you say, DNSSEC! And yes, DNSSEC! For most of its history, the DNS has not provided a way to verify that the answer you get is legitimate instead of, say, replaced by your ISP as described above. Some time back, a set of extensions to DNS was put together to prevent such attacks: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions . There is more detail here than I could possibly go into, but this mechanism is (1) deployed on some TLDs but not all, (2) deployed only spottily on domains within the TLDs that support it, and (3) not universally checked by all resolvers. So: yes, DNSSEC helps - it generally protects the domains that have deployed it from being hijacked, even under threat to the ISP, but its effects are uneven.
ISPs can relatively easily block you from using DNS servers other than their own - AFAIK, most don't, currently, but they can, because DNS requires UDP port 53, so it's easy to recognize and block.
So, let's talk about DoH - this is DNS over HTTPS, and it gives you an encrypted way to make DNS requests and uses the same TCP port as HTTPS, making it harder for an ISP to block. Like DNSSEC, the more DoH there is in use, the less effective ISP-level domain hijacking is. Lately, browser vendors have started experimenting with making DoH the default for at least some users in at least some places; both Firefox and Chrome turned it on by default for some users in 2020: https://en.wikipedia.org/wiki/DNS_over_HTTPS . But, this is not 100% a win for freedom from government attacks: Chrome uses Google's DNS servers by default, and Firefox uses CloudFlare's - this can be changed, but it's a re-centralization, and therefore an attractive attack target for governments that have leverage over these two organizations.
So to conclude: the DNS is a very messy system with lots of points that could be attacked by a government, but it is also comprised of enough systems, organizations, and protocols that attempts to seize domain names are likely to be hard to do at scale, and while the opportunity for mass disruption does exist, it is unlikely to meet with much long-term large-scale success.
In conversationabout 21 days ago from discuss.systemspermalink
Attachments
1. No result found on File_thumbnail lookup.
  Example Domain
2. Untitled attachment
3. No result found on File_thumbnail lookup.
  Domain Name System Security Extensions
  The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality. Overview The original design of the Domain Name System did not include any security features. It was conceived only as a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempt to add security, while maintaining backward compatibility. RFC 3833 of 2004 documents some of the known threats to the DNS, and their solutions in DNSSEC. DNSSEC was designed to protect applications using DNS from accepting forged or manipulated DNS data, such as that created by DNS cache poisoning. All answers from DNSSEC protected zones are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served...
4. A screenshot of a map, taken from root-servers.net. It shows the locations of root DNS servers around the world - there are hundreds, and they are on all continents.
  https://fd.discuss.systems/media_attachments/files/114/412/301/801/658/092/original/d1047d411d346b46.png
5. Domain not in remote thumbnail source whitelist: upload.wikimedia.org
  ICANN
  The Internet Corporation for Assigned Names and Numbers (ICANN EYE-kan) is a global multistakeholder group and nonprofit organization headquartered in the United States responsible for coordinating the maintenance and procedures of several databases related to the namespaces and numerical spaces of the Internet, ensuring the Internet's stable and secure operation. ICANN performs the actual technical maintenance work of the Central Internet Address pools and DNS root zone registries pursuant to the Internet Assigned Numbers Authority (IANA) function contract. The contract regarding the IANA stewardship functions between ICANN and the National Telecommunications and Information Administration (NTIA) of the United States Department of Commerce ended on October 1, 2016, formally transitioning the functions to the global multistakeholder community. Much of its work has concerned the Internet's global Domain Name System (DNS), including policy development for internationalization of the DNS, introduction of new generic top-level domains (TLDs), and the operation...
6. Domain not in remote thumbnail source whitelist: upload.wikimedia.org
  Root name server
  A root name server is a name server for the root zone of the Domain Name System (DNS) of the Internet. It directly answers requests for records in the root zone and answers other requests by returning a list of the authoritative name servers for the appropriate top-level domain (TLD). The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts. A combination of limits in the DNS and certain protocols, namely the practical size of unfragmented User Datagram Protocol (UDP) packets, resulted in a decision to limit the number of root servers to thirteen server addresses. The use of anycast addressing permits the actual number of root server instances to be much larger, and is 1,733 as of March 4, 2024. Root domain The DNS is a hierarchical naming system for computers, services, or any resource participating in the Internet. The top of that hierarchy is the root domain. The root domain does not have a formal name and its label in the DNS hierarchy...
7. Domain not in remote thumbnail source whitelist: upload.wikimedia.org
  DNS over HTTPS
  DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States. In May 2020, Chrome switched to DNS over HTTPS by default. An alternative to DoH is the DNS over TLS (DoT) protocol, a similar standard for encrypting DNS queries, differing only in the methods used for encryption and delivery. Based on privacy and security, whether either protocol is superior is a matter of controversial debate, while others argue that the merits of either depend on the specific use case. Technical details DoH is a proposed standard, published as RFC 8484 (October 2018) by the IETF. It uses HTTPS, and supports the wire format DNS response...
8. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice