Anyone who's decided to replace their ISP router with something more secure knows the value of ensuring your home network and the traffic on it are private. Even if you haven't changed the router, you might still be running Pi-hole on your network, or various Android tools to block the parts of the internet that you don't want to see. And for good reason, as malware-hosting domains and scam websites are an ever-present danger to our online safety.

If you've tried any of these methods for blocking domains, you've used DNS-based blocking, even if you didn't know it then. It's also used by your ISPs and governments worldwide to censor the parts of the open internet that they find objectionable. And that's a problem, because in the wrong hands, this powerful cybersecurity tool turns into another way to control what you can see online.

What is DNS blocking?

Stopping your browser from loading malicious content is a worthy thought

The internet relies on the Domain Name System (DNS) as a directory that turns domain names into IP addresses, in the same way a phone book connects your name to your home address and phone number. That way, internet users don't need to remember IP addresses to access services; they only need the domain name. It also means a service's IP address can change as hosting needs change, with only the DNS record linking the two needing to be updated.

When you request a domain, your device sends a query to a DNS resolver, which follows a chain of further lookups until it finds that domain's IP address. It's important to know that at this stage, no content from the remote server is loaded in the local browser; nothing is fetched until the DNS resolution process is finished. That means DNS blocking or filtering can stop a dangerous resource from ever being connected to.

The blocklists that you load into Pi-hole, Technitium, AdGuard, or any other DNS-based blocking software are made up of known malicious domain names. These come from several sources, including cybersecurity professionals, and could be blocking phishing domains, domains serving malware, or any number of other unwanted sources of content. It's simple to implement and scalable, but it's not without issues.

The imprecise nature can be troublesome

DNS blocks can be applied to an individual IP address, or to a whole IP block when enough reports come in from that range. The problem is that, because IPv4 addresses are scarce and widely shared, some users could be blocked from accessing legitimate services, or could find their own IP address blocked. In that case, the security checks run by many domains will limit their ability to browse the internet. And plenty of small businesses rely on shared hosting environments, and could conceivably have their livelihood blocked because of someone else's bad actions.

DNS blocking threatens the open Internet

Who watches the watchers, and ensures they're being fair

DNS has a propensity to go wrong at the best of times, because of how finely balanced the whole system is. I use private DNS services wherever possible because they reduce my exposure to being tracked and having DNS hijacks occur, but I understand that's not possible everywhere in the world. Many governments have tried to block, or are actively blocking, DNS services like Cloudflare or any other open DNS resolver that can bypass DNS hijacks aimed at censorship.

Some of these DNS blocks at the country level brought unintended consequences, like DNS sinkholing YouTube and other huge websites for entire regions, as the DNS blocking server became the authoritative resolver for the area. And in the case of Google DNS or Cloudflare, blocking the resolvers also blocks a huge cross-section of the internet from view, affecting legitimate services. And even encrypted DNS options like DNS over HTTPS and DNS over TLS can be blocked, or intercepted by ISPs, which is even more worrying when we just want our data to be ours, and not sniffed and used for advertising or other means.

Companies using DNS blocks should be more transparent with users

One big problem with DNS blocking is that it's not visible to the user. The only page they'll see when trying to visit a blocked domain is some error message (this varies depending on the browser and the network configuration), like the familiar 404 page, indicating the website isn't where it was supposed to be. But that same page also shows up when technical faults take domains down. Without an indication that DNS blocking is at work, users could easily try navigating to that website again, perhaps from another device like a smartphone that might not be subject to the same DNS blocks.

Internet governance bodies and ISPs have a dual responsibility here: to limit internet users' exposure to harmful content, and also to ensure those users are proactively told when things like DNS blocking are engaged. The second part needs some work, as generic "site not found" messages are inadequate for passing much-needed context to the user.

DNS blocking is a powerful cybersecurity tool when it's being used properly


The Security and Stability Advisory Committee (SSAC) of ICANN (the Internet Corporation for Assigned Names and Numbers) recently issued a report, SAC127, focusing on the technical means of DNS blocking and the consequences of taking these steps. ICANN's official position on DNS blocking is a neutral one, focused on the merits of responsible blocking at the domain level or the authoritative nameserver level, rather than on IP addresses or IP blocks, as is currently often done.

Blocking at that level protects internet users from malware and phishing sites without the risk of cutting off other, legitimate domain names that share the same address space. The report also suggests that once a domain is added to a blocklist, operators periodically check that the domain is still dangerous, and liaise with the hosting providers to remove the malicious content at the source, so the block is no longer necessary.
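To make the difference between IP-range blocking and domain-level blocking concrete, and to show how a resolver can tell the user why an answer was withheld, here is an added example that is not part of the article or of any product it mentions. It models a resolver's policy step on constructed sample data (the domains, addresses and upstream answers are all made up) and attaches an Extended DNS Error code from RFC 8914 so a client can distinguish a policy block from a genuine lookup failure.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Extended DNS Error codes (RFC 8914) a resolver can attach to a refused answer.
EDE_BLOCKED = 15    # blocked by the resolver operator's own policy
EDE_CENSORED = 16   # blocked because an external authority required it
EDE_FILTERED = 17   # blocked at the client's own request (e.g. a family filter)

# Constructed sample policy: a domain blocklist and an IP-range blocklist.
DOMAIN_BLOCKLIST = {"phish.example", "malware-cdn.example"}
IP_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed stand-in for what upstream resolution would return for each name.
UPSTREAM = {
    "phish.example": "203.0.113.10",
    "login.phish.example": "203.0.113.10",
    "bakery.example": "203.0.113.44",   # innocent tenant on the same shared host
    "news.example": "198.51.100.7",
}

@dataclass
class Answer:
    name: str
    address: Optional[str]          # None means the resolver refused to answer
    ede: Optional[int] = None       # RFC 8914 code explaining a refusal, if any
    reason: str = ""

def domain_blocked(name: str) -> bool:
    """Exact or parent-domain match, as a domain-level policy would apply it."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DOMAIN_BLOCKLIST for i in range(len(labels)))

def resolve(name: str, mode: str, ede_code: int = EDE_BLOCKED) -> Answer:
    """Look a name up and apply the blocklist at the chosen level.
    mode is "domain" (block the name itself) or "ip" (block any answer in a listed range)."""
    address = UPSTREAM.get(name)
    if address is None:
        return Answer(name, None, None, "NXDOMAIN: name does not exist")
    if mode == "domain" and domain_blocked(name):
        return Answer(name, None, ede_code, f"blocked by domain policy: {name}")
    if mode == "ip" and any(ipaddress.ip_address(address) in net for net in IP_BLOCKLIST):
        return Answer(name, None, ede_code, f"blocked by IP-range policy: {address}")
    return Answer(name, address)

def collateral(mode: str) -> list:
    """Names refused under this mode that are not themselves on the domain blocklist."""
    return sorted(n for n in UPSTREAM
                  if resolve(n, mode).ede is not None and not domain_blocked(n))
```

Running `collateral("ip")` shows the shared-hosting tenant swept up by the range block, while `collateral("domain")` is empty; the `ede` field is what a browser or stub resolver would surface instead of a generic "site not found".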

DNS blocking isn't going anywhere, but for it to be a trusted solution, it needs to be used responsibly and not to blanket-ban content that governments or other responsible parties find objectionable. The open nature of the internet is at stake when content can be blocked wholesale like this, and that benefits nobody but those looking to consolidate power.