The DNS and Internet fragmentation

By Vittorio Bertola on 31 Aug 2022

Category: Community


One of the most conspicuous Internet policy trends of the last few years has been the increasing pressure for national regulation of the Internet.

Many reasons can be identified for this. Some descend from differences in values and legal approaches, requiring the ability to make specific content available or not depending on the user’s location and to enforce rules which differ by jurisdiction. Others are economic and pertain to the need to defend digital markets from monopolies and dominant positions, especially in parts of the world that have almost no champion in the global Internet platform arena, and to ensure proper fiscal revenue on wealth extracted from the local economy.

Enforcing national regulations on a global network inherently requires establishing points of control. Indeed, even in the physical world, experience shows that such points of control do not necessarily look like customs booths on each national border. Within the Schengen area, people and goods can move freely across borders; if necessary, they are checked and rejected afterwards.

Unfortunately for the entire DNS industry, DNS resolution offers a good (or the least bad) control point for the enforcement of national regulation. As almost any Internet operation starts with a DNS query, blocking or manipulating queries at the DNS resolver level is a reasonably effective way of preventing access to services and content that may be legal where they are being hosted but are illegal where the user is trying to reach them. While a minority of smarter or more determined users can easily find ways to route around these checks, it is much easier to deal with the smaller residual problem of a minority, rather than with widespread and easy ways to bypass national regulation.

More importantly, if the DNS resolution service is offered by a third party different from the provider of the destination platform or service, DNS blocks allow the enforcement of rules even in the face of uncooperative parties, or parties that are not subject to the local jurisdiction and that are in unfriendly places.

The DNS is also relevant to requirements for data protection and localization, which are becoming increasingly common. Like it or not, regulators are less and less keen on letting important personal information of their citizens move to services located abroad, especially if other jurisdictions do not offer the same degree of privacy. Even if they do, several types of organizations using the Internet — ranging from national security agencies to public administrations dealing with sensitive personal information — simply must not give access to any of their data to other economies, even if friendly. This also creates a push for DNS resolution to happen in the same jurisdiction as the end user, preventing any international transfer of data during the DNS query and response process.

Therefore, the DNS is a key tool in any practical proposal to address the general Internet fragmentation debate.

Unless we imagine an Internet topologically arranged by distinct economies, with few international interconnections heavily guarded by great firewalls, DNS is the service that will be called upon to enforce the content-related laws of the user’s jurisdiction, while preserving the topologically borderless nature of the Internet at the transport level.

So, how is the DNS industry reacting to this new scenario?

Honestly, many of us seem to be ducking and waiting for the storm to pass. It seems to be widely hoped that these pressures will just go away.

The latest major technical development around the DNS protocol, encrypted DNS transport, was explicitly designed to prevent the use of the DNS as a national content control tool. As a side effect, its deployment tends to increase the centralization of DNS queries into the hands of dominant global Internet players, exactly the ones that economies may want to regulate. Of course, this has not made regulators happy.

Sometimes, the debate in our community fails to understand the solid reasons behind this trend. Comments around the European DNS4EU project, for example, often took the direction of a fantasy world in which civil servants in Brussels plot to introduce political censorship onto the European Internet — or, alternatively, a world of radical views in which even blocking CSAM or pirated live football matches is ‘censorship’. Again, this also has not made regulators happy.

Read: Opinion: DNS4EU

Indeed, the industry faces a dilemma. Continuing to ignore the pressure may lead to irrelevance; regulators will not brake for anyone, and if they are not given reasonable and cooperative ways to enforce their laws, they will look for unreasonable ones.

A few months ago, I was involved in a public consultation by the Italian government on the implementation of a recent law that mandates on-by-default parental control filters on all consumer Internet access services. The proposed technical norms would require all Internet Service Providers (ISPs) to hard-block access to global DNS resolvers by dropping all packets for and the like unless they also implement the blocks, and ‘in some way’ disable the user’s ability to perform encrypted DNS queries, for example, blocking outgoing traffic to port 853 for all users. While we, fortunately, succeeded in explaining that this was not the way to go, this mindset is increasingly growing among public officers, even in fully democratic economies.

On the other hand, from the viewpoint of the DNS industry, cooperating with this trend, for example, by deploying mechanisms to geolocate all users contacting the global DNS resolvers and applying per-economy blocklists, may invite more of this and create long-term costs.

In the middle of all of this, end users get the worst of all worlds; they increasingly find themselves in front of unpredictable experiences, depending on which browser and which resolver they use. The inability of browsers to work out a mechanism for displaying meaningful error messages when connections are blocked by the resolver, or the network, is still a weak point for any Internet access service.

All in all, while governments have their share of responsibilities in the trend toward Internet fragmentation, the industry also has some. National sovereignty is a fact of life and the key principle over which the governance of our planet is built. While there may be periods in history in which it becomes less relevant, there are others when it is again front and centre in all global policies.

There is no clear and collective answer by the DNS industry, or by the Internet’s technical community in general, to the public sector’s request for digital sovereignty mechanisms within key protocols and services; we should start thinking about whether we can find a good one.

Vittorio Bertola is Head of Policy & Innovation at Open-Xchange.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

One Comment

  1. Tariq Mustafa

    In Pakistan, PTA (Pakistan Telecommunication Authority) is working on new regulation that will require only whitelisted DNS servers to be allowed to pass the national firewall. Any other DNS would not be able to work inside geographical boundaries of Pakistan. PTA is allowing the authorized DNS providers to ‘sell’ resolver services to local users in PK if they so desire. A special middleware will ‘push’ blackholed entries in these regulated DNS servers of the service providers for whatever they want to censor from the PK citizens as part of the court rulings etc.

