Slashdot Mirror


GCHQ Planning UK-Wide DNS Firewall (thestack.com)

An anonymous reader writes: UK surveillance agency GCHQ is exploring the use of a national 'firewall' in its fight against cybercrime, according to the organisation's head of cybersecurity. Alongside BT, Talk Talk and Virgin Media, GCHQ will work to filter out websites and email campaigns which are known to contain malicious content. The intelligence organisation believes that the best way to set up such a blockade would be to build a national domain name system (DNS). In a speech delivered at the Billington Cyber Security Summit in Washington DC, director general for cyber security at GCHQ, Ciaran Martin, said: 'We're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?'
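To make the "DNS filtering at scale" in the summary concrete, here is a small resolver model added for this page (it is not code from GCHQ, the ISPs named, or the article). A recursive resolver consults a blocklist before answering; a match is answered with a sinkhole address and logged, an allowlist lifts false positives without deleting the broader rule, and, by default, only sinkholed queries are retained so ordinary lookups are not kept as "metadata". The blocklist entries, the upstream answers and the client address are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SINKHOLE = "192.0.2.1"  # constructed sinkhole address (TEST-NET-1, never routed)

# Constructed stand-in for upstream recursive resolution, so the example runs offline.
UPSTREAM: Dict[str, str] = {
    "example.com": "93.184.216.34",
    "cdn.evil-malware.example": "203.0.113.9",
    "ok.bad.example": "198.51.100.20",
}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Evil.Example.' equals 'evil.example'."""
    return name.rstrip(".").lower()


def parent_chain(name: str) -> List[str]:
    """'a.b.example' -> ['a.b.example', 'b.example', 'example'] for suffix matching."""
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


@dataclass
class FilteringResolver:
    blocklist: Set[str]
    allowlist: Set[str] = field(default_factory=set)
    log_passes: bool = False          # data minimisation: keep only blocked queries by default
    log: List[dict] = field(default_factory=list)

    def match(self, name: str, entries: Set[str]) -> Optional[str]:
        """Return the most specific entry that covers `name` or one of its parent domains."""
        for candidate in parent_chain(name):
            if candidate in entries:
                return candidate
        return None

    def is_blocked(self, name: str) -> bool:
        # The allowlist wins: a false positive under a blocked zone can be lifted
        # while the parent entry keeps catching the rest of that zone.
        if self.match(name, self.allowlist) is not None:
            return False
        return self.match(name, self.blocklist) is not None

    def resolve(self, client: str, name: str) -> Optional[str]:
        """Answer a query: sinkhole if blocked, otherwise the upstream answer (None = NXDOMAIN)."""
        qname = normalize(name)
        if self.is_blocked(qname):
            self.log.append({"client": client, "qname": qname, "action": "sinkhole",
                             "rule": self.match(qname, self.blocklist)})
            return SINKHOLE
        answer = UPSTREAM.get(qname)
        if self.log_passes:
            self.log.append({"client": client, "qname": qname,
                             "action": "pass" if answer else "nxdomain", "rule": None})
        return answer


if __name__ == "__main__":
    resolver = FilteringResolver(blocklist={"evil-malware.example", "bad.example"},
                                 allowlist={"ok.bad.example"})
    for q in ["cdn.evil-malware.example", "example.com", "ok.bad.example", "www.bad.example"]:
        print(q, "->", resolver.resolve("10.0.0.5", q))
    print("retained log entries:", len(resolver.log))
```

The parent-chain walk is what makes a single entry such as `bad.example` cover every hostname beneath it, which is also why the allowlist matters: without it, the only way to unblock one legitimate subdomain would be to drop the whole rule.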

22 of 194 comments

  1. and then block porn / 3rd party candidates / free by Joe_Dragon · · Score: 5, Insightful

    and then block porn / 3rd party candidates / free press.

  2. Good, Bad And Ugly by alternative_right · · Score: 5, Insightful

    The Good: if there are known threats that can be filtered, this is the most efficient level on which to do them.

    The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.

    The Ugly: it will create a false sense of security, "educating" users to be less educated about their machines.

    1. Re:Good, Bad And Ugly by amxcoder · · Score: 3, Insightful

      Not much good in this at all. There are already alternative DNS providers that will block most of this stuff selectively by each user. I use OpenDNS myself for this purpose. This is effectively censoring by the government, and nothing less.

      Yes, it will eventually be used to block torrent sites, the Pirate Bay, etc. It will be used to block any of the other downloading sites that are available whether they are torrent trackers or straight downloads or streaming sites.

      Even more, if riots break out, or dissension protests start up, all of a sudden Twitter and FB will be temporarily blocked to prevent coordination by participants. The US has already done similar to this, for instance in bay area BART stations where they shutdown the cell phone repeaters to prevent communication in the stations when Oakland had riots/protests going on. If UK can do it by simply blocking DNS to these sites, the same results will happen.

      Who decides what is considered "MalWare"? What are the criteria? Malware could be the typical kind, but could also include hacking software, keygen apps, apps that the RIAA/MPAA and big-media doesn't like? Everyone's idea of what is malware is probably slightly different. Viruses yes, but not all the others are malware. I know most virus scanners pick up keygens and other cracking software as a virus even if it's not, but because they want to scare away people from using them.

  3. Won't work. by BarbaraHudson · · Score: 4, Insightful

    You don't need DNS to visit a website. Also, there's nothing preventing you from running your own DNS.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:Won't work. by Anonymous Coward · · Score: 2, Insightful

      Agreed.

      The Internet was designed to route around disruptions in the network. Censorship is one type of disruption.

      If an end user doesn't like what GCHQ is doing, they can:
          1. Install DNSSEC-enabled nameserver software on their end device or home network to bypass the firewalls and detect man-in-the-middle rewrites.
          2. Utilize another open recursive server - there are millions to choose from.
          3. Utilize a VPN to get out of the country and utilize Google or OpenDNS or whatever recursive server via their tunnel endpoint.

      All this system would do is make Internet access more difficult/intrusive for UK citizens who don't want to be sheep.

    2. Re:Won't work. by myowntrueself · · Score: 2

      You don't need DNS to visit a website. Also, there's nothing preventing you from running your own DNS.

      Hmm, intriguing idea. I guess you could run your own DNS root server and maintain your own records for everything on all zones on the Internet. It's going to take some bandwidth to keep all that updated!

      But if you are thinking of just running your own local DNS server then it's going to need forwarders, and those forwarders are going to be either within the firewall and thus limited or outside the firewall and inaccessible.

      Or you could use an alternative port on a DNS forwarder outside the firewall. Some DNS servers run on 5353 but you could run it on whatever port you wanted. Until they start doing deep packet inspection and block your non-standard port DNS traffic because it's obviously DNS traffic.

      I don't see any indications of an SSL-wrapped DNS protocol..?

      --
      In the free world the media isn't government run; the government is media run.
  4. People's Republic of Great Britain by Errol+backfiring · · Score: 5, Insightful

    How many times do we have to say that 1984 was not an instruction manual?

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    1. Re:People's Republic of Great Britain by AmiMoJo · · Score: 2

      They will never stop pushing, so we must never stop pushing back.

      The price of freedom is eternal vigilance.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:People's Republic of Great Britain by LichtSpektren · · Score: 2

      There was an internet in *1984*. Pay attention.

      The Internet existed in real life in the year AD 1984, yes. There was no internet in the novel Nineteen Eighty-Four by George Orwell, which was written in AD 1949.

      There also were those who controlled what was remembered, and those who architected language with the end goal of non-state approved concepts being impossible to express or even conceived.

      You're referring to the Ministry of Truth and Newspeak, respectively. Both of which have nothing to do with a national DNS. Now, it's true that the government could make it annoying to access unapproved websites, and there's nothing wrong with being skeptical of their intentions, but to say it's Orwellian is a massive hyperbole. Governments all throughout time have engaged in censorship and repression, it takes a lot more than that to reach Stalinism.

  5. Re:and then block porn / 3rd party candidates / fr by Buchenskjoll · · Score: 2

    It's England. More than two parties is encouraged.

    --
    -- Make America hate again!
  6. FTFY GCHQ by Anonymous Coward · · Score: 2, Insightful

    what better way of providing national surveillance

  7. Drawbacks of ways to visit a site without DNS by tepples · · Score: 2

    You don't need DNS to visit a website.

    I can think of two ways to visit a website without DNS, and both have serious drawbacks.

    Add the IP address and name to the hosts file
    This breaks whenever the site's IP address changes. This file is traditionally editable only by root, and root access is often impractical to gain on any type of device other than a desktop or traditional laptop PC, especially a smartphone or a tablet computer running a smartphone operating system. (Finally, recommending the use of such a file summons him.)

    Enter the IP address in the URL instead of the hostname
    This also breaks whenever the site's IP address changes. In addition, it produces a certificate error, as certification authorities issue TLS certificates to operators of hostnames, not IP addresses. If you attempt to work around the certificate error by using legacy cleartext HTTP instead of HTTPS, you lose access to sensitive JavaScript features that browsers have begun to expose only to HTTPS sites, and a man in the middle can easily alter what you see. And either way, you can see only the first site on a given IP address, not other sites hosted on the same address using name-based virtual hosting.

    Also, there's nothing preventing you from running your own DNS.

    Other than border security intercepting all outbound connections or datagrams on port 53.
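Two of the drawbacks tepples describes for the IP-in-the-URL approach can be shown offline. The block below is an added example, not tepples' code: `cert_matches_host` performs the RFC 6125-style check a browser does between the requested host and a certificate's subjectAltName entries (in the tuple form Python's `ssl.getpeercert()` uses, `("DNS", name)` / `("IP Address", addr)`), and `select_vhost` shows how a name-based virtual host picks a site from the HTTP Host header, falling back to the server's default site when the header carries an address literal. The certificate names, the virtual host table and the addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed certificate: the CA issued it for DNS names only, no IP Address SAN.
CERT_SANS: List[Tuple[str, str]] = [
    ("DNS", "www.example.org"),
    ("DNS", "*.cdn.example.org"),
]

# Constructed name-based virtual hosts sharing one address; "site-A" is the default.
VHOSTS: Dict[str, str] = {
    "www.example.org": "site-A",
    "blog.example.org": "site-B",
}
DEFAULT_VHOST = "site-A"


def is_ip_literal(host: str) -> bool:
    """True for 203.0.113.10 or [2001:db8::1]; False for a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading wildcard that covers exactly one label (RFC 6125 s.6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        pattern_labels, host_labels = pattern.split(".")[1:], host.split(".")
        # *.cdn.example.org matches a.cdn.example.org, but neither cdn.example.org
        # nor a.b.cdn.example.org.
        return len(host_labels) == len(pattern_labels) + 1 and host_labels[1:] == pattern_labels
    return pattern == host


def cert_matches_host(sans: List[Tuple[str, str]], host: str) -> bool:
    """Does any subjectAltName entry cover the host the user typed into the URL?"""
    if is_ip_literal(host):
        # A DNS entry never matches an address literal; only an IP Address SAN would.
        wanted = ipaddress.ip_address(host.strip("[]"))
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_name_matches(value, host) for kind, value in sans)


def select_vhost(host_header: Optional[str], table: Dict[str, str], default: str) -> str:
    """Pick the site for a request the way a name-based virtual host does."""
    if host_header is None:
        return default
    name = host_header.strip()
    if not name.startswith("["):
        name = name.rsplit(":", 1)[0]       # drop an explicit :port
    # An address literal is never a key in the table, so the default site is served.
    return table.get(name.lower().rstrip("."), default)


if __name__ == "__main__":
    for host in ["www.example.org", "a.cdn.example.org", "203.0.113.10"]:
        print(f"{host:>20}: cert ok={cert_matches_host(CERT_SANS, host)}, "
              f"vhost={select_vhost(host, VHOSTS, DEFAULT_VHOST)}")
```

Typing `https://203.0.113.10/` therefore fails twice: the certificate check cannot match an address literal against DNS-only names, and even over plain HTTP the Host header selects only the default site, so `blog.example.org` on the same address is unreachable.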

    1. Re:Drawbacks of ways to visit a site without DNS by MikeDataLink · · Score: 2

      Other than border security intercepting all outbound connections or datagrams on port 53.

      Not necessarily. A VPN to an external server and they would never know what is inside that tunnel.

      --
      Mike @ The Geek Pub. Let's Make Stuff!
    2. Re:Drawbacks of ways to visit a site without DNS by darkain · · Score: 2

      This is highly untrue, actually. Larger web sites don't run on a single IP address, they run on a collection of IP addresses using various redundant networks (such as IP load balancing by issuing different addresses from DNS requests). This also allows for easier system maintenance while maintaining 100% uptime. Need a server to go down for a while in the pool? Just remove that server's IP address from the DNS load balancing pool, wait some time for client DNS caching to expire, then take down that particular machine. Effectively, the web site has "a new IP address" for a subset of clients now.
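The drain procedure darkain sketches depends on record TTLs, which the following added example models (it is not darkain's code). An authoritative pool hands out addresses round-robin with a TTL; clients cache the answer until it expires, so after an address is withdrawn the server behind it keeps receiving requests from clients whose cached copy has not yet aged out, and it is only safe to stop once withdrawal time plus TTL has passed. The addresses, TTL and lookup timeline are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AuthoritativePool:
    """Authoritative side: rotates through the pool, attaching the zone's TTL to each answer."""
    addresses: List[str]
    ttl: int
    _next: int = 0

    def answer(self, now: int) -> Tuple[str, int]:
        addr = self.addresses[self._next % len(self.addresses)]
        self._next += 1
        return addr, now + self.ttl          # (address, absolute expiry time)

    def withdraw(self, addr: str) -> None:
        """Take a server out of rotation; existing cached answers are unaffected."""
        self.addresses.remove(addr)


@dataclass
class CachingClient:
    """Client-side stub resolver honouring the TTL it was given."""
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def lookup(self, name: str, pool: AuthoritativePool, now: int) -> str:
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                     # still fresh: no query leaves the client
        addr, expires = pool.answer(now)
        self.cache[name] = (addr, expires)
        return addr


def stale_clients(clients: List[CachingClient], name: str, now: int, withdrawn: str) -> List[int]:
    """Indexes of clients that would still send traffic to the withdrawn address at `now`."""
    result = []
    for i, c in enumerate(clients):
        hit = c.cache.get(name)
        if hit is not None and hit[1] > now and hit[0] == withdrawn:
            result.append(i)
    return result


def run_drain_scenario() -> dict:
    """Constructed timeline: three clients, one server withdrawn at t=10 with a 60 s TTL."""
    name = "www.example.org"
    pool = AuthoritativePool(["203.0.113.1", "203.0.113.2", "203.0.113.3"], ttl=60)
    clients = [CachingClient() for _ in range(3)]
    first = [c.lookup(name, pool, now=0) for c in clients]        # round-robin spread
    pool.withdraw("203.0.113.1")                                   # t=10: maintenance begins
    return {
        "first_answers": first,
        "stale_at_withdraw": stale_clients(clients, name, now=10, withdrawn="203.0.113.1"),
        "client0_at_30": clients[0].lookup(name, pool, now=30),    # cache still valid: stale
        "client0_at_61": clients[0].lookup(name, pool, now=61),    # expired: fresh answer
        "stale_after_ttl": stale_clients(clients, name, now=70, withdrawn="203.0.113.1"),
        "safe_to_stop_at": 10 + pool.ttl,
    }


if __name__ == "__main__":
    for k, v in run_drain_scenario().items():
        print(f"{k}: {v}")
```

The `safe_to_stop_at` value is the whole point of "wait some time for client DNS caching to expire": a low TTL shortens the drain but raises query load on the authoritative servers, and resolvers that ignore TTLs lengthen it beyond what the model predicts.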

  8. And this shall be named... by xfade551 · · Score: 4, Funny

    Hadrian's Firewall

  9. Re:Allow opt-out by Midnight+Thunder · · Score: 2

    Nothing should *ever* be opt-out. The default should always be to opt-in. If you can't make that enabling process easy to do and successfully sell the idea to your prospective end users (AKA "source of data" - because they are absolutely going to be saving all your DNS queries as "metadata"), then maybe it wasn't such a good idea to start with.

    I won't argue with that, though I was more thinking about the alternative of not having a choice (opt-in or opt-out), as to having this imposed. I just don't want to see a 'Great Moat of Britain', being imposed. There are enough right wing isolationist attitudes at play, in the country today, that we don't need another one added to the fray.

    --
    Jumpstart the tartan drive.
  10. Re:Well.... by Anonymous Coward · · Score: 2, Insightful

    Hmm well if you understood what a DNS was you might feel differently. This would be easily circumvented but would protect the masses from malicious sites and for once it seems like a reasonable idea from a national agency.

  11. The Great Firewall of Britain! by Archtech · · Score: 5, Insightful

    "[W]hat better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?"

    What better way of allowing the UK government to censor what British people can see and hear on the Internet, without the huge majority of them having any idea that their Internet access is being censored?

    And for those who have suggested this is no big deal, just wait. This is a case of "First they came for the communists", with a vengeance. Quite apart from the fact that this is exactly what the Chinese government has been doing with its "Great Firewall of China" - and getting it in the neck for alleged tyranny, totalitarianism and censorship.

    Of course, how this policy would work out in practice does depend very much on who decides what constitutes "known malware and bad addresses [sic]". Previous draconian laws passed by the British Parliament were, we were solemnly promised, to be used only in the most serious of terrorist cases. A couple of years later, the powers were in fact being used by town councils to spy on what people put into their rubbish, how they kept their gardens, and other such personal and utterly non-vital matters.

    If a law is passed establishing a "Great Firewall of Britain", we can be quite sure that within a couple of years literally thousands of government employees - from the Prime Minister to town hall clerks - will be contributing "bad addresses" to the cumulative DNS blacklist. Just like the current Homeland Security watch lists in the USA, thousands of items will be added every month, and nothing will ever be removed.

    Indeed, people living in Britain may well find that, one day in the not-too-distant future, they are no longer able to read or contribute to Slashdot. After all, just think of all the contentious issues and worrying statements that are to be found on its pages! Some government functionary - or, perhaps more likely, an instance of that classic responsibility-diffusing mechanism, a committee - will take the view that it would perhaps be for the best if this rather dubious Web site were no longer to be accessible from the UK.

    --
    I am sure that there are many other solipsists out there.
  12. "Lady Chatterley's Lover" redivivus by Archtech · · Score: 2

    This proposal reminds me of the 1960 obscenity trial of Penguin Books for the publication of "Lady Chatterley's Lover" by D.H. Lawrence. The chief prosecutor, Mervyn Griffith-Jones, caused some merriment but also revealed his deep prejudices by asking if it were the kind of book "you would wish your wife or servants to read". (If they have time on their hands, readers are encouraged to compile a full list of the ways in which that remark was patronising and bigoted).

    If this proposal is taken up by the UK government, it will mean that - more than fifty years after the "Lady Chatterley" trial, in an era that prides itself on its freedom of expression - government officials will be asking themselves, in the privacy of their offices, "Is this the kind of Web site you would wish your wife or servants to read?" As it is so very much easier to be safe than sorry, no doubt the answer will very often be, "Actually, no, old man, it isn't" - and off will go another batch of "bad addresses" to the Black List, never ever again to be seen.

    --
    I am sure that there are many other solipsists out there.
  13. Malicious content? by jenningsthecat · · Score: 2

    What could go wrong? I mean really, who the fuck trusts a consortium of GCHQ and several mega-corps to neutrally and impartially protect them from "known malware and bad addresses"? Incidentally, I have to wonder - do those 'bad addresses' include sites that are critical of the government and/or the companies in question? Might they include 'non-approved' IP telephony services? Sites that promote Scottish independence?

    The opportunities for abuse are endless. This is a very bad idea.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  14. Re:and then block porn / 3rd party candidates / fr by amorsen · · Score: 2

    English politics are strange.

    Conservatives and Lib Dems set up a coalition, Conservatives do a lot of bad things and Lib Dems only prevent some of them: Lib Dems collapse.

    Conservatives and Labour jointly try to run a campaign to stay in the EU, to deal with the mess that the Conservatives created: Labour collapse.

    --
    Finally! A year of moderation! Ready for 2019?
  15. Re:and then block porn / 3rd party candidates / fr by rubycodez · · Score: 4, Insightful

    Thoughtcrime, Winston Smith. It's all doubleplusungood thoughtcrime.