If you are an individual: Quad9 relies entirely on sponsorship and support from individuals and companies who believe in our mission, and who benefit from our protection of end users. We need resources to fight this ruling, and to continue our mission of providing security and privacy to end users. Your comments on social media to amplify the awareness of this issue and engage in civil discussion on the topic are welcome. Please help by donating via Paypal.
So it begins. Cloudflare, Google DNS and others to follow.
IMHO they went after quad9 because they advertise that they already block some domains, based on some lists. They'll probably argue that it's simple to add to their system.
That's exactly what they claim. The objection argues that these blocks are not comparable though, mainly since the malware domains are filtered globally, whereas that's obviously impossible for local filters based on regional court decisions.
They went after Quad9 (and not Google, Cisco, and Cloudflare) because Google, Cisco, and Cloudflare are all still hiding behind the Northern California District Court, where there are no consequences for privacy violations. And the US isn't a signatory to the Lugano Convention, whereas Switzerland is. Sony began this attack just a few days after Quad9 re-domiciled to Switzerland. An unexpected and unfortunate cost of having a binding privacy policy. I gave a talk about this at the last DEF CON:
Google's 8.8.8.8 / 8.8.4.4 offering is actually very forgiving. Most pirate sites now have multiple TLDs and advertise the latest TLD in use on social media. New TLDs usually arrive when there is pressure by Google or even LEAs to censor specific domains.
Maybe no-one technical, but here in the UK where DNS-based blocking is very prevalent, I know most of my non-technical friends don’t know how to access a website that’s been blocked in this way, and wouldn’t think to look for mirrors. I’ve tried to explain the process of piracy via torrents to people and it just goes over their heads.
You don't need mirrors, you just need a DNS server that doesn't implement this policy.
Historically the government reaction to that was to censor the DNS protocol itself. Trouble is, by the time they got around to legislating for such things, DNS is already optionally encrypted. In Firefox for example General -> Networking Settings -> Enable DNS over HTTPS
use-application-dns.net is a canary for the default behaviour, but the configuration switch I described is a deliberate user choice, so the canary isn't relevant.
Ah but I'm not talking about getting around the actual DNS part (even though that is indeed trivial).
I'm talking about obtaining the content. Sooner or later they'll just ask a techie friend where they can still get their sweet torrents and they're back in business.
And finally, don't forget: The people who are using Quad 9 are people who do know what they're doing. Otherwise they'd be simply using their provider DNS.
> Providers of browsers, operating systems or antivirus software could be held liable as interferers on the same grounds if they do not prevent the accessibility of copyright-infringing websites.
What about providers of phone OSes that scan for illegal files against the user's wishes?
What difference would it make to you as a user between "this domain doesn't exist" and "this domain doesn't exist, but I refuse to give you valid proof that it doesn't" (or even no answer at all)?
(NXDOMAIN is also somewhat special in DNSSEC and not signed by default, and requires special mechanisms to handle (NSEC, NSEC3), but IMHO that's not even very relevant to the block scenario)
> What difference would it make to you as a user between "this domain doesn't exist" and "this domain doesn't exist, but I refuse to give you valid proof that it doesn't" (or even no answer at all)?
If you're validating then the second answer should cause you to regard the reply as invalid and retry the request, possibly using a different DNS service.
True, a system that is set up with multiple resolvers of which only one censors might actually get you the page in the end. But from the perspective of the DNS provider, they've done what they "intended"/were forced to do in any case: not give you the correct answer.
All that DNSSEC does is to let you validate whether a DNS response is authentic. If you don't get a result that validates successfully, you know there's something wrong, but you still don't know what the right result is, so it doesn't stop censorship.
So, in conventional DNS this is problematic since of course a false answer isn't valid under DNSSEC, and the server can't even deny the existence of a name without proof that this denial is authoritative, which it doesn't have. It may have to SERVFAIL or give an obviously inauthentic response.
In DoH the HTTP error codes provide a way for the server to explain why it can't (or won't) give you the correct answer to your query, for example because you set it to block advertising, or your government obliges it to censor domains, separate from the actual DNS answer or absence of one.
This will grow even more interesting under oblivious DNS, a planned future upgrade to the DPRIVE protocols in which you'd send your questions to an intermediate (e.g. quad 9 in this case) but those questions are encrypted so they can't read the details, and the intermediate forwards them to an authoritative name server (which thus doesn't learn your IP address) that can decrypt them, before sending the response back to you without being able to read it.
This obliviousness means that on the one hand Google, Cloudflare and similar large DNS providers don't see what exactly it is you wanted to know about example.com (if www.example.com is the only thing that exists this isn't much help, but if clown-porn.example.com, adopt-a-puppy.example.com and holocaust-survivor.example.com are all under example.com then this makes a real difference to your privacy) and yet on the other the people operating example.com don't get your IP address (at least until you connect directly to their servers over plain TCP) and yet you still get the answer you wanted.
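The denial-of-existence point made in the DNSSEC sub-thread above (a censoring resolver can fake NXDOMAIN for a signed name but cannot attach the NSEC/NSEC3 + RRSIG proof that a validator would check, so the client sees "something is wrong" and can try another resolver) is easy to show in code. The following is an added example written for this page, not code from Quad9, any of the commenters, or any DNS library. It uses only the Python standard library, builds its own constructed wire-format replies rather than talking to the network, and only checks the *shape* of a reply: it does not verify signatures against a trust anchor, which a real validating stub would do. The `send` callback, the resolver names and the `192.0.2.1` documentation address are all assumptions made for the demonstration.

```python
import struct

# Wire-format constants (RFC 1035, RFC 4034, RFC 5155).
TYPE_A, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 46, 47, 50
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
FLAG_QR, FLAG_AA, FLAG_AD = 0x8000, 0x0400, 0x0020

def encode_name(name):
    """Encode a dotted name as uncompressed wire labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def build_response(qname, rcode, answers=(), authority=(), flags=FLAG_QR):
    """Build a minimal response to an A query. answers/authority hold (name, type, rdata).
    Only used here to construct sample replies; a real resolver produces these."""
    header = struct.pack("!HHHHHH", 0x1234, flags | rcode, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for name, rtype, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body

def skip_name(wire, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + length

def parse_response(wire):
    """Parse the header, skip the question, and list (section, type, rdata) per RR."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4  # skip QTYPE and QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(wire, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            off += 10
            records.append((section, rtype, wire[off:off + rdlen]))
            off += rdlen
    return {"rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD), "records": records}

def classify(parsed):
    """Shape-level verdict. This does NOT verify RRSIGs against a trust anchor; it only
    checks whether a denial carries the NSEC/NSEC3 + RRSIG material real validation
    needs. A resolver that blocks a signed name by faking NXDOMAIN cannot supply that
    material, so its reply lands in 'unproven_denial'."""
    auth_types = {t for s, t, _ in parsed["records"] if s == "authority"}
    has_answer = any(s == "answer" for s, _, _ in parsed["records"])
    if parsed["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if parsed["rcode"] == RCODE_NXDOMAIN:
        if auth_types & {TYPE_NSEC, TYPE_NSEC3} and TYPE_RRSIG in auth_types:
            return "authenticated_denial"
        return "unproven_denial"
    if parsed["rcode"] == RCODE_NOERROR and has_answer:
        return "answer"
    return "other"

def a_records(parsed):
    """Dotted-quad strings for the A records in the answer section."""
    return [".".join(str(b) for b in rd) for s, t, rd in parsed["records"]
            if s == "answer" and t == TYPE_A and len(rd) == 4]

def resolve_with_fallback(qname, resolvers, send):
    """Ask each resolver in turn via send(resolver, qname) -> wire bytes. An answer or
    an authenticated denial ends the search; SERVFAIL, an unproven denial or anything
    else is unusable, so the next resolver is tried. With no usable reply at all the
    client knows only that something is wrong, not what the right answer is."""
    for resolver in resolvers:
        parsed = parse_response(send(resolver, qname))
        verdict = classify(parsed)
        if verdict == "answer":
            return resolver, verdict, a_records(parsed)
        if verdict == "authenticated_denial":
            return resolver, verdict, []
    return None, "no_usable_answer", []

# Constructed sample replies (not captured traffic). 192.0.2.1 is a documentation address.
QNAME = "example.com."
SAMPLE_REPLIES = {
    "censoring": build_response(QNAME, RCODE_NXDOMAIN),   # blocks the name, cannot prove it
    "broken": build_response(QNAME, RCODE_SERVFAIL),      # refuses outright
    "honest": build_response(QNAME, RCODE_NOERROR,
                             answers=[(QNAME, TYPE_A, bytes([192, 0, 2, 1]))],
                             flags=FLAG_QR | FLAG_AD),
    # A genuine NXDOMAIN from a signed zone carries NSEC (or NSEC3) plus its RRSIG.
    # The rdata is placeholder bytes; only the record types matter to classify().
    "proper_nxdomain": build_response("nope.example.com.", RCODE_NXDOMAIN,
                                      authority=[("example.com.", TYPE_NSEC, b"\x00"),
                                                 ("example.com.", TYPE_RRSIG, b"\x00")],
                                      flags=FLAG_QR | FLAG_AA),
}

def fake_send(resolver, qname):
    """Stand-in for a network send (assumed interface): returns the constructed reply."""
    return SAMPLE_REPLIES[resolver]

if __name__ == "__main__":
    print(resolve_with_fallback(QNAME, ["censoring", "broken", "honest"], fake_send))
    print(resolve_with_fallback(QNAME, ["censoring"], fake_send))
```

Running it, the censoring resolver's bare NXDOMAIN and the SERVFAIL are both skipped and the honest resolver's answer is used, while a resolver list consisting only of the censoring one yields no usable answer, which is exactly the "you know something is wrong but not what the right result is" situation described above. A production stub would replace `classify` with real signature validation and `fake_send` with a DoT/DoH transport.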