
GCHQ planning UK-wide DNS ‘firewall’ - peterkelly
https://thestack.com/security/2016/09/14/gchq-planning-uk-wide-dns-firewall/
======
ymse
For privacy concerned netizens, especially UK based ones, I highly recommend
checking out DNSCrypt[0]. It securely tunnels all your DNS requests to an
endpoint of your choice.

I've used it for about two years and it's very reliable, even on a laptop. I
do recommend using it in conjunction with a caching DNS recursor such as
Unbound[1] to save bandwidth.

It also works great on OpenWRT if you have that luxury.

For UK residents, please also consider changing to an ISP that cares about
your online rights. I only know this one:
[http://aaisp.net.uk](http://aaisp.net.uk)

0: [https://dnscrypt.org](https://dnscrypt.org)

1: [https://unbound.net](https://unbound.net)

~~~
mike-cardwell
Not happy with only your ISP and government knowing where you're going online?
Install DNSCrypt and add some more third parties to the mix.

[edit] From DNSCrypt's own front page:

Please note that DNSCrypt is not a replacement for a VPN, as it only
authenticates DNS traffic, and doesn't prevent "DNS leaks", or third-party DNS
resolvers from logging your activity. The TLS protocol, as used in HTTPS and
HTTP2, also leaks website host names in plain text, rendering DNSCrypt
useless as a way to hide this information.

~~~
ymse
This is true. It's more of a DNS MITM protection rather than privacy fix.
There are other uses of DNS than just HTTP(S) traffic though, but I'm sure
these mass surveillance entities sit on massive reverse DNS databases anyway,
rendering the effort mostly useless.

------
WillKirkby
"We’re exploring a flagship project on scaling up DNS filtering: what better
way of providing automated defences at scale than by the major private
providers effectively blocking their customers from coming into contact with
known malware and bad addresses?"

Because this definitely isn't a step towards state censorship, no siree!

~~~
throwawayReply
Step towards? This is state-wide censorship.

But isn't the truth that it is already implemented in UK ISPs' DNS offerings
anyway, and that this is just extending the filter so you can't bypass it by
changing to a different DNS server?

This should be a textbook case on how to achieve censorship. Start by having
it "optional", but not an option a user opts into explicitly, just implicitly
in a way they don't understand (by "choosing" their ISP).

Then when 99% of people are already covered, roll it out in a compulsory way
across everywhere because "This won't affect most people, just a small number
of people".

No debate needed.

~~~
pixl97
> and that this is just extending the filter so you can't bypass it by
> changing to a different DNS server?

No, many people will just use VPNs

Then the government will find a need to ban VPNs for the safety of its
citizens.

------
mariusz79
I think it is safe to say that by 2020 the Internet as we know it today will
not exist. All we will have is a bunch of walled gardens, under full
surveillance from both the government and corporations. And most people will
not even notice or care.

~~~
astrodust
I think it's safe to say you're exaggerating, and while there will be local
pockets of utter confusion (North Korea, some US ISPs) on the whole it will be
fine.

That's not to say we don't need to fight for rights, to keep this sort of
thing from happening, but that I have confidence that we _can_ and will fight
these things successfully.

Australia, as one example, has tried on many occasions to put up very
restrictive firewalls and has mostly failed.
[https://en.wikipedia.org/wiki/Internet_censorship_in_Australia](https://en.wikipedia.org/wiki/Internet_censorship_in_Australia)

Stay vigilant, stay informed, and you can control the future.

~~~
antihero
If in 2010 I told you the next presidential candidate for the USA was
retweeting 4chan memes, you'd have probably said I was exaggerating. All I'm
saying is things are changing quicker than we can imagine.

~~~
astrodust
4chan's track record of getting people elected is pretty terrible. See also:
Ron Paul.

~~~
antihero
Probably for the best, really. Ron Paul was more of a Reddit thing, anyway.

------
dirtbox
Weren't GCHQ caught illegally spying on pretty much everyone at a similar
level to the NSA?

Trustworthy guys to put in charge of something like this.

~~~
gc419hq
Sometimes you just need to give in on these little things to get on with your
life. For example, my friends complain about spam, but ever since I switched
my email to 419.ng, it has been a thing of the past for me. I'm sure letting a
malicious government institution fully merge its traffic and monitoring into
your traffic will simplify your life too.

----

419.ng freemail, exceptional service for fr33!

Dear sir or madam the crown prince of Contantanople is having trouble
transferring his considerable fortune..

Cpoc@419.ng

------
forgottenpass
_"what better way of providing automated defences at scale than by the major
private providers effectively blocking their customers from coming into
contact with known malware and bad addresses?"_

By designing a system for distributing filter rulesets to the endpoints. Works
fairly well for in-browser malware blocking and adblocking. And if users can
retrieve rulesets from configurable sources, it allows them to tune how
aggressive their filtering is, and avoids turning every rule into a potential
national censorship row.

By comparison, making ISPs do DNS filtering is of middling effectiveness and
screams of "just give me all the control and trust me to sort it all out."

------
CommanderData
This means they'll be able to collect statistics information only to be stored
onto your household web history list. This is just another attempt at mass
data collection.

It's not like it wasn't being done before by intercepting DNS requests, but
this way it's legal.

This also paves the way to ISPs being required to conform and to build an
infrastructure that associates a subscriber id with a given DNS request.

------
talideon
"We have always been at war with Eastasia."

------
tptacek
Tell me again why it's a good idea to put all our TLS keys in the DNS?

~~~
dane-pgp
Because we can avoid registering a .co.uk domain, but we can't stop a foreign
government forcing a Certificate Authority to issue a certificate for our
domain.

If the US government were to force the root zone key holders into issuing a
false update for the .is top level domain, for example, that should rightly be
treated as an act of war, and be detected before it could be used. Such an
expensive attack could only be used once, and would achieve nothing.

Do you have a different threat model in mind?

~~~
tptacek
I've answered this totally bogus argument so many times, I'm going to take a
different tack this time and put _you_ on the spot.

Tell me: what's the TLD you'd choose for your new site if protection from
governments was your goal? We already know: it's not .IO, which is
controlled by GCHQ. Which one is it? Are we all getting .IS names in your
bright DNSSEC future?

~~~
dane-pgp
I trust the Icelandic government more than the least trustworthy of all the
CAs trusted by my browser (plus the least trustworthy of all the governments
that have power over any of the CAs trusted by my browser).

Alternatively I could (in theory) set up my own generic TLD, like Apple has
done. Here is their DNSSEC practice statement:

[https://www.apple.com/legal/intellectual-property/tld/dps/](https://www.apple.com/legal/intellectual-property/tld/dps/)

It's still not clear why you think that being able to choose your trust path
is strictly worse than being at the mercy of all CAs in the world.

~~~
tptacek
But if your site is hosted under a .COM, .ORG, .NET, .US, .CO.UK, .ORG.UK, or
.IO name, or, for that matter, under a generic TLD _managed by any company
domiciled in the US, UK, Canada, or Australia_, your feeling is: it's just
fine that the NSA gets to swap in its own TLS keys for your own whenever it
wants.

Do you have another TLD besides .IS you might "trust more than the least
trustworthy CA in your browser"? Could you name it?

~~~
dane-pgp
If you are relying on the CA system to secure your website, it is equally
insecure no matter what TLD your site is under. DNSSEC at least gives you the
possibility of moving away from .COM, .ORG, etc to a top-level you trust.

You still haven't said what your threat model is, though. The fact you
mentioned "protection from governments" earlier suggests that the threat model
you are envisaging is "I am trying to run a website that will be attacked by
every country in the world". If that's your threat model, I would be
interested to know what technology you suggest to counter that threat.

Alternatively, if your threat model only includes "US, UK, Canada, or
Australia" then there are various other TLDs that are more trustworthy than
the Turkish or Chinese governments (no disrespect to those countries). For
example, the TLDs of .ch, .dk, .li and .lu. Even .de and .fr should be managed
in ways that are independent from the 5 Eyes.

~~~
tptacek
I can't believe anyone thinks this is the Internet we should be forklifting
the DNS out to build. The one where we have to decide which spy agency is
going to escrow our TLS keys when we pick a domain name. It's the same day as
the announcement of the Snowden pardon appeal drive, and we're saying "fuck
it, all of .COM's TLS keys should just go straight to NSA".

No. No no no.

~~~
dane-pgp
Why are you so focused on "all of .COM's TLS keys" when, under the current CA
system, all TLS keys for all domains go straight to NSA and any government
that controls a CA (e.g. Turkey and China, etc.)?

A situation where people can avoid the governments they don't trust is
strictly better than this, but you seem to be arguing that it is strictly
worse.

~~~
tptacek
Because:

(a) They do not (go ahead and try to get a Google Mail cert).

(b) They need not (CAs can be --- and have been --- and will probably within
a few weeks be again --- untrusted by browsers)

(c) It is insane --- as in, "definition of insanity" insane --- to double down
on a hierarchical PKI controlled by governments as a response to problems with
the CA system. It is literally the opposite of the direction we should (and
are!) going in.

I note: in no exchange we have ever had about this issue have you ever so much
as _rebutted_ my contention that adopting DNSSEC+DANE would escrow .COM TLS
keys with the US government. That's unsurprising, because my contention is
true. But I'd like to point it out anyways.

~~~
dane-pgp
(a) The fact that I can't (or won't) get a fake cert for Google Mail doesn't
really prove anything. I am not the NSA. I assume you wouldn't accept the
challenge if I asked you to produce a fake (but cryptographically valid)
DNSSEC response for mail.google.com.

(b) Waiting a few months after an attack for a CA to be shut down is not as
much comfort as being able to choose in advance which ccTLD or gTLD you are
under. As I keep saying, with DNSSEC, the malfeasance of a third party trust
source has no effect on your security, unlike the existing case with CAs.

(c) Switching from a "chain is as strong as its weakest link" model to one
where you can be free from any subset of governments you choose is a strict
improvement and very much the right direction to be going in.

In response to your note: you have made many claims on this site, and I have
rebutted those made in discussions I have been involved in, but I don't
remember you making the "escrow" claim in one of the discussions I was
involved in. I do remember seeing it recently, though, and laughing to myself
about it, trying to work out what was going through your mind when you made
that claim. Eventually I realised that by "escrow" you mean "The US government
could force Verisign to issue a fake DNSSEC response for a website under
.COM", i.e. a situation which is strictly better than "The US government could
force Verisign to issue a fake TLS certificate for any website with any domain
name." Presumably you would call that key escrow too.

I hope I have understood you correctly, and that this counts as a rebuttal,
but it's 03:30 here so I'll have to leave this interesting discussion for the
night. I look forward to hearing what you have to say in this or another
thread soon.

~~~
tptacek
In a DANE world, every TLS certificate for a site under .COM is validated
through the DNS, and the USG, which controls the DNS for .COM, can silently
swap in its own identity for that of any of those sites.

They don't get the bits of your private key exponent. They don't need them;
the DNSSEC key escrow system is subtle enough to let people think their secret
keys matter.

~~~
dane-pgp
In a CA world, every TLS certificate for a site under . is validated through
trusting the CA, and the USG, which controls various CAs capable of issuing
certificates for any site, can silently swap in its own identity for that of
any of those sites.

They don't get the bits of your private key exponent. They don't need them;
the CA key escrow system is subtle enough to let people think their secret
keys matter.

~~~
tptacek
And? The CA system is already deployed. DNSSEC is not. Why would we deploy
_another_ compromised PKI, one that can't be separated from governments, one
that would force most huge sites to abandon their current domains to avoid USG
spying, when we could spend a fraction of that energy getting CT deployed?

~~~
dane-pgp
I readily accept that we need Certificate Transparency deployed, not least to
deter malfeasance in the DNS (which is a more tractable problem as the list of
TLDs is relatively small and well known in advance). Hopefully you also accept
that DNSSEC (or something very similar to it) is needed to ensure the
integrity of DNS responses (and to give us authenticated denial of existence,
and so on).

The question then becomes "Is the amount of work to use DANE on top of DNSSEC
(and potentially changing the TLD of my domains, depending on my threat model)
too great to justify the extra security of being insulated from malfeasance by
unrelated third parties (i.e. any of the CAs in the world)?"

I think that reasonable people can disagree about both the amount of work and
the amount of extra security, and it is probably a different balance for each
domain being considered. I don't think it is reasonable, though, to say that
DANE as a technology shouldn't exist and be available to people who would
benefit from it.

~~~
tptacek
No, I do not accept that something like DNSSEC is needed. I do not think the
DNS needs integrity. I think the CA system needs to be repaired, and then we
need to stop pretending that the DNS is more important than it actually is.
After all, we don't have plans to create "ARPSEC" or "DHCPSEC", either.

Nobody benefits from DANE. DANE takes the existing broken CA system we have
now, _retains it_, because a large fraction of the deployed base of browsers
can't actually handle DANE lookup queries, and then adds a new hierarchical
PKI that is suborned by governments from the very beginning.

There is no amount of extra work we should spend to deploy DANE or DNSSEC. In
fact: the potential deployment of DANE merits some work _to prevent it from
happening_.
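
As an added illustration of the mechanism the preceding exchange argues over (not code from any poster), the DANE end-entity check below shows how a TLSA record published in DNSSEC-signed zone data names the key a client accepts: with usage 3 no CA is consulted, so whoever can sign the zone decides which key passes. The keys and records are constructed byte strings, not real DER.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Decode TLSA RDATA as it appears on the wire: three octets, then the association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

def parse_tlsa_presentation(text: str) -> TLSA:
    """Decode the zone-file form, e.g. '3 1 1 <hex digest>' (hex may contain spaces)."""
    usage, selector, mtype, hexdata = text.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented end-entity certificate satisfy the record's selector and matching type?"""
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    hasher = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}.get(rec.mtype)
    if selected is None or hasher is None:
        return False      # unknown selector or matching type: record is unusable, never a match
    return hasher(selected) == rec.data

def dane_ee_accepts(rec: TLSA, cert_der: bytes, spki_der: bytes, pkix_valid: bool) -> bool:
    """End-entity usages only. Usage 1 (PKIX-EE) still requires ordinary CA validation;
    usage 3 (DANE-EE) trusts the DNSSEC-signed record alone, so the zone's signing chain
    (registrant, registrar, TLD operator, root) is the whole trust path."""
    if rec.usage == 1:
        return pkix_valid and tlsa_matches(rec, cert_der, spki_der)
    if rec.usage == 3:
        return tlsa_matches(rec, cert_der, spki_der)
    return False          # usages 0 and 2 match a CA in the chain, not handled here

# Constructed sample data (not real DER): the site operator's key, and a second key for which
# the party controlling the zone publishes a record. Under usage 3 the second record is
# accepted with no CA involved, which is the point both sides above are arguing about.
SITE_SPKI = b"constructed-spki-of-the-site-operator"
ZONE_SPKI = b"constructed-spki-published-by-zone-signer"
SITE_RECORD = TLSA(3, 1, 1, hashlib.sha256(SITE_SPKI).digest())
ZONE_RECORD = TLSA(3, 1, 1, hashlib.sha256(ZONE_SPKI).digest())
```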

------
mtmail
Some of the UK web blocking initiatives already reach 99% coverage
[https://en.wikipedia.org/wiki/Web_blocking_in_the_United_Kingdom](https://en.wikipedia.org/wiki/Web_blocking_in_the_United_Kingdom)

------
zimbatm
What would a legitimate plan look like?

I think it's part of the state's mandate to provide security to the citizens,
offline and online. Unfortunately I haven't really seen alternative plans that
don't give the state more power at the same time.

The "real" reasons behind this kind of decision don't matter, unless people
are presented with a sane alternative.

~~~
Zigurd
"Don't censor" is a valid alternative. Just don't.

