DNSSEC and ISPs faking DNS responses

Jean-Francois Mezei jfmezei_nanog at vaxination.ca
Sat Nov 14 06:36:06 UTC 2015

On 2015-11-13 16:59, Stephane Bortzmeyer wrote:
> On Fri, Nov 13, 2015 at 04:27:36AM -0500,
>  Jean-Francois Mezei <jfmezei_nanog at vaxination.ca> wrote 
>  a message of 34 lines which said:
>> I'll have to research how other countries tried to implement similar
>> schemes
> https://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-scientific-council-shares-its-report-on-dns-based-internet-filtering.html

Thanks to Stephane and all the others.  The afnic report will be
especially usefull because it is in french and thus better understood by
Québec politicians.

And thank to all those who filled in the gaps for DNSSEC for me.

Unfortunately, an ISP can still pretend to be authoritative for the
blocked domains and respond with fake unsigned response. The end client
that doesn't validate will be gullible and access the redirect side.
Those who validate will get SERVFAIL or NXDOMAIN and the end result is
that the blocked web site remains blocked.

With regards to VPNs: while they may not be very well known in the USA,
they are outside the USA where many people need VPNs to access foreign
content that is geoblocked in their home country.  New Zealand is not
alone, the practice is also common in Canada (as well as using pretend
DNS servers in USA

There are a number of commercial services that provide DNS "faking" that
make your canadian requests appear to come from a USA location, so
Netflix assumes you are in USA location when resolving whether content
is available or not.

(ex: https://www.unblock-us.com )

In the case of gambling, anyone with such an addiction will likely feel
deprived after a couple of days being blocked and will call on their
best friend Mr Google who will quickly provide ways to get around it
such as ignoring your own ISP's DNS server and using one outside of
Québec. Or using a VPN.

This may have interesting implications for Google's which, if I
am not mistaken, peers at QIX, the Montréal exchange. Would they be
bound by the law (they are not an ISP). Google could simply widthdraw
from the QIX echange at which point the Québec government would have 0

ISPs that serve both Ontario and Québec thorugh Bell's DSL
infrastructure will have fun. PPPoE connections arrive to a common
connection point via L2TP tunnels, so the ISP would have to determine
the person's province based PPPoE login credentials and assign different
DNS servers (blocked for QC, unblocked for ON).

Loto Québec is supposed to be testing for compliance, and I am not sure
how they will do that short of having a subscription to every ISP that
sells services in Québec. (Maybe they think they only have to test 3
ISPs, (telcos and cablecos) and don't realise they have over 100 ISPs to
test for compliance).  And when an ISP in Val D'Or has its DNS set to
recurse only for requests that come from its intranet, Loto Québec won't
be able to test from its cushy Montréal offices with a simple "set
server" command.

Ahh... the trouble clueless politicians can cause.

More information about the NANOG mailing list