This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] DNS4EU?
David Conrad
drc at virtualized.org
Tue Dec 21 19:56:58 CET 2021
Andrew,

On Dec 20, 2021, at 3:28 AM, Andrew Campling <andrew.campling at 419.consulting> wrote:
> The use of the pejorative term "lying" resolver is unhelpful in this context. It is important to acknowledge that the vast majority of Internet users are not experts; indeed most are unaware of either the purpose or the existence of DNS.

Sure.

> They are however exposed to vast amounts of malicious content and, in my opinion, any mass-market resolver that does not block access to such content by default is not fit for purpose.

The issue is probably the definition of “malicious content”. While I suspect most people would agree that redirecting (“lying”) about phishing, botnet c&c, and malware distribution domain names would be fine, where does the line get drawn and by whom? What other content would result in the DNS filtering hammer being brought down? CSAM domains? Hate speech domains? Intellectual property violations domains? Embarrassing-to-those-in-power domains? Etc. Without more detail in how filtering would be implemented, it is natural for folks to raise eyebrows.

> In addition, for citizens of countries covered by GDPR, accessing a resolver located in the same jurisdiction is beneficial as it doesn't then export personal data elsewhere - US-based resolvers have the disadvantage of falling under the US CLOUD Act and FISA 702.

True, however it may be worth noting that “legal intercept” applies in the EU even with GDPR and I’ve been told it is in some ways easier for local law enforcement to gain access in the EU jurisdictions than it is in the US.

> As far as protection of intellectual property is concerned, it seems reasonable to me that Internet companies comply with court orders in the same way that other companies have to do so: despite the assertions of cyberlibertarians, the Internet is not a separate place beyond the reach of national legislation.

Trotting out “cyberlibertarians” seems like a strawman to me. Intellectual property disputes can be very complicated (e.g., definitions of jurisdiction, applicability, and actor location) and DNS-based redirection tends to be a very large (and frequently easily avoided) hammer.

> This is just as well, otherwise we'd still be prey to the whims of surveillance capitalists and not protected by GDPR etc.

Out of curiosity, have any open resolver operators been accused of violating GDPR relating to resolver services? As far as I know, the larger operators tend to have very explicit privacy assurances (e.g., https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver, https://developers.google.com/speed/public-dns/privacy, etc).

> I know that one of the drivers of the DNS4EU project was to improve the resilience of Internet infrastructure given the way that increased centralisation has weakened this over the last few years.

Last I heard, there are over 3 million open resolvers in the IPv4 address space. Harder to scan the IPv6 address space of course. Has there been consolidation of use of open resolvers? Sure. However, the “stickiness” of DNS resolvers is very low and the options if you don’t like what a particular resolver operator is doing are so numerous, I find it a bit difficult to get worked up about it.

> Providing an alternative open resolver is just one of several approaches being taken in this regard.
>
> An additional benefit of a European resolver is the opportunity to extract localised cybersecurity intelligence, something that I know the similar Canadian Shield project has already acknowledged has been an outcome of its operation. Many of the commercial threat feeds are US-centric whereas DNS4EU provides the ability to draw insight from what may be a significant European user base.

Just as with the CIRA and TWNIC national resolver efforts, personally, I’m in the “meh, sure, why not?” camp as long as use of a particular resolver is not mandated. More is better and depending on implementation, I figure there can even be benefits to the general health of the DNS. It will be interesting to see how DNS4EU evolves.

Regards,
-drc