DNS Blocking: Benefits Versus Harms – An Advisory from the Security and Stability Advisory Committee on Blocking of Top Level Domains at the Domain Name System (R1)


Description:

Blocking or altering responses to Domain Name System (DNS) queries is increasingly prominent. Domain name or Internet Protocol (IP) address filtering (or otherwise preventing access to web content as a matter of security policy) may be viewed by some organizations as a natural extension of historical telephony controls that aimed to block people within an organization from incurring toll charges.

Technical approaches to DNS blocking are intended to affect users within a given administrative domain, such as a privately or publicly operated network. Preventing resolution of the domain name into an IP address will prevent immediate connection to the named host, although circumvention techniques may enable connectivity to the intended system anyway (this includes simply accessing the site via its IP address rather than via a Fully Qualified Domain Name (FQDN)). A DNS resolver or network operator could also rewrite a DNS response to contain an IP address mapping the operator chooses, whether rewriting a Non-Existent Domain (NXDOMAIN) response or rewriting the DNS response for an existing FQDN, with potentially harmful effects on DNS Security Extensions (DNSSEC)-supporting name servers and their users. A particularly coarse-grained approach is for an operator to silently discard DNS responses, although this results in non-deterministic behavior and may itself be problematic. Regardless of the mechanism used, organizations that implement blocking should apply these principles:

  1. The organization imposes a policy on a network and its users over which it exercises administrative control (i.e., it is the administrator of a policy domain).
  2. The organization determines that the policy is beneficial to its objectives and/or the interests of its users.
  3. The organization implements the policy using a technique that is least disruptive to its network operations and users, unless laws or regulations specify certain techniques.
  4. The organization makes a concerted effort to do no harm to networks or users outside its policy domain as a consequence of implementing the policy.
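The three resolver behaviors described above (an NXDOMAIN answer, an answer rewritten to an operator-chosen address, and a silently discarded response) can be told apart from the raw DNS message a client receives. The following is an added example, not part of the SSAC advisory: it builds constructed sample responses in DNS wire format with the Python standard library, parses them, and classifies how the resolver handled each query. The sinkhole prefix `192.0.2.0/24`, the transaction id, and the names under `.example` are constructed values for the demonstration; `classify_blocking` is a hypothetical helper, not an API of any real resolver.

```python
"""Classify how a resolver handled a DNS query from the raw response bytes.

Distinguishes the blocking behaviors discussed in the advisory:
  - "nxdomain":  RCODE 3, the name is reported as non-existent
  - "rewritten": NOERROR with an A record pointing at the operator's address
  - "discarded": no response at all (modelled here as None)
  - "answered":  an ordinary answer
"""
import ipaddress
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
TYPE_A = 1


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, rcode, answer_ip=None, ttl=60):
    """Construct a minimal DNS response (constructed sample data, not a capture).

    rcode=RCODE_NXDOMAIN models an NXDOMAIN answer; a NOERROR response with
    answer_ip models an operator rewriting the answer to an address it chooses.
    """
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, AD=0
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = b""
    if answer_ip:
        rdata = ipaddress.IPv4Address(answer_ip).packed
        answer = struct.pack("!H", 0xC00C)      # compression pointer to the question name
        answer += struct.pack("!HHIH", TYPE_A, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset, hops = pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Parse header flags, the question section and the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, ttl, rdata))
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & 0x0020),             # AD bit: DNSSEC-validated by the resolver
        "questions": questions,
        "answers": answers,
    }


def classify_blocking(msg, sinkhole_nets=(), expect_nxdomain=False):
    """Label the resolver behavior. msg is raw bytes, or None when nothing came back.

    sinkhole_nets lists the operator's known rewrite targets; expect_nxdomain marks
    a probe name known not to exist, so any A answer for it is a rewrite.
    """
    if msg is None:
        return "discarded"
    resp = parse_response(msg)
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    nets = [ipaddress.ip_network(n) for n in sinkhole_nets]
    for _name, rtype, _ttl, rdata in resp["answers"]:
        if rtype == TYPE_A:
            addr = ipaddress.ip_address(rdata)
            if expect_nxdomain or any(addr in net for net in nets):
                return "rewritten"
    return "answered"


# Constructed samples: one per behavior, against a hypothetical sinkhole prefix.
SINKHOLE = ("192.0.2.0/24",)
SAMPLE_NXDOMAIN = build_response(0x1234, "blocked.example", RCODE_NXDOMAIN)
SAMPLE_REWRITE = build_response(0x1234, "blocked.example", RCODE_NOERROR, "192.0.2.1")
SAMPLE_NORMAL = build_response(0x1234, "www.example", RCODE_NOERROR, "198.51.100.7")

if __name__ == "__main__":
    for label, sample in (("nxdomain", SAMPLE_NXDOMAIN), ("rewrite", SAMPLE_REWRITE),
                          ("normal", SAMPLE_NORMAL), ("discard", None)):
        print(label, "->", classify_blocking(sample, SINKHOLE))
```

The parser reads the AD bit so that a DNSSEC-aware client can see whether the resolver claims to have validated the answer; a rewritten answer for a signed zone carries no matching RRSIG, which is the failure mode the advisory refers to for DNSSEC-supporting clients, and a validating stub would reject it rather than connect to the operator's address.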


STATUS UPDATES

Entries list Phase, Type and Status Update (the page records no dates):

Phase: Closed | Type: Phase Change
This Advice Item is now Closed

Phase: Phase 5 | Type: Board Update
This item has been processed as much as is relevant and is considered complete; no work is outstanding from the perspective of Board Advice (note that related implementation work may have been integrated into ICANN's ongoing operations or other initiatives).

Status provided in 19 October 2016 letter from ICANN Board Chair to SSAC Chair (https://www.icann.org/en/system/files/correspondence/crocker-to-faltstrom-19oct16-en.pdf). This specific advice item contains no action for ICANN as it is general advice to organizations implementing DNS blocking rather than advice directed to the ICANN Board.

Phase: Phase 5 | Type: Phase Change
Now in Phase 5: Close Request

Phase: Phase 1 | Type: Phase Update
SSAC published SAC050: DNS Blocking: Benefits Versus Harms – An Advisory from the Security and Stability Advisory Committee on Blocking of Top Level Domains at the Domain Name System: https://www.icann.org/en/system/files/files/sac-050-en.pdf.