52 comments

[ 4.4 ms ] story [ 24.9 ms ] thread
Weird hill to die on, but backing off from a country if you don't like its rules is a mature decision.
It's not weird, Net Neutrality should be universal.
Is that like a World Order new age think? Countries should be abolished and replaced by a world federation kind of anarchy?
Yeah ok no, not gonna surrender my country.
Why do courts do stupid things like this. It's easy to distribute a HOSTS file with the same information. Are they going to forbid that too?

The only people inconvenienced by this will be those who were only casually interested anyway.

Wouldn't that be the majority of people? In their eyes, that's good enough and considered mission accomplished... kinda hard to argue with that IMO.
Nobody is going to use a hosts file. They'll use a different public DNS that supports DoH (so the local ISP can't see/modify the traffic) but that has no physical presence in France and isn't subject to its laws, or a VPN to the same effect. That requires no greater effort than it is to use OpenDNS to begin with. All they're doing is requiring people who are subject to their jurisdiction to do this, which is entirely pointless when others aren't.

"The internet interprets censorship as damage and routes around it."

The real problem is that the people not willing to accept that will then be offended when this invariably fails to be effective, and lobby for ever-increasing levels of oppression in an attempt to make it work, when the only way to actually make it work is a totalitarian security state incompatible with a free society.

We can't allow ourselves to be dragged into that dystopia inch by inch.

Any service which is open to EU citizens, such as a DoH server, falls under the claimed jurisdiction of the EU. Whether they could successfully follow that claim depends entirely on geopolitical conaiderations which are hard to predict.

But as long as your services are opened to EU citizens, you are, in principle, liable for violating EU laws.

From the perspective of the French law, if your service is reachable in France, then you are liable.

In practice, Google has an operating branch in France, so they are weak.

Even if they didn't have the branch, in theory, extraterritoriality can still be applied between relatively friendly countries; though taking lot of time and bureaucracy.

Even with enemies: Russian company is totally safe from US law, and vice-versa, but they could get under sanctions for "promoting terrorism" (in some way, this could also be argued for these DNS servers as well if we push it a little bit).

The saying about routing around damage is an excellent countercultural rallying cry. What’s weird is that this same “censorship ain’t cool” thing we call The Internet also requires you to psuedonymously identify yourself in plain text on every single packet you send.

I wish the long haired folks in the 70s had thought of that angle too. We have onion routing but it’s hardly the same thing when using it puts involves putting oneself in a minority with some questionable company.

Don't let perfection get in the way of done.
A solution working in 90% of the cases is not bad. Especially if this is reasonably easy. Then progressively you can figure it out for the remaining % as the technological solutions progressively get more difficult to implement.
(comment deleted)
A good day for the lawyers pay packet

A frightening attempt to control DNS providers.

How are they going to stop public DNS servers? like OpenNic and others or people who set up their own.

There are thousands of DNS providers all over the world.

VPN also provide their own DNS servers so maybe the next assault on our freedoms will be VPN.

You are not free to perceive any information. In our society, some people have the right to decide whether or not you can watch a particular football game, look at a particular image, or know a particular prime number, as ridiculous as that sounds. Freedom of information consumption is an illusion from the days when law enforcement in the internet wasn't a thing.

Industry and state have a large interest in this and in just a few years they will have total information dominance. This won't require awkward measures like attacks on DNS or VPN providers. You simply won't be able to execute unvetted software soon. Chat control is just an example and the first step. The principle will be: You can only run software that fulfills all legal requirements, especially if said requirements monitor your well-behavedness.

> You simply won't be able to execute unvetted software soon.

Yes. Every microcontroller will phone home to verify your software’s signature.

Then perhaps we need to keep our buggy and memory unsafe softwares so that we can exploit them ourselves to bypass those in some cases.

How ironic

> How are they going to stop public DNS servers?

Block port 53 on an ISP level, just like many are already doing with port 25. Luckily that can be mostly bypassed with DoH / DoT, but adoption is far from universal.

Of the 3 I wouldn't have expected Cisco to be the first to take a stand. Well done them.

DNS blocking bullshit is especially bad in Portugal because the law is set up in a way that has copyright interest groups just send their block lists directly to ISPs without any kind of judicial process or review whatsoever. It's common knowledge here to change your DNS provider to bypass the ISPs for this reason.

So if I have a recursive nameserver then it will just get the correct answers from the TLD nameservers.

Unless the courts start legislating what people can run in their homes that will ignore any of these rulings.

Or port 53 starts getting blocked, at which point VPN providers will probably start getting a surge in business.
Port 53 is still needed to communicate with caching DNS servers like 8.8.8.8.
You could still use DNS over HTTPS or TLS protocols.
If your ISP or your government doesn't steal them in transit.

But yes, installing Unbound is easy and with the detailed logging you can actually see what your (or "your") software is quering

Hopelessly ignorant of DNS beyond basics. I see this page https://en.wikipedia.org/wiki/Public_recursive_name_server and there is a list of DNS servers. What do you mean by running it on your own computer? If feeling generous, maybe a quick rundown on how to get authoritative name resolution from TLDs? OS setting or need to run something (OS X)? TIA )
Dns is a hierarchical recursive service. When you make a DNS query, such as requesting "www.google.com", you typically do not do the full resolution in your application - but you do make the DNS query on your application. What you instead do is make a DNS request to your configured "recursive" server, asking it to make further queries on your behalf if it doesn't know the answer.

We do something obviously silly for this exercise - we assume that all caches are cold, because the point of a recursive DNS server is mostly to act as a cache. So we'll be going through a bunch of queries that usually are simply answered from cache instead.

At the top are 13 "root dns servers". These return responses for top level domains, such as ".com". When you want to request www.google.com, first you have to ask who controls ".com". Your recursive server (just "you" from now on) sends a request to the root servers - "Who are the nameservers (ns) for .com?" Also written as "QUERY .com NS". The root servers will answer - "A(answer) .com NS 1.2.3.4 AA (Authoritative answer)". The root dns servers believe they are the authority for the "." Zone, because they are.

The recursive resolver, you, then use this knowledge. You ask a similar query of the ".com" nameservers - "Q google.com NS" they respond, giving you an authoritative answer for google.com "A google.com NS nameservers.google.com AA". But you don't know who the nameservers for google.com, how do you resolve this loop? DNS has a mechanism for that. It includes a few extra records, called glue records, to close the gap. "X(tra) nameservers.google.com 8.8.9.9"

Finally, you know who the nameservers for google.com are - You then send them a request. "Q www.google.com A(Internet Protocol)" you might instead send an AAAA request, for an ipv6 address, instead.

There's a ton more - Support for text records of arbitrary type, support for addressing schemes that no longer see use, etc. but thems the basics. You can run your own whole Internet, if you want to - Just build your own recursive server pointing at your own roots, and then host whatever you want on whatever up you want - Just don't expect to be able to connect to the real Internet at the same time. Also basically everything phones home and breaks. :shrug:

DNS is a tree. The root of the tree is a "." (mostly left off). So for example "google.com" is actually "google.com.".

So who looks after "."? Those are the "root servers" that are basically hardcoded into a DNS server.

So when your app requests the IP address of "google.com" with a recursive DNS server, it does the following:

1. Application -> your server "What's the IP address of google.com"

2. Your server: Hmm, I know how to get to ".", I'll ask them about "com".

3. Root server(s) reply with "here are the name servers for "com"

4. Your server: Hey name servers for com, tell me about "google.com."

5. Name servers for com, "we don't know, but here are the name servers for google.com, and their IP addresses, go ask them.

6. Your server: Hey name servers for google.com, tell me the IP address (A) for google.com

7. Google's name servers: The IP address for google.com is a.b.c.d

In steps 3 and 5, the name servers for the higher level in the tree (".", "com") have "glue records" that give you the NS (name server) records for the next level down.

Here's the output of a trace of the lookup for google.com.

You can see first it finding out the NS (name server) records for ".", which are hardcoded in the server, then the name servers for "com.", then the name servers for "google.com." then finally the IP address (A record) for google.com. The RRSIG and DS records are related to DNSsec, which is a security mechanism for guaranteeing the answers:

$ dig +trace google.com

; <<>> DiG 9.18.27 <<>> +trace google.com

;; global options: +cmd

. 29650 IN NS h.root-servers.net.

. 29650 IN NS m.root-servers.net.

. 29650 IN NS d.root-servers.net.

. 29650 IN NS g.root-servers.net.

. 29650 IN NS f.root-servers.net.

. 29650 IN NS e.root-servers.net.

. 29650 IN NS l.root-servers.net.

. 29650 IN NS i.root-servers.net.

. 29650 IN NS c.root-servers.net.

. 29650 IN NS j.root-servers.net.

. 29650 IN NS b.root-servers.net.

. 29650 IN NS a.root-servers.net.

. 29650 IN NS k.root-servers.net.

. 29650 IN RRSIG NS 8 0 518400 20240720050000 20240707040000 20038 . 0M7/rD5sHnlEuTKN5gbTcpUlXvTSPm+uAhIoy4QFSTFV2DCmGDEP1hGg KR1fpO11wmzPhtAKGrDdxaEiWfiEf0/fUYMcl0pg65/FHBNvPM1VrgJ6 cBJ5M9Vq5Fk55ydLK1zKZr7fXP1E03v9k2f2U9dBPVvkMnGueOhNrs7S HfvmPM1oMdJsxLnFW7M1le4sFRnMz2SLb6TPUcuAiy0wl/+QQ6SoR8Pt cH+l095gBydGAA+yRk2FENC0med1e+pra5l+5xypKwGiUEKRLu7qO3hx RvXogiCJ6Y86phc7y+F/YQRu0RxhX41i6BsJSGfUWO+cpcmqSHAoqH+f Xov48A==

;; Received 525 bytes from 172.16.0.254#53(172.16.0.254) in 10 ms

com. 172800 IN NS g.gtld-servers.net.

com. 172800 IN NS a.gtld-servers.net.

com. 172800 IN NS b.gtld-servers.net.

com. 172800 IN NS m.gtld-servers.net.

com. 172800 IN NS c.gtld-servers.net.

com. 172800 IN NS k.gtld-servers.net.

com. 172800 IN NS f.gtld-servers.net.

com. 172800 IN NS d.gtld-servers.net.

com. 172800 IN NS h.gtld-servers.net.

com. 172800 IN NS e.gtld-servers.net.

com. 172800 IN NS i.gtld-servers.net.

com. 172800 IN NS j.gtld-servers.net.

com. 172800 IN NS l.gtld-servers.net.

com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A

com. 86400 IN RRSIG DS 8 1 86400 20240721050000 20240708040000 20038 . HMz1YGw7JwAmZ85745beLSsFWDbix2SV5ZGTyNZr3mE+9/H4D46v9z4x LMO9J+WqwoHeFRpUUePIZuCn1bxUsqxy8F0FBJRuISuQo7kTbEcYwZuF ksFsyyHDiPqAyq4qKvpwYJzSBEqpn+GlXmfZMim4p3xcmD8igYcb2d6Z jeFTOjkDQBudDhsVwSkhRpe5vHFY8aIeTMjzLZxSnUMBbbfrLMYqStx9 H4kV1nxCciwz4u4kxWgZeGvH36eJa/vb5QULBECMIow5LDrGvYoSn2A5 GSZnTjwDWsSPImQWR91bEqi6PrpH0mLm/JnrN1XBksYh1ij9Aw7G6h35 NVGf7g==

;; Received 1198 bytes from 192.112.36.4#53(g.root-servers.net) in 177 ms

google.com. 172800 IN NS ns2.google.com.

google.com. 172800 IN NS ns1.google.com.

google.com. 17280...

What would be the repercussions of everyone switching to per-site/customer caching, recursive resolvers instead of per ISP resolvers?

On the one hand if we assume the customer to ISP ratio to be about a million to one then the volume of traffic on popular nameservers is going to go up a huge amount.

On the other hand thoughif your nameserver is now required to handle millions more queries per second then either you are a central piece of infrastructure like .com or a high traffic service like cat.videos.example.com. With the latter, you’ve been handling millions of HTTP queries per second anyway. You’ll just have to handle massive traffic volumes for DNS now, too.

The end user is accustomed to the DNS part taking 10ms and tbd HTTP part taking 1000ms. They would probably now have to suffer the DNS part taking 100ms to 1000ms as well.

how would you know how to reach per-site resolvers?
The same way you advertise any other central service at your site (the default route to the internet, for example):

DHCP, or RA (IPv6).

If anything, I am more surprised that Google did comply with the order. The entire value of 8.8.8.8 lies in it being operated as a neutral and independent resolver. If they start returning bogus results for this, what's preventing them from returning bogus results for queries which are inconvenient to their other business units like Youtube? They clearly already have the infrastructure in place to falsify results on a country level...

And it'll of course open the floodgates to all kinds of government abuse. This time it's a French court order concerning copyright infringement, next time it might be a kangaroo court ordering Facebook to be blocked because of "political propaganda harming national security".

If they don't comply, French government could order ISPs to block / null-route 8.8.8.8 and 8.8.4.4 in France on a BGP level and sue the French branch.
Thereby breaking countless Chrome browsers, Android phones tablets and TVs, and various apps and IoT devices in the country. That would be fun to see.
> I am more surprised that Google did comply with the order

Why would it be surprising that a company complies with a court order or legislation of a country they operate in? Does Google routinely ignore court orders in the US?

> what's preventing them from returning bogus results for queries which are inconvenient to their other business units like Youtube?

Technically nothing. The threat of fines in case this is seen as an abuse is the real blocker.

> Why would it be surprising that a company complies with a court order or legislation of a country they operate in? Does Google routinely ignore court orders in the US?

Because it's a ruling by a lower court which sets a very dangerous precedent. I would expect a company like Google to appeal this until the French equivalent of the Supreme Court - or even a European court if possible.

Even if they still had to do this, I would expect them to suspend service like OpenDNS is doing rather than just comply. DNS is just too important to mess around with!

> Technically nothing. The threat of fines in case this is seen as an abuse is the real blocker.

Who's going to fine them? As far as I'm aware, DNS is pretty much unregulated. There's no law saying you have to pass DNS as-is, is there?

> a ruling by a lower court which sets a very dangerous precedent

There's no precedent of any kind being set here. Court orders have to be obeyed unless overturned, this isn't an unprecedented 2024 thing. France has a civil law legal system, not the precedent based common law legal system (like the US for example). This court set no legal precedent, it issued a ruling on this particular case.

> I would expect a company like Google to appeal this

If they have solid legal grounds to appeal. Are you aware of one?

> rather than just comply

Assume ceasing the service entirely is costing them more than complying.

> Who's going to fine them? As far as I'm aware, DNS is pretty much unregulated.

A court, for not respecting a court order.

The legal system and law in general are almost never common sense and there's a reason it takes so much work and experience to navigate them properly. If you've done none of that work, assume you're wrong.

If you're a techie and you start hearing people insist with personal opinions on how those RAM traces should be made longer and straighter you'd wonder why they keep talking.

Lawyers are pretty good at finding reasons to appeal against judgements. It is reasonable to suggest that Google should appeal despite the parent not being aware of reasons for appealing.

You are mostly right on the civil vs common law systems, but also have in mind that a sufficient body of decisions when interpreting a law do create increasingly stronger recommendations for future decisions even in civil systems.

> Lawyers are pretty good at finding reasons to appeal against judgements.

Good ones sure are. But OP saying "Google should appeal" implies OP is aware of one solid such reason, a reason why the French court was wrong, and Google was wrong to comply. Instead they just mentioned precedents, lower courts, or that you're free to ignore a legal court order because there's no "DNS regulation".

I get that Google has a vested interest to find any way to make it work because it supports their business. But OP's statement sounded to me more like "I don't understand the law but don't like the result so it should be changed", with no solid reasoning of any kind at the time of the statement.

> Because it's a ruling by a lower court which sets a very dangerous precedent. I would expect a company like Google to appeal this until the French equivalent of the Supreme Court - or even a European court if possible.

You can't appeal a court decision just because you don't like it. There needs to be some kind of basis for the appeal. What did you have in mind?

Note that the CJEU has already ruled that IP and DNS blocks for this purpose are compatible with EU laws.

"The entire value of 8.8.8.8 lies in it being operated as a neutral and independent resolver."

Or being perceived as such. But there was a specific reason that Google started an open resolver in 2009; It has nothing to do with the interests of web users. It relates to Google's interest in capturing search engine traffic; all the dirty stuff Pichai did before he became CEO, e.g., Google toolbar and paying to have Google be the default search engine on every computer. Google believed OpenDNS was "hijacking Google queries".

https://web.archive.org/web/20070525041655if_/http://blog.op...

https://domainnamewire.com/2009/12/03/google-public-dns-coul...

https://www.wired.com/2009/12/geez-google-wants-to-take-over...

https://patents.google.com/patent/US8806004B2/en

Wait until they find out about Big Texh piracy
Probably a stupid question, but humour me please: is a p2p/decentralized dns resolver a technical possibility?
DNS is decentralized already.
Decentralized and own by everyone. Impossible to censore.
(comment deleted)
So if someone from france asks me where a cafe selling marijuana in amsterdam is, and I tell them the address, that's illegal?

Oh wait, the internet is special.