ICANN Report Discusses Dangers and Benefits of DNS Blocking

In the United States, site blocking (or DNS blocking) has once again become a hot topic. A new bill, entitled the Foreign Anti-Digital Piracy Act (FADPA), would allow rights holders to obtain site-blocking orders against foreign pirate websites.
However, for many, this is a callback to late 2011 and early 2012. This was when the United States made its first attempt at site blocking through the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA). The bills were shelved after an intense public backlash spurred tech companies.
However, a great deal has changed in the 13 years since then.
In April 2012, just months after the SOPA/PIPA protests, a UK court ruled that local internet service providers (ISPs) had to block access to The Pirate Bay. In 2015, Australia passed legislation that required site blocking. Finally, in 2019, the EU passed its version of site blocking reform.
Since none of these efforts turned out to be the disaster that SOPA/PIPA opponents had feared or claimed, it makes sense that the United States would revisit the issue now. However, the United States isn’t the only one revisiting DNS blocking.
The Internet Corporation for Assigned Names and Numbers (ICANN) recently released a report examining the practice of DNS blocking (PDF).
Overall, the report took a neutral stance on DNS blocking itself. However, the report highlights several challenges that face DNS blocking and makes three recommendations for those who wish to utilize it as a tool.
Understanding ICANN and DNS
ICANN is a US-based non-profit that oversees much of the core infrastructure of the internet. This includes a key role in assigning Internet Protocol (IP) addresses and managing the root Domain Name System (DNS) servers.
DNS, as I discussed in 2012 during the SOPA/PIPA protests, is a system that converts domain names (such as plagiarismtoday.com) into IP addresses (such as 167.71.185.204). This is necessary because domain names, on their own, are meaningless to computers. The DNS system turns them into IP addresses that the computer can access.
In that regard, the DNS system is akin to a phone book. Where a phone book converts human names into telephone numbers, DNS converts domains into IP addresses.
The system works by having root systems, which ICANN controls. Those tables are then distributed, or propagated out, to other DNS servers. A variety of third parties run those servers. These include internet service providers, public DNS providers such as OpenDNS, and individuals who host personal servers.
Due to its central role in the internet, DNS blocking has become a popular tool for blocking websites. The idea is relatively simple. If you require DNS servers not to provide the IP address or provide a false one, the site becomes essentially inaccessible.
To that end, DNS blocking has been employed for various purposes, from blocking pirate sites to the Great Firewall of China. Although there are ways to circumvent such a block, DNS blocking still prevents most visitors from accessing the site.
That, in turn, brings us to this report.
Understanding the Report
Entitled DNS Blocking Revisited, the report comes from ICANN’s Security and Stability Advisory Committee (SSAC). The report updates two previous reports from 2011 and 2012, acknowledging that “Internet technologies and practices have evolved, and more examples of DNS blocking have been implemented.”
The report doesn’t take a direct stance on DNS blocking as a practice. Instead, the report appears to acknowledge that DNS blocking is a reality and offers recommendations for implementing it.
The report examines two separate methods of DNS blocking. The first is blocking at a recursive resolver. This is where ISPs and other DNS providers are ordered to stop resolving DNS queries for a specific site. The second is suspending at authoritative nameservers. This is where a domain is “seized” and redirected to a different site. This impacts all users globally.
The report focuses mainly on the former. To that end, the major takeaway is the three recommendations the SSAC offers for implementing DNS blocking.
- Any entity implementing or mandating DNS blocking should understand the implications of the technology.
- DNS blocking should only be used when it fulfills the objective, there is a clear policy, and efforts are made to minimize overblocking or impacts outside of the entity’s control.
- DNS servers should provide extended error codes to indicate that a site is being blocked.
The first two are very logical but also very open suggestions. The third, however, has concrete steps that governments and DNS providers can take. Namely, providers can use special error codes that indicate to the user why the site is inaccessible. Currently, such queries generate a non-specific error that could mean that the site is offline due to technical reasons.
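As an added illustration (not code from the report or from this article), the sketch below shows how a client could tell a policy block from an ordinary failure, assuming the extended error codes in question are the Extended DNS Errors option defined in RFC 8914. The sample responses and the name blocked.example are constructed for the example.

```python
import struct

# RFC 8914 info codes that signal a policy block rather than a fault.
BLOCK_CODES = {15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited"}
OPT_RR, EDE_OPTION = 41, 15  # EDNS0 OPT record type; EDE option code

def skip_name(msg, off):       # offset just past a (possibly compressed) name
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends
            return off + 2
        off += 1 + n
        if n == 0:             # root label terminates the name
            return off

def extended_errors(msg):
    # Return (rcode, [(info_code, extra_text), ...]) for a DNS response.
    _, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, found = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        p, end = off + 10, off + 10 + rdlen
        while rtype == OPT_RR and p + 4 <= end:  # walk the EDNS options
            code, olen = struct.unpack_from("!HH", msg, p)
            data = msg[p + 4:p + 4 + olen]
            if code == EDE_OPTION and olen >= 2:
                info = struct.unpack_from("!H", data)[0]
                found.append((info, data[2:].decode("utf-8", "replace")))
            p += 4 + olen
        off = end
    return flags & 0x000F, found

def classify(msg):
    rcode, edes = extended_errors(msg)
    for info, text in edes:
        if info in BLOCK_CODES:
            return f"policy block ({BLOCK_CODES[info]}): {text}"
    return f"rcode {rcode}, no block indication (cause ambiguous)"

def build_response(rcode, ede=None):
    # Constructed sample: reply for blocked.example, optional (code, text) EDE.
    q = b"\x07blocked\x07example\x00" + struct.pack("!HH", 1, 1)
    body = struct.pack("!H", ede[0]) + ede[1].encode() if ede else b""
    opt = struct.pack("!HH", EDE_OPTION, len(body)) + body if ede else b""
    rr = b"\x00" + struct.pack("!HHIH", OPT_RR, 1232, 0, len(opt)) + opt
    return struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 0, 0, 1) + q + rr
```

A bare NXDOMAIN (`build_response(3)`) classifies as ambiguous, while the same answer carrying info code 15 is reported as a policy block, which is the transparency gap the third recommendation addresses.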
The report also examines several methods visitors can use to circumvent DNS blocks. This includes using alternative DNS resolvers, connecting via a VPN, and utilizing other anonymization tools, such as the Tor network.
In short, the report primarily presents an overview of the current situation rather than offering a commentary on DNS blocking.
What it Means
The report’s authors acknowledge that “The SSAC has no authority to regulate, enforce, or adjudicate.” In summary, this report lacks authority and is purely advisory. Governments are free to ignore this report if they choose; many likely will.
Instead, the report’s authors hope that this report will advise and educate those making decisions about DNS blocking. They hope those in power will utilize it in a more limited and targeted manner, supported by greater transparency.
The report acknowledges the utility of DNS blocking but also recognizes its limitations. By taking a neutral stance on the practice, the report aims to mitigate the harm caused by poor blocking.
That, in turn, is a recognition of today’s current reality. Site blocking, specifically DNS blocking, is simply a fact of life. Getting rid of it, most likely, isn’t practical. Instead, the goal is to minimize the harm while maximizing the utility of the tool.
To be clear, the efficacy of site blocking is still under scrutiny. According to this report, over 20% of all internet users already use open resolvers. With numerous simple ways to circumvent DNS blocks, it’s impossible to completely block users from otherwise functioning sites.
But the goal of DNS blocking isn’t to stop all piracy. That is an unreasonable and unattainable goal. The goal is to reduce it. There is little doubt that it can be effective if used properly. The debate is whether the risks are worth the reward.
Bottom Line
Much like this report, I’m largely neutral on site blocking. I don’t think it’s a panacea for copyright enforcement, nor do I believe it’s a boogie man of censorship. It’s a tool. Those in power can wield it well or they can wield it poorly. They can use it for legitimate or illegitimate reasons.
More than anything, this report is an acknowledgement of our current reality. Site blocking, specifically DNS blocking, is here and it’s not going anywhere soon. We have gone well past the question of “if” and now must answer the question of “when” it happens.
To that end, this report aims to broaden the understanding of the underlying technology as well as the risks associated with DNS blocking. Its recommendations are reasonable, but overly broad. It’s difficult to determine if governments are following the guidelines or not.
That said, I do agree with the need for new DNS error codes. Users should be aware of which sites their government is blocking access to. Though this might encourage circumvention, a lack of transparency brings with it much greater risks.
Ultimately, it’s a good report with some excellent, albeit basic, information. However, the most important takeaway is that site blocking is a reality in 2025. While we can do it better or worse, we are unlikely to eliminate it anytime soon.