Why You Shouldn’t Use DNS for Filtering

DNS is one of the easiest ways to redirect or block access to a website or resource. You don't need to build a DMZ or install and configure a complex firewall, and you can forget about paying a fortune for a content filter that takes hours to set up and even longer to support as you are bombarded with false positives and wrongly blocked URLs. Every network already has a DNS resolver, so why not just use it to control access to the internet?

Spoofing DNS answers to stop people reaching a site is an established practice used across the world. Turkey, for example, has used it for many years to periodically cut off access to social networks and file-sharing sites during periods of unrest.

So how is it done? Can you really use DNS to control access to web sites?

Yes you can, at least up to a point. DNS, the Domain Name System, is responsible for resolving a friendly web address into the IP address needed to reach the physical server you want. Resolution is handled by a hierarchy of DNS servers distributed all over the world, and the one most people actually talk to is the recursive resolver their ISP hands out when they connect. The idea behind DNS blocking is simply to alter the answers that resolver gives. So if Turkey wants to stop people visiting Facebook, it orders the ISPs to change the address their resolvers return when people look up Facebook, and you might be sent to a government web page instead of the real site.

It is very simple, and surprisingly effective on a limited scale, but there are many problems. The first one, which many Turkish users have discovered, is that all you need to do is change the DNS server your client uses. Your ISP will normally assign a resolver when you connect, but if you specify an alternative on your client or router it will be used instead, so tech-savvy Turkish users simply point their laptops, PCs and phones at a public resolver outside the ISP's control. The one caveat is that an ISP can also intercept plain UDP port 53 traffic to any destination; once it does that, only encrypted DNS (DNS over TLS or HTTPS) or a VPN gets around the block.
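As an added example that is not part of the original post, the following Python script does what a tech-savvy user does by hand, for both the blocking mechanism described above and the workaround: it builds a DNS A query itself, sends it over UDP/53 to a resolver of your choosing, and then compares the ISP resolver's answer with answers from independent resolvers to tell a genuine result from a redirection or a refusal. It uses only the standard library. The domain, resolver addresses and sample responses in the demo are constructed for illustration; 198.51.100.1, 203.0.113.10 and 192.0.2.53 are documentation addresses, not real hosts, while 9.9.9.9 and 1.1.1.1 are real public resolvers.

```python
"""Detect DNS-based blocking by asking more than one resolver the same question.

Added example, not code from the original post.  Only the standard library is used:
a minimal DNS A query is built by hand and sent over UDP/53, and the ISP resolver's
answer is compared with answers from independent resolvers.  The domain and resolver
addresses below are assumptions made for illustration.
"""
import random
import socket
import struct


def _encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS wire-format labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, txid):
    """Recursive query for the A records of `name` (RFC 1035 header + one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # flags: RD=1
    return header + _encode_name(name) + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_response(txid, name, addrs, rcode=0):
    """Build an answer packet; used here only to construct offline sample responses."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)  # QR, RD, RA
    question = _encode_name(name) + struct.pack(">HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
                       for a in addrs)          # name = pointer to the question, TTL 300
    return header + question + answers


def _skip_name(data, offset):
    """Return the offset just past a domain name, whether plain labels or a pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:               # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_response(data, txid):
    """Return (rcode, [IPv4 addresses]) from a raw reply; reject a wrong transaction id."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    rcode = flags & 0x000F                      # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength
    return rcode, addrs


def query_a(name, resolver, timeout=2.0):
    """Live lookup of `name` against one resolver (needs network; not used offline)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_response(data, txid)


def classify(local, references):
    """Compare the local resolver's (rcode, addrs) with those from independent resolvers."""
    ref_addrs = {a for rcode, addrs in references if rcode == 0 for a in addrs}
    local_rcode, local_addrs = local
    if not ref_addrs:
        return "unknown"        # nothing trustworthy to compare against
    if local_rcode != 0 or not local_addrs:
        return "blocked"        # NXDOMAIN/REFUSED or an empty answer while others resolve
    if set(local_addrs) & ref_addrs:
        return "consistent"
    return "redirected"         # the local resolver hands out an address nobody else does


if __name__ == "__main__":
    # Constructed sample: the "ISP" resolver points the site at a block page
    # (198.51.100.1) while two independent resolvers agree on 203.0.113.10.
    site, txid = "example.com", 0x1234
    isp = parse_a_response(build_response(txid, site, ["198.51.100.1"]), txid)
    others = [parse_a_response(build_response(txid, site, ["203.0.113.10"]), txid)
              for _ in range(2)]
    print(site, "via ISP resolver:", classify(isp, others))   # redirected
    # Live use on a real network (192.0.2.53 stands in for the ISP's resolver):
    # isp = query_a(site, "192.0.2.53")
    # others = [query_a(site, "9.9.9.9"), query_a(site, "1.1.1.1")]
```

Two things to keep in mind when reading the verdict. Sites behind a CDN legitimately return different addresses from different vantage points, so "redirected" on its own is a hint to inspect the returned address (does it belong to the site's provider or to the ISP?), not proof of tampering. And if the ISP intercepts port 53 wholesale, every resolver you ask will return the same doctored answer, which is exactly the case where this comparison comes back "consistent" and you need encrypted DNS or a VPN to see the truth.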

DNS is also used by people trying to bypass blocks. One of the most popular tools for getting around the region locking that many sites apply is Smart DNS. A Smart DNS service answers lookups for selected streaming domains with the address of a proxy in another country, so the site sees the proxy's IP address rather than yours; you can read about one application in the Smart DNS Netflix article. This hides your physical location and lets you watch other countries' versions of Netflix.

The fundamental problem with all of these methods is that they tamper with a system the whole internet depends on. There are other name-resolution systems, but without the Domain Name System the world wide web simply does not work, and a block that is undone by typing another resolver's address into a settings dialog is a weak control that comes at the cost of corrupting that shared infrastructure.

James Williams