Sunday, December 05, 2010
Warning: Geeky article on DNS project to counter domain seizures
by Larry Geller
(This article is a little geekish. But there’s a prize at the bottom—how to set up your (Windows) computer so you almost never see ads. You can just skip to the bottom part if you like.)
Viviane Lerner asked last week for a translation from the geek of this article: BitTorrent Based DNS To Counter US Domain Seizures (Torrentfreak.com, 11/30/2010). I’ll have a go at it. That article was about domain seizures, but the subject has taken on new interest as WikiLeaks domains are shut down and they take action to keep their material going.
First, how do “domains” work? Like CNN.com, for example. CNN.com was originally registered with one of many “registrar.” Here’s what those registrars do.
If you go to CNN.com in your browser, your browser checks with a DNS (Domain Name Servers) to find out where CNN really is. That’s because CNN lives at an address on the web which is numerical. For CNN, it is 188.8.131.52.
No one would enjoy typing those numbers into the browser instead of just typing CNN.com.
If, for some reason, the feds decided to seize “CNN.com,” you could no longer type that in, but you could still get there by typing in the numbers. It’s kind of crude, and in the end, ineffective, because a website can go right out and get another domain name. We see that as WikiLeaks is being chased around the globe.
The feds can seize a domain for pretty much any reason. Typically the website would be allegedly involved in peer-to-peer file sharing, but a domain could be seized for other reasons as well. In the article above, the developers describe a way around domain seizures. In effect, they are creating a parallel Internet universe over which the feds have no control.
The objective of their project is this:
In a direct response to the domain seizures by US authorities during the last few days, a group of established enthusiasts have started working on a DNS system that can’t be touched by any governmental institution.
It turns out to be conceptually simple, but the heart of it, if I understand correctly, is something many computer users don’t know much about. It involves a secret file that lurks inside each of our computers. (If you are not interested in particular in learning about the inner guts of your computer, this is a good point to scroll down to the next blog post.)
Both Windows and Macs have a file called HOSTS. It has no extension, and is hidden away so that it is invisible. I wrote about this file in August 2008, but I’ll repeat the relevant part of that article below, so no need to click. If you learn how to use this file, ads will magically disappear from your computer. Almost (but not quite) all of them.
The developers working on this new system can’t do anything about the feds taking a domain name like CNN.com out of the servers. So they are setting up an alternative system. One that takes advantage of that secret HOSTS file in your computer.
The HOSTS file is really your own personal DNS server. You could put 184.108.40.206 CNN.com into it if you wished.
The browser, through your computer, actually checks the HOSTS file first. Since it doesn’t find CNN.com in there, it goes to the DNS servers out in the vast Internet.
So the clever developers are working on a way to load up your HOSTS file with web addresses. They’ll have to create a way to distribute them to you, which would likely be some kind of program or a peer-to-peer bit torrent system. Anything that works will do. The program will just put that list into your HOSTS file.
So suddenly you have CNN.com in the HOSTS file on your own computer, and you could care less about what the DNS servers have or don’t have.
If the feds seize a site but you have it, they are screwed. You can still get there.
In other words, you can have a list inside your own computer and not depend on the DNS servers.
Recapping: Your computer first checks the HOSTS file to match up domain names (like CNN.com or WikiLeaks.org) with a numerical address which is where the website really is. If it doesn’t find it, it goes to the external DNS server, someplace out there. So if you have the address inside your computer, the feds can do whatever they want, it doesn’t matter.
And that’s the whole thing, other than how the developers will get that list to you.
Now, I promised a prize at the end of this article. The prize is, that the HOSTS file can also be used to kill ads that would appear in your browser. It does a darn good job of it. The website hosting the ads will never be accessed by any program on your computer. Malware sites could also be put into that file to protect you from going there inadvertently.
What follows is extracted from my earlier article.
For geeks only
I’ve had some email requests for info on the “geeky” methods of ad blocking that I mentioned in an earlier post. In addition to blocking ads, these methods protect against malware that might be installed from blocked sites.
If you really are a geek and are comfortable with exploring your system, take a backup to be safe and check out one or more HOSTS file managers. These programs are free, and they are fiendishly effective. The HOSTS file can contain a list of sites you don’t want to fetch anything from. It’s simple, and works for all browsers. There are several pre-prepared lists that include the majority of ad-serving websites.
One of the oldest is Hostess. It lets you edit the block list, and add your personal sites to block local ads.
HostsMan is another and very popular program. I have no experience with it (being an older geek, I was raised on Hostess). This program automatically checks for the latest HOSTS file updates and should be a winner. It looks like the better choice. It checks multiple sources of information and even eliminates duplicates in the database. Kiss your ads goodbye if you have this one. There are several others besides these two.
If your Internet Explorer or other browser puts an ugly message in the space where an ad was, you can get rid of it with one more geeky program, eDexter. This is also a very old, established program. All it does is substitute nothingness, a picture of your choice, or maybe a tiny pink line where the ad should be. Their web page also has more info on the HOSTS file than I can include here.
Some anti-virus programs have expanded to include anti-spyware, firewalls, and now ad blocking. You may already have that capability in your security software, although it wouldn’t be as comprehensive as the two programs I’ve mentioned. On the other hand, you needn’t be a geek to use them.
For those of you with Windows Media Center, there is excellent commercial-skipping software. That’s off-topic for this article, but it reinforces my contention that skipping ads and commercials is a legitimate national pastime. And something that ad-based business models should be concerned about. No fast-forwarding needed, the software just sucks the ads out of the program like magic.
Hosts file distribution by torrent has a few disadvantages.
On the one hand, before DNS was invented, the hosts file was the only way to give names to addresses on the network. The system administrator added them in. Most of them were very short, too. But eventually these files got too big. These days we rely on DNS and the hosts files are only used for places not in the DNS or for use when DNS is unavailable (which incidentally is happing to a lot of Comcast customers lately!).
1. Your computer is not really efficient at reading the hosts file. Whether it reads it on an as-needed basis or loads it into memory, a long hosts file -- one long enough to contain all major websites (etc.) -- is potentially going to slow things down. Especially if it's not sorted (which your computer will assume it isn't). As this file gets longer, the time it takes for your computer to figure out where "www.disappearednews.com" is will take longer, with the "spinning browser" going but not looking like it's doing anything.
2. Who is going to be in charge of this file? How many different versions will there be? What happens when someone (like the government) deletes a site and redistributes this censored version? How will we even know who did it?
3. The flipside of #2 is how will they prevent someone from, say, sending www.bankofamerica.com to a hacker identity theft run "phishing" website? The very real possibility of this caused all of the major DNS servers to implement a complicated security scheme in the past couple of years. A file on torrent won't have that.
Ultimately the better option would be to augment the public DNS with a private DNS root like OtherNic or even just an alternative DNS server that everyone can add. It would at least be more reliable and easier to secure than a splintered file loose in the wild.
Thanks for your comment. You are correct in everything you said. If I went into more detail, more eyes would glaze over on this, since it really is very geeky.
Especially the risk #3 that you mentioned. Some malware right now attempts to modify the HOSTS file to hijack websites such as banks and deliver the user to a spoof site which takes their user name and password. It is a real problem.
One can defend against some of it with kernel level programs such as PeerBlock, but that's another level of geekiness still.
Perhaps the WikiLeaks cutoffs will spur the development of some safe, viable alternatives to the DNS system we have now.
I suspect you are more in touch with this than I am. If you should hear of any progress, I'd appreciate it if you could let me know. Thanks again.