Today the media is buzzing with the news of the Turkish government banning Twitter and even more with the fact that citizens are figuring out ways around that. “The Internet routes around censorship”, as the saying goes (or close to that). There are predictably MANY tweets out there on hashtags like #TurkeyBlockedTwitter and #TwitterBlockedInTurkey.
And many photos like the one I’m inserting here are appearing not only on Twitter but across the web and other media. As The Verge notes, it seems the Turkish government is just using a simple DNS block, presumably at all Internet service providers (ISPs) in Turkey, to prevent people from connecting to Twitter.
As the people in Turkey have discovered, this block can be easily circumvented simply by changing your device’s network settings to use public DNS servers such as those operated by Google.
Leaving the politics aside, my first reaction as a DNSSEC advocate was “Cool! Now we’ll see an uptick in DNSSEC-validated DNS queries!”
The reason, of course, is that Google’s Public DNS service performs DNSSEC validation by default on ALL DNS queries. So, not only are all those Turkish citizens getting around the ban on Twitter, but they are also getting more security and ensuring that the responses they get back from DNS for a domain are indeed the correct information entered by the operator of that domain (for companies/organizations that have signed their domain).
Hopefully the situation there in Turkey will stabilize and the ban will be lifted. In the meantime, though, I suspect those people doing DNSSEC measurements will see a burst in DNSSEC validation happening from that region.
P.S. As I pointed out at the bottom of the earlier post about Google Public DNS turning on DNSSEC validation that I reference above, the use of a public DNS resolver performing DNSSEC validation does not completely ensure the security of the results you receive back. There is still an opportunity for an attacker to inject or modify DNS packets on the path between your device and the distant DNS resolver. That is why we ideally want to see DNSSEC validation happening at a much closer level such as on the edge of your local network or perhaps even in your actual device. However, having it happen on public DNS resolvers is a great first step toward making DNS results more secure.
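To make the P.S. concrete, here is an added example (not from the original post) of what a non-validating device actually receives from a validating public resolver: a plain header whose AD ("authenticated data") bit is the resolver's claim, with nothing signing that claim on the hop back to you. The function names and the sample header bytes are constructed for illustration.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035) and the RCODE a validating
# resolver returns when DNSSEC validation fails.
QR, AD = 0x8000, 0x0020
SERVFAIL = 2

def build_query(name, qtype=1, txid=0x1234):
    """A query with RD=1 plus an EDNS0 OPT record that sets DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, UDP size 1232, flags word with DO, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def assess_response(msg):
    """What a non-validating stub can conclude from the header alone."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response")
    if (flags & 0x000F) == SERVFAIL:
        return "servfail"      # includes answers that failed validation upstream
    if flags & AD:
        return "ad-set"        # resolver says it validated; nothing signs this bit
    return "ad-clear"          # unsigned zone, or resolver did not validate

def with_ad_bit(msg, on):
    """Return a copy of msg with only the AD bit changed."""
    flags = struct.unpack("!H", msg[2:4])[0]
    flags = (flags | AD) if on else (flags & ~AD)
    return msg[:2] + struct.pack("!H", flags & 0xFFFF) + msg[4:]

# Constructed sample headers (QR, RD, RA set; one question).
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)   # AD=1
BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)       # SERVFAIL

if __name__ == "__main__":
    print(len(build_query("example.com")), "byte query with DO=1")
    print(assess_response(VALIDATED), assess_response(BOGUS))
    # Same packet, one bit different: the stub has no way to tell which is real.
    print(assess_response(with_ad_bit(VALIDATED, False)))
```

Because the two headers differ by a single unauthenticated bit, the only way for a device to be sure is to request the signatures (DO=1) and check them itself, or to rely on a validating resolver at the edge of its own network.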