The EU is planning to develop its own government-run DNS resolver.
The project dubbed DNS4EU is meant to offer a counterweight to the
popular resolvers that are mostly based in the U.S. Aside from
offering privacy and security to users, the DNS solution will also be
able to block "illegal" websites, including pirate sites.

The Domain Name System has been an essential component of the
Internet since the mid-eighties.

DNS resolvers make it possible to map a human-readable domain name to
an IP-address, so a website or service can be easily located. Older
people also call it the Internet�s phone book.

Nowadays, there are several large DNS resolvers. Many ISPs operate
their own but third-party DNS services are very popular too. The most
used third-party options include Google, Cloudflare, OpenDNS and
Norton, which are all US-based. This large foreign footprint has the
EU worried.
DNS4EU

To offer some balance to the American dominance in the DNS industry,
Europe is proposing its own alternative titled DNS4EU. Last week the
European Commission published a call for proposals, which also
describes in detail what features the government-controlled DNS
resolver should offer.

The project overview makes it clear that DNS4EU is meant to protect
the privacy of end-users and keep them secure.

�DNS4EU shall offer a high level of resilience, global and EU-
specific cybersecurity protection, data protection and privacy
according to EU rules, ensure that DNS resolution data are processed
in Europe and personal data are not monetised,� the EU writes in its
overview.

In addition to serving individuals directly, the resolver will also
be available to Internet backbone networks that handle traffic in,
from, and to Europe. These backbones are part of global traffic
routes which means that millions of people could potentially be
impacted.

Many of the proposed DNS4EU features aim to protect EU citizens. For
example, the DSN resolver is not allowed to monetize user data and
has to comply with applicable privacy regulations including the GDPR.

At the same time, there is also a heavy focus on filtering. DNS4U
should help to block malware and phishing, for example, and protect
against other cybersecurity threats. These are quite common features
for DNS services nowadays.
Blocking Unlawful Traffic

The EU initiative goes a step further though. While details are
scarce at this early stage, the language in the official
documentation suggests that �illegal content� could be blocked as
well.

�Filtering of URLs leading to illegal content based on legal
requirements applicable in the EU or in national jurisdictions (e.g.
based on court orders), in full compliance with EU rules.�

The above suggests that pirate sites can be blocked by DNS4EU as
well, if there�s an applicable court order. These sites will then be
blocked for all users in the region. At the same time, it could also
affect traffic that passes through the Internet backbones that use
the DNS resolver.

Without knowing the full technical setup we�re cautious not to draw
strong conclusions. That said, backbones generally operate across
borders and continents, so potential overblocking is a serious
concern.

The project overview stresses that filtering and blocking measures
should be in line with national rules so we assume that the DNS
resolver may treat traffic from individual member states differently
if needed.
Censorship Risk?

Patrick Breyer, Member of the European Parliament (MEP) for the
Pirate Party, believes that the project is unnecessary. The current
DNS solutions work fine and adding government-run filtering and
blocking tools is dangerous.

�A government-run DSA scheme comes with the risk of online
censorship,� Breyer tells TorrentFreak, while adding that DNS
blocking itself is easily circumvented.

�Access blocking leaves content online and therefore can easily be
circumvented and often results in overblocking and collateral
suppression of legal speech hosted on the same website, by the same
provider or via the same network.�

This type of collateral damage is not just hypothetical. Breyer notes
that, in 2020, the public domain library Project Gutenberg was
blocked in its entirety in Italy because some content allegedly
violated local laws.
Borderless Backbone

That blocking won�t always stop at borders is also well known. In
2017, several websites were blocked around the world because Internet
backbone provider Cogent blackholed several Cloudflare IP-addresses
in response to an Italian court order.

According to Breyer, infringing content should be removed, not
blocked. Otherwise, there�s always the risk of overblocking.

�Illegal content should be removed where it is hosted,� Breyer says,
adding that this is why the civil liberties committee will ask the
European Parliament to scrap blocking orders from the Digital
Services Act.

The DNS4EU also raises other issues. For example, it will offer
better security options for �customers� who pay, which seems strange
for a government-backed service.

As said before, the project is still in its early stages and a lot of
details have yet to be fleshed out.

According to Breyer, this DNS solution shouldn�t turn into a �Chinese-
style Euro-Net.� It�s important that people are aware of these plans
and that they are amended where needed, in order to maintain an open
Internet.

Source:
https://torrentfreak.com/the-eu-wants-its-own-dns-resolver-that-can-
block-unlawful-traffic-220119/

On Thu, 20 Jan 2022 20:22:46 +0100 (CET), Nomen Nescio <nobody@dizum.com> wrote:
>people are aware of these plans

"The best laid schemes o' mice and men
Gang aft a-gley,
And leave us naught but grief and pain
For promised joy." --from 'To A Mouse'

Robert Burns was born to William & Agnes Broun-Burnes
at their cottage(4W38:00,55N25:58)in Alloway Ayrshire
Scotland on Thursday 25 January 1759(AA/BR).

On 1/20/22 12:22 PM, Nomen Nescio wrote:
> The EU Wants Its Own DNS Resolver that Can Block ‘Unlawful’ Traffic
> January 19, 2022 by Ernesto Van der Sar >
> The EU is planning to develop its own government-run DNS resolver.

Good for them.

I see no problems with there being /another/ recursive DNS operator.

I'm all for more recursive DNS server operators. Though normally I
advocate for people to run their own /personal/ recursive DNS resolvers.
But another bigger player in the game is still another player and
divides things up from the bigger players. I view additional recursive
DNS providers as a Good Thing™.

> The project dubbed DNS4EU is meant to offer a counterweight to
> the popular resolvers that are mostly based in the U.S. Aside from
> offering privacy and security to users, the DNS solution will also
> be able to block "illegal" websites, including pirate sites.

I would expect nothing less.

> The Domain Name System has been an essential component of the Internet
> since the mid-eighties.
>
> DNS resolvers make it possible to map a human-readable domain name to
> an IP-address, so a website or service can be easily located. Older
> people also call it the Internet’s phone book.

It's not just older people, but whatever.

> Nowadays, there are several large DNS resolvers. Many ISPs operate
> their own but third-party DNS services are very popular too. The
> most used third-party options include Google, Cloudflare, OpenDNS and
> Norton, which are all US-based. This large foreign footprint has the
> EU worried.
>
> DNS4EU
>
> To offer some balance to the American dominance in the DNS industry,
> Europe is proposing its own alternative titled DNS4EU. Last week
> the European Commission published a call for proposals, which also
> describes in detail what features the government-controlled DNS
> resolver should offer.

I would have never thought that American's dominate the DNS industry.
There's not anything that prevents others from entering the DNS industry.

Sure, being a root server operator has many technical requirements. But
any business that want's to can become a root server operator.

Anybody that wants to operate a private instance of a root DNS server
can easily do so. -- Ask if you want to know more.

> The project overview makes it clear that DNS4EU is meant to protect
> the privacy of end-users and keep them secure.

I would be surprised if this wasn't the case.

There's basic recursive DNS server operation and then there's value
added recursive DNS server operation. The value added is the only way
to make a business model.

Though a government funded service isn't the typical business model.

> “DNS4EU shall offer a high level of resilience, global and EU-
> specific cybersecurity protection, data protection and privacy
> according to EU rules, ensure that DNS resolution data are processed
> in Europe and personal data are not monetised,” the EU writes in
> its overview.

I wonder what "global and EU-specific cybersecurity protection" means.

I feel like what's good for the goose is also good for the gander.

> In addition to serving individuals directly, the resolver will also
> be available to Internet backbone networks that handle traffic in,
> from, and to Europe. These backbones are part of global traffic routes
> which means that millions of people could potentially be impacted.

So are they saying that people outside of the EU will be forbidden from
using DNS4EU? -- That's their prerogative. I'd just like some
clarification.

> Many of the proposed DNS4EU features aim to protect EU citizens. For
> example, the DNS resolver is not allowed to monetize user data and
> has to comply with applicable privacy regulations including the GDPR.

I don't view that as a problem. I believe that every recursive DNS
server operator should follow those rules. But I'm strange like that.

> At the same time, there is also a heavy focus on filtering. DNS4U
> should help to block malware and phishing, for example, and protect
> against other cybersecurity threats. These are quite common features
> for DNS services nowadays.

This can be a sticky wicket.

Filtering names that have been declared to be bad is one thing that's
fairly easy to do. With a given value of easy, what with DNSSEC and all.

Filtering and protecting against other cybersecurity threats ... that's
more problematic. What constitutes a cybersecurity threat?

Will DNS4EU (re)use a commercial provider's list of known problems?
Will they organically grow their own? Will they learn discover / learn
problematic names through other means?

I'd like to know more details of a technical nature.

> Blocking Unlawful Traffic
>
> The EU initiative goes a step further though. While details are
> scarce at this early stage, the language in the official documentation
> suggests that “illegal content” could be blocked as well.
>
> “Filtering of URLs leading to illegal content based on legal
> requirements applicable in the EU or in national jurisdictions (e.g.
> based on court orders), in full compliance with EU rules.”

Sure. Provide a fully above board court order and just about any
recursive DNS operator is capable of filtering things.

Wherein filtering means not resolving some content. Chances are still
quite good that someone will be able to detect said filtering. Thank
you DNSSEC.

> The above suggests that pirate sites can be blocked by DNS4EU as
> well, if there’s an applicable court order. These sites will then
> be blocked for all users in the region.

These sites will be unresolvable for people that use DNS4EU. The lack
of ability to resolve through DNS4EU does not mean that these sites will
be inaccessible.

> At the same time, it could also affect traffic that passes through
> the Internet backbones that use the DNS resolver.

If you're using DNS4EU then you should expect to have traffic filtered.
Period. End of story.

If you don't want the filtering, then don't use DNS4EU.

Adding a new recursive DNS service to the Internet does not force people
to use it.

> Without knowing the full technical setup we’re cautious not to draw
> strong conclusions. That said, backbones generally operate across
> borders and continents, so potential overblocking is a serious concern.

FUD alert!
Hype alert!
(See above.)

> The project overview stresses that filtering and blocking measures
> should be in line with national rules so we assume that the DNS
> resolver may treat traffic from individual member states differently
> if needed.

Okay. I see some minor technical hurtles to overcome, but nothing
insurmountable here.

> Censorship Risk?
>
> Patrick Breyer, Member of the European Parliament (MEP) for the Pirate
> Party, believes that the project is unnecessary. The current DNS
> solutions work fine and adding government-run filtering and blocking
> tools is dangerous.

I can see how such a tool could be abused and / or politicized.

But I see zero problems with countries wanting to operate their own
recursive DNS service. Russia was doing this a few years ago.

> “A government-run DSA scheme comes with the risk of online
> censorship,” Breyer tells TorrentFreak, while adding that DNS
> blocking itself is easily circumvented.
>
> “Access blocking leaves content online and therefore can easily
> be circumvented and often results in overblocking and collateral
> suppression of legal speech hosted on the same website, by the same
> provider or via the same network.”

I believe that's over generalized FUD.

> This type of collateral damage is not just hypothetical. Breyer
> notes that, in 2020, the public domain library Project Gutenberg
> was blocked in its entirety in Italy because some content allegedly
> violated local laws.

Like it or not, governments have the purview to filter some things
pursuant to their local laws. We don't have to agree with them, much
less support them. But we must let them uphold their laws in their
country as we want them to let us uphold our laws in our country.

> Borderless Backbone
>
> That blocking won’t always stop at borders is also well known. In
> 2017, several websites were blocked around the world because Internet
> backbone provider Cogent blackholed several Cloudflare IP-addresses
> in response to an Italian court order.

I have two BIG issues with that comment:

1) People have to choose to use DNS4EU to be impacted.
2) There are failed technical implementations all the time. Cloudflare
messed up in how the implemented what they were obligated to do. They
should have done os in a way that only effected people in Italy.

> According to Breyer, infringing content should be removed, not
> blocked.