
How DNSSEC helps protect the Internet and how SOPA almost made it illegal

Domain Name System Security Extensions (DNSSEC) is a security technology that helps address one of the Internet's weaknesses. We are lucky that SOPA failed, because SOPA would have made DNSSEC illegal.

DNSSEC adds critical security to a part of the Internet that has almost none. The Domain Name System (DNS) works well, but nothing in the lookup process is ever verified, which leaves holes open for attackers.

The current state of affairs

We have explained how DNS works previously. In short, when you connect to a domain name like google.com or howtogeek.com, your computer contacts its DNS server and looks up the IP address associated with that domain name. Your computer then connects to that IP address.

What matters here is that there is no verification process anywhere in a DNS lookup. Your computer asks its DNS server for the address associated with a website, the DNS server replies with an IP address, and your computer says "OK!" and happily connects to that address. Nothing checks whether the answer was valid.

Attackers can redirect these DNS requests or set up malicious DNS servers designed to return incorrect responses. For example, if you are connected to a public Wi-Fi network and try to reach howtogeek.com, a malicious DNS server on that network could return a completely different IP address, one that leads you to a phishing website. Your web browser has no way to verify that the IP address is actually associated with howtogeek.com; it simply has to trust the response it gets from the DNS server.

HTTPS encryption provides some verification. Say you connect to your bank's website and see HTTPS and the lock icon in your address bar. You then know that a certificate authority has verified that the website is owned by your bank.

If you reached your bank's website through a compromised access point whose DNS server returned the address of a fraudulent phishing site, the phishing site would not be able to present that HTTPS encryption for your bank's domain. However, the phishing site may simply use plain HTTP instead of HTTPS, betting that most users will not notice the difference and will enter their online banking details anyway.

Your bank has no way of declaring "these are the legitimate IP addresses for our website."

How DNSSEC helps

A DNS lookup actually takes place in several steps. For example, when your computer looks up www.howtogeek.com, it proceeds as follows:

  • First it asks the "root zone" directory where .com is located.
  • Then it asks the .com directory where howtogeek.com is located.
  • Finally it asks howtogeek.com where to find www.howtogeek.com.

DNSSEC involves "signing the root." When your computer asks the root zone where .com is located, it can check the root zone's signing key and make sure it is talking to the legitimate root zone with the correct information. The root zone in turn contains information about the signing key for .com and its location, so your computer can contact the .com directory and make sure it is legitimate. The .com directory contains the signing key and location for howtogeek.com, so your computer can contact howtogeek.com and verify that it is connected to the real howtogeek.com, as vouched for by the zones above it.

When DNSSEC is fully in place, your computer can confirm that DNS responses are legitimate and true. Today, without it, your computer has no way to tell which responses are real and which are fake.

Further information on how encryption works can be found in our separate article on the topic.

What would SOPA have done?

So what role does the Stop Online Piracy Act, better known as SOPA, play in all of this? Well, if you followed SOPA, you know it was written by people who did not understand the Internet, and it would have "broken" the Internet in several ways. This is one of them.

Remember that DNSSEC allows domain owners to sign their DNS records. For example, thepiratebay.se can use DNSSEC to specify the IP addresses it is associated with. When your computer does a DNS lookup with DNSSEC, whether for google.com or thepiratebay.se, it can determine that it is getting the correct answer, as verified by the domain name's owners. DNSSEC is just a protocol; it makes no attempt to distinguish between "good" and "bad" websites.

SOPA would have required Internet service providers to redirect DNS lookups for "bad" websites. For example, when an ISP's subscribers tried to reach thepiratebay.se, the ISP's DNS servers would have returned the address of a different website informing them that the Pirate Bay had been blocked.

Under DNSSEC, such a redirect would be indistinguishable from the man-in-the-middle attacks that DNSSEC is designed to prevent. ISPs deploying DNSSEC would have to reply with the actual address of the Pirate Bay and would therefore be violating SOPA. To accommodate SOPA, DNSSEC would have needed a large loophole allowing Internet service providers and governments to redirect DNS queries for domain names without the permission of the domain owners. Doing that securely would be difficult (if not impossible) and would likely open new security holes for attackers.
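The following is an added example, not code from the original article, that models the three-step lookup, the chain of trust described above (trust anchor, then root, .com and howtogeek.com keys linked by DS digests), and the SOPA-style redirect just discussed. It uses constructed zone keys and constructed addresses, and it substitutes HMAC-SHA256 for DNSSEC's public-key RRSIG signatures so that it runs on the Python standard library alone; the validation logic (each zone's key must match the digest its parent published, and every record must carry a valid signature under that key) is the same. The point it demonstrates is that a resolver which simply trusts answers accepts the ISP's rewritten address, while a validating resolver rejects it, because the ISP cannot re-sign the record without the domain owner's key.

```python
import copy
import hashlib
import hmac

# Constructed toy data: one secret per zone stands in for that zone's DNSKEY.
# HMAC is a stand-in for DNSSEC public-key signatures (assumption, not real DNSSEC).
ZONE_KEYS = {
    ".": b"constructed-root-key",
    "com.": b"constructed-com-key",
    "howtogeek.com.": b"constructed-howtogeek-key",
}


def _msg(name, rtype, rdata):
    return f"{name}|{rtype}|{rdata}".encode()


def sign(zone, name, rtype, rdata):
    """Stand-in for an RRSIG: MAC over one record made with the signing zone's key."""
    return hmac.new(ZONE_KEYS[zone], _msg(name, rtype, rdata), hashlib.sha256).hexdigest()


def key_digest(key):
    """Stand-in for a DS record: digest of a child zone's key, published by its parent."""
    return hashlib.sha256(key).hexdigest()


def rr(zone, name, rtype, rdata):
    return {"name": name, "type": rtype, "data": rdata, "sig": sign(zone, name, rtype, rdata)}


def build_zones():
    """Each zone publishes its own key (DNSKEY), its signed records, and a DS for the zone below it."""
    return {
        ".": [rr(".", ".", "DNSKEY", ZONE_KEYS["."].hex()),
              rr(".", "com.", "DS", key_digest(ZONE_KEYS["com."]))],
        "com.": [rr("com.", "com.", "DNSKEY", ZONE_KEYS["com."].hex()),
                 rr("com.", "howtogeek.com.", "DS", key_digest(ZONE_KEYS["howtogeek.com."]))],
        "howtogeek.com.": [rr("howtogeek.com.", "howtogeek.com.", "DNSKEY", ZONE_KEYS["howtogeek.com."].hex()),
                           rr("howtogeek.com.", "www.howtogeek.com.", "A", "192.0.2.10")],  # constructed address
    }


# A validating resolver is configured with one trust anchor: the digest of the root key.
TRUST_ANCHOR = key_digest(ZONE_KEYS["."])


class Bogus(Exception):
    """Raised when the validating resolver cannot verify an answer."""


def find(zones, zone, name, rtype):
    for record in zones[zone]:
        if record["name"] == name and record["type"] == rtype:
            return record
    raise KeyError(f"{zone} has no {rtype} record for {name}")


def verify(record, key):
    expected = hmac.new(key, _msg(record["name"], record["type"], record["data"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["sig"]):
        raise Bogus(f"signature check failed for {record['name']} {record['type']}")


def zone_chain(zones, qname):
    """Zones to walk, root first: '.', 'com.', 'howtogeek.com.' for www.howtogeek.com."""
    labels = qname.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            chain.append(candidate)
    return chain


def resolve_insecure(zones, qname):
    """A plain resolver: returns whatever the last server in the chain says, unchecked."""
    return find(zones, zone_chain(zones, qname)[-1], qname, "A")["data"]


def resolve_secure(zones, qname):
    """Validating resolver: trust flows root -> TLD -> domain through DS/DNSKEY pairs."""
    expected_digest = TRUST_ANCHOR
    chain = zone_chain(zones, qname)
    for i, zone in enumerate(chain):
        dnskey = find(zones, zone, zone, "DNSKEY")
        key = bytes.fromhex(dnskey["data"])
        # The key this zone hands out must match the DS its parent (or the trust anchor) committed to.
        if not hmac.compare_digest(key_digest(key), expected_digest):
            raise Bogus(f"{zone} key does not match the DS published by its parent")
        verify(dnskey, key)
        if i + 1 < len(chain):
            ds = find(zones, zone, chain[i + 1], "DS")
            verify(ds, key)
            expected_digest = ds["data"]
        else:
            answer = find(zones, zone, qname, "A")
            verify(answer, key)
            return answer["data"]


def sopa_style_redirect(zones, qname, block_page_ip):
    """Model an ISP resolver rewriting the answer for a blocked site.
    It holds no howtogeek.com. key, so it can swap the data but cannot re-sign it."""
    rewritten = copy.deepcopy(zones)
    for records in rewritten.values():
        for record in records:
            if record["name"] == qname and record["type"] == "A":
                record["data"] = block_page_ip
    return rewritten


def demo():
    zones = build_zones()
    redirected = sopa_style_redirect(zones, "www.howtogeek.com.", "203.0.113.1")  # constructed block page
    results = {"secure_honest": resolve_secure(zones, "www.howtogeek.com."),
               "insecure_redirected": resolve_insecure(redirected, "www.howtogeek.com.")}
    try:
        results["secure_redirected"] = resolve_secure(redirected, "www.howtogeek.com.")
    except Bogus as err:
        results["secure_redirected"] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the honest address from the validating resolver, the block-page address from the non-validating one, and a rejection for the validating resolver against the rewritten answer. Swapping in a different key for howtogeek.com. fails at the DS comparison instead, which is the other half of the chain: an ISP or attacker cannot simply present its own key, because the parent zone has already committed to the real one.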

Fortunately, SOPA is dead, and hopefully it will not be coming back. DNSSEC is being rolled out now and is a long-overdue solution to this problem.

Photo credit: Khairil Yusof, Jemimus on Flickr, David Holmes on Flickr