The Domain Name System – How it works – EDU 02 2018
5 June 2018 | 14:30-16:00 | EVENT ROOM |
Consolidated programme 2018
This is a basic training on how the domain name system (DNS) works. The training explains the underlying infrastructure of the DNS, the stakeholders involved, and why and what you should know about IP addressing to understand the DNS. Attending this session will give you the means to more effectively participate in other EuroDIG sessions.
Keywords
- Domain name system
- IP addressing
- Training
- Internet ecosystem
- Technical basics
Session description
The start and end point of the training will be the DNS. We will take you on a journey of what and who makes the DNS work and ensures that you are directed to the address you are looking for. You will understand that the internet is not “the cloud” but runs on pretty hard infrastructure. By means of practical examples (bring your laptop!), you will also learn how your request for a domain name travels through the infrastructure. We will also show you what operators do to make sure that the system remains resilient, stable and available. Last but not least, we will touch upon regulatory or voluntary activities, such as blocking and backdoors to encryption, that could interrupt the smooth functioning of the DNS and harm its resilience.
Format
The training on the DNS will last approximately 60 min including practical exercises, followed by 30 min for Q&A and discussions. Pointers to policy issues and legislative developments establish the connection to current debates and can be used to trigger the discussion.
Further reading
Links to relevant websites, declarations, books, documents. Please note we cannot offer web space, so only links to external resources are possible. Example for an external link: Website of EuroDIG
People
Please provide name and institution for all people you list here.
Focal Point
- Peter Van Roste, CENTR
Organising Team (Org Team)
- Peter Van Roste, CENTR
- Alexandrine Gauvin, CENTR
Key Participants
Until 14 May 2018. Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance. Please provide short CVs of the Key Participants involved in your session at the Wiki or link to another source.
Trainer / Moderator
- Peter Van Roste (CENTR)
Reporter
- Alexandrine Gauvin, CENTR
Current discussion, conference calls, schedules and minutes
See the discussion tab on the upper left side of this page. Please use this page to publish:
- dates for virtual meetings or coordination calls
- short summary of calls or email exchange
Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.
Messages
Find a blog post of the overall experience of CENTR on EuroDIG 2018 at https://centr.org/news/blog/eurodig-2018-in-tbilisi-exploring-new-frontiers-and-looking-into-the-digital-future.html
Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/resources/domain-name-system-%E2%80%93-how-it-works
Transcript
Provided by: Caption First, Inc. P.O Box 3066. Monument, CO 80132, Phone: +001-877-825-5234, +001-719-481-9835, www.captionfirst.com
This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.
>> One, two. Thank you. Microphone working. Yes, we are just going to announce that we are starting in about two minutes, just so you have time to have the last minute people coming in.
>> ALEXANDRINE GAUVIN: All right. I think we will be good to start. So we can assume that everybody who is not in this room knows perfectly well how the Internet works. So that's good news.
(Laughter)
But it's never too late to learn a little bit. My name is Alex, my colleague is Peter, and we're both from CENTR and we are here today to explain how the Internet works and how the DNS works.
Just a few practicalities before we start. The red pointers, like this, they indicate policy aspects throughout the presentation. For asking questions, what we would like is for you to take notes of your questions throughout the presentations so we can address them at the end, because very often we have answers throughout the presentation. So it will be nice to have them at the end.
If you have more questions later, of course, do not hesitate to reach out to us and another important point is this is a basic training. There will be corners that will be cut. Hmm? So just to put a bit of expectation management here.
And before we start, who are we? Who is CENTR? It's for the country code top level domain names. How do I explain to my mother where I work and what we do? That was the challenge. The simplest way I managed to explain it is: when you have a URL in your browser, at the very end after the last dot that you see, you have either a .ge, .ca, .com. They are managed by registries, the registries that maintain the top level domains. They are generic top level domains or country codes. Country codes are two-letter codes. You will recognize them very easily. First question for this audience: ge is a country code for...
>> PARTICIPANT: Georgia!
>> ALEXANDRINE GAUVIN: Excellent. That's a good start. And CENTR represents country codes, in Europe mostly. There is only one registry per country because there's only one country code, so the best way for them to exchange with peers is to talk to their neighbors. So Spain wants to talk to the Netherlands, and Canada wants to talk to Israel, and this is why our association exists, basically, to exchange that type of information. We have 54 full members that are all country codes, nine associate members that include country codes that are outside of Europe, but also generic top level domains, and 13 observers.
And just to give you an idea of our membership, all together the registries we represent have about 73 million domain names, which is about 50% of the registered ccTLDs worldwide. Another important aspect about ccTLDs, which we will come back to, is that most of our members are not for profit organizations. Our members have this commitment to the local Internet community and that includes a lot of education and awareness. So that's also what we are doing here today.
What CENTR does: we provide and help aggregate a lot of statistics and data for them. We have public documents and documents that are just for the members, but just so you know, some of the documents you might recognize: we produce reports for some of the big meetings that you have probably heard about, ICANN, IGF and RIPE and CC, and those are publicly available. That's important to know.
So what are we going to learn today? Why is this slide important? Because there's a lot that it implies, and there's a lot we will not have time to cover today. So that's why we want to frame a little bit the context of what will happen today, so if you have other questions, we can address them afterwards.
What the Internet really looks like, what IP addresses look like and how they connect to each other, how the Domain Name System works, why the root is important and why PTI matters. I'm just going to intercede here and say you will see a lot of acronyms. Do not fear. They shall be explained throughout the presentation. You also have a reference on that sheet that we provided on the Internet ecosystem. If you flip it over, you have a list of a lot of acronyms, and that's a good reference.
Who does what in the technical layers of interest, and why this matters to Internet Governance discussions?
So for starters, I will show you this news item. That was a bit over a year ago, and Google was basically blocked in France for about an hour. By the end of this presentation, you will understand what happened and why it was so important for the DNS to work properly.
What is the Internet made of? It's made of carrots, and by that, we mean it's not made of sticks. The way that the Internet was built was based on standards and protocols that everybody that wants to be involved in and get into the Internet agreed on, but there are no sanctions, you know. Any technical person is free to use the protocol or the standard that they wish. The only advantage is that if you agree to use the agreed protocols and standards, then you get access to the wider Internet.
So that's the idea and that's the concept of standardization.
Who governs the Internet? We do! Excellent! We do! Exactly! It's a multistakeholder approach, which is quite unique when you consider the importance of the Internet in our world today. This is, like I said, a bit overwhelming in quantity of acronyms, but what we will be covering today is on the bottom: all this section in the bottom is the technical layer of the Internet, and at the top is the content layer. We'll go a bit more into detail, but before we do that, I want to first take you on a bit of a journey on the physical part of the Internet, so the actual infrastructure. What happens physically, what does it look like? It all starts with your device, laptop, phone, tablet, and what happens when it connects to the Internet?
Well, the connection goes through the router. The router is connected to the Internet network within your office or at home, and all of those cables will be collected and gathered and go through the wall, all the way down the elevator and into the streets, and the cables are protected, of course, hmm? All of those cables are running all across the streets. They will gather eventually at junction boxes a bit like this. And that's when we are within the city. What happens when we want to connect one city to another? Can someone tell me why we have an image of a railroad here? You will have a little gift if you can tell me why we have a railroad. Yes.
>> PARTICIPANT: So in many countries, we have used railroads to actually have fiber and a lot of telecommunication cables next to it because it's a really perfect place to put them in.
>> ALEXANDRINE GAUVIN: Excellent answer. Why is it already a path?
>> PARTICIPANT: Because it's already a path from major cities to major cities.
>> ALEXANDRINE GAUVIN: Yes, I'm really bad at this, so not bad. Excellent.
So that's between cities. What happens if we want to connect between continents? I'm sure you have seen that. We have undersea cables. We have a lot of undersea cables, and more and more over time. It has already evolved a lot, all of the undersea cables. We saw this in the news about a month ago, when one undersea cable was cut and there was an Internet shortage across all the west side of the continent of Africa.
Let's just make this clear: this is very rare now, because there's a lot of redundancy. So if one cable is cut, there are plenty of others to take over. So we will get over that. So this is rare, but still, it reminds us of the importance of the physical part of the Internet.
But, of course, there's not only cable. We have satellite to connect to the Internet, 4G, soon 5G. We have balloons, sometimes even experiments with drones. The drones and the balloons and the satellites are still not used very much for Internet access because they are still quite expensive, but in emergency situations, they have been used quite a bit.
So back to your device. You remember that's where we started from, and what's the end point? Where are we going through all of those cables? What's the end point? Well, it's all the data centers. And what do the data centers store? Basically the content. It's everything that's on the Internet. We often forget it because we use the word "cloud" to refer to this, but they are very real physical locations where that content is stored. I think that's something that we need to remind ourselves. There are plenty of examples. Facebook has a huge quantity of data centers.
Data centers can be quite interesting as well, just because they produce a lot of energy, hmm, because of the servers heating up. So there are quite a few big data centers that found ways to renew the energy and cool down, but in a sustainable way. This is in North Korea or South Korea. North Korea, I would not have a picture.
(Laughter)
And, of course, we are talking in this case about ePrivacy, the free flow of data. To finish this physical part of the Internet, this is just a fun picture of three of the founding fathers of the Internet, and the image that you see there is the ARPANET, which is the ancestor of the Internet. We don't have the time to go into the history, so we have Vint Cerf and others.
And now I give the floor over to Peter to take over.
>> PETER VAN ROSTE: All right. So Alex took you on a journey across the physical infrastructure, the networks, cables, copper, waves, but so far nothing is happening. It's just that infrastructure.
So what happens when we start to put traffic on it? The first thing we need to understand is that every device connected to the network needs to have an address. Without an address, it cannot be found. It cannot connect to other devices, and these addresses are called IP addresses. The format you are most familiar with, because everybody has probably tried to fix a router problem on their WiFi at home, or tried to connect a printer: these are IPv4 addresses, a format that we are used to. I will get to IPv4 and IPv6 in a minute.
There is an organization called PTI, Public Technical Identifiers. They are part of ICANN. One of their three main functions is maintaining the global resource of IP addresses. They need to make sure that they don't distribute the same IP address to different entities. So your laptop, as soon as it is connected to the public Internet, has a unique public IP address, and PTI is managing that on a global level by cutting the global resource into regional address pools. So every region gets its own address pool and they are managed by a regional organization. For Europe, this is RIPE NCC. I'm not sure if RIPE is here. If you have any questions on how they set their policies, feel free to reach out to them.
So PTI is splitting up that whole pie across the regions and they are sending blocks of IP addresses.
So then on a regional level, the organization sets their policies: who can get blocks of IP addresses. Typically, they are members, because you need to be a member to receive your share of IP addresses: ISPs or mobile operators, research institutions, government, law enforcement. I think RIPE has over 15,000 members. So there are 15,000 organizations in Europe that receive address blocks from them, and then distribute those address blocks to their customers.
They can be static and dynamic, which is an important thing when we discuss privacy. Static IP addresses are typically used for servers that host content. They are allocated to that server and they typically do not change regularly. Dynamic IP addresses are what we as customers get assigned by our ISP. If you know how to find your IP address, for instance on mobile, every couple of hours, depending on what part of the network you are on or if you are roaming, your IP address will be reassigned. The original reason for having dynamic addresses, because it seems quite clumsy to reassign an address, is that they wanted to use a scarce resource as efficiently as possible.
So rather than having customers assigned an IP address that they don't use, IP addresses got assigned on a need basis. So when you needed an IP address, you got assigned one. ISPs or mobile operators, anyone who assigns the IP addresses at the user level, keep logs. And these logs, as probably some of you have been engaged in data retention discussions, are crucial because they are one of the only efficient ways of identifying users later on in this stage. There's law enforcement, and during a criminal investigation, it's exactly these logs that they are after: which user got assigned which dynamic IP address at which point in time?
IPv4 versus IPv6 addresses. In full disclosure, I'm a lawyer, not a technical person. If you compare the amount of IPv6 addresses with the size of a golf ball, the amount of IPv4 addresses is about the size of the sun. They told us years ago that we wouldn't run out of IPv4 addresses, and now they say the same thing about IPv6. So the IPv4 address you are familiar with, and the IPv6 address is slightly more complicated.
Benefits of IPv4: it's compatible with old equipment, and old equipment is where you probably least expect it. It's in your cupboard, at your home or flat, it's that old router, old as in more than five or six years, that can easily deal with IPv4 addresses but is not always compatible with IPv6. The advantages of IPv6 addresses: there's no scarcity and we will have more addresses. Developing countries will have no problem getting space. It's more stable and has more routing capabilities.
An interesting aspect of the move from IPv4 to IPv6 is that we will see fewer dynamic IP addresses. There's a need to assign IPv4 addresses on a need to use basis, but you could assign IPv6 addresses permanently to the devices and to users.
And so that will have a consequence on the logs that the ISPs are keeping about their users.
So now a bit more in concrete terms. Your laptop: so Alex's story about the infrastructure started with the laptop and it ended with data servers. How can we visualize that journey, that starts whenever you are typing in a domain name or an IP address or send an email on your machine here? First of all, it's quite easy to identify the IP address on your machine. You look at the properties, and this is for, I think, Windows 9, and there's probably Windows 10 here. The IPv4 address on your machine is easily identifiable. I'm using the CENTR website. Anyone tried to do a DNS lookup? The techies in the room can't answer that one. I see a few hands.
There's an easy way to find the IP address of the content that you are trying to reach, that is if you know the domain name, www.centr.org. You can use your command prompt, which is the '80s style interface that does plenty of useful things on your machine. For Mac, it's obviously also available. It's nslookup. You do nslookup and then you enter the domain name and it will provide you with an IP address. For the CENTR website, it gives us even two. It gives us the IPv6 address, the top one, and IPv4, for anyone who wants to publish content online. We have the IP address of our computer and the website and we will see how both connect to each other.
So this is the highest level possible of visualization of what the Internet looks like. It's a network of networks. So when Alex talked to you about the infrastructure, it was not lit yet. The moment you start seeing traffic on those individual networks, across the street to the crossroad hub, along the railroad lines to the other cities, networks owned by individual operators kind of look like this. So how do they interconnect? If you zoom into details you can see fun stuff here. For instance, it's color coded, and there's a large Asian network. A huge Asian network, actually, basically without any connection to the rest of the Internet. It could easily be a military network from a major Asian country.
How do these networks connect? If you look at this picture, you will see that there are some parts of the network, and these are the white lines, where many white lines get together. This is an important element of the infrastructure that nobody, I mean, we shouldn't underestimate, and it's the importance of the Internet exchanges. Internet exchanges are places where your different commercial providers or academic networks get together and literally, in one room, with their individual server racks across the room, they drag cables across the room to each other and that's where they peer. Peering is essential, because there's no money exchanged in a peering agreement. Even if a smaller telecom operator peers with a larger one, they both agree on the value of the traffic, even if it's different in amounts: smaller sums, less traffic to the public Internet. Even if the amount of traffic is different, they agree that they will not pay compensation. And we all know a different example, another example that went pretty wrong, basically, and that's the mobile networks. We all suffer from large expensive interconnection rates, expensive roaming, because phone networks, contrary to Internet operators, do not peer. They have no such agreements in place.
So this is what's happening at the Internet exchange. It's happening in Germany, in Frankfurt, one of the larger ones, with the Netherlands. If anything happens to one of the operators in Germany or even to the German Internet exchange, others in the region can easily take over.
It is so good to see that in African countries we see more and more Internet exchanges, and the huge upside of that is that it's cheaper. 15 years ago, traffic between two European IPs crossed the Atlantic back and forth, because there was only an exchange between their two networks on the East Coast of the US; whereas now the traffic remains in Europe, and it's quicker. You gain a couple of milliseconds of your traffic being sent back and forth, and, again, it's cheaper.
The relevance of these Internet exchanges to policy discussions is the security directive. More and more, core Internet infrastructure is considered to be critical infrastructure, and as such, some of the rules and regulations apply. As for the spread of Internet exchanges across the world, you see that Africa has a bit of catching up to do, but it's already an enormous difference from a few years ago. And Europe has a very high density of these Internet exchanges.
So we have shown the trajectory to you. The really fun part is that you can see how it works, and so you go back again to that '80s style command prompt and you use a trace route command, TRACERT. You do the same thing. So I'm doing a trace route to CENTR: TRACERT www.CENTR.org. And then the journey starts. What we told you so far is visible in that list of IP addresses. So this is from our CENTR office. The first one is where we connect to the WiFi router. Sorry, the first one is the IP address of the machine, and then we connect to the WiFi router. We get to our firewall and then we get on the public part of the Internet through Belgacom. It's easily and conveniently listed in the name of the router. So you have the IP address and the name of the server. We hop along the Belgacom network, from the router downstairs to the one near the crossroads to the one near the park, larger and larger, until you finally get to that really important crossroad that I mentioned: the Internet exchange. This is the Belgian one, and so it's called BNIX. It's moving to the competitor's network. It's the largest broadband operator in Belgium, and then we start hopping across their hubs, probably zooming somewhere along the railway. We are not crossing the Atlantic because the CENTR servers are in Belgium, in a city called Ghent, and this is where the trace route ends.
This is the journey that the packet makes. These are all the hubs that the information travels through.
So now let's add the Domain Name System. Why do we need it, the importance of the root and who is managing it, and a quick journey along the top level domains and their different forms and policies.
That probably, maybe with the exception of Peter. He's hiding behind that pillar. Peter is the CTO of EURid, not CTO, you are the R&D (off microphone comments).
He's providing us with technical support for these trainings and it's always very reassuring for me and Alex to have him around. Typically nobody can recognize any of those addresses, but they are some of the most used addresses by European Internet users.
It's not just IPv4. It's IPv6. It's not just for web traffic. It's also for mail, which is called SMTP traffic. So it already shows one of the first reasons why we need a DNS. We can remember those addresses. We know where to send an email without having to look it up. And that's exactly what the DNS does. It's a lookup system. So the first reason: it's convenient for humans.
Here is an interesting one. It's only recently that the potential of the Internet actually got unlocked to more than just the about 2 billion people that can read and write Latin characters. What are called IDNs, the internationalized domain names, got added to the Domain Name System just under a decade ago and we have 49 scripts that are fully functioning. This is the Cyrillic one. Some of you may have seen the Cyrillic addresses. They are not very popular yet.
There are a couple of reasons for that. There's the reason of universal acceptance, but the possibility is there. And in some Asian countries, they are getting some traction.
>> PARTICIPANT: Just to mention, the IDN names actually have an equivalent in Latin letters. It's typically xn--something. So you can use them, or
>> PETER VAN ROSTE: Punycode? Yes. So remember, the address is the first one. The flexibility of the DNS is the second one. I told you that all machines, all servers, every device connected to the Internet has an IP address. But what happens if the IP address, or the machine, breaks down? The place where the machine is held burns down.
It happens more than you would think. In data centers, fires happen occasionally, I would say. Typically there is a data backup. For instance, a large newspaper will not have their data just stored on one server. They have it on multiple servers. But as a user, you type in the name of your favorite newspaper, because the DNS converts it to an IP address. If it's changed in the background by your operators, as a user, you wouldn't notice it, but you would still easily get to the same information. So your newspaper, one of their servers burns down, they quickly switch the IP address of the domain to their backup facilities, and as a user, you will not see a glitch in the access to information.
The third reason is that the Domain Name System can help to divert traffic loads. Some of the server attacks can be mitigated partially by proper use of the DNS. And a fourth reason, more of a fun one. Unfortunately we don't have too much time to go into the Internet of Things. A really cool example is a flood warning system using .UK, and they are using the white space, the old abandoned TV airwave space, to connect to devices that they stuck under bridges in Oxford. It measures the distance to the water. If that is decreasing, they know a bit further down they will be expecting floods. And so they are providing this open data to the community. Really nice tools have been built with that.
And DNS has a part here. They named these devices according to their location for easy reference and also referring to the backup system. It provides flexibility: if anything happens to one device stuck under a bridge, they can switch to another IP address of another device under that bridge.
We have a movie on YouTube, on CENTR DNS, that explains how DNS works. It's two minutes and I think you will really like it. I will take you through a slightly different version of that explanation.
So how does the DNS work? It is a hierarchical system. And the advantage of that hierarchical system is that it allows every zone, for instance .eu or .com or .ge, to set its own policy.
It allows for differences, being respectful of local laws and of different needs of local Internet communities. Some of the CENTR members restrict their zone to inhabitants of their region or country. .EU is a good example. Only when you are an inhabitant of the EU can you get a .EU domain name.
So it's a hierarchical system that starts with the root, and in that root, currently, there are about 1,500 top level domains held in the root zone file, and then every one of those zones manages their second level zone. So for EU, Europa.EU, every single domain with .EU is held in .EU's database. And for the third level, because of the hierarchy, it's the European Commission, it's Europa.eu that sets the policies on who can get one, and for Europa.eu, it's only the European institutions.
There are three players. The root zone maintainer, PTI, and you will remember them from the IP address allocation. In addition to assigning IP blocks they are also maintaining that root zone. It's an ICANN affiliate.
It used to be the US government that was overseeing the root zone maintainer. At that point it was called IANA. And the US government administration decided it was time to hand it over to the multistakeholder community, convened by ICANN. So ICANN organized what for me is one of the most spectacular successes of the multistakeholder model. They made sure everybody agreed, governments, end users. Everybody who is represented or can be represented in ICANN agreed on a model of oversight of PTI, and that is important, because once and for all, we got rid of the stories that the US government holds the key of the Internet. From that moment, it was the multistakeholder community and they set their policies through ICANN policy development mechanisms. So that's one key player: the one maintaining the root zone.
Secondly, for the TLD itself, we have European country code top level domain names. This is where our members come into play. They manage the zone for a particular country, whether it's ge or EU, be or UK, and then on another level, you have the domain name for other organizations. It's the European Commission who is the main administrator for .EU, and I will use that example through the next couple of slides.
So I already shared this. This is a bit underwhelming after I underlined how crucial and important it is, but it is actually a pretty simple thing. The importance of the root lies more in the policies that guide implementation of new TLDs or specific standards that need to be applied. But this is what the root looks like. It's the one in Amsterdam, managed by RIPE.
So maybe just briefly on that: there's not one copy of the root zone. There are 13 identical copies. It's a resilience measure just to make sure that if one gets into trouble, whether it's organizationally or financially or there's maybe a hostile takeover even, there's still plenty of backup. These 13 have in their turn plenty of copies all around the globe. For instance, I think a country like Belgium has three or five authoritative copies.
I told you about the US government no longer overseeing PTI as of October 2016.
This is what a root zone file looks like. It's a flat text file, it's not an interesting read. I will take you through the essence of what it does. This is an example taken from the root zone file of .eu. And by the way, there's a prize. And you can't answer that one and Peter can't answer that one. But does anybody know about the hidden dot?
The hidden dot?
(Off microphone comment)
>> PETER VAN ROSTE: Anybody explains what it does in any time you add a domain name, we add a dot at the end. We never do. The browser adds that. If you add a dot, it will still work. The browser will probably think that you are a bit nerdy, but there's a hidden dot and it tells your browser to start looking at the top level when trying to translate a domain name into the IP address. If you look at the couple of lines, it's not easy to read, but it says EU dot, so that's the hidden dot. It has in this case, .eu has eight named servers. Eight named servers for resilience, of course. They technically only need one. They can balance the load between those eight servers and in a minute, I will take you through a journey of how that request works. This is the root zone file. That is eight entries for .eu and it's not very inspiring, xy, and z, and uk, which is where they are locate then it explains where each of those named servers, what IP address each of those named servers are connected to. In the middle there's a bit of a signature and it's used for DNSSEC. It's a security extension that's added to the DNS. ICANN is doing a fabulous job to make the DNSSEC. DNSSEC relies on a public signature and that can be found in the root there. Oh, thank you. Yes.
There are differences amongst the TLDs. You are doing remote participation, so this one is for you. There are differences in TLDs: there are country codes and the generic domains. The biggest difference between those two: policies for country codes are set on a local level. Policies on who can get a generic top level domain are set on a global level through the multistakeholder model under the ICANN umbrella. That's a crucial difference. There are fewer ccTLDs than gTLDs, and it changed five or six years ago when there were 150 new generic top level domains. You don't see them too often, but there's .lawyer and .car and .ninja. And there are 311 ccTLDs, more than there are countries. India has, and you have Japan, which has two or three iterations of IDNs.
ccTLDs are limited, and the three guys that Alex showed a picture of did something really clever. Jon Postel, the one on the left there, was the main architect, and the most clever thing they did was make sure that neither ICANN nor the multistakeholders have to decide on what a country is. So they relied on a list that's maintained by a UN agency, the same agency that manages the ISO standards. That's ISO 3166: it's just two letters. It's a limited list.
If there is a new country, former Yugoslavia split up into five or six different entities, then there is a policy development process to add individual ccTLDs to the root zone.
But the process before that, who should get one in the first place: some of these things are controversial, but the community, probably from a very sound, pragmatic engineering perspective (there were not too many lawyers around at that time), decided to stay away from this. So no discussion whether Yugoslavia should get a country code or not, no discussion whether Taiwan should get it. Who should get KR, North Korea or South Korea? That's a political discussion we don't get involved in.
Yes. How to get a country code? Well, talk to your local community if you have a new country, and then it will be delegated by ICANN.
There are no costs related to having a country code in the root zone. For the gTLDs that's a different thing. You can think of it as a not-for-profit world, the ccTLDs, and for-profit gTLDs. gTLDs are run by commercial entities and they cost a lot of money. It's about 180,000 euros or dollars to apply for one, and then that multiplies the moment you actually run one.
Yes, a couple of examples of policies by ccTLDs: a local presence discussion. A relevant policy discussion for gTLDs is who sets the policies for .wine. The French manufacturers of wines, the guys running the champagne region, they want to only get champagne.wine. And there's all sorts of policy discussions around that.
So I mentioned that our members are managing the ccTLDs. So what does a ccTLD manager do? This is basically a summary slide to make sure that we are clear on that. It provides the domain name resolution services. If there's a query, then the manager of .eu will make sure that that query gets answered, and runs the hardware. So it's infrastructure. It's redundant infrastructure, and typically ccTLDs work with each other to say, I will host a mirror of your database if you host a mirror of my database. Do that all across the globe and you have a quick and resilient infrastructure.
If you want eurodig.org, you talk to a registrar; the registrar registers eurodig.org in the database of the domain registry, which for .org is a not-for-profit organization run from the U.S., managing its own local zone file. For those involved in the GDPR discussions: the WHOIS is managed by the top level domain manager, for a country code the ccTLD manager.
In Europe, I'm taking a side step here. We hear, and we are often asked at EuroDIG, what do CENTR members think of the ICANN discussion on WHOIS access? Well, not much, actually.
Because, as I already mentioned, policies are set on a local level. They are not deciding how .eu, or .de for Germany, determines who should set their policies. And then there are billing and contract related services. It's a very technical function.
As Alex said, how to explain to your family what we do and what our members do? The amazing thing is nobody knows about the existence of this quite complex part of the internet ecosystem, because it functions. Trust me, if AFNIC, who is running .fr, went down and every .fr domain were unavailable, even if it's for a couple of minutes, very quickly everybody would know what a registry is. But so far, for the last 30 years, they have been doing a perfect job.
I have talked about how the top level domain sets its policies. And let me show you this.
You can go to whois dot and then whatever registry, or just type into Google "whois" for a specific zone, and you will get to the WHOIS interface. One caveat here: this dates from a couple of months ago, so maybe with GDPR they have updated it; I should change that. So for this one I used a specific example. I asked the WHOIS to give me the data for europa.eu. These are the responses you get from the WHOIS interface. This is a web interface, and there's a machine interface which is obviously less exciting to look at. Here you can see that a guy named Peter has registered the name on behalf of the European Union. His address is one of the central streets in Brussels and you have his phone number. This is the hierarchy of the system. I showed you what a root zone file looked like, a flat file where you have a name server, then an IP address. This is for the second level, identically the same thing. Here you have the addresses of the name servers of europa.eu, and it gives you the IP address. The Commission does a proper job, and it has not just IPv4 but also IPv6 addresses.
In one minute, let me take you through this. I type in a domain name, and then the query starts: where can I find www.example.eu? So I ask that question to my ISP. If 30 milliseconds ago somebody asked your ISP the same question, it knows, so let's assume nobody asked that question in the last ten minutes or so. Then your ISP will say, I don't know. And your ISP will start at the top. It will start looking for .eu: where do I find .eu for your query? So it asks the root zone run by PTI, where can I find .eu, and PTI sends a response: this is where you can find the name servers for .eu. And then the next question, where do I find example.eu, and that question it sends to the .eu name servers. Again, you get a response. Think of the hierarchical response, and then you finally know where to find www.example.eu. I have an IP address now, and it's only then that the connection starts; before that, you have no idea where to find that information. By the way, we give this training to the European Commission three times a year.
And one aspect that is always the most interesting: they have questions, how can we use, or how could someone use, the DNS to control access to content? If we don't want you to go to your local newspaper, what would happen? What should law enforcement do? Sometimes courts will ask us that information too, right? They are in the middle of a court case and they ask for technical information on how the DNS works, and the one thing they are always thinking of: can we block access to information or not?
Here's the answer. I will show you what they are trying to do when they are blocking access to information. You can have a court order, or a government or a law enforcement agent, that tells your ISP that, if I'm taking one slide back, if you are asking that question, where can I find this, what is the IP address for the domain I'm looking for, your access provider will be forced to tell you that there is no such domain.
If in Belgium you are typing in the name of some of the peer-to-peer search engines, Pirate Bay, that's not an example, for some of these peer-to-peer websites your ISP will tell you it doesn't exist. If you type in the IP address, it will still get there.
This is the most popular way of implementing DNS blocking: instructing ISPs to lie to their customers. A slightly different version of that is to tell the ISP that it should provide you with the wrong answer. So it should give you the IP address of, typically, a law enforcement page, telling you this is considered illegal in your jurisdiction, or anything along those lines. So that's the second way: not just telling you that a domain doesn't exist, but sending you somewhere else. From a technical perspective, the DNS was built to be extremely resilient and to give control of each level to the local internet community.
This system undermines the reliability of the DNS. Just imagine what would happen if people would not be 100% sure that, if they typed the name of their bank, .be or wherever their location is, they would not be sent somewhere else. If you wouldn't be able to trust the DNS, we would really have a big issue. So the technique where the authorities are actually using the DNS, by making your ISP lie, is quite scary from a technical perspective.
And Peter, correct me, it was not scalable either. If you do that with a handful, maybe 100 names, where you tell your ISP to lie to their customers, that still worked, but it's not scalable if there are thousands or tens of thousands of names. That would be a really bad idea.
Importantly, DNS blocking actually doesn't work. I mean, I showed you what they are trying to do, but there are very simple ways of circumventing DNS blocking. The easiest one is to change the domain names. I told you how the flexibility of the system is a great way of dealing with any particular technical issue, a fire, a cable that got cut, and in the same way the DNS is a very efficient tool to avoid that type of censorship or blocking.
So if you have www.example.eu, you take the Spanish version or the Dutch version or whatever you would like. A perfect example: anybody hear about Pirate Bay? Swedish courts tried to block it. It didn't really work. In the long term, I think they made some progress. What happened in most European countries is piratebay.se was blocked by the local ISPs.
They got, within a day, at least 50 alternative names. They went from piratebay.se to pirate.se to tbp.org, and they suddenly had so many names that they thought it was quite funny to set up their hydra website. Every time they cut off one of the heads, being a domain name, they had another site that took over.
I will come to that. I will have a slide on that. So I showed you earlier on that it's easy to find the IP address for a domain name. You can type that IP address into your browser. It doesn't always work anymore these days, since not all content is hosted on dedicated servers. For instance, if you are looking for the IP address of European Digital Rights, they still have a dedicated server. So if they are blocked, people can reach the content by typing the IP address into the browser. Also, many companies run their own DNS resolver. I was giving this presentation at the Commission and I tried to show them the Pirate Bay, and I got to the Pirate Bay there.
There was no blocking, because the European Commission doesn't answer court orders from the Belgian courts. They are not relying on a local ISP and as such, the blocking of piratebay.se was a bit pointless there.
Third party DNS resolvers. Some of you might know that if you go to the settings of your operating system, you can change your DNS resolver. Typically it's set to automatically take the resolver of your ISP. So the moment you establish a connection you get an IP address from the ISP, and that's the DNS resolver, the thing that keeps asking the questions, that will be used. You can use a different one. You can change it and you can have your preferred DNS server set to something different. The one that everybody remembers is 8.8.8.8, anywhere you are in the world, and that's Google's resolver. Obviously there's a price to pay. I'm sure they will be happy to see all the traffic that you are generating.
I think there's 9.9.9.9, hosted by IBM, with a potentially better privacy policy, I would say.
But there are alternatives. You can simply change your DNS resolver so it doesn't ask the local ISP.
It asks a third party, and typically it doesn't oblige. Please take that with you when you engage here at EuroDIG. DNS blocking is not an outcome. It's a pretty blunt tool and a very inefficient tool. And if you talk to, well, I'm sure plenty of you in this audience qualify, but if you talk to younger people, they know a thousand ways to get to illegal content despite DNS blocking. It doesn't work. It should be the last resort for governments or authorities trying to fix a problem. It will never stop users from getting content. It probably stops users from accidentally getting to content that they should not be getting in contact with. Phishing sites are a good example.
There's no point sending someone to a site that looks like a bank but is not a bank. That's a big difference.
Time to wrap up. I completely lost track of time. I'm doing quite okay.
Alex showed you this picture. You have a copy on your desk. If you don't have a copy, there's more here and just wave and we'll get you one.
Interestingly, believe it or not, we focused on the technical layer. We told you that we would tell you the short story of how the internet works, and what is on top of that is related to content or governance. It's anything that is not related to the infrastructure. And there's a whole acronym soup below the big red dot in the middle.
Believe it or not, we touched on about every single aspect of it. So I'm going to use this one as a guide. No, I will walk up. It's easier. Then I can point.
So and feel free to follow in your things there.
On the infrastructure level, we talked about the network operators. They are the guys running the copper and the fiber and the waves. We talked about the root servers, PTI-run infrastructure. We showed you that very underwhelming picture. We talked about the Internet exchange points, crucial to strengthen the Internet, to create strong local connectivity between ISPs, making sure that traffic doesn't have to go outside the country.
We talked about hosting providers. This is a cool picture that Alex showed of bunkers and huge Norwegian facilities. We talked about domain registries, country code and generic top level domains. We didn't do them justice. There are a couple of organizations, most of them, probably all of them, on a volunteering basis with a small secretariat that gets the troops going.
The W3C, they set HTML standards. They set the standards for disability access to specific websites.
ITU, we sometimes have the tendency to ignore them in our corner of the world, but international organizations play a vital role in running some of the basic protocols and standards that run the Internet, and the frequencies, which waves you can use. The Internet Architecture Board and the IETF, groups of people. This sets the standards and the formatting of your IP address, the formatting of email headers. Practical things that people need to agree on before that traffic can be exchanged. They are doing an incredible job and they are open and welcoming organizations, although the IETF has a quite expensive entry fee to their meetings, about 400 euros. You can follow them for free online.
So standards and protocols, it's Alex's carrot story. You don't have to apply these standards and protocols, but if you don't, then you will not be successful in talking to a couple of billion users; you have your own internet.
These guys distribute the blocks of IP addresses to the local communities, such as ISPs and mobile operators. We talked about PTI. We explained that they are in charge of the root zone. So then ICANN, over here. ICANN is setting the policies of who can get .korea. But they also deal with the numbers, so the IP addresses that they split off, and they also hold a database of protocols. This is a pretty technical thing, but it basically means, if as a developer you would like to get a list of time zones, or a list of country codes maybe, Peter. No?
(Off microphone comments)
>> PETER VAN ROSTE: All sorts of DNS parameters, this is maintained by PTI as well. You have one place where you can check up on the standards.
ICANN is playing an essential role in there. We keep on telling you that ICANN is a multistakeholder initiative. It's us, plus quite a few others running ccTLDs, or ccTLD organizations. There's the Generic Names Supporting Organization; these are the guys dealing with the gTLDs. But there's also the GAC, the Governmental Advisory Committee. You have about 118 these days, and it's growing with every meeting, I think.
ALAC, the At-Large user group. Any user organizations that typically have the resources to send people to ICANN.
The Security and Stability Advisory Committee, they make sure that these do not undermine the security and the stability of the DNS system. So they are the fallback.
Yes, here the regional organizations that are dealing with country codes. We are CENTR, but we have three sister organizations, and that's it, basically.
So this is it. There's no secrets. I'm happy that we managed to take you through that.
All right. Let me just, so the carrot story, I think it's a very important one, since we have a minute left. A really great example of why carrots work happened in the '90s. There was one ISP, large enough and pretty arrogant because of its size: that DNS thing, we will add additional domain names, .hotel for our users, and people will register .hotel names and we will make some money, but we don't have to abide by these policies that somebody in the US is doing. I think they had 10 or 15 top level domain names that they introduced to their users. Whenever a user asked a question to the ISP, it gave its own response. They said, .hotel, we can find them here. That worked great, until they started realizing that the 400 million users at that time in the '90s could not actually access the .hotel site. So the people who had registered one and who had spent money on building a website and a payment system and whatever you have, they were really annoyed to find out only later that their ISP had basically cheated them into spending money on something that was completely pointless. A .hotel is pointless when you can use the French and the German, but the Italian users were not terribly interested. So you don't have to stick to the rules, as this showed us in the '90s. But the carrot of access to a couple of billion eyeballs really works. So we learned how flexible it is and that we so far haven't messed up. We learned the DNS is a hierarchical system. If you want to change the policies of your local TLD, you can do that on a local level. And in most of the European countries, the policies happen through a multistakeholder model. It's far from as delicate and complex as the ICANN one, but typically you would have law enforcement, the users and the government sitting around the table before making changes to that policy.
And then coming back to the story that Alex shared with you at the beginning. I kind of promised that you will probably, hopefully, all understand what happened there. Anybody could, without actually reading it, because it's spelled out there, anybody can imagine what happened. So just to refresh your memories: on a Monday morning, the French ministry of internal affairs went completely black. It was attacked. And at the same time, Google, Wikipedia and the largest French hoster were unavailable. Anybody can guess?
Think about the story about the lying ISPs. No.
When they were told not to mess with the DNS. Every Monday morning, the French ministry of internal affairs, I don't know if they still do it, this was 2016, used to send a list to all French ISPs saying, please block these sites. On that particular Monday morning, somebody probably didn't have his cup of coffee yet and he sent the wrong list. He sent a test list that, amongst others, included Google, YouTube, Wikipedia, OVH, and they told the ISPs to lie to their users and send them to a different address, theirs. They thought it was a good idea to suddenly have millions of queries per second to Google and millions of queries per minute to Wikipedia and YouTube sent to the servers of the ministry of interior affairs, where they should have received a notice saying: you are trying to get access to content that is illegal in France. It wasn't, by the way. It was a mistake.
So they organized the attack against themselves. They committed digital suicide, and they did so because they thought it was a really good idea to use the DNS for blocking purposes. So just in case it was still necessary, and to underline it: it is not a good idea.
Closing down: some corners were cut. We had an hour and 15 minutes to take you through what is a really fascinating story, and there's plenty of information on YouTube and in reading. I recommend it wholeheartedly.
Thanks to LINX, the London Internet Exchange, one of the largest Internet exchanges. They helped us with the fancy slides on blocking.
We still have time for questions. And if you don't have any, you have our email addresses if you want to reach out.
Any questions?
>> I would like to ask about providing country codes in regard to non-recognized ones. What is the policy, maybe on the example of Kosovo, if you could explain a bit?
>> PETER VAN ROSTE: The easy answer is I can refer to something I mentioned earlier. Neither ICANN nor the other country codes will have any role in deciding whether a country is recognized or not. It's a United Nations issue, and they deal with it practically for country codes, which has far more far-reaching effects. So it's not something that ICANN, nor obviously CENTR, is dealing with.
Any other questions?
Yes, please.
>> PARTICIPANT: Could you explain how passive DNS works? Passive DNS. Yes, Peter is great at that.
>> Now you know the trick why we are both named Peter.
So passive DNS is a technology that, let me start a bit earlier; we have two more minutes. So what you see happen is that all of these queries for the names, for the dots in there, and the responses, they go over the wire. And today, all of this traffic is unencrypted. You also have elements in the system, so-called name servers and resolvers, that receive and emit the questions and digest the responses and compile these responses into something that goes back to your computer and web browser, so that the web browser can actually address something.
Now what is happening: these packets are going back and forth, and you can eavesdrop on the network. In that case the eavesdropping is usually done, it can be done by a malicious actor, but passive DNS is something where people put sensors in their networks to record the traffic, look into the traffic, and it is mostly done to understand, over time, which domain name mapped to what IP address.
So that means that over time, the sensor networks assemble bigger databases saying that www.CENTR.org pointed to whatever IP or IPv6 address. And well, this is primarily an academic exercise, but it's used in practice to follow up or to understand, like, malware things.
Usually these mappings are kind of static; like, the CENTR website is hosted on a certain web server for some time, and then maybe Peter and his team decide otherwise, and nobody of us will notice, because the name remains the same, as you explained.
In such a sensor network, you would be able to detect that there was a change. That's not really what they are after. There are things that would probably be far beyond the scope of the exercise here, but some malware relies on DNS queries, and it asks for strange domain names that refer to certain IP addresses, which is how some botnet systems somewhere in the network find their command and control center. So the botnet, the infected PCs, talk to some command and control center which gives them the instructions to attack systems and so on and so forth. And from the botnet mitigation perspective, it's interesting to find how these things change and who is asking for what and where these command and control systems are, and so on and so forth. This is not, though, an integral part of the overall Domain Name System. So these sensor networks are installed by some ISPs. There's a fair amount of debate around the data protection and privacy of all of this.
It's not an integral part, but it's used in the anti-cybercrime mitigation part. If we want to expand upon that, I would suggest we take it offline and not steal too much time.
>> PETER VAN ROSTE: Thank you, Peter and thank you for the question. Anybody else?
All right. Then we're done. Thank you so much for joining us. I hope you enjoyed it. Thank you. Bye.
(Applause).
This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.