Cloudflare Vows to Fight Global 1.1.1.1 DNS Blocking Orders

Copyright holders are expanding their web-blocking horizons by going after DNS resolvers. Cloudflare is one of the key players that’s being targeted. While the Internet infrastructure company complies with targeted blocking orders related to the websites of its CDN customers, it believes that blocking domains on its 1.1.1.1 DNS resolver goes a step too far.


Website blocking has become an increasingly common anti-piracy tool around the globe.

In dozens of countries, ISPs have been ordered by courts to block pirate sites. In some cases, these blocking efforts are part of voluntary agreements.

Cloudflare ‘Pirate’ Blocking Orders

In the United States, these types of injunctions are rare. However, since the Internet has no clear borders, the effects sometimes spill over. The American Internet infrastructure company Cloudflare, for example, has been ordered to block pirate sites in Germany and Italy.

This week, Cloudflare published its latest transparency report covering the second half of 2021. The company explains that after weighing the potential impact on freedom of expression, it generally complies with blocking orders that target websites operated by its CDN customers.

These blocking efforts are not global. Instead, Cloudflare only blocks access in the location where an order originates. These sites include DDL-Music in Germany and nearly two dozen sites in Italy.

“If we determine that the order is valid and requires Cloudflare action, we may limit blocking of access to the content to those areas where it violates local law, a practice known as ‘geo-blocking’,” Cloudflare explains in its transparency report.

Target: DNS

The aforementioned blocking orders apply to the websites of Cloudflare customers. However, Cloudflare also operates a DNS resolver that is the target of a newer anti-piracy campaign.

DNS resolvers are the address books of the web. They link domain names to the correct IP addresses to make these accessible through a web browser. They are a key component of a well-functioning Internet.

Interestingly, these DNS servers are often used by ISPs to comply with site-blocking orders. By removing a domain from the address book, users are unable to load the site in question.

This is a relatively simple blocking method that’s easy to circumvent by using an external DNS resolver, such as the ones provided by Google, OpenDNS, Quad9, or Cloudflare. For this reason, DNS resolvers have become the target of blocking requests as well.

In Germany, Quad9 was previously ordered to block a pirate site through its DNS resolver following a complaint from Sony. Similarly, in Italy, a court ordered Cloudflare to block several pirate site domains on the DNS level.

Cloudflare Opposes 1.1.1.1 Blocking

In its transparency report, Cloudflare makes a clear distinction between blocking requests that target its customers’ websites and those that apply to DNS functionality. DNS blocks can target any website on the web and are not easy to restrict geographically, the company writes.

“Because such a block would apply globally to all users of the resolver, regardless of where they are located, it would affect end users outside of the blocking government’s jurisdiction.

“We therefore evaluate any government requests or court orders to block content through a globally available public recursive resolver as requests or orders to block content globally,” Cloudflare adds.

Cloudflare doesn’t want to meddle with its DNS resolver, which puts the company in a tough spot that requires a creative solution.

The company says that, thus far, it hasn’t actually blocked content through the 1.1.1.1 Public DNS Resolver. Instead, it relies on an “alternative remedy” to comply with the Italian court order.

“Given the broad extraterritorial effect, as well as the different global approaches to DNS-based blocking, Cloudflare has pursued legal remedies before complying with requests to block access to domains or content through the 1.1.1.1 Public DNS Resolver or identified alternate mechanisms to comply with relevant court orders.”

The above clearly shows that the company is determined to fight DNS blocking orders in court. And even if it loses, Cloudflare will seek alternative solutions. What these alternatives entail is not clear, but Cloudflare likely has the know-how to find a technical ‘circumvention’ mechanism.

A copy of Cloudflare’s H2 2021 Transparency Report is available here (pdf)
