Russia threatens to set up its 'own internet' with China, India and pals – let's take a closer look
El Reg dives into global DNS split threat
Analysis Russia is intending to set up its "own internet" according to a number of Russian news sources citing a document signed by President Vladimir Putin earlier this month.
At a meeting at the end of the October, the Russian Security Council ordered its telecoms ministry to look at a "system of backup DNS root name servers, independent of the control of ICANN, IANA and VeriSign, and capable of servicing the requests of users from the listed countries in the case of faults or targeted intervention," according to the policy document, which RBC authenticated this week.
The "backup" servers would be placed in BRICS countries – Brazil, Russia, India, China, South Africa – and be exclusively for their use. The rationale for setting up such a system is, according to the document, "the increased capabilities of western countries to carry out offensive operations in information space, and their willingness to use them."
The document also points to the "dominance of the US and several EU countries in matters of internet control," as justification for setting up the alternative platform.
Its stated goal is to ensure that, from Moscow's point of view, Russian .ru websites remain accessible even if the .ru top-level domain is removed or hijacked in the main root zone file; the implication being that the United States could use the web as a weapon, and force changes onto the internet's main address book to effectively knock Russian websites and services offline. The world's domain name system is run by ICANN, a non-profit based in California, USA, and could be leaned on by Uncle Sam, it's feared.
Several Russian news outlets referenced a 2016 interview with Alexey Platonov, the director general of the Technical Center of Internet (TCI) – .ru's technical body – to explain why such a system is necessary.
In that chat, Platonov said that in 2014 the Russian Ministry of Communications tested the stability of the global domain name system, and found that "the DNS network worked inadequately" if "information about the .ru [top-level] domain was removed from the ICANN database." In other words, the .ru domain space was at the mercy of someone modifying IANA's root zone file, the central address book of the internet.
As a result of that exercise, Platonov said, "TCI, [Russian internet exchange] MSK-IX and other telecommunications companies had to maintain the performance of the national segment of the Internet," and noted that MSK-IX has its own backup server with a mirror of the planet's DNS root zone file.
Russian internet engineers had to, essentially, set up machines to keep .ru domains online regardless of whatever changes ICANN and its IANA department implemented, allowing the nation to use its native websites even if the top-level domain .ru was somehow blocked globally.
Platonov explained: "With such a backup server, you can make the system continue to work – that is, ICANN 'removes' domain information from the root servers, but it is stored on our server."
So, that's the background context. This Putin-signed policy document has been widely reported as a sign that Russia is setting up its own version of the internet, however, you can start to see it's not quite that.
Vlad the blockader: Russia's anti-VPN law comes into effectREAD MORE
Setting aside the question of whether the United States would ever use the domain name system as a weapon – especially having handed full control of the DNS platform to ICANN in 2016 – the reality is that there are already numerous "backups" of the root zone file.
First up, it is important to understand how the world's domain-name system works. There is a single root zone file – a rudimentary text document – that lists all the top-level domains (TLDs) on the public internet, such as .com and .uk, and each entry points to the authoritative name servers for that TLD.
Those next-level name servers are each under the control of whatever outfit runs each TLD, and those servers provide the addresses of other name servers that can resolve the domain names underneath the top-level domain into an IPv4 or IPv6 network address to connect to.
For example, when a browser tries to connect to theregister.com, the software goes to a .com TLD name server, owned and run by Verisign, based in Virginia, United States, for further information on how to connect to the site.
The vast majority of internet users' requests for a specific domain name never actually go to either the TLD server nor to one of the 13 official root zone servers, because their ISP – or their DNS lookup provider, such as OpenDNS – will have cached the details of common domain names in order to speed things up.
So type in theregister.co.uk and the chances are that your ISP's DNS resolver already knows the server's IPv4 address of where our website resides. What the ISP will typically do is check back with the various TLD servers around the globe at least twice a day for any changes. And those TLD servers will themselves typically check back with one of the 13 official root servers twice a day to make sure there are no changes.
This is how DNS works, and it's why, if you make a big change to your website – its server location for example – you are warned that it may take a day for everyone on the internet to reach it (in reality most internet users will do so within an hour or so).
So back to "backups" of the DNS. There are already "backups" for the 13 official root servers that form the top level of the internet. There are mirrors of these systems, and they are all over the world. In fact, the organizations that maintain the root zone file – ICANN and its IANA department – actively encourage the provisioning of such mirrors because these machines will provide greater global redundancy and stability in the event of an electronic or physical attack or something like a natural disaster.
You can see a map of where all these hundreds of instances are across the globe. According to that dataset, Russia already has, er, 10 root server mirrors. It already has skin in the mirror game. If Uncle Sam or ICANN went bananas and maliciously edited the root zone file to boot, say, .ru off the internet, there are already mirrors in place within Russia to cope with the meddling.
It is a virtual certainty that there are lots of organizations and governments who have their own DNS failsafe systems in place right now as well as these mirrors in case the root servers are compromised. If Russia wants to deploy more mirrors and connect them up, be our guest. But quite why it has to kick up such a fuss over it is a little baffling.
Sponsored: Becoming a Pragmatic Security Leader