Understanding DNS Blocking

Each June, the Internet Corporation for Assigned Names and Numbers (ICANN) convenes a four-day policy forum in which stakeholders engage in bottom-up, consensus-driven policymaking on the global domain name system (DNS). At ICANN83 in Prague, DNS blocking was a key topic. When someone enters a website address (like stimson.org) into a browser, DNS servers translate it into an Internet Protocol (IP) address. DNS blocking restricts access to a domain name or IP address, and to the content or services behind it, by refusing to answer the query or by redirecting it elsewhere. If DNS servers are required not to provide the real IP address, or to return a false one, the website becomes effectively inaccessible and the browser typically shows a generic “site not found” error.

Why is DNS Blocking an Issue?

DNS blocking continues to be a method used for addressing online threats, but its effectiveness and broader implications remain contested. While it may disrupt some malicious websites, it also frequently blocks legitimate content, frustrates users, and undermines trust in digital security.

The Stimson Center’s Cyber and Southeast Asia programs have highlighted the region’s growing online fraud problem, much of which originates locally but affects victims worldwide. This has prompted governments to turn to DNS blocking as a low-cost, scalable way to address complex cyber threats. As a recent study of Southeast Asia indicates, website blocking, despite users’ attempts to bypass the restrictions, can provide a significant deterrent to malicious online activity and contribute to a safer digital environment. The study highlights that in regions with developing digital infrastructure and varying levels of cybersecurity awareness, the simplicity and scalability of DNS blocking make it an attractive tool for governments and ISPs to combat a range of online harms, from intellectual property infringement to cyber scams and disinformation campaigns.

However, its widespread use in Southeast Asia and elsewhere also raises critical questions about the impact of DNS blocking on access to essential services and information, and on internet governance more broadly. In regions with uneven digital infrastructure and limited cybersecurity awareness, DNS blocking can inadvertently restrict access to legitimate services and information. The absence of consistent legal frameworks and clear implementation standards makes it difficult to ensure that blocking is both effective and rights-respecting.

Recent developments in Malaysia illustrate these tensions. In late 2024, the government came under scrutiny for implementing an even more intrusive form of DNS control, DNS hijacking, which occurs when “ISPs or authorities redirect users’ DNS queries to their own DNS server, allowing them to control what websites users can access.” This is closely tied to internet censorship, since it lets governments or ISPs block websites they consider harmful, a judgment that can be subjective and can affect free speech, human rights, and access to essential services. The Malaysian Communications and Multimedia Commission (MCMC) issued a directive to block certain websites deemed harmful, particularly those related to online scams, gambling, and pornography. Without any public consultation or notification, queries from individuals using public DNS services such as Google’s or Cloudflare’s were redirected to ISP-controlled resolvers, causing frustration and disruption of service. The directive lacked clarity and raised concerns about censorship, lack of transparency, and unjustified service disruption.

Similar instances of DNS hijacking and related techniques have been recorded globally, including in France, Russia, and Portugal, and are tracked continuously by organizations such as the Internet Monitoring Action Project and by tools such as the Open Observatory of Network Interference.

Moving the Needle Towards Responsible Blocking

As debate at ICANN83 demonstrated, the path toward more responsible use of DNS blocking is fraught with challenges. While some view DNS blocking as a necessary tool to combat online fraud and scams, others raise concerns about whether it can be implemented responsibly.

Transparency and Accountability

To mitigate these risks, transparency and accountability are crucial to how DNS blocking is implemented. In Southeast Asia, for example, it is one of the tools most readily available to governments, but in some contexts that accessibility brings a heightened risk of opaque implementation and abuse. Some argue that to maintain public trust, blocklists identifying the domains intentionally being blocked or filtered should be public and open to scrutiny or independent review. Mechanisms for redress should be easily accessible, and ISPs should publish clear thresholds for what constitutes “harmful content” and thus justifies a block. Engaging civil society organizations and technical communities in developing these policies can help ensure a balanced approach that respects both security and fundamental rights.

Technical Precision

One of the biggest challenges to effective DNS blocking is a lack of technical precision. Ideally, blocking a domain should narrowly target only the malicious content, without disrupting access to legitimate services. In many parts of the world, and especially the Global South, a wide range of websites, particularly those of small businesses and NGOs, rely on shared hosting environments, where many domain names are served from the same server or IP address. If a block is applied to an entire IP address or hosting provider rather than to the offending domain name, it can take down many unrelated websites at once. This undermines trust in governments and ISPs, disrupts economic activity, and creates legal and reputational risks for regional or national law enforcement.

User Notification

DNS blocking affects not only systems and infrastructure but individual end users. As highlighted during a collaborative session in Prague between ICANN’s At-Large Advisory Committee (ALAC) and ICANN’s Security and Stability Advisory Committee (SSAC), there are growing concerns about how DNS blocking is experienced by end users. The dual responsibility of internet governance bodies like the ALAC is clear: to help ensure that users do not engage with harmful content while also preserving essential services and access to information. Yet in many instances DNS blocking is implemented without adequate user notification, leaving individuals confused and unaware that their access has been deliberately restricted. Instead of a generic “site not found” message, users should be clearly told that the content has been blocked, and by whom. Though it requires some technical effort, such transparency improves user understanding, reduces frustration, and strengthens the legitimacy of DNS blocking practices.

DNS Blocking Through the Lens of ICANN

These issues were captured in a recent SSAC report discussed at ICANN83. The report explains that DNS blocking can be done either at the recursive resolver level, where DNS providers (the systems that look up website addresses on behalf of users) are ordered to stop resolving queries for specific domains, or at the authoritative nameserver level, where the servers that hold the official records for a domain are modified so that the domain is effectively seized and redirected for everyone, worldwide. The SSAC report itself takes a neutral stance on DNS blocking, while emphasizing that it is not a foolproof solution to any problem. Resolver-level blocking can be circumvented by switching to an open resolver (a public DNS server that answers queries from anyone) or by using encrypted DNS protocols, which carry queries to a resolver of the user’s choosing over an encrypted channel so that the local network cannot read or rewrite them. However, it remains a simple and scalable tool for disrupting access to harmful content, so it is important to understand how it can be implemented with care, transparency, and technical precision.

The report also offers specific suggestions for some of the issues described above. For example, on the topic of technical precision, it encourages three things:

1. Using domain-level blocking rather than IP-level blocking whenever possible.

2. Regularly auditing blocklists to confirm that the malicious content is still present and that the block is still necessary.

3. Coordinating with hosting providers to isolate and remove malicious content at its source, which is often more effective and less disruptive than network-level blocking.
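The shared-hosting problem under Technical Precision, the notification problem under User Notification, and the resolver-level blocking described in the SSAC report can all be seen in a small simulation. The Python below is an added example written for this page; it is not code from the Stimson Center, ICANN, or the SSAC report. It models a recursive resolver applying two kinds of blocklist, one keyed by domain name and one keyed by IP address, and shows that the IP-level list takes down every unrelated name sharing the blocked server. When it refuses a query it attaches an Extended DNS Error (EDE) option in the EDNS0 format defined by RFC 8914 (the option code and the Blocked/Censored/Filtered info codes are the real values), so a client can distinguish a deliberate block, and who ordered it, from a name that simply does not exist. The zone data, the domain names, the hosting map and the “example authority” string are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# RFC 8914 Extended DNS Error (EDE): the EDNS0 option code and the info codes
# a resolver uses to say why it refused to answer. These values are real.
EDE_OPTION_CODE = 15
EDE_BLOCKED = 15    # blocked by the resolver operator's own policy
EDE_CENSORED = 16   # blocked because of an external requirement, e.g. a legal order
EDE_FILTERED = 17   # blocked at the client's own request, e.g. a family filter

# Constructed authoritative data for the example (not real names). Three
# unrelated sites share 203.0.113.10, as they would on a shared hosting server.
ZONE = {
    "scam-example.test": "203.0.113.10",
    "ngo-example.test": "203.0.113.10",
    "smallshop-example.test": "203.0.113.10",
    "news-example.test": "203.0.113.20",
}


def build_ede_option(info_code: int, extra_text: str = "") -> bytes:
    """Encode one EDE option as it appears in the RDATA of an EDNS0 OPT record:
    OPTION-CODE (2 bytes), OPTION-LENGTH (2 bytes), INFO-CODE (2 bytes), EXTRA-TEXT."""
    text = extra_text.encode("utf-8")
    return struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), info_code) + text


def parse_ede_option(data: bytes) -> Tuple[int, str]:
    """Decode an option produced by build_ede_option; rejects anything else."""
    if len(data) < 6:
        raise ValueError("truncated EDNS option")
    code, length, info = struct.unpack("!HHH", data[:6])
    if code != EDE_OPTION_CODE or length != len(data) - 4:
        raise ValueError("not a well-formed EDE option")
    return info, data[6:].decode("utf-8")


@dataclass
class Response:
    rcode: str              # "NOERROR" or "NXDOMAIN"
    ip: Optional[str]       # A record returned, if any
    ede: bytes = b""        # EDE option bytes; empty unless the name was blocked


def resolve(name: str, domain_blocklist: Set[str], ip_blocklist: Set[str],
            authority: str = "example authority") -> Response:
    """Simulate a recursive resolver applying an ordered blocklist.

    A domain-level entry matches only the queried name. An IP-level entry
    matches the address the name would resolve to, so every name hosted on
    that address is refused as well. Either way the resolver answers NXDOMAIN
    and attaches an EDE option naming who blocked the query and why, instead
    of a bare 'not found' that users cannot tell apart from a missing domain."""
    name = name.lower().rstrip(".")
    if name in domain_blocklist:
        return Response("NXDOMAIN", None,
                        build_ede_option(EDE_CENSORED, f"blocked by order of {authority}"))
    ip = ZONE.get(name)
    if ip is None:
        return Response("NXDOMAIN", None)   # genuinely nonexistent name: no EDE
    if ip in ip_blocklist:
        return Response("NXDOMAIN", None,
                        build_ede_option(EDE_CENSORED,
                                         f"address {ip} blocked by order of {authority}"))
    return Response("NOERROR", ip)


def collateral_damage(target: str, ip_blocklist: Set[str]) -> List[str]:
    """Names other than the intended target that an IP-level block also takes down."""
    return sorted(n for n, ip in ZONE.items() if ip in ip_blocklist and n != target)


if __name__ == "__main__":
    target = "scam-example.test"
    print("domain-level block of", target)
    for n in ZONE:
        r = resolve(n, {target}, set())
        reason = parse_ede_option(r.ede)[1] if r.ede else ""
        print(f"  {n:24} {r.rcode:8} {r.ip or '':14} {reason}")
    ip_block = {ZONE[target]}
    print("IP-level block of", ZONE[target], "also refuses:",
          collateral_damage(target, ip_block))
```

Running the script prints the per-name outcome of a domain-level block (only the target gets NXDOMAIN, and its answer carries the EDE text) and then lists the two unrelated names that an IP-level block of the same server would also refuse. A real resolver would carry the EDE option inside the OPT record of its DNS response; a client that understands it can show “blocked by order of …” rather than a generic error, which is the user-notification improvement the ALAC/SSAC session called for.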

The recently released SSAC report, although neutral overall, is right that DNS blocking is not going anywhere. Despite its limitations and risks, governments and other stakeholders continue to use it as a tool to uphold digital security norms and prevent online harm. But its persistence should not be mistaken for legitimacy. The ASEAN context shows a growing reliance on DNS blocking and illustrates the need for shared norms and best practices to prevent unnecessary and illegitimate loss of services. Cooperation on norms in cyberspace cannot and should not be limited to accountability after harm has been done. DNS blocking is far from a silver bullet. Its simplicity makes it attractive, but a tool adopted as a security mechanism can easily slide into one of censorship.

Still, in the hands of responsible actors and guided by regional cooperation, DNS blocking could serve as a litmus test for broader internet governance. The challenge is not just to make it more effective, but to ensure it is used in ways that respect rights and preserve access. That means moving beyond reactive measures and investing in proactive, inclusive approaches to norm-building in internet governance.