Rostelecom has proposed prohibiting the use of public DNS servers “in order to organize stable access for subscribers to the Internet”; the company sent a letter to that effect on Wednesday, September 8. The text of the letter was published in the Telegram channel ZaTelecom. A representative of Rostelecom confirmed its authenticity but did not specify to whom it was addressed. RBC's source in the IT market claims that Rostelecom's request was addressed to the company's macro-regional branches.
In particular, Rostelecom proposed banning the public DNS servers of Google (with IP addresses 8.8.8.8 and 8.8.4.4) and Cloudflare (1.1.1.1 and 1.0.0.1), as well as the DoH protocol.
DNS is the domain name system, which converts the textual address of a page on the Internet into the IP address of a specific device or server (thanks to this, a user who types, for example, rbc.ru in the address bar reaches the RBC website). Google's and Cloudflare's public DNS servers are Internet services that these companies make publicly available. Using them can speed up the loading of web pages and protect against spoofing (when one site is disguised as another). The DoH protocol is implemented on the public DNS servers of Google and Cloudflare; it allows web traffic to be encrypted so that operators do not see which resource the subscriber is accessing. Thanks to this, the user can, among other things, reach resources prohibited in the country.
Instead of the indicated servers and DoH, Rostelecom suggested using its own DNS servers or the IP addresses of the National Domain Name System.
A representative of the press service of Rostelecom, answering a question about the reasons for the initiative, said that “we are talking about technological work aimed at improving the reliability and optimization of the communication networks.”
Why you need to restrict public servers
Rostelecom expects to unify all the DNS servers that users' devices are configured to use, an RBC source in the IT market explains. Since Rostelecom is a union of many networks, each with its own equipment and settings, it needed to bring all equipment to a single standard, because the fragmentation of DNS servers can complicate the provision of services to customers, RBC's interlocutor explained.
The technical director of Roskomsvoboda, Stanislav Shakirov, believes that Rostelecom will move its clients to other servers in advance, in case of a possible blocking of the public DNS servers of Google and Cloudflare. He recalled that in early September Roskomnadzor restricted access to the Smart Voting application.
Earlier, the Alexei Navalny Foundation was included in the list of extremist organizations, after which access to its resources should be limited in Russia. Foreign Ministry spokeswoman Maria Zakharova stated that the Internet addresses of the Smart Voting servers are predominantly located in the United States, and the companies that participated in the development of the site are associated with the American military.
Last week, Roskomnadzor (RKN) appealed to foreign IT companies, including Apple, Google, Cloudflare and Cisco, to stop providing users with the ability to bypass the blocking of the site. The service's letters stated that, during the pre-election campaign, the provision of services that violate Russian electoral legislation, including those related to the conduct of election campaigning on the Internet, is not allowed.
According to Shakirov, public DNS servers are used in many types of hardware and software of various companies, so a potential blocking of them in Russia could lead to “the fall of many systems.” Shakirov believes that users of gadgets running on the Android operating system will suffer the most in this situation, since “this platform uses Google DNS inside its services, and massive disruptions in its work may occur.”
Alexei Lukatsky, an independent information security expert, believes that blocking public DNS servers is part of a campaign in which, last week, some state-owned companies sent letters to their subsidiaries, and the Bank of Russia sent letters to financial institutions, asking them to check whether the companies have corporate or industrial networks and applications that use encryption protocols that hide the site name (Google DNS servers, Cloudflare and the DoH service). According to Lukatsky, such actions lead to a significant restriction of the public DNS servers of Google and Cloudflare in Russia. “This can provoke unpredictable consequences. In many services and applications, these public DNS servers are registered, blocking which will lead to a stop or disruption of their work,” Lukatsky comments.
On Monday, September 13, a number of users reported difficulties downloading applications from the App Store. For example, the applications “Gosuslugi” or “VKontakte” could be downloaded only using a VPN. Alexei Lukatsky believes that failures in downloading applications from the App Store “show the negative effects of limiting the operation of public DNS servers in Russia.”
According to another RBC source in the telecommunications market, the main purpose of the current restrictions is to stop the DoH protocol. He recalled that on mobile networks there are practically no problems with blocking access to resources prohibited in Russia, since large cellular operators have installed expensive deep packet inspection (DPI) systems for traffic filtering, and Roskomnadzor has installed its technical means of countering threats (within the framework of the so-called law on the sovereign Runet, these make it possible to block access to prohibited sites and, for example, slow down Twitter in Russia; through the same equipment, Roskomnadzor will also be able to manage traffic routing in the event of external threats to the Runet's operation). “In addition, in mobile devices, the choice of the DNS of a cellular operator is strictly prescribed, and in order to change it to, for example, Google's public DNS or install DoH, special skills are needed. Whereas on fixed communication networks, the process of installing and using DoH is much easier, with almost no Roskomnadzor or DPI equipment installed,” this source pointed out to RBC. Two more RBC sources in the IT market confirmed that small fixed-line operators are now much worse at blocking access to prohibited sites.
Representatives of the press service of Roskomnadzor, the Ministry of Digital Science and Google did not respond to RBC's request.