What happens to country specific TLD's in a war involving that country?
I'm trying to find out what could happen, and what is likely to happen - I'm based in the UK and own UK domains as well as foreign domains such as Russian and USA TLD's, eg: domain.co.uk, domain.ru, domain.us.
I don't fully understand how DNS works, but what I'm trying to find out is if I own foreign TLD's and they're hosted on a server that is in my own country, can access to the URL be stopped or restricted by the TLD host country, and then if this is possible, is there any likelihood that this would happen in the event of their involvement in a war or major political breakdown between the countries?
- Is it physically possible that a country could restrict or ban access to their specific TLD's from some or all other countries? (eg, USA and Russia at war, is it physically possible to stop Russia from accessing their .us TLD's?)
- Is it likely that the TLD's would be restricted or banned in any way? Would it achieve any advantage to any country to do this? (eg, UK and USA at war, would it have any advantage for USA to ban UK from accessing their .uk TLD's?)
- Would any country restrict their own country from accessing other countries' TLD's? (eg, UK at war with Russia, would UK have any reason to ban access to Russian websites?)
> I'm trying to find out is if I own foreign TLD's and they're hosted on a server that is in my own country, can access to the URL be stopped or restricted by the TLD host country
The short answer is yes (but please do not think only about URLs, that is the web, but any kind of services, like email, VOIP, etc.)
Here is why. The IANA DNS root delegates each TLD to some registries. gTLDs are delegated by registries under contract with ICANN and ccTLD registries are delegated to governments of relevant countries, that each decide technically how the ccTLD is managed (there are a lot of models: sometimes it is still run by the government itself, sometimes it is outsourced to a non-profit organization and sometimes it is just put under tender for the best offer, including companies).
These registries manage nameservers in which each registered domain under the TLD is then delegated, through NS records.
Said differently, without any cache, each access to a domain name in a TLD, for its resolution, at some point comes to the nameserver of the TLD. Hence, theoretically they could reply anything and forward your domain to anything else.
This is constrained because the DNS has a cache, so the TLD nameserver will not be queried at each resolution, only from time to time.
This process is easily seen by using dns +trace, such as:
```
dig www.openstreetmap.fr +trace @1.1.1.1 +nodnssec
; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.openstreetmap.fr +trace @1.1.1.1 +nodnssec
;; global options: +cmd
. 6313 IN NS a.root-servers.net.
. 6313 IN NS b.root-servers.net.
. 6313 IN NS c.root-servers.net.
. 6313 IN NS d.root-servers.net.
. 6313 IN NS e.root-servers.net.
. 6313 IN NS f.root-servers.net.
. 6313 IN NS g.root-servers.net.
. 6313 IN NS h.root-servers.net.
. 6313 IN NS i.root-servers.net.
. 6313 IN NS j.root-servers.net.
. 6313 IN NS k.root-servers.net.
. 6313 IN NS l.root-servers.net.
. 6313 IN NS m.root-servers.net.
;; Received 431 bytes from 1.1.1.1#53(1.1.1.1) in 64 ms
fr. 172800 IN NS f.ext.nic.fr.
fr. 172800 IN NS d.ext.nic.fr.
fr. 172800 IN NS g.ext.nic.fr.
fr. 172800 IN NS e.ext.nic.fr.
fr. 172800 IN NS d.nic.fr.
;; Received 357 bytes from 192.33.4.12#53(c.root-servers.net) in 62 ms
openstreetmap.fr. 172800 IN NS a.dns.gandi.net.
openstreetmap.fr. 172800 IN NS c.dns.gandi.net.
openstreetmap.fr. 172800 IN NS b.dns.gandi.net.
;; Received 110 bytes from 194.0.36.1#53(g.ext.nic.fr) in 68 ms
www.openstreetmap.fr. 10800 IN CNAME osm146.openstreetmap.fr.
osm146.openstreetmap.fr. 10800 IN A 217.182.186.67
openstreetmap.fr. 10800 IN NS b.dns.gandi.net.
openstreetmap.fr. 10800 IN NS a.dns.gandi.net.
openstreetmap.fr. 10800 IN NS c.dns.gandi.net.
;; Received 147 bytes from 217.70.179.1#53(c.dns.gandi.net) in 81 ms
```
You can see each step recursively, at left the label (root, then the TLD, then the domain, then the final hostname) and at right in the NS records the authoritative nameservers at each step, first IANA ones for the root, then the ones for the TLD, then the one for the domain name.
At each step a nameserver can lie and provide a false response, just as any active element in the path could change either the query or the response. DNSSEC provides some protection against this, but first, not all domains are protected with DNSSEC (very few of them in fact), and then that could not solve a "rogue" TLD.
This is the technical part. Your other questions are more a political problem. But note that for these exact same reasons some countries decided, or at least announced, that they want to operate their own DNS root. The rationale is that the current root is under US supervision (which is a complicated point that could be argued endlessly so I will not develop that specific point here and now), and some countries fear that the US could "censor" a TLD that way, especially some countries that are considered as enemies by the US government. However many actors believe that if this should ever happen one day it will be metaphorically on the same level as a nuclear attack and would fragment the Internet in a way that may never be stitched back together.
Note for example this case: some plaintiffs sued to get indemnities for casualties after terrorist attack and demanded (but this was refused) for that to get control of some ccTLDs that they considered being the source of terrorism. See this article for some part of this story: "Killing .IR to compensate terrorist victims: IGOs to the rescue?"
The other important point to also understand first is that as soon as you buy a domain name in any TLD you are bound (even if you do not read it when you should) by the regulations of that TLD, which dictate the eligibility requirements and any other constraints regarding registering and keeping a domain name. For ccTLDs this specifically includes abiding by the laws of the country.
And since some ccTLDs are marketed as nice TLDs for domain name games, some people do not realize this. For example the trend at one point was on .LY, and as funny as you want to look at it to do nice domain names, this is still the ccTLD of the country "Libya" and hence you need to follow its laws and the Sharia. Some companies did lose or risked losing their domain name for these exact same reasons. See for example: "Trouble In Clever Domain Land: Bit.ly And Others Risk Losing Theirs Swift.ly" or "Libyan domain shutdown no threat, insists bit.ly"
Since we are on .LY and you spoke about wars, these articles could give you some hindsight of what wars can do to domain names (TLDs) or just struggles around controls:
- "Dr Hosni Tayeb and the case of the disappearing Internet; Why Libya went awol" (2004)
- "Libya's internet goes dark as upheaval spreads; Net communications severed" (March 2011)
- "Gaddafi ousted from Libya’s Whois" (November 2011)
But do remark too that drastic changes can happen to ccTLDs, even without wars. This is an (in)famous example: "The story of stolen Slovak national top level domain .SK"
Let us go back to your specific questions, but do note that they involve part of subjective answers.
> Is it physically possible that a country could restrict or ban access to their specific TLD's from some or all other countries? (eg, USA and Russia at war, is it physically possible to stop Russia from accessing their .us TLD's?)
Yes, you technically could imagine that the .US nameservers deny replying to requests coming from specific geographical places in the world. However this would be far from 100% for many reasons: IP geolocation is not a hard science with 100% reliability, DNS has caches, it is easy to use a VPN, anyone (including people from the affected countries) could use an open resolver, such as Google Public DNS or the CloudFlare one or the Quad9 one (in fact this was used in the past to counter state censorship, see for example: "Google DNS Freedom Fight: 8.8.8.8"), etc.
> Is it likely that the TLD's would be restricted or banned in any way? Would it achieve any advantage to any country to do this? (eg, UK and USA at war, would it have any advantage for USA to ban UK from accessing their .uk TLD's?)
As written above, technically the IANA root lists the TLDs active today. Technically this could change, and does change but under specific processes, like the ICANN new gTLDs round in 2012. As for changes in ccTLDs (since countries can decide to change various details on their TLD, including the technical manager), they have to follow "Delegating or transferring a country-code top-level domain (ccTLD)".
Now besides the technical part, there are "politics" in the generic sense:
- IANA is currently more a "function" than a structure. The structure is PTI (Public Technical Identifiers) which is currently an affiliate of ICANN. See https://www.iana.org/about for details
- ICANN is a not-for-profit organization, incorporated in California, USA. It recently went through a profound set of changes, after pressure from many foreign governments so that it can be seen as more "international" and less under direct control from the US government, as it happened in the past (see the infamous fiasco around .XXX delegation). Now there is no longer a specific contract between ICANN and the US government specifically for the IANA functions.
- The technical operator of the A root nameserver, which is the master of all from which each other root nameserver is "purely" a copy, is managed by VeriSign, a US company under direct contract by the US government.
> Would any country restrict their own country from accessing other countries' TLD's? (eg, UK at war with Russia, would UK have any reason to ban access to Russian websites?)
This is a form of DNS censorship and it targets more the recursive nameservers instead of the authoritative ones. Yes, countries can order the local operators to forbid access (more precisely: resolution) to some specific websites. This happens everywhere: USA, Germany, France, China, Australia, etc. (to be honest I am not sure you could find a lot of countries with absolutely no censorship like that) for various reasons based on the local politics and because some websites are deemed illegal to be consulted from a given country.
But like any form of censorship it can be evaded by more or less complicated mechanisms. Like the examples given above, when in some countries the local recursive nameservers were banned from resolving some given names, people have written 8.8.8.8 (IPv4 address of Google Public DNS Resolver) so that anyone could reconfigure their system to use it instead of the local (lying) DNS resolver, since, obviously, the given country could not force Google to change its replies for some of the queries. In other cases in the past, where even Internet as a transport was disrupted, some ISPs in other countries provided phone lines attached to modems that you could dial to get access to the Internet again, even if all local ISPs were shut down.
DNS censorship is currently more often about some specific domain names, in multiple TLDs, but the basis would be exactly the same to censor a whole TLD.
This technical article could give you many hindsights on both how it is done, and how it is circumvented: "DNS Censorship (DNS Lies) As Seen By RIPE Atlas"
This sole point of DNS/Internet censorship could be expanded in many ways to detail everything that happened in the past but I hope the previous points already give you ideas on what is technically possible and how this fits in the whole politics/governance framework.
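The delegation chain shown in the `dig +trace` output of the answer above can be read mechanically: each referral names a party that decides where the next query goes, and its TTL bounds how long resolvers may keep using it without asking again. This is an added example, not part of the original answers; the sample trace is a constructed, abbreviated copy of that output and the function names are illustrative.

```python
import re

# Constructed sample: abbreviated `dig +trace` output, same shape as the trace
# quoted in the answer above (one NS record kept per step).
SAMPLE_TRACE = """\
. 6313 IN NS a.root-servers.net.
;; Received 431 bytes from 1.1.1.1#53(1.1.1.1) in 64 ms
fr. 172800 IN NS d.nic.fr.
;; Received 357 bytes from 192.33.4.12#53(c.root-servers.net) in 62 ms
openstreetmap.fr. 172800 IN NS a.dns.gandi.net.
;; Received 110 bytes from 194.0.36.1#53(g.ext.nic.fr) in 68 ms
www.openstreetmap.fr. 10800 IN CNAME osm146.openstreetmap.fr.
osm146.openstreetmap.fr. 10800 IN A 217.182.186.67
openstreetmap.fr. 10800 IN NS b.dns.gandi.net.
;; Received 147 bytes from 217.70.179.1#53(c.dns.gandi.net) in 81 ms
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
RECEIVED = re.compile(r"^;; Received \d+ bytes from \S+?#\d+\((\S+?)\)")

def parse_trace(text):
    """Split the trace into steps: (answering server, [records it returned])."""
    steps, records = [], []
    for line in text.splitlines():
        rec, got = RECORD.match(line.strip()), RECEIVED.match(line.strip())
        if rec:
            owner, ttl, rtype, rdata = rec.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
        elif got:
            steps.append((got.group(1), records))
            records = []
    return steps

def delegation_chain(steps):
    """Return (zone, answered_by, ttl) for each referral, i.e. each party that
    decides where the next query goes, and how long resolvers may cache it."""
    chain = []
    for server, records in steps:
        # The last step carries the answer itself; its NS lines are not a referral.
        if any(rtype in ("A", "AAAA", "CNAME") for _, _, rtype, _ in records):
            continue
        seen = {}
        for owner, ttl, rtype, _ in records:
            if rtype == "NS":
                seen[owner] = min(ttl, seen.get(owner, ttl))
        chain.extend((zone, server, ttl) for zone, ttl in seen.items())
    return chain

if __name__ == "__main__":
    for zone, server, ttl in delegation_chain(parse_trace(SAMPLE_TRACE)):
        print(f"{zone:<20} referral served by {server:<22} cacheable {ttl / 3600:.1f} h")
```

On the sample, the referral for `openstreetmap.fr.` is served by a `.fr` registry nameserver with a TTL of 172800 seconds, so a resolver that already holds it can keep resolving the domain for up to two days without contacting the TLD again.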
This is an interesting question. Is it possible for a country to deny access to subdomains of their ccTLD? Yes. Is it likely, even remotely, that they would do so? No.
If someone is navigating to your domain.ru addresses, their resolvers would ultimately go to the name servers for the .ru ccTLD and ask 'where are the name servers for domain.ru?'
Under international standards, DNS is a fair protocol, meaning that every question receives a response. It is possible that the .ru TLD servers would say 'aha! that IP is from the UK and we won't tell them where the domain.ru name server is', but this would not go over well for them.
Ultimately, the direction for everything is controlled by the root servers. These are 13 independent root servers, operated by 12 independent organizations, that work together to maintain equal access to the DNS. If this were to truly happen, the root servers, in collaboration with the International standard bodies, could quite literally replace the Russian servers with someone else. That is, instead of saying, 'go find .ru there in Russia' they could say 'go find .ru here in Ukraine'.
While possible, it really goes against all international behavior and is extraordinarily unlikely.
edited: change wording to clarify not 13 independent organizations, but 13 root servers.
> I'm trying to find out is if I own foreign TLD's and they're hosted on a server that is in my own country, can access to the URL be stopped or restricted by the TLD host country, and then if this is possible, is there any likelihood that this would happen in the event of their involvement in a war or major political breakdown between the countries?
It’s possible and it already happened without a war.
China owns .cn TLD. It used to be open to the world. If the Chinese government would want to take down a .cn domain because it doesn’t like some content on it, it could change the DNS record of that .cn domain.
However, it was not a perfect way for the Chinese government to manage it, because who knows what content is served from which .cn domain. So one day the government decided that all .cn domains need to point to IP addresses physically inside China. (If you owned a .cn domain pointing to an out of China IP at the time, they gave you some time to migrate or shut down your domain.)
By forcing people to host .cn domains physically inside China, the Chinese government can inspect what services each domain provides and what content each domain serves. It could even force people to install a backdoor on their servers as a requirement to put any server into a data center. (It tried that idea for a while.)