Security and Stability Advisory Committee (SSAC)
SAC127 | Executive Summary for DNS Blocking Revisited
[PDF, 5.25MB]
SAC127 is intended to update SAC050 (DNS Blocking: Benefits Versus Harms – An Advisory from the Security and Stability Advisory Committee on Blocking of Top Level Domains at the Domain Name System, 2011) and SAC056 (SSAC Advisory on Impacts of Content Blocking via the Domain Name System, 2012). Relevant Internet technologies and practices have evolved since then, and more examples of DNS blocking have been implemented.
This advisory describes the technical means by which DNS blocking can be accomplished, along with its intended and unintended effects. DNS blocking is a method for restricting or regulating access to a domain on the Internet by altering the normal behavior of servers in various ways and for various purposes.
As a tool, DNS blocking is not 100% effective at all times in all contexts as users may circumvent different methods of blocking. Parties implementing DNS blocking, such as governments or organizations should be aware of the potential for negative side effects and collateral damage. Because of the risks of harm related to DNS blocking, the SSAC puts forth recommendations for parties seeking to use this mechanism to control access to Internet services.
Recommendations
- Recommendation 1: SSAC recommends that any entity implementing or mandating DNS blocking understand the implications of the technology.
- Recommendation 2: SSAC recommends that DNS blocking implemented by any entity—by a government or any organization that has policy, legal, or operational control over a network or service—follow these guidelines:
- The entity should determine whether DNS blocking will fulfill its objectives.
- The entity should have a clear policy about what and how it will block, with well-defined review and decision-making processes that minimize risk.
- The entity should implement the policy using a technique that minimizes overblocking or collateral damage that could affect its users.
- The entity should not affect networks or users outside its administrative control.
- Recommendation 3: SSAC recommends that operators of recursive servers use DNS Extended Error codes (see section 6.6 Extended DNS Error) to indicate to end users and troubleshooters that DNS blocking is taking place.

