One of the interesting questions in relation to the Draft Investigatory Powers Bill is whether it would allow a retention order to require an ISP to log DNS lookups.
What is a DNS lookup?
The Domain Name System is a key part of the Internet - its primary use being to convert the names you use on web sites (like www.me.uk) to the addresses used within the protocol itself (e.g. 2001:8b0:0:30::51bb:1e51).
It is actually a pretty good distributed database system, and can hold more than simply name to IP address lookups. It can do reverse lookups (IP to name), and hold text records and mail server records, and a number of other record types.
Why would you want to log DNS?
Well, the government have made it clear that they would like to see the web site names people access. Usually, when accessing a web site, before you access it you have to convert the name to an IP address, and hence to a DNS lookup. Trying to extract the name of the web site from the web site access itself it a lot harder than just logging the DNS lookup.
How easy is it to log DNS lookups?
Mostly the ISP runs DNS servers for their customers, and such servers could produce logs. To be honest, that would mean beefing up the servers, as they typically are not logging (it would be a lot of logs). Also it would mean finding a good way to store and search the logs, but it is possible.
What gets a tad more complex is when people do not use the ISPs DNS servers. Normally this is a simple thing to do, and some people use googles 220.127.116.11 or OpenDNS which can provide some parental control filtering. There are ISPs that do not run DNS at all themselves and subcontract it.
However, DNS packets are not encrypted, and are always on the same port, so it is technically possible to log the requests as they go past. This is a headache to do - you cannot easily divert these packets or copy them on a normal router - you have to look at a switch mirror port of all traffic and filter out the DNS packets. The only good news is that you probably do not have to do session tracking, simply catching the DNS replies would allow you to see the (apparent) requester and the answer they got. You'd also get all DNS reflection attack traffic.
Of course, it is easy to see how protocols could advance to allow encrypted DNS lookups, and I am sure that will come.
Why would people not use their ISPs DNS resolvers?
There are lots of reasons, but one of the reasons that is increasing a lot is because bypassing ISP DNS resolvers can bypass the ISPs ability to block access to some web sites in some cases. It is somewhat ironic that the governments moves to try and ban porn, copyright infringement, and extreme content are making the public at large much more tech-savvy in ways to bypass the controls of the ISPs, and hence also logging.
Should DNS lookup logging be allowed?
This is where it gets tricky! In the telephony world a call to Directory Enquiries is essentially the same function as a DNS lookup - however telcos are not expected to record, listen to, and log the content of that call any more than they can log the content of any other call. So it seems obvious that DNS requests should not be logged.
Will the bill allow DNS lookups to be logged?
The bill tries to define content and meta data (communications data) - which is a complex task. In principle, an "identifier" or data about a communications address is considered meta data and so could be logged. On that basis, maybe they could ask to log the content of these DNS lookups.
The problem is that DNS can be used for more than just a name/IP lookup. Only some types of DNS request will come within that somewhat loose definition of communications data. Any other type of lookup would be "content" which the ISP must definitely not be logging and retaining.
Even more complex is that you do not know for sure that a name/IP lookup is actually be used to look up a protocol address. The IP address returned could be used to signal something else - one common usage is a blacklist lookup. This is using DNS as a database query system, and the reply indicates a yes or no, and not actually an IP address, even though it looks like an IP address is returned.
Ultimately the ISP has no way to know for sure what purpose exists for the DNS lookup - it is simply a database. With that in mind, and with a ban on logging the "content", I do not think any ISP could legally log the content of DNS lookups under a retention order.
How would we know?
One huge problem here is that if this is not clear in the bill, once passed an ISP could be asked to log DNS requests. If they don't appeal that, then end up making and retaining such logs. If that is in fact not allowed (and presumably even one logged request which was not a protocol "identifier" would make it illegal) then that could cause problems. The issue here is nobody knows - the retention order is secret.
Indeed this is a more general issue with the secrecy - the definitions are not crystal clear and if the government decide something is in scope of "communications data" they could include it in a retention order and simply get away with it. One level example was the idea of grabbing from emails the details of calendar events. These seem obvious that they are "content" except the define the time of an event, and that is something that is defined as "communications data" in the bill. The fact that it was within the "content" part of an email may not matter. This is yet another reason that retention orders must not be secret.
What did the Home Office say?
They seemed unsure. As per my written evidence I think this needs spelling out in the bill that DNS lookups must not be logged.