Due to an error in 1&1’s DNS server, the provider’s customers could not reach heise online for several days. Apparently the domain ended up in a copyright filter by mistake.
On Friday, March 17th, our editorial team received the first notification, on Monday more messages followed, all from customers of the provider 1&1: When trying to open heise online, the browser responded partly with a certificate error, partly with the text “This website is not available for copyright reasons.” On Friday, editors and system management administrators began to pinpoint the error in more detail. We received crucial details from a reader: He had set up his provider’s standard DNS server with the IP address 82.144.41.8 as the DNS server in his router. This temporarily answered a question about www.heise.de with a CNAME entry that referred to the notice.cuii.info page. Other readers also confirmed that they were using the provider’s default DNS servers.
With a 1&1 DSL connection in the editorial office, we tried to reproduce the problem at different times – but without success. And even with the first whistleblower, the problem later disappeared on its own. Finally, on March 21 at 4:00 p.m., we called the 1&1 press office and were promised to investigate the problem with the technical departments. Since then, no further information has been received, but 1&1 has not yet been able to give us any details about the cause. The case remains a mystery: Only a small proportion of the queries to 1&1 DNS servers seem to be affected, and it is also not a regional problem. The tips came from Berlin and Hesse, among others.
The blocking page of the CUII should appear before “structurally copyright infringing websites”. Individual 1&1 customers also saw them when they called up heise.de.
What does the CUII do?
Behind the notice.cuii.info address, which is referred to in the CNAME, is the “Copyright Clearing House on the Internet” (CUII). Members of the organization are telecommunications companies such as Deutsche Telekom, Vodafone, Freenet and 1&1, as well as rights holders such as the German Football League (DFL), the German Book Trade Association and the Federal Association of the Music Industry. They merged in 2011. The goal of the cooperation: “Structurally copyright infringing websites” (SUW) should be more difficult to access. The rights holders describe sites on which almost exclusively copyrighted material is offered – such as series, cinema films and sports broadcasts – as structurally infringing on copyright.
In order to determine whether a side belongs to the SUW, the CUII has implemented a two-step process. When a rights holder submits a page for review, a CUII Review Board meets. If the committee decides that the blocking is reasonable and permissible, the CUII submits the decision to the Federal Network Agency for review. If it comes to the conclusion that net neutrality is not being violated, the Internet providers involved implement the DNS blocking in their DNS servers. The CUII publishes all decisions at the address cuii.info/empfehlungen.
problems and ways out
The fact that some 1&1 users experienced at least a temporary network ban when calling up heise.de makes it clear how problematic the network ban tool is in general. Access to the DNS, the address book of the Internet, is dangerous and can not only be used to block “structurally copyright-violating websites”. Censorship and attacks are also fundamentally possible if DNS responses are manipulated.
There is an effective remedy against German DNS blocks: German Internet customers are under no circumstances forced to use their provider’s standard DNS servers. On the contrary: Other DNS servers are often even faster and not tied to organizations like the CUII. Changing the DNS server in your home router is quick and easy. In the Fritzbox, for example, you can find the setting under the menu item Internet/Access data/DNS server.
Changed quickly: In the Fritzbox you change the DNS server for the home network under Internet/Access data/DNS server. If you no longer rely on the DNS server of a German provider, you are not affected by German network blocks.
DNS server without locks
There are many alternative DNS servers that are not operated by the providers and the following list is by no means complete. When deciding on a DNS provider, you have to be aware that the operator can theoretically draw conclusions about your own surfing behavior. It’s a good idea to use the first and second DNS from different providers – then it can still be resolved if one provider has a problem.
One of the most popular DNS offerings is Google’s 8.8.8.8 (and 8.8.4.4 as a backup address). Coming from Cloudflare is 1.1.1.1 (and 1.0.0.1 as a backup). Both companies are based in the USA. A European alternative is Quad9, operated by a Swiss foundation. Their IP addresses are 9.9.9.9 (and 149.112.112.112 in reserve). The DNS.Watch project with the IP address 84.200.69.80 (and 84.200.70.40) has no legal form.
| Cloudflare |
USA |
1.1.1.1 |
1.0.0.1 |
||
|
USA |
8.8.8.8 |
8.8.4.4 |
2001:4860:4860::8888 |
2001:4860:4860::8844 |
|
| Quad9 |
Switzerland |
9.9.9.9 |
149.112.112.112 |
2620:fe::fe |
2620:fe::9 |
| DNS.WATCH |
Deutschland |
84.200.69.80 |
84.200.70.40 |
2001:1608:10:25::1c04:b12f |
2001:1608:10:25::9249:d69b |
The fact that alternative DNS providers do not comply with the request for network blocking is a thorn in the side of the rights holders. At the beginning of March, a lawsuit against the foundation behind Quad9 was decided in the first instance by the Leipzig Regional Court. Sony, as the rights holder, had complained that Quad9 had refused to install a lock. The verdict is not yet legally binding.
(jam)
