National Cyber Warfare Foundation (NCWF)

TDL 012 | The Architect of the Internet on the Future of Trust


2025-12-27 02:56:16
milo
Blue Team (CND)

Summary


In this episode of The Defenders Log, Paul Mockapetris, the architect of DNS, discusses the evolving role of the Domain Name System from a simple directory to a sophisticated security tool. He posits that modern networking requires “making sure DNS doesn’t work when you don’t want it to,” comparing DNS filtering to essential services like spam filters and firewalls.


Key Security Concepts


Mockapetris highlights how companies like ThreatSTOP use DNS intelligence to “craft” a network. By utilizing threat feeds, organizations can block traffic based on:



  • Geography: Restricting connections to specific regions (e.g., avoiding conflict zones).

  • Domain Age: Blocking domains less than seven days old to avoid fraudulent sites often registered with stolen credit cards.

  • Rational Filtering: He argues that choosing who to communicate with is a business necessity, not censorship.
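
The three rules above, worked as resolver-side policy logic. This is an added example, not ThreatSTOP's or the episode's code: the blocklist is expressed as RPZ-style zone text (the "shadow namespace" Mockapetris describes in the transcript, where the DNS itself carries the list of names you do not want to resolve), while the registration-date feed, the geography feed, the region labels and the query names are all constructed sample data.

```python
"""Resolver-side DNS filtering policy: an RPZ-style blocklist zone, a seven-day
minimum domain age, and a geography block on the answer address.  Added
example, not ThreatSTOP's or the podcast's code; all feeds are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed blocklist zone in RPZ-style text: the owner name is the blocked
# domain and "CNAME ." is the action meaning "answer NXDOMAIN".
BLOCKLIST_ZONE = """\
$ORIGIN rpz.example.
; comment lines and directives are ignored by the parser
bad-site.example      CNAME .
*.bad-site.example    CNAME .
tracker.example       CNAME .
"""
# Constructed stand-in for a domain-age feed keyed by registrable domain.
REGISTRATION_DATES = {
    "fresh-login.example": date(2025, 12, 22),
    "old-shop.example": date(2019, 3, 4),
}
# Constructed geography feed: documentation prefixes tagged with a region label.
GEO_FEED = {"203.0.113.0/24": "region-A", "198.51.100.0/24": "region-B"}
TODAY = date(2025, 12, 27)  # fixed so the example is deterministic


@dataclass
class Policy:
    exact: set[str]            # names blocked outright
    wildcard: set[str]         # parents whose subdomains are blocked
    min_age_days: int = 7      # the "7-day rule"
    blocked_regions: set[str] = field(default_factory=set)


def parse_rpz_zone(text: str) -> tuple[set[str], set[str]]:
    """Collect "owner CNAME ." records into (exact, wildcard) name sets."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("$", ";")):
            continue
        owner, rtype, rdata = line.split()[:3]
        if rtype != "CNAME" or rdata != ".":
            continue  # only the NXDOMAIN action is modelled here
        owner = owner.rstrip(".").lower()
        if owner.startswith("*."):
            wildcard.add(owner[2:])
        else:
            exact.add(owner)
    return exact, wildcard


def decide(qname: str, answer_ip: str | None, policy: Policy,
           registration_dates: dict[str, date], geo_feed: dict[str, str],
           today: date) -> tuple[str, str]:
    """Return ("NXDOMAIN", reason) for a refused name, else ("RESOLVE", "allowed")."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # Rule 1: blocklist zone, exact owner or any ancestor listed as "*.parent"
    if name in policy.exact:
        return "NXDOMAIN", "blocklist"
    if any(".".join(labels[i:]) in policy.wildcard for i in range(1, len(labels))):
        return "NXDOMAIN", "blocklist-wildcard"
    # Rule 2: refuse names whose registrable domain is younger than the minimum.
    # The last two labels stand in for the registrable domain; real code uses
    # the public suffix list.
    created = registration_dates.get(".".join(labels[-2:]))
    if created is not None and (today - created).days < policy.min_age_days:
        return "NXDOMAIN", f"domain-age<{policy.min_age_days}d"
    # Rule 3: refuse answers whose address falls in a blocked region
    if answer_ip is not None:
        ip = ip_address(answer_ip)
        for prefix, region in geo_feed.items():
            if region in policy.blocked_regions and ip in ip_network(prefix):
                return "NXDOMAIN", f"geo:{region}"
    return "RESOLVE", "allowed"


POLICY = Policy(*parse_rpz_zone(BLOCKLIST_ZONE), blocked_regions={"region-A"})


def check(qname: str, answer_ip: str | None = None) -> tuple[str, str]:
    """Apply POLICY with the constructed feeds above."""
    return decide(qname, answer_ip, POLICY, REGISTRATION_DATES, GEO_FEED, TODAY)


if __name__ == "__main__":
    for q, ip in [("login.bad-site.example", None), ("www.fresh-login.example", "192.0.2.9"),
                  ("old-shop.example", "203.0.113.7"), ("old-shop.example", "192.0.2.1")]:
        print(f"{q:26} {ip or '-':14} -> {check(q, ip)}")
```

The decision order matters: the blocklist is checked before the age and geography rules so that a listed name is refused even when no registration date or answer address is available. Production resolvers such as BIND implement the blocklist half of this natively as Response Policy Zones, which is what lets the list itself be distributed and updated as ordinary zone data.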


Future Challenges and Infrastructure


The conversation shifts to the impact of AI, with Mockapetris warning that trillions of automated agents will soon accelerate the scale of spam and network “jabber.” He also critiques the rapid adoption of DNS over HTTPS (DoH), noting that while hyperscalers like Google and Mozilla have improved privacy, they have often removed the network operator’s ability to configure and understand their own traffic.


Finally, the dialogue touches on the tension between centralization and distribution. While entities like Amazon appear centralized, they operate as massive distributed systems internally. Mockapetris and David Redekop conclude that while centralized services offer convenience, maintaining distributed architectures is vital for long-term data sovereignty and network resilience.


Full episode of The Defender’s Log here:


The Architect of the Internet on the Future of Trust | Dr. Paul Mockapetris | Defender's Log


TL;DR



  • DNS as a Security Filter: Paul Mockapetris (inventor of DNS) argues that modern networking requires “making DNS not work” when you don’t want it to. Just as we use spam filters for email, we must use DNS filtering to secure a network.

  • The “7-Day” Rule: A practical security tactic is to block any domain registered less than seven days ago. Most fraudulent domains are caught by credit card chargebacks within a week, making older domains statistically safer.

  • Tailored Connectivity: Businesses should “craft” their network by blocking specific geographies or “looky-loos” (attackers scanning for vulnerabilities). This is framed as rational business logic rather than censorship.

  • The AI Threat: The scale of the internet is shifting from billions of humans to potentially trillions of AI agents. These agents will communicate faster and generate significantly more “noise” and spam than current users.

  • Loss of Control (DoH): The rapid adoption of DNS over HTTPS (DoH) by “hyperscalers” (Google, Apple, Mozilla) has made it harder for individual network operators to see or control their own traffic, prioritizing vendor optimization over user configuration.

  • Centralization vs. Distribution: While the internet looks centralized due to big tech ownership, these companies are internally massive distributed systems. The “long game” for security and sovereignty is maintaining distributed architectures where users own their data.
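
The "Loss of Control (DoH)" point above is about operator visibility. One check a network operator can still run is to look in the local resolver's query log for clients resolving the hostnames of public DoH endpoints, because a client has to bootstrap those names over ordinary DNS before it can switch, and to confirm that browsers are probing the opt-out canary name. The following is an added example, not the podcast's or any vendor's code: the log line format and every log line are constructed; the endpoint hostnames and Firefox's canary name use-application-dns.net are real.

```python
"""Scan a resolver query log for DoH bootstrap lookups.  Added example, not
the podcast's or any vendor's code.  Log format and lines are constructed;
the DoH hostnames and the Firefox canary name are real."""
import re
from collections import defaultdict

# Public DoH endpoints whose hostnames a client must resolve over plain DNS
# before it can use them.  Illustrative, not exhaustive.
DOH_BOOTSTRAP_NAMES = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Firefox queries this name before enabling DoH; an NXDOMAIN answer from the
# local resolver tells it to keep using the operator's resolver.
CANARY_NAME = "use-application-dns.net"

# Constructed query log, one "<timestamp> <client-ip> <qtype> <qname>" per line.
SAMPLE_LOG = """\
2025-12-27T02:56:01Z 192.0.2.10 A use-application-dns.net
2025-12-27T02:56:02Z 192.0.2.10 A mozilla.cloudflare-dns.com
2025-12-27T02:56:05Z 192.0.2.11 A www.example.com
2025-12-27T02:56:07Z 192.0.2.12 A dns.google
2025-12-27T02:56:09Z 192.0.2.12 HTTPS dns.google
2025-12-27T02:56:11Z 192.0.2.13 A mail.example.com
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            yield rec


def is_doh_bootstrap(qname):
    """True if qname is a known DoH hostname or a subdomain of one."""
    return any(qname == n or qname.endswith("." + n) for n in DOH_BOOTSTRAP_NAMES)


def find_doh_bootstrap(text):
    """Map client IP -> sorted list of DoH endpoint names it looked up."""
    hits = defaultdict(set)
    for rec in parse_log(text):
        if is_doh_bootstrap(rec["qname"]):
            hits[rec["client"]].add(rec["qname"])
    return {client: sorted(names) for client, names in hits.items()}


def canary_clients(text):
    """Clients that probed the canary name, i.e. browsers honouring an opt-out."""
    return {rec["client"] for rec in parse_log(text) if rec["qname"] == CANARY_NAME}


if __name__ == "__main__":
    for client, names in find_doh_bootstrap(SAMPLE_LOG).items():
        print(f"{client}: resolved DoH endpoint(s) {', '.join(names)}")
    print("canary probes from:", sorted(canary_clients(SAMPLE_LOG)))
```

A client that appears in the bootstrap list but never probed the canary name is the case worth a closer look: it is preparing to send DNS over HTTPS without checking for an operator opt-out, so its later name resolution will not show up in the resolver log at all.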




Links


View it on YouTube: https://www.youtube.com/watch?v=lgLF8Amm9QE


Listen to the episode on your favourite podcast platform:


Apple

https://podcasts.apple.com/us/podcast/the-architect-of-the-internet-on-the-future/id1829031081?i=1000742772779


Spotify

https://open.spotify.com/episode/6pmeUMvHYqGDTVy7Iogz0l


Amazon Music

https://music.amazon.ca/podcasts/d7aa9a19-d092-42a6-9fe9-9e8d81f68d30/episodes/46e9a3a9-4e38-4a70-b8db-1fbe4e149495/the-defender’s-log-podcast-the-architect-of-the-internet-on-the-future-of-trust-dr-paul-mockapetris-inventor-dns


ADAMnetworks

https://adamnet.works




Video Transcript: The Defender’s Log | Episode 12




Paul Mockapetris: One of the things people ask me a lot is, ‘How did you get this important job designing the DNS?’


David Redekop: I think it’s quite staggering how much the internet has grown and how it continues to grow in the domain name space.


Paul Mockapetris: And I said, ‘My day job is making sure that DNS doesn’t work when you don’t want it to.’ That is really the whole tagline.


David Redekop: You know, when I think about the browser being a user agent, it is my agent, and I am to tell my agent what to do.


Paul Mockapetris: There’s lots of ways to decide who you… you know, people say for some reason that DNS is censorship. And I always tell people that the DNS is the result of some of my experiences…


Chapter 1


Video Transcript: Does ThreatSTOP Make Your Network Safer?




Paul Mockapetris: Another interesting direction is in my day job. I tell people, ‘Well, my day job is making sure that DNS doesn’t work.’ And they say, ‘What?’ And I said, ‘My day job is making sure that DNS doesn’t work when you don’t want it to is really the whole tagline.’ And that has to do with just basic security. You know, what you want to do is you wouldn’t do email without spam filtering, right? And you probably wouldn’t set up your own network without a firewall. So you have to do the same stuff at the IP and DNS level if you want to have a useful network.


So what, you know, what ThreatSTOP does is it provides the raw data and intelligence so you can craft your network. And what that means, for example, is if you come to us and you want to say, ‘We want to make all IP addresses and domain names that are in the part of the Ukraine that the Russians control, we want to not talk to them.’ Okay, because, well, we don’t really want to backhaul their drone traffic or whatever. That’s an extreme example, but there’s lots of commercial companies that just say, ‘Hey, I have a set of customers that I want to deal with.’ You know, maybe that’s geographical because I’m delivering my pies with a limited radius or they go bad, or certainly if I was in the croissant business, that would be it.


But there’s lots of looky-loos and there’s lots of people that are just surveying the network and looking for vulnerabilities and so forth. So what we say is that you want to kind of tailor your internet experience, and that means there’s a bunch of domain names that you really don’t want to resolve. You know, one of the things that people do to you, you can use the credit card companies to help your security. And you might say, ‘How does that work?’ Well, one of the things you can do is there’s a threat feed that says, ‘Don’t resolve a domain name if it’s less than seven days old.’ Well, why is that? Well, because if a domain name is registered for fraudulent purposes, it’s probably done with a fraudulent credit card, and the chargeback mechanism will take that domain name away. So if you only deal with domain names that have at least seven days of age on them, then you’re going to spare yourself a lot of threats.


Anyway, there’s lots of ways to decide who you want. You know, people say for some reason that DNS is censorship. It’s okay to do IP addresses and it’s okay to do email filtering, but somewhere in between in that layer in between in the stack, it’s censorship. Well, it is if, if somebody is forcing that filter on you. But if you’re just configuring, if you’re running a business and you only want to talk to people that are customers rather than potential attackers, you know, it’s just rational to do that. And that’s something I never thought about way back when.


And actually, the thing that’s kind of amusing about that is you can use the DNS to keep track of the parts of the DNS that you don’t want to talk to. So there’s kind of the shadow namespace that’s out there. I can download the zones and the DNS data that various people have about who you shouldn’t talk to or, you know, various other kinds of restrictions. And you use the DNS to keep track of what parts of the DNS you don’t want to have work, which is kind of an interesting application.


And this blacklist, you know, distribution by DNS has been going on for over a decade now at both the IP level and the DNS level. And it’s just a way for making a tailored internet that helps you do what you want to do. But I never thought way back when that you’d be doing that. I certainly didn’t think that we’d be using AI. And when you think about AI, you know, it’s going to be… it’s bad enough when you have a few billion users, but, you know, you probably could easily have a trillion agents that are out there jabbering, right? You know, how are they going to do their thing? Because they’re certainly going to do it faster. And you know, how do you think about the mismatch about having all of these agents all of a sudden deciding that they want to talk to you? You know, it’s bad enough with the spam that you get now; it’s going to get worse in the future. I’m sorry, I’ve been rattling on there.


David Redekop: This is exactly what I was hoping for. We don’t give, we don’t listen to voices like yours often enough, often enough in our industry. And I really, I was looking forward to you just speaking the entire time. If I don’t have a single question to ask, that’s, that’s a good thing because that means that your voice and what you think is important ends up getting heard.




Chapter 3


On the Role of DNS and Security


Paul Mockapetris: One of the things people ask me a lot is, ‘How did you get this important job designing the DNS?’ Another interesting direction is in my day job—I tell people, ‘Well, my day job is making sure that DNS doesn’t work.’ And they say, ‘What?’ And I said, ‘My day job is making sure that DNS doesn’t work when you don’t want it to.’ That is really the whole tagline.


And that has to do with just basic security. You know, what you want to do is—you wouldn’t do email without spam filtering, right? And you probably wouldn’t set up your own network without a firewall. So you have to do the same stuff at the IP and DNS level if you want to have a useful network.


So what ThreatSTOP does is it provides the raw data and intelligence so you can craft your network. And what that means, for example, is if you come to us and you want to say, ‘We want to make all IP addresses and domain names that are in the part of the Ukraine that the Russians control… we want to not talk to them.’ Okay, because, well, we don’t really want to backhaul their drone traffic or whatever. That’s an extreme example, but there’s lots of commercial companies that just say, ‘Hey, I have a set of customers that I want to deal with.’ You know, maybe that’s geographical because I’m delivering my pies within a limited radius or they go bad—certainly, if I was in the croissant business, that would be it.


But there’s lots of looky-loos and there’s lots of people that are just surveying the network and looking for vulnerabilities and so forth. So what we say is that you want to kind of tailor your internet experience, and that means there’s a bunch of domain names that you really don’t want to resolve.


David Redekop: I think it’s quite staggering how much the internet has grown and how it continues to grow in domain name space. When I think about the browser being a user agent, it is my agent, and I am to tell my agent what to do.


The Philosophy of Control and Filtering


Paul Mockapetris: You can use the credit card companies to help your security. And you might say, ‘How does that work?’ Well, one of the things you can do is there’s a threat feed that says, ‘Don’t resolve a domain name if it’s less than seven days old.’ Well, why is that? Well, because if a domain name is registered for fraudulent purposes, it’s probably done with a fraudulent credit card, and the chargeback mechanism will take that domain name away. So if you only deal with domain names that have at least seven days of age on them, then you’re going to spare yourself a lot of threats.


Anyway, there’s lots of ways to decide who you want. You know, people say for some reason that DNS is censorship. It’s okay to do IP addresses and it’s okay to do email filtering, but somewhere in between—in that layer in between in the stack—it’s censorship. Well, it is if somebody is forcing that filter on you. But if you’re just configuring—if you’re running a business and you only want to talk to people that are customers rather than potential attackers—you know, it’s just rational to do that. And that’s something I never thought about way back when.


And actually, the thing that’s kind of amusing about that is you can use the DNS to keep track of the parts of the DNS that you don’t want to talk to. So there’s kind of the shadow namespace that’s out there. I can download the zones and the DNS data that various people have about who you shouldn’t talk to or various other kinds of restrictions. And you use the DNS to keep track of what parts of the DNS you don’t want to have work, which is kind of an interesting application.


This blacklist distribution by DNS has been going on for over a decade now at both the IP level and the DNS level. And it’s just a way for making a tailored internet that helps you do what you want to do. But I never thought way back when that you’d be doing that. I certainly didn’t think that we’d be using AI. And when you think about AI, you know, it’s going to be… it’s bad enough when you have a few billion users, but, you know, you probably could easily have a trillion agents that are out there jabbering, right? You know, how are they going to do their thing? Because they’re certainly going to do it faster. And you know, how do you think about the mismatch about having all of these agents all of a sudden deciding that they want to talk to you? You know, it’s bad enough with the spam that you get now; it’s going to get worse in the future. I’m sorry, I’ve been rattling on there.


DNS over HTTPS (DoH) and User Choice


David Redekop: Paul, I have so many questions lined up since you were speaking, and we don’t have time to get to most of them, so I’ll pick my best shot. One is in the area of DoH. You mentioned earlier about how hyperscalers are the ones that are architecting the future direction, and I noticed that is exactly how DoH was adopted so incredibly fast. It was through the combined effort, as I understand it, between Mozilla with how they implemented quickly in Firefox, and how Cloudflare was one of the first, if not the first, to offer it on their recursive resolver. And that seemed to ruffle a lot of feathers, especially those of us that are in the defensive space. Talk to me about how—give me a broad picture of what your experience was, how we got there, but then also how you feel about DoH today.


Paul Mockapetris: You know, I think that the Microsofts of the world and the Apples of the world owe us a better way to choose what DoH we want to use. You know, people that operate networks would like to be able to understand what the traffic is on their network. You referred to the encrypted connection coming out of my TV set going somewhere and we’re not sure why. Once my TV set gets a camera, I think it’s going to be game over. And why is it ‘quad eight’ and so forth? So I think the question is, there’s an ease of use and it should be easy for me to decide what configurations I’m going to allow. And the design doesn’t make that desirable or possible, and they probably didn’t want to. I mean, they’re optimizing the environment that they want to have.


Centralization vs. Distribution


Paul Mockapetris: Sometimes if you want, you can go take a look at—are you familiar with the real-time bidding network?


David Redekop: I am not.


Paul Mockapetris: Okay, so supposing I just popped up the New York Times on my browser here. In the corner of the front page, there’s going to be an ad for something. How did that ad get there? Well, in the background what happened is that the information that’s been collected is sent out to a hundred different organizations to say, ‘Hey, do you want to pay to put an ad in this space?’ And those organizations may just be collecting that information for their own purposes and never want to place an ad, or they may be bidding to put the ad in place. And that’s all done in the background. It’s fascinating to me how all of my information gets exported in milliseconds or microseconds in the background. And it’s kind of the way that a lot of the content that you see gets put up because there’s more ads probably than useful content on what you look at. You just tune it out.


David Redekop: How much of the centralization efforts—some of the ones that you just described—are as a direct result of it making the world faster, and commercial entities have found a way to capitalize on that and make a profit out of delivering a better end-user experience? Without going down to conspiracy theories, how much of it do you think is just a function of economics?


Paul Mockapetris: I mean, you know, people say, ‘Oh, the network is less distributed.’ One of the things is that if you take a look at any of these Amazons or Googles or whatever, their interior is a huge distributed system, right? So the question is: to whom do the benefits of distribution accrue? So Amazon, Akamai, content distribution networks… to the outside world it looks like centralization. In a way it is—it’s sort of like centralization of ownership, although the distribution takes place within that ownership. So it’s a yin and yang.


But at any rate, messaging seems to be the hope of the rebel alliance here. I’m not sure, but they face a lot of the same things. They go, ‘Okay, we can figure out how to do end-to-end messaging between you and I, but what if you’re not online? Where do I store the message so you can pick it up?’ You know, there’s a bunch of those issues.


The Evolution of Network Metrics


David Redekop: We internally for our own team use the Matrix protocol and host our own, and that’s our way of making sure that we maintain sovereign data custody out of all of the internal messaging. But it’s kind of like the mail systems approach. The reason Gmail—or the reason Google and Microsoft own the bulk of mailboxes around the world—is because it’s easily done, right? With economics, they’ve solved a problem that otherwise requires a tremendous amount of maintenance. I mean, when our Matrix environment needs maintenance, it affects all of us, and so we don’t have the level of uptime as WhatsApp, as Signal, or as Microsoft 365. But the price you pay for distribution isn’t worth it if you don’t attach a value to the distributed architecture. To me, it seems somehow we need to continue to foster the culture of distributed systems being the better long play. Non-distributed systems are a short game versus distributed being a better long game.


Paul Mockapetris: Yeah, if you believe the economics will change—you know, quantum computing or whatever—the engineering changes. A long time ago I read this paper talking about the design of the ARPANET IMPs and how there was a balance between the amount of memory you had, the processing speed, and the link speed. Certainly, the processing speed has gone up, although it’s sort of hit a little bit of a wall. You hear about people building 20 GHz silicon, Moore’s Law, memory size has gone up, and fiber optics—the bandwidth that you have available there has certainly scaled up. So if you design a system to exist 100% optimized for the current settings, well those settings are probably going to change over time. It’s just like the UDP packet size; it’s going to change, isn’t it? Well, I would sort of hope so. It’s kind of funny—remember once upon a time people said, ‘Oh, ATM is going to solve this by having short, fixed-length packets’? And today’s largest Ethernet packets take up less time on the fiber optics than an ATM cell would way back when, because of the length of the bit train in nanoseconds. It’s gotten shorter.


David Redekop: You mentioned about the relationship between memory and process and link speed, and that reminded me of where we are today. When we look at the quality of an internet connection like this call, we’re actually looking for a different set of three, because it’s assumed now that link and process and memory are no longer a limiting factor. And now we’re thinking about packet loss, latency, and jitter as the three key metrics that determine the quality of our call, right?


Paul Mockapetris: Right. Although, as long as we’re riding the ‘more is better’ curve, we’re going to keep driving it.


David Redekop: This is exactly what I was hoping for. We don’t listen to voices like yours often enough in our industry. If I don’t have a single question to ask, that’s a good thing, because it means that your voice and what you think is important ends up getting heard.




The post TDL 012 | The Architect of the Internet on the Future of Trust appeared first on Security Boulevard.



Carly_Engelbrecht

Source: Security Boulevard
Source Link: https://securityboulevard.com/2025/12/tdl-012-the-architect-of-the-internet-on-the-future-of-trust/





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.