Ineffective self-blocking by the National Enquirer

It used to be simple to explain how browsing works. You type a link into the browser, the browser asks a DNS server at your ISP to translate the human-friendly hostname into the IP address of the web server, and then the browser contacts the server with an HTTP request requesting the page that you want to view.

It’s not quite that simple any more — which is rather bad news for the National Enquirer, the US tabloid which decided, three years or so ago, following a brush with the UK libel laws, that it would not publish a UK edition, or allow visits to its website from the UK. Unfortunately, the Enquirer’s blocking is no longer working as effectively as it used to.

In the US, a public figure cannot be libelled unless there is “actual malice” whereas in the UK, publishing defamatory untruths can lead to substantial damages being awarded. This has led to “libel tourism“, with foreigners with tenuous links to the UK taking action in the UK courts.

In 2005 the National Enquirer, published a defamatory (and untrue) story about Cameron Diaz — and a writ was issued in the UK because the story had been viewed 279 times from UK Internet addresses. As a result, in March 2007, shortly after apologising to Ms Diaz (and paying damages) the Enquirer blocked access to their website from the UK.

This has all come to notice again because of the present campaign to reform the UK libel laws and the National Enquirer’s decision has come back into the popular consciousness. More significantly, several other (perhaps more likely to be missed) newsites such as the New York Times, Boston Globe, and Los Angeles Times are considering following suit.

However, some UK-based people claim to be able to see the National Enquirer’s website just fine. The reason is that the blocking mechanism that is being used is not as effective in 2010 as it probably was in 2007.

Remembering how browsing works (see above); we can see that at the point at which www.nationalenquirer.com is resolved by the DNS server, a UK specific answer is given:

www.nationalenquirer.com. 3600 IN CNAME ne.ami.nsatc.net.
ne.ami.nsatc.net. 1800 IN A 216.109.89.58

the “216.109.89.58” machine is the one giving the unavailable page, whereas in the US, the answer would be

www.nationalenquirer.com. 311 IN CNAME ne.ami.nsatc.net.
ne.ami.nsatc.net. 1771 IN CNAME www.nationalenquirer.com.c.footprint.net.
www.nationalenquirer.com.c.footprint.net. 201 IN A 199.93.42.126
www.nationalenquirer.com.c.footprint.net. 201 IN A 204.160.98.126
www.nationalenquirer.com.c.footprint.net. 201 IN A 209.84.7.126

which, as you can see, will lead you to the National Enquirer site on the footprint.net (Level Three) content distribution network (CDN).

So it’s the National Enquirer’s DNS server that knows about UK Internet addresses. This makes some engineering sense, since doing the address lookup at the web server, on the CDN, would be rather more expensive and inconvenient.

However, the National Enquirer has a serious problem in that a great many UK Internet users will not be making DNS queries from UK address space, and that number is almost certainly substantially increasing.

Two common choices of DNS server that people make are OpenDNS (who claim to offer security, by suppressing lookups to “bad” places), or the “8.8.8.8” (feeling lucky?) service offered by Google (who are trying to improve web response times). If you change to one of these services then the DNS request to the National Enquirer will no longer be done from a UK IP address, and the site will be visible — in all its (sometimes defamatory) glory!

So it looks like more work for Eady J and colleagues, more damages for aggrieved Hollywood starlets (will I get a cut for expert assistance?), and a system redesign for the National Enquirer when they get around to reading this little corner of the web.

3 thoughts on “Ineffective self-blocking by the National Enquirer

  1. I have a copy of the first edition of the Ladybird Book you reference. I keep trying to find a way to work a reference into something I write.

  2. Update: Testing (rather than speculating) now suggests that OpenDNS will not be suitable for avoiding the National Enquirer block. They use an anycast system for accessing their servers and it looks as if the “nearest” instances are (for the locations I have tried) being given the censored version of the DNS.

  3. FWIW even if google and openDNS both anycast to geographically close servers this approach is pretty poor.

    Anyone who has a way to access a US based DNS will beat this block – for example people working in multinational companies where DNS requests are (generally) handled by a single central server even though access may be via local routers will discover that they can read the national enquirer.

    Companies and individuals who want to block UK access would do better to build a blocklist on the firewalls/loadbalancers in front of the DNS that contains all the UK assigned IP address ranges. This is kind of the reverse of what the BBC does for access to iPLayer (at least I think it is, haven’t verified this). I’m sure there will be holes even so (e.g. companies with their own IP address ranges in multiple locations and access through VPN tunnels terminating in the US) but it would be hard to prove that access comes from the UK in such cases so Eady & co might not be able to defend a claim of jurisdiction.

Leave a Reply

Your email address will not be published. Required fields are marked *