Mauritius DNSSEC Validation

14 May 2025 by S. Moonesamy

DNS interference

One of the newspapers in Mauritius reported that the Internet regulator for Mauritius issued a directive in February 2024 which required Internet Service Providers (ISPs) to install filtering infrastructure to block harmful content. According to MC Vision, this is a major step forward in the fight against piracy. MC Vision is a joint venture between Currimjee Jeewanjee and CANAL+, a major French media company. The directive could be a response to a complaint relating to broadcast rights. A filtering infrastructure generally intercepts or interferes with the Domain Name System.

Domain Name System

A domain name is an easily recognized address on the Internet. The address is usually a combination of letters (a-z), digits (0-9), and one or more dots. www.google.mu, for example, is the domain name for Google's search engine in Mauritius.

Web browser on smartphone

Domain names are organized in a hierarchy. The part of the domain name, reading from right to left, up to the first dot is known as the top level domain. The top level domain in the previous example was .mu, which is also the country code top level domain assigned to Mauritius.

Root Zone and Top Level Domains

Another address which is used on the Internet is an IP address. A domain name record maps a domain name to an IP address. A web browser looks up that record by asking the operating system of the computer to send a DNS query to a (recursive) domain name server. It then sends a request to the IP address to retrieve a web page.

The user historically relied on the company operating the (recursive) domain name server to provide an accurate DNS answer.

Accurate DNS answer

The (recursive) domain name server in the first example (included below) provided an accurate DNS answer for the l.facebook.com record.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36307
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;l.facebook.com. IN A
;; ANSWER SECTION:
l.facebook.com. 300 IN CNAME z-m.c10r.facebook.com.
z-m.c10r.facebook.com. 60 IN A 57.144.138.6
;; Query time: 315 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)

Inaccurate DNS answer

The DNS answer for the l.facebook.com record from another domain name server was inaccurate. The service running at the 89.208.103.43 IP address was used by spam advertising sites.

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26741
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;l.facebook.com. IN A

;; ANSWER SECTION:
l.facebook.com. 0 IN A 89.208.103.43

;; Query time: 4 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)

Domain Name System Security Extensions

Domain Name System Security Extensions (DNSSEC), introduced in 2010, allow cryptographic signatures to be used to validate whether a DNS answer is authentic, that is, whether the record matches what the operator of the zone signed.

DNSSEC for elandsys.com

The (recursive) domain name server running on IP address 192.168.0.1 uses DNSSEC to validate DNS records. The DNS record could not be validated in the example below, so the server returned SERVFAIL together with an Extended DNS Error explaining why:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9990
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 6 (DNSSEC Bogus): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 3c 64 6e 73 73 65 63 2d 66 61 69 6c 65 64 2e 6f 72 67 2e 20 41 20 49 4e 3e 3a 20 6e 6f 20 6b 65 79 73 20 68 61 76 65 20 61 20 44 53 20 77 69 74 68 20 61 6c 67 6f 72 69 74 68 6d 20 52 53 41 53 48 41 31 20 66 72 6f 6d 20 36 39 2e 32 35 32 2e 32 35 30 2e 31 30 33 20 66 6f 72 20 6b 65 79 20 64 6e 73 73 65 63 2d 66 61 69 6c 65 64 2e 6f 72 67 2e 20 77 68 69 6c 65 20 62 75 69 6c 64 69 6e 67 20 63 68 61 69 6e 20 6f 66 20 74 72 75 73 74 ("validation failure <dnssec-failed.org. A IN>: no keys have a DS with algorithm RSASHA1 from 69.252.250.103 for key dnssec-failed.org. while building chain of trust")
;; QUESTION SECTION:
;dnssec-failed.org. IN A

;; Query time: 5005 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)

DNSSEC for .mu domain names

The .mu ccTLD (country code top level domain) enabled DNSSEC in March 2025. It is currently possible to validate .mu domain names whose zones are signed. cloud.mu is DNSSEC enabled; note the ad (authenticated data) flag in the answer and the RRSIG record returned because the query set the do flag:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41641
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;cloud.mu. IN A

;; ANSWER SECTION:
cloud.mu. 85 IN A 172.66.40.229
cloud.mu. 85 IN A 172.66.43.27
cloud.mu. 85 IN RRSIG A 13 2 300 (
20250515192516 20250513172516 34505 cloud.mu.
jm3tzK5O1l7XlN6CXhISMfREuARiB1TPoShosFmMhA7t
hLN7akPCWUjLq/RA6TwYd3MVljQkjcch6JZVhIOL5g== )

;; Query time: 1 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
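As an added example (not part of the original article), the following Python distinguishes the three kinds of resolver answer shown above: NOERROR with the ad flag (validated), SERVFAIL carrying EDE 6 (bogus), and NOERROR without ad (not validated). It also decodes the hex EXTRA-TEXT of the Extended DNS Error. The dig excerpts are constructed, abbreviated from the outputs on this page.

```python
import re

# Constructed dig excerpts, abbreviated from the three answers shown on this page.
VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41641
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
cloud.mu. 85 IN A 172.66.40.229
cloud.mu. 85 IN RRSIG A 13 2 300 ( 20250515192516 20250513172516 34505 cloud.mu. ... )"""

BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9990
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1232
; EDE: 6 (DNSSEC Bogus): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 ("validation failure")"""

UNVALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26741
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1280
l.facebook.com. 0 IN A 89.208.103.43"""


def parse_dig(text):
    """Pull the DNSSEC-relevant fields out of dig's textual output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    # Extended DNS Error (RFC 8914): numeric code, then EXTRA-TEXT shown by dig as hex bytes.
    ede = re.search(r"^; EDE: (\d+) \([^)]*\):((?: [0-9a-f]{2})*)", text, re.M)
    ede_code = int(ede.group(1)) if ede else None
    ede_text = (bytes.fromhex(ede.group(2).replace(" ", "")).decode("ascii", "replace")
                if ede else None)
    return {
        "status": status.group(1) if status else None,
        "flags": flags.group(1).split() if flags else [],
        "ede": ede_code,
        "ede_text": ede_text,
        # RRSIG records are only returned when the query set the DO (DNSSEC OK) bit.
        "rrsig": " IN RRSIG " in text,
    }


def classify(text):
    """validated: resolver set ad; bogus: SERVFAIL with EDE 6; unvalidated: plain answer."""
    info = parse_dig(text)
    if info["status"] == "SERVFAIL" and info["ede"] == 6:
        return "bogus"
    # The ad flag is only as trustworthy as the path to the resolver that set it,
    # which is why a validating resolver on the local network (or on the host) matters.
    if info["status"] == "NOERROR" and "ad" in info["flags"]:
        return "validated"
    if info["status"] == "NOERROR":
        return "unvalidated"
    return "other"
```

Feeding the output of `dig +dnssec <name>` to classify() gives the same three verdicts for a live resolver.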

Conclusion

Internet users rely on a (recursive) domain name server for accurate DNS answers. Domain name registrants could consider whether it would be useful to Internet users if their domain name records can be validated. Companies operating (recursive) domain name servers could consider whether to deploy DNSSEC validation on their servers to detect DNS interference and to send reliable DNS answers.

References

1. "Blocage des sites pirates: MC Vision et Mauritius Telecom à l'abordage", lexpress.mu, July 2024

2. "MC Vision - Currimjee Group", www.currimjee.com

3. "Droits de Diffusion : L'ICT Appeal Tribunal renverse une décision de l'ICTA", lemauricien.com, September 2018

4. "DNSViz", Sandia Corporation, March 2025
