In September 2024, the Malaysian Communications and Multimedia Commission (MCMC) instructed local internet service providers — including the country's main mobile network operators Maxis, CelcomDigi, U Mobile and YTL Communications (Yes) — to redirect customer DNS queries away from public resolvers such as Google's 8.8.8.8 and Cloudflare's 1.1.1.1 toward locally operated DNS servers. The aim was simple and explicit: ensure that when MCMC orders a website blocked, mobile and fixed-line users in Malaysia cannot trivially escape that block by changing a setting on their phone.
After a sharp public and industry backlash, MCMC suspended the directive within days. But the underlying policy reflex did not go away. Almost eighteen months later, the same enforcement logic is being routed through new and more durable instruments: the social media Class License regime that took effect on 1 January 2025 under the Communications and Multimedia Act 1998 (CMA), and the Online Safety Act 2024 (Act 859), which together hand the regulator far broader powers to compel ISPs and platforms to act on its instructions.
What the DNS Order Actually Did
DNS — the Domain Name System — is how a browser translates 'peopleofinternet.com' into the numeric address of a server. Public resolvers run by Google, Cloudflare and Quad9 are popular because they are fast, encrypted (via DNS-over-HTTPS and DNS-over-TLS) and operate outside any single jurisdiction. When MCMC issues a blocking order, ISPs traditionally enforce it at their own resolvers. Users who switch their phone to 8.8.8.8 simply bypass that block.
The September 2024 directive sought to close that loophole at the network layer by transparently rerouting outbound DNS traffic on port 53 back to ISP infrastructure. In practice this is a form of state-mandated traffic interception. It does not 'shut down' the mobile internet in the dramatic sense of an outage, but it does narrow what users can reach from a Malaysian SIM — and it does so silently, without the user ever knowing a redirection occurred.
Why the Backlash Mattered
Civil society groups, technologists and parts of the local tech press warned that the order created three concrete harms:
- Security regression. Forcing traffic through ISP resolvers strips users of encrypted DNS and the integrity guarantees of independent providers. That weakens defences against DNS spoofing and phishing — the very threats MCMC says it wants to fight.
- Performance degradation. Many Malaysian businesses, CDNs and SaaS deployments are tuned around major public resolvers. Silent interception introduces latency and breakage that disproportionately hits smaller firms without enterprise networking teams.
- Scope creep. A redirection pipe built for, say, gambling sites is trivially repurposed for political speech, opposition outlets, or VPN providers. The infrastructure does not care what is on the blocklist.
To MCMC's credit, the agency listened. The directive was paused. But the suspension was framed as a delay, not a reversal, and the regulator has continued to lean on the same theory of enforcement through 2025 and into 2026.
The Class License and the Online Safety Act
The more consequential shift is statutory. Under guidelines issued in 2024 by MCMC, any social media or internet messaging service with more than eight million users in Malaysia must register for a Class License under the CMA. Non-registration is itself an offence. Once a service is licensed — or refuses to be — MCMC can direct mobile and fixed ISPs to throttle or block it.
Layered on top is the Online Safety Act 2024, which Parliament passed in December 2024. The Act introduces duties of care on 'application service providers' for categories of 'harmful content', and gives MCMC and the courts powers to order takedowns and access restrictions, with criminal liability for non-compliance. Together, the Class License and Act 859 make the September 2024 DNS order look less like an outlier and more like a draft of standard operating procedure.
A Proportionate Path Forward
There are real harms online — scams targeting Malaysian seniors, non-consensual intimate imagery, child sexual abuse material — and a regulator has every right to act on them. But the lesson from the DNS episode is that how you act matters as much as what you act on. Network-level interception of cryptographic infrastructure is a heavy tool. It is also a brittle one: users who care will simply switch to encrypted DNS-over-HTTPS, leaving the order to bite hardest on the least technical citizens while doing little against determined bad actors.
A more proportionate model would do three things. First, target the platform layer with clear, narrowly drawn obligations — the Class License framework can be tightened to focus on illegal content rather than 'undesirable' speech, with judicial review of blocking orders. Second, leave the DNS and routing layers alone; Malaysia's reputation as a regional data-centre hub depends on the open, neutral internet stack that operators like Maxis and CelcomDigi sell to multinational customers. Third, publish blocking orders. Transparency is the cheapest accountability mechanism available, and it disciplines regulators and platforms alike.
Malaysia has spent two decades positioning itself as the open, business-friendly alternative in Southeast Asia's digital economy. The suspended DNS directive was a reminder of how quickly that positioning can be undermined by a single enforcement instinct. The Class License and Online Safety Act will define the next chapter — and the question for Putrajaya in 2026 is whether the country's regulatory toolkit grows in the direction of due process and platform accountability, or in the direction of quiet, network-layer control.