# The collateral damage of internet censorship by DNS injection

### Summary

* The Great Firewall of China injects DNS responses to restrict access to domain names
* This affects traffic originating outside China
  * 26.4% of open resolvers affected
  * .de is the most affected TLD (70% of open resolvers in kr)
* Explain how, where, and why this happens
* Present several possible solutions
* Restricting access to computers outside China

<figure><img src="https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2F1zsFYu8rZLjR522EpFFd%2Fimage.png?alt=media&#x26;token=75c3276b-8273-4b5a-b6f6-3d15311c74c0" alt=""><figcaption><p>DNS Explain </p></figcaption></figure>

<figure><img src="https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2Fkm7ODSPYLLJMHG9QilLH%2Fimage.png?alt=media&#x26;token=80b0b7ca-d8c6-4dfd-96bc-e9669c6fadb6" alt=""><figcaption><p>DNS Injection</p></figcaption></figure>

* DNS injection
  * Affects both inbound and outbound queries
  * Typically does not suppress the "correct" response; it simply wins the race to respond
  * Query traversing a Chinese AS --> a response carrying a different IP address [injected responses]
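Because the injector does not suppress the genuine answer, a resolver that keeps every UDP response for a transaction ID sees two conflicting answers for the same query. The following is an added example (not code from the notes or the paper) that builds DNS A responses in wire format, parses them, and flags transaction IDs with conflicting answer sets; the capture and IP addresses are constructed test data.

```python
import struct
from collections import defaultdict

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def make_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed DNS A response: standard answer, one question, one A record."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # answer: name pointer to offset 12, type A, class IN, TTL 60, rdlength 4
    rdata = bytes(int(o) for o in ip.split("."))
    return hdr + question + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata

def parse_a_response(pkt: bytes):
    """Return (txid, sorted tuple of IPv4 answers); handles label pointers in answer names."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):                      # skip the question section
        while pkt[pos]:
            pos += pkt[pos] + 1
        pos += 1 + 4
    ips = []
    for _ in range(an):
        if pkt[pos] & 0xC0 == 0xC0:          # compression pointer (2 bytes)
            pos += 2
        else:
            while pkt[pos]:
                pos += pkt[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[pos:pos + 4]))
        pos += rdlen
    return txid, tuple(sorted(ips))

def find_injected(packets):
    """Group responses by transaction id. A txid with more than one distinct
    answer set is the race-to-respond signature; the caller still has to decide
    which answer is genuine (e.g. via DNSSEC or a known lemon-IP list)."""
    seen = defaultdict(set)
    for pkt in packets:
        txid, ips = parse_a_response(pkt)
        seen[txid].add(ips)
    return {t: sorted(s) for t, s in seen.items() if len(s) > 1}

# Constructed capture: txid 0x1234 received two different answers for one query,
# txid 0x5678 received a single consistent answer. IPs are from documentation ranges.
CAPTURE = [
    make_response(0x1234, "example.net", "203.0.113.9"),
    make_response(0x1234, "example.net", "198.51.100.7"),
    make_response(0x5678, "example.org", "192.0.2.1"),
]
```

Running `find_injected(CAPTURE)` reports only txid 0x1234, with both answer sets, so an operator can see which queries on a path are being raced rather than guessing from a single response.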

### Methodology

* HoneyQueries: detect which autonomous system paths are subject to DNS injection
  * DNS queries for sensitive domains, sent to unresponsive IPs
  * Assumption: every observed DNS response comes from a DNS injector
  * Sent from a single vantage point (AS 40676)
  * 14 million IPs that cover /24 subnets
  * Paths are spread out to discover all injecting autonomous systems
  * Record the IPs in the responses: lemon IPs
  * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FK7ymDRWDzJ4aUy4sYHR7%2Fimage.png?alt=media\&token=42603e1e-54c8-488c-8a9e-a3cf6bf205d0)
  * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FtuFMbG3tVfQOO1bI2AFx%2Fimage.png?alt=media\&token=25577745-9600-4d6e-a90a-97d1f9a07e96)
* TraceQueries: identify location of injectors on affected paths
  * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FQj3AdFmi2LR9JI9MhZYg%2Fimage.png?alt=media\&token=feddc76a-eae2-4cc2-8f35-a0d4e5bec605)
  * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FGEkYTjry4aaG0RQhZRgg%2Fimage.png?alt=media\&token=3ad96370-6d90-4a4c-aa27-79f3c0c56033)
  * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FEPBtLk1AyQTMkYErUpeo%2Fimage.png?alt=media\&token=54ebfe8e-7ed8-4025-9235-2bab7242d6b4)
    * TCP-based queries are not subject to injection
* StepNXQueries: measure the collateral damage of DNS injection
  * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FhFUwnOS0jcFmAG6AszUs%2Fimage.png?alt=media\&token=52fd3e56-f754-4f4f-8b79-106644c890f2)
  * Who's affected
    * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FghmJ5bl7Stl813L5TqDE%2Fimage.png?alt=media\&token=7475e5c0-6d38-4a66-8cb5-43407fb5ccc5)
    * This is surprising!
    * Whose resolvers?
      * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FU6XWcTlZzFonOSE31dCp%2Fimage.png?alt=media\&token=e55491fb-6cca-4270-85e5-eee37c11ac13)
  * Details
    * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FpMYqad4E0WdrVvn68VdE%2Fimage.png?alt=media\&token=15fe03eb-a012-4780-8335-b04f6e00dcd1)
    * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FOayhd28xabCp39nIUfme%2Fimage.png?alt=media\&token=a3eed3f6-5f81-47ea-8f14-af9ae123b2c9)
* Solutions
  * DNS injectors could filter out transit queries
  * Autonomous systems could avoid transit through injecting neighbors
    * In particular, TLD operators could monitor their peering paths
  * Security extensions for DNS (DNSSEC) prevent injection
    * DNSSEC responses are signed
    * Resolvers would reject the injected (unsigned) responses and accept the slower ones from the authoritative servers
    * .de and .kr both support DNSSEC
* Conclusion
  * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FiLU8Mojdc57PF0DK1o7g%2Fimage.png?alt=media\&token=c6b36a3d-6e60-4bfc-a32a-e5123baf68f6)
