The collateral damage of internet censorship by DNS injection
https://conferences.sigcomm.org/sigcomm/2012/paper/ccr-paper266.pdf
Great Firewall of China injects DNS responses to restrict access to domain names
This affects traffic originating outside China
26.4% of open resolvers outside China are affected
.de is the most affected TLD (for .kr, 70% of open resolvers are affected)
Paper explains how, where, and why this happens
Presents several possible solutions
Restricting access to computers outside China
DNS injection
Affects both inbound and outbound queries
Typically does not suppress the "correct" response; the forged response simply wins the race by arriving first
Any query whose path transits an injecting Chinese AS --> gets a response with a different (bogus) IP address [injected responses]
HoneyQueries: detect which autonomous systems (and which paths) perform DNS injection
DNS queries for sensitive domains, sent to unresponsive IPs (no DNS server listening), so any reply must be injected
Assumptions: all observed DNS responses are from DNS injectors
Sent from a single vantage point (AS 40676)
14 million target IPs, covering the /24 subnets of the address space
Targets spread across many paths so that every injecting autonomous system is traversed
Record IPs in responses: lemon IPs
TraceQueries: identify location of injectors on affected paths
TCP-based DNS queries are not subject to injection
StepNXQueries: measure collateral damage of DNS injection
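An offline model of the HoneyQueries and TraceQueries measurements, added here as an illustration (not the paper's own code). It assumes the paper's setup: a honey target is an IP address on which no DNS server listens, so any well-formed reply that matches the query's transaction ID and question can only have been injected on-path, and a query re-sent at increasing IP TTLs first draws an injected reply at the injector's hop. The domain name, transaction ID, and the 203.0.113.7 answer address are constructed for the example.

```python
# Added example (not the paper's code): offline model of HoneyQueries /
# TraceQueries.  Assumption: the honey target runs no DNS server, so a reply
# matching our txid and question must have been injected on-path.  The name,
# txid and answer IP below are constructed sample values.
import socket
import struct
from typing import Dict, List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Minimal A/IN query: header (RD set, qdcount=1) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data: bytes, off: int) -> Tuple[str, int]:
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_reply(data: bytes) -> Tuple[int, str, List[str]]:
    """Return (txid, question name, A-record IPs) from a DNS response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = decode_name(data, off)
        off += 4                                        # qtype + qclass
    ips = []
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, qname, ips


def build_forged_reply(query: bytes, ip: str) -> bytes:
    """Constructed sample of an injector's reply: echoes the question and
    answers it with a bogus A record (owner name compressed to offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def lemon_ips(query: bytes, reply: bytes) -> Optional[List[str]]:
    """HoneyQuery check: nothing legitimate answers at the target, so a reply
    matching our txid and question is injected.  Returns the injected
    ('lemon') IPs, or None if the packet is unrelated traffic."""
    sent_txid = struct.unpack("!H", query[:2])[0]
    sent_name, _ = decode_name(query, 12)
    try:
        txid, qname, ips = parse_reply(reply)
    except (ValueError, IndexError, struct.error):
        return None
    if txid != sent_txid or qname.lower() != sent_name.lower():
        return None
    return ips


def locate_injector(query: bytes, replies_by_ttl: Dict[int, Optional[bytes]]) -> Optional[int]:
    """TraceQuery logic: the query is re-sent with increasing IP TTL; the
    smallest TTL that still draws an injected reply is the injector's hop."""
    for ttl in sorted(replies_by_ttl):
        reply = replies_by_ttl[ttl]
        if reply is not None and lemon_ips(query, reply) is not None:
            return ttl
    return None


if __name__ == "__main__":
    q = build_query(0x1A2B, "www.blocked.example")          # constructed name
    forged = build_forged_reply(q, "203.0.113.7")            # constructed lemon IP
    print("lemon IPs:", lemon_ips(q, forged))
    print("injector at hop:", locate_injector(q, {3: None, 4: None, 5: forged, 6: forged}))
```

To run this against a real path you would send `build_query(...)` over UDP to a honey target and feed whatever comes back to `lemon_ips`; the txid/question match filters out stray packets, and a TTL sweep with `locate_injector` narrows the hop at which the forged answer is produced.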
Who's affected
This is surprising!
Whose resolvers?
Details
Solutions
DNS injectors could filter out transit queries
Autonomous systems could avoid transit through injecting neighbors
In particular, TLD operators could monitor their peering paths
DNS Security Extensions (DNSSEC) prevent injection
DNSSEC responses are signed; an injector cannot forge a valid signature
Validating resolvers would reject the injected responses and accept the slower, signed ones from the authoritative servers (requires both signed zones and resolvers that validate)
.de and .kr both support DNSSEC
Conclusion