The collateral damage of internet censorship by DNS injection


  • Great Firewall of China injects DNS responses to restrict access to domain names

  • This affects traffic originating outside China

    • 26.4% of open resolvers affected

    • .de is the most affected TLD (70% of open resolvers in kr)

  • Explain how, where, and why this happens

  • Present several possible solutions

  • Restricting access to computers outside China

  • DNS injection

    • Affects both inbound and outbound queries

    • Typically does not suppress "correct" response, wins the race to respond

    • Query to Chinese AS --> respond a different IP address [injected responses]


  • HoneyQueries: detect autonomous system paths to whom see DNS injection

    • DNS query to sensitive domains, sent to unresponsive IP

    • Assumptions: all observed DNS responses are from DNS injectors

    • Sent from a single vantage point (AS 40676)

    • 14 million IPs that cover /24 subnets

    • Paths spread to discover all injecting autonomous systems

    • Record IPs in responses: lemon IPs

  • TraceQueries: identify location of injectors on affected paths

      • TCP-based queries will not be injected against

  • StepNXQueries: measure collateral damage of DNS injection

    • Who's affected

      • This is surprising!

      • Whose resolvers?

    • Details

  • Solutions

    • DNS injectors could filter out transit queries

    • Autonomous systems could avoid transit through injecting neighbors

      • Particularly, TLD operators could monitoring peering paths

    • Security extensions for DNS (DNSSEC) prevent injection

      • DNSSEC has signed responses

      • Resolvers would reject injected responses, accept slower ones from authoritative servers

      • .de and .kr both support DNSSEC

  • Conclusion

Last updated