The collateral damage of internet censorship by DNS injection

https://conferences.sigcomm.org/sigcomm/2012/paper/ccr-paper266.pdf

Summary

• Great Firewall of China injects DNS responses to restrict access to domain names

• This affects traffic originating outside China

  • 26.4% of open resolvers affected

  • .de is the most affected TLD (70% of open resolvers in kr)

• Explain how, where, and why this happens

• Present several possible solutions

• Restricting access to computers outside China

DNS Explain

DNS Injection

• DNS injection

  • Affects both inbound and outbound queries

  • Typically does not suppress "correct" response, wins the race to respond

  • Query to Chinese AS --> respond a different IP address [injected responses]

Methodology

• HoneyQueries: detect autonomous system paths to whom see DNS injection

  • DNS query to sensitive domains, sent to unresponsive IP

  • Assumptions: all observed DNS responses are from DNS injectors

  • Sent from a single vantage point (AS 40676)

  • 14 million IPs that cover /24 subnets

  • Paths spread to discover all injecting autonomous systems

  • Record IPs in responses: lemon IPs

  • 

  • 

• TraceQueries: identify location of injectors on affected paths

  • 

  • 

  • 

    • TCP-based queries will not be injected against

• StepNXQueries: measure collateral damage of DNS injection

  • 

  • Who's affected

    • 

    • This is surprising!

    • Whose resolvers?

      • 

  • Details

    • 

    • 

• Solutions

  • DNS injectors could filter out transit queries

  • Autonomous systems could avoid transit through injecting neighbors

    • Particularly, TLD operators could monitoring peering paths

  • Security extensions for DNS (DNSSEC) prevent injection

    • DNSSEC has signed responses

    • Resolvers would reject injected responses, accept slower ones from authoritative servers

    • .de and .kr both support DNSSEC

• Conclusion

  •