
DNS Cache Poisoning in the People's Republic of China
Added September 06, 2011 @ 11:05 pm

  

Internet censorship in the People's Republic of China is the modern-day manifestation of China's long history of literary censorship. In 213 B.C. Emperor Qin Shi Huang ordered that almost all books, with few exceptions, be burnt, in order to prevent comparisons of his rule with that of past rulers. Some 2000 years later, with the rise to power of the Chinese Communist Party, censorship in the People's Republic of China increased yet again.

Since its rise to power in 1949, the Chinese Communist Party has mandated that countless films, books, newspapers and television shows be destroyed or cancelled. In its constant battle to prevent negative images of its time in power, the People's Republic of China has adapted its censorship for modern times with the introduction of the 'Golden Shield' Project by the Ministry of Public Security. The goal of this project was to implement what is now known as the 'Great Firewall of China', a system that allows the Chinese Communist Party to control Internet use within China.

This system uses a number of different techniques to achieve this goal; one of the more common is DNS cache poisoning (strictly speaking, the on-path injection of forged DNS responses). This article covers the basics of DNS cache poisoning and then takes a look at how it has been implemented by the Great Firewall of China.

Domain Name System (DNS) basics

First, it is prudent to quickly describe how DNS functions. After you enter a domain name into your browser, your computer needs to determine the IP address associated with that domain name in order to know which server to retrieve the content from.

When determining this IP address, the system first checks whether the information is available in a local DNS cache and, if not, asks the DNS servers (recursive resolvers) currently configured for your machine. These servers then issue a series of queries: first to the 'root' servers, then to the servers for that domain's extension (e.g. the servers for .com), and finally to the authoritative servers for the specific domain.

Once the DNS server has retrieved the IP address from the authoritative servers, it will most likely cache it locally for a set period (the record's TTL), so that the series of queries need not be repeated, before returning the IP address to your computer. You can see what data is returned from a DNS query using our DNS Record Lookup tool.

The following is a sample of how this process works:
  1. You enter 'google.com' into your browser.

  2. Your computer cannot find the IP address for this domain in a local cache, and hence connects to the currently configured DNS servers (possibly those of your Internet Service Provider) and requests the IP address of 'google.com'.

  3. The DNS servers query the root DNS servers, which refer the query to the generic top-level domain (gTLD) servers for all .com domains, which in turn refer it to Google's nameservers.

  4. These nameservers will respond with the IP address for this domain (e.g. 74.125.237.80).

  5. The DNS server will then cache this IP address and forward it to your computer.

  6. Your computer will then connect to the IP address received (74.125.237.80) and ask for the content for 'google.com'.

What is DNS Cache Poisoning?

DNS cache poisoning, in the broad sense used here, is where the IP address returned by a domain's authoritative nameservers is tampered with before it reaches the end user. As this information must travel through any number of systems before reaching the end user, there are many places where this can occur: at a compromised router within your Internet Service Provider, at a transparent DNS server located in the path, or even locally on the end user's machine as a result of malware.

Let us consider the above example, but with DNS cache poisoning present. The scenario would go as follows:
  1. You enter 'google.com' into your browser.

  2. Your computer cannot find the IP address for this domain in a local cache, and hence connects to the currently configured DNS servers and requests the IP address of 'google.com'.

  3. The DNS servers query the root DNS servers, which refer the query to the generic top-level domain (gTLD) servers for all .com domains, which in turn refer it to Google's nameservers.

  4. These nameservers will respond with the IP address for this domain (e.g. 74.125.237.80).

  5. The DNS server will then cache this IP address and then attempt to forward it to your computer.

  6. Whilst this information is in transit back to your computer, it passes through a number of other systems (servers, routers, etc.). In this example, one of these systems has been configured to 'poison' all DNS data that matches 'google.com', and so modifies the reply to contain a different IP address (e.g. 123.123.123.123).

  7. Your computer will then connect to this IP address (123.123.123.123) and ask for the content for 'google.com'. As the server at this IP address is not the correct server for this domain name, either the site will not load or another site may be loaded instead.

DNS cache poisoning can also have (debatably) legitimate uses, such as an Internet Service Provider returning a search page for every domain name that does not exist. If you have ever mistyped a domain name and been shown a search result from your ISP instead of a standard error message, you have seen DNS poisoning in action.

DNS Cache Poisoning in the People's Republic of China

Operated by the Ministry of Public Security, the Great Firewall of China has the capability to manipulate any DNS response that passes into or out of the country, based on certain keywords. This is possible because the Chinese Communist Party controls all international-level routers within China. As soon as DNS traffic matching a given keyword is identified, a response with altered contents is sent back to the end user. In practice the firewall does not even need to rewrite the genuine packet: injecting a forged answer that arrives before the real one is enough, because a resolver accepts the first response whose transaction ID and question match its outstanding query.

Let's consider a domain name that has been blocked in China for some time: facebook.com. If we perform a DNS Record Lookup for this domain name from within the United States, the following IP addresses are returned:

[Figure: DNS Record Lookup results for facebook.com (a real-time lookup is available on the site)]


If we query the same domain from servers within China (using the Chinese Firewall Test tool), we see IP addresses different from what we were expecting:

[Figure: Chinese Firewall Test results for facebook.com (real-time results are available on the site)]


Each time this test is run, the result varies.



We can confirm that the poisoning is keyword-based by performing a DNS query for an invalid domain name that contains the keyword 'facebook.com'. To do this, we simply attempt to look up the IP address of 'facebook.com.notarealdomain'. The server should return 'NXDOMAIN' in the response to indicate that the domain does not exist. For example:

[Figure: failed DNS record lookup (NXDOMAIN) for a domain containing facebook.com, from a US server]


If we perform the same query from a server in China, we get the following result:

[Figure: DNS record lookup for a domain containing facebook.com, from a Chinese server]


Notice how, instead of an 'NXDOMAIN' response, we receive a seemingly valid DNS response, complete with an incorrect, 'poisoned' IP address.
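The following is an added example, not code from the ViewDNS.info article or its tools. It shows, in working code, the two pieces the text relies on: the DNS wire format from the basics section (building a query and parsing a response, including RFC 1035 name compression), and the 'canary' check above: a query for a name that cannot exist must come back NXDOMAIN, so an A record in the reply means something on the path injected or rewrote the answer. The same check flags an ISP that answers non-existent names with a search page. The two sample responses are constructed by hand for the example (not captured traffic); the poisoned one carries 8.7.198.45, one of the addresses listed in the table below. The resolver address passed to send_query is whatever the reader chooses; nothing here is a real ViewDNS.info endpoint.

```python
"""Added example (not from the ViewDNS.info article): a minimal DNS wire-format
builder/parser plus the 'canary' check the text describes. A query for a name
that cannot exist (facebook.com.notarealdomain) must come back RCODE 3
(NXDOMAIN); an A record instead means something on the path injected or
rewrote the answer. The sample responses are constructed by hand; the
poisoned one uses 8.7.198.45, one of the addresses listed in the article."""
import socket
import struct
from collections import Counter

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """'a.b' -> b'\\x01a\\x01b\\x00' (uncompressed wire-format labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, txid=0x1234):
    """Standard recursive A query: 12-byte header (RD=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                     # RFC 1035 compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                         # caller resumes after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(pkt):
    """Return txid, RCODE name, question name and the A-record IPs in the answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        off += 4                                      # skip QTYPE, QCLASS
    ips = []
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                 # A record
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    rcode = flags & 0xF
    return {"txid": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "qname": qname, "ips": ips}

def classify_canary(resp):
    """For a name that cannot exist: NXDOMAIN is honest, any A record is injected."""
    if resp["ips"]:
        return "injected"
    return "honest" if resp["rcode"] == "NXDOMAIN" else "unexpected"

def tally_ips(responses):
    """Count answer IPs over repeated responses to build the 'poison' address list."""
    return Counter(ip for r in responses for ip in r["ips"])

def send_query(name, resolver, timeout=2.0):
    """Live form of the test (needs network, not run offline): first reply wins."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)

# Constructed sample responses (hand-built for the example, not captured traffic).
CANARY = "facebook.com.notarealdomain"
QUESTION = encode_name(CANARY) + struct.pack("!HH", 1, 1)
# flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN); no answer records.
HONEST_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
# flags 0x8180: RCODE=0 plus one A record whose name is a pointer to offset 12.
POISONED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
            + socket.inet_aton("8.7.198.45"))

if __name__ == "__main__":
    for label, pkt in (("US-style reply", HONEST_NXDOMAIN), ("poisoned reply", POISONED)):
        r = parse_response(pkt)
        print(f"{label}: {r['rcode']} {r['ips']} -> {classify_canary(r)}")
```

To run the live check, call send_query(CANARY, resolver) against a resolver whose path crosses the firewall and classify the result; repeating it and feeding the results to tally_ips reproduces the address list the article builds up by hand. Because a forged reply can arrive alongside the genuine one, a socket that reads only the first datagram sees whichever won the race, which is exactly the behaviour a real stub resolver has.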

By running either of these queries a number of times, it is possible to build up a list of the 'poisoned' results that may be returned. The following IP addresses were seen as responses to domains that are blocked in China, together with some information about each. Click the location or owner name for more real-time detailed information.

IP Address        Location        Owner
8.7.198.45        United States   ARIN
37.61.54.158      Europe          European Regional Registry
46.82.174.68      Germany         Deutsche Telecom
78.16.49.15       Ireland         Esat Telecommunications Limited
93.46.8.89        Italy           Fastweb
159.106.121.75    United States   DoD Network Information Center
203.98.7.65       New Zealand     Telstra Clear

List of IP addresses used by the Great Firewall of China in poisoned DNS responses



What is interesting about these IP addresses is that none appears to be under the control of the Chinese government. Note that the owners listed are simply the registrants of the address blocks; a forged DNS answer can name any address at all, so the registrant need not be involved in any way. Even so, at this point we are left with more questions than answers. Why are the IP addresses used by the Great Firewall of China not under Chinese control? Why does one IP address belong to the United States Department of Defense (DoD) Network Information Center?

Another interesting view can be obtained by entering these IP addresses into our Reverse IP Lookup tool. For example, entering the IP address 8.7.198.45 yields the following results:

[Figure: Reverse IP Lookup results for 8.7.198.45 (the full lookup is available on the site)]


The same test can be performed for each of the IP addresses identified as being used by the Great Firewall of China. From the above results it is clear that one of the keywords blocked by the Great Firewall of China is 'xxx.com': any domain containing this keyword is automatically DNS poisoned. Interestingly, testing a domain containing 'xxx.net' does not result in a poisoned response.

Keywords that appear to be blocked include:
  • twitter.com
  • xxx.com
  • 888sf.com
  • pk999.com
Any domain containing one of the above keywords will have its DNS response poisoned if visited from within China. The first keyword makes sense, as Twitter has not been available in China for a long time, but the last two keywords are something of a mystery.

Thanks to the unique views provided by the Chinese Firewall Test, Reverse IP Lookup and DNS Record Lookup tools, we are able to form a detailed picture on some of the inner workings of the Great Firewall of China.

Data for the Reverse IP Lookup tool is constantly updated, whilst the Chinese Firewall Test and DNS Record Lookup tools are dynamic and return real-time data. It may pay to keep an eye on your favourite sites: the Chinese Government changes its rules quite often (as it did in 2008 for the Olympic Games), and you could be the first to notice!

  

Do you have an idea for other research that can be conducted using tools provided by ViewDNS.info? Please send in your ideas!




All content 2014 ViewDNS.info