Measurement of Globally Visible DNS Injection

DNS injection mechanics
Figure 1: DNS injection is router-level DNS spoofing. It may occur at any hop on the path to the destination name server.

DNS injection is an Internet censorship to block name resolution of blacklisted domain names. The method is an on-path DNS spoofing attack: do deep packet inspection on all DNS queries that pass a router and inject spoofed responses back to the query sender. The injected response contains an answer IP address (A resource record) that diverts the user application to the wrong server or to an unreachable destination.

Note that DNS injection is different from blocking domain names on recursive resolvers. Recursive resolvers are DNS servers, typically at the ISP premises, which handle the domain name resolution functionality for end hosts. Blocking domain names on recursive resolvers (DNS hijacking) affects only the users of the resolver. It is the most prevalent form of DNS blocking, used e.g. in Bulgaria, Colombia, Denmark, Indonesia, Singapore and Turkey (incomplete list). DNS injection, however, affects users of other resolvers as well and may affect unrelated third-parties whose traffic is routed through the censored network.

For more information please refer to our paper.
Matthäus Wander, Christopher Boelmann, Lorenz Schwittmann, Torben Weis: Measurement of Globally Visible DNS Injection (PDF).

The raw measurement data is available for public download.

DNS Injection in China

DNS injection is part of the Golden Shield Project (Great Firewall of China) in the People's Republic of China. When a DNS query for a blocked domain name traverses an injecting Chinese network, the query is not taken off the network. It is thus common to receive more than one spoofed response, one for each injecting router on the path to the destination. The genuine response is also not suppressed, but the spoofed responses have a head start over the genuine one, as the injecting device is topologically closer to the user than the destination name server is.

DNS injection in China
Figure 2: DNS injection when querying an open resolver in China.

Figure 2 shows an example with a query for facebook.com sent to an open resolver in China. We receive two bogus injected responses and one response from the open resolver. The response from the open resolver is also bogus because the resolver is affected by DNS injection itself and caches an incorrect resource record.

Test for yourself: $ dig facebook.com @123.123.123.123. There is currently no resolver listening on the destination address, you will thus receive only responses for blocked domain names. Observe duplicate responses with Wireshark or tcpdump.

The following is a list of domain names that we found to be blocked by DNS injection. Note that the list is incomplete and also does not include domain names blocked by other methods, e.g. filtering of HTTP content.

▼ List
Link: dnsinjection-cn-domains.json

Detection

Bogus responses contain an A resource record with an IP addresses randomly chosen from a fixed set of bad IP addresses. The list of bad IP addresses can be used to detect whether a bogus response has been received. The list varies, however, depending on the blocked domain name. As we do not know the full blacklist, the list of bad IP addresses is likely to be incomplete as well.

▼ List
Link: dnsinjection-cn-ips.json

Impact on Foreign Networks

Measurement of the query paths between 254,610 open resolvers and 1,144 root and top-level domain name servers outside of China shows that 15,225 (6%) open resolvers world-wide are affected by DNS injection. The vast majority was only affected on the path to one particular TLD server for which an anycast instance is hosted in Beijing, China. There was no evidence for DNS traffic with destinations outside of China to be affected by DNS injection on a larger scale. However, this may be specific to the root and TLD name servers. We suggest to compare the local name resolution against the above list of bad IP addresses to identify occurrence of DNS injection for second-level domains.

DNS Injection in Iran

DNS injection in Iran
Figure 3: DNS injection when querying an open resolver in Iran.

This example in Figure 3 shows a UDP-based DNS query from outside of Iran to an open resolver in Iran. The DNS filter does not only inject a spoofed response but also seems to drop the unwanted DNS query. Despite not sending any TCP packets, we receive two TCP segments with an HTTP 403 error and FIN/ACK bits set and three TCP RST packets.

The list of domain names found to be blocked by DNS injection is short. The DNS blacklist seems to cover only a minor portion of websites which have been reported to be blocked by HTTP-based filters in Iran.

▼ List
Link: dnsinjection-ir-domains.json

During our measurements we observed a decline of spoofed responses from Iranian networks for facebook.com and twitter.com in mid 2013. This coincided with a report from The Guardian in July 2013 about newly elected President of Iran Hassan Rouhani who spoke out to loosen filtering of social media. However, a few weeks later the results were back to the original numbers. The incident can be interpreted as a lack of legal clarity and political uncertainty about the blocking of social media in Iran.

Affected Chinese and Iranian networks
Figure 4: Comparison of affected networks in China and Iran over time.

Detection

The Iranian DNS injection filter returns an A resource record with IP address 10.10.34.34, a private address as per RFC 1918.

Mitigation

For users outside of the censoring regions cryptographic DNS extensions like DNSSEC, DNSCurve or TSIG help to mitigate the effect of DNS injection. When a bogus response is detected, the resolver still has a chance to receive the correct response or to retry with another name server to which the path may be free from DNS filters. DNSSEC is the most frequently used cryptographic DNS protocol, but is not universally deployed.

Users inside a censoring region probably have the additional requirement of accessing websites privately and should rely on TOR or VPNs for that purpose.

Contact

<dns@vs.uni-due.de>
Matthäus Wander, Christopher Boelmann, Lorenz Schwittmann, Torben Weis