Doesn't ICANN have authority over which servers are designated as root servers? Granted, it would be difficult politically to tell China that they could not host root servers, but I think it would technically be possible. Editor's Note: http://www.icann.org/en/general/bylaws.htm#XI-2.3
DNS: When Governments Lie (1)
There’s been sudden interest recently in a Chinese route hijacking incident that occurred way back in April, brought about by a new report to the US Congress that highlighted the event (see pages 236-247). A second Chinese event, also in the report, has received almost no attention despite being much more interesting (technically, anyway). A Chinese DNS censorship incident occurred just one month earlier, in March, and although we already presented an analysis of that event (here and here), today we’ll provide an update on the incident and its scope. But first, let’s step back and get some context on events such as these, and see if the hype is warranted.
Remember What the Internet Is
The Internet is a globally distributed network without a central governing body. In other words, no one is in charge, folks. If you are expecting strict accountability, you’ve come to the wrong place. Furthermore, the Internet is a very complex system. Errors occur with some frequency, and occasionally have global impact. There have been plenty of them over the years (see our past blogs). No evidence has yet surfaced to convincingly suggest that either of these Chinese incidents was anything more than a mistake. The Internet was designed to be trust-based and these vulnerabilities are well-known and long-standing.
So maybe it wasn’t cyber-espionage after all. Let’s review the DNS event — very interesting in its own right — and you can decide for yourself. (And in the next installment of this blog, we’ll consider the general problem of hosting global services in a country known to tamper with Internet traffic.)
The Chinese DNS Problem
There are 13 different root nameserver IP addresses, referred to by the first 13 letters of the alphabet, namely, the A-root, B-root, …, M-root. These are the servers that tell you really basic things, like, ‘where’s dot com?’ At first glance this may seem like a pretty small set for the entire world, but they are replicated at hundreds of locations. The J-root is the most prolific, found worldwide at 70 different sites.And instances of the F-, I- and J-roots are all found in Beijing, China, which lays the seeds for a potential problem. If you live outside of China and by chance query a root nameserver hosted in China, your queries will pass through what is known as the The Great Firewall, potentially subjecting you to the same censorship imposed on Chinese citizens.
With respect to DNS, such censorship typically involves intentionally returning incorrect answers to the blacklisted domains. (See The Great DNS Wall of China for more technical details.) It would seem that the root nameservers in China are typically excepted from this behavior when queried from outside the country, but for unexplained reasons that allowance temporarily disappeared for the I-root back in March. (See our AMS-IX talk for more details.) That is, queries to the I-root from outside of China for popular domains such as Facebook or Twitter suddenly started returning incorrect answers. Due to the vagaries of Internet routing, web surfers around the world found themselves essentially blocked from these sites — exactly as if they lived in China. While the exception for the I-root was eventually reestablished, no reason for the apparent snafu was offered.
But isn’t it unusual for someone outside of China to query a Chinese root server?
No, not at all.
On the Internet, you will often query “nearby” servers, but the concept of “nearby” is not the same in the cyber world as it is in the physical one. Rather, distance is measured in terms of existing business relationships. If your Internet service provider has a relationship with China Telecom, the root nameservers in China may by “closer” to you than identical ones in your own country, and hence preferred.
Renesys collects routing data from hundreds of locations (BGP peers) around the world. From this, we can observe when the IP space (prefixes) for the root nameservers propagate from domestic Chinese providers to non-Chinese ones. When this happens, routes to Chinese root nameservers are visible outside of the country and these servers will end up being queried from non-Chinese hosts. The following graph shows the number of our non-Chinese sources observing and selecting routes to the F-, I- and J-root nameservers via Chinese providers over the course of 2010.
Ok, but that’s just a fraction of your data sources. How many affected people are we talking about here?
More than you might think!
While the total number of providers selecting the Chinese routes is interesting, it’s the size and scope of these providers that determine how many organizations end up using the Chinese servers. For example, if a major global provider (sometimes called a Tier-1) is one of these, many hundreds or thousands of downstream customers can be impacted. And as it turned out, there were a number of major providers represented in this small set.
To capture the breadth of the exposure to Chinese root nameservers in 2010, we considered every provider (Autonomous System) that selected a Chinese route at any point during the year. There were 38 such providers in total. Then we calculated all downstream networks (prefixes) of those 38 providers and ended up with about 57% of all networks on earth. To get a sense of the geographic impact, the following map gives the rough percentage of each country’s networks that could have used a Chinese root nameserver during the year. While the countries bordering on China tend to have the higher percentages, many others do as well. This is not the least bit unusual or alarming; it simply speaks to the global nature of the Internet.
The strong influence in Russia and Southeast Asia is not very surprising, but Chile? It turns out that Mauricio Vergara Ereche in Santiago was the first to report on bad DNS answers coming out of China. And despite making the most noise about the event, the US was only modestly affected.
So can we prevent DNS tampering in the future?
The accepted replacement for DNS is something called DNSSEC (“secure DNS”). Next week, we’ll talk about DNSSEC and look more at Internet censorship. What can you do when other people’s governments force service providers to lie to you? How can you protect yourself from having your DNS responses edited, when your traffic has to transit China or even Germany or Australia?
When I am in China, I don't usually trust the DNS responses I get from supplied DNS servers. I usually use different DNS provided by both verizon and google (such as 220.127.116.11 and 18.104.22.168 from google and 22.214.171.124 and 126.96.36.199 from verizon). However, the Great Firewall of China still may intercept, censor, filter, or even change responses. Sometimes when you're in China the only option is to use a VPN and use the DNS server provided by the VPN. You could try https://www.privateinternetaccess.com/ which is my personal favorite for the speed. This will atleast help to ensure your DNS responses are accurate and that the Chinese firewall is not blocking or censoring access.
Great article, thanks for taking the time to write it. I did have a question though, if I may... Since the Internet by all definitions is meant to cross boarders and provide unfettered access to information, should countries who are known for censoring the Internet even be allowed to host a root server? Editor's Note: The Internet is completely decentralized. There is no organizational body that can make that decision.
China controla de facto el 57% de las peticiones DNS [Eng] Prácticamente el 57% de las peticiones DNS que transitan por la red de redes acaban en los root servers (Servidores raíz) del nuevo gigante tecnológico en el que se esta convirtiendo China. Esto, como ya ha quedado patente por incidentes con los paí...