Suppose a mainland Chinese client trusts a DNS server within China. The server behaves well for most queries but badly for some special queries, such as www.facebook.com. Then the client can still use the faulty response as a true one because the key is trusted and the signature can be verified. The client may have no idea about the cheat since maybe his/her queries outside the country have been blocked! So there is no late real response for him/her. What do you think? Editor's Note: A faulty intermediate server will generally not have access to the correct key for the queried domain.
DNS: When Governments Lie (2)
Last week, we looked at the problem of incorrect DNS answers emanating from China and the potential impact on Internet users outside the country. In this blog, we’ll consider a proposed and partially implemented solution (DNSSEC) and the broader problem of hosting global services in any country known to tamper with Internet traffic. We’ll even suggest a rating system from one to five stars for evaluating countries, and we’ll note that while the US was once a 5 on this scale (highest rating), it is currently a 4 and might be headed to a 3 or 2. In general, the direction for the world seems to be for a less open and more censored Internet, and that is the truly unfortunate part of this story.
So how do we prevent DNS tampering in the future?
You really need a completely new service. The currently accepted replacement for DNS is something called DNSSEC, which provides digitally signed DNS responses that allow the client to validate the origin and the correctness of the answer, preventing any man-in-the-middle-style tampering. In other words, your DNS server can tell the difference between correct and incorrect answers — something it cannot do today — and simply discard fraudulent ones. Unfortunately, while DNSSEC has been in the works for over 10 years, its uptake has been fairly minimal to date. Now that the root zone has supported DNSSEC since July of this year, and with increasing awareness of the security implications around DNS, we’re starting to see wider-scale deployment of this technology.
So how would this help me exactly?
Let’s suppose that DNSSEC was widely supported, both by DNS servers and by client operating systems and applications. In a test today, a mainland Chinese client querying a US DNS server for www.facebook.com received an incorrect answer of 18.104.22.168 at the blindingly fast speed of 7 milliseconds. This forged answer obviously came from a device within China, a component of The Great Firewall. Furthermore, the initial query did eventually make it to the intended US DNS server, producing a correct answer of 22.214.171.124. The Chinese client received this correct answer about 395 ms later, long after it had acted on the incorrect response. And therein lies the problem. With DNS as it is currently implemented, there is no way to determine the validity of received answers, so the client accepts the first one it sees and ignores subsequent ones. (See our AMS-IX talk for more technical details.) In a DNSSEC world, the Chinese client querying an honest DNS server could discard the unverifiable forgery, wait for the valid response, and be led to the Facebook login page shown below.
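To make the race above concrete, here is a small added simulation (example code written for this post, not Renesys's or Facebook's). It replays the two answers with the addresses and timings quoted above: in plain DNS the first answer wins, while a validating client with the zone's public key as its trust anchor rejects the forgery, even one the forger signed with a key of its own, which is the point of the Editor's Note to the comment above. A Lamport hash-based signature stands in for DNSSEC's DNSKEY/RRSIG so the example runs with the standard library only; the key names and the resolve() and facebook_race() helpers are assumptions for this example.

```python
import hashlib
import secrets

# A Lamport one-time signature (hash-based public-key scheme) stands in here for
# DNSSEC's DNSKEY/RRSIG. Constructed for this example; real zones use RSA/ECDSA.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(sk, msg):
    d = _bits(msg)
    return [sk[i][(d >> i) & 1] for i in range(256)]

def verify(pk, msg, sig):
    if sig is None or len(sig) != 256:
        return False
    d = _bits(msg)
    return all(hashlib.sha256(sig[i]).digest() == pk[i][(d >> i) & 1]
               for i in range(256))

def rr_bytes(name, addr):
    # Canonical form of the A record; this is what the signature covers.
    return f"{name}. IN A {addr}".encode()

def resolve(responses, trust_anchor=None):
    """Return (addr, arrival_ms) the client acts on. trust_anchor=None models plain
    DNS (first answer wins); with a trusted zone key, unverifiable answers are dropped."""
    for arrival_ms, name, addr, sig in sorted(responses, key=lambda r: r[0]):
        if trust_anchor is None or verify(trust_anchor, rr_bytes(name, addr), sig):
            return addr, arrival_ms
    return None, None

def facebook_race(dnssec):
    """Forged answer at 7 ms, honest answer at 395 ms (constructed from the post).
    The forger signs with its own key: it never holds the zone's private key."""
    zone_sk, zone_pk = keygen()        # the zone's key; zone_pk is the trust anchor
    forger_sk, _ = keygen()            # key held by the in-path forger (hypothetical)
    name = "www.facebook.com"
    forged = (7, name, "18.104.22.168", sign(forger_sk, rr_bytes(name, "18.104.22.168")))
    honest = (395, name, "22.214.171.124", sign(zone_sk, rr_bytes(name, "22.214.171.124")))
    return resolve([forged, honest], zone_pk if dnssec else None)

if __name__ == "__main__":
    print("plain DNS:", facebook_race(False))   # ('18.104.22.168', 7)
    print("DNSSEC   :", facebook_race(True))    # ('22.214.171.124', 395)
```

Note that the validating client still depends on getting an honest answer eventually; if the only responses it ever sees fail validation, it ends up with no answer rather than a wrong one.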
That all sounds great, but isn’t there anything I can do right now?
As we know, participation in the Internet is entirely voluntary and can even be selective. However, as individuals we don’t have many options open to us. If you happen to run a router for your organization, nothing requires you to accept routes for IP addresses (prefixes) geo-locating to countries you don’t like. But blocking global services (such as DNS) originating from such places is much more difficult, because the same IP addresses are announced from all locations via a routing methodology known as anycast. If you really wanted, you could reject all routes to important services traversing organizations (Autonomous Systems) you don’t like, including those in particular countries. But this quickly becomes a slippery slope, and where do you draw the line? Internet censorship is pervasive and only becoming more so. A lot of countries censor, but to different degrees.
With respect to DNS and the placement and usage of root nameservers, it might be useful to consider a rating system for countries. Here is one such system.
5 stars: Entirely safe. Providers in this country respect DNS integrity and never rewrite DNS responses. Even if you mistype a domain, you get an obvious non-existent domain (NXDOMAIN) error message and not an advertisement. When asking questions you always receive the intended answers.
4 stars: Mostly safe. Providers in this country are allowed to rewrite queries to unknown domains to make money, but otherwise they leave DNS alone.
3 stars: Use caution. In this country, DNS providers may be required to modify the recursive resolver responses in order to enforce local content laws.
2 stars: Strong caution. In this country, ISPs may be required to modify the recursive resolver responses in flight in order to enforce local content laws. In other words, ISPs listen in on your requests and alter the responses, no matter which server you query.
1 star: Danger. In this country, root server responses as well as recursive responses may be modified in flight, without warning, by any infrastructure providers.
So how do countries stack up on this rating system?
That’s difficult to answer for all countries and the playing field is constantly changing, but let’s consider a few examples. Up until a few years ago, the US would have been at 5 stars, but now that providers often serve up ads for mistyped URLs, as shown below, the US is currently at 4 stars. US providers are already “messing with” DNS responses provided to US citizens.
However, it gets worse: an ill-conceived and naive bill (S.3804 — Combating Online Infringement and Counterfeits Act or COICA) was recently introduced into the US Senate and passed the Senate Judiciary Committee by a 19-0 vote. If passed by the full Senate, the bill would require service providers and domain name registrars to block DNS domains to “combat infringement, and for other purposes.” Here “other purposes” is left undefined and could presumably be used to silence the likes of WikiLeaks. Enactment of this bill would lower the ranking of the US to at most 3 stars on our scale or maybe 2 stars depending on the implementation.
At the other end of the spectrum, we have China with a single star. From both inside and outside of China, it is easy to demonstrate that DNS queries are modified in flight. And while queries made to the root servers in China are currently given an exception when queried from outside the country, no such exception exists for queries made from within the country. In light of the exception, which might be fragile, perhaps China rates 1¼ stars.
And there are lots of other countries somewhere in the middle, due to their strict anti-pornography laws. And others with no restrictions at all. So whom do you trust today? How about tomorrow? Until recently, Australia banned Wikileaks. The EU wants to impose pornography bans and Iran restricts pretty much everything. Not a 5-star country in the bunch.
Predictably, much of the media sensationalized two relatively minor Chinese Internet events. One reporter confessed to me that he couldn’t interest his editors in the story seven months ago, when they were actually taking place. Now that these events are mentioned in a Congressional report, they make front page news and are often mischaracterized. There is little evidence that either one resulted from anything more than human error, and with respect to the routing incident, a relatively common one at that. Local governments have every right to enforce local laws and require local providers to comply. The only reason the story is newsworthy at all is because of the politics of the situation.
That being said, politicians need to wake up to the fact that the Internet genie is out of the bottle. Even the most draconian restrictions can often be worked around by average people with appropriate technology. We can either accept that or embark on creating Internet islands and dikes to hold back the sea. Having spent 40 years as a community building the current relatively open system, it would seem a shame to return to 1969.