
Chinese Root Server Shut Down After DNS Problem

Posted by timothy
from the need-a-new-source-of-ginseng dept.
itwbennett writes "After a networking error first reported on Wednesday last week caused computers in Chile and the US to come under the control of a system that censors the Internet in China, the 'root DNS server associated with the networking problems has been disconnected from the Internet,' writes Robert McMillan. The server's operator, Netnod, has 'withdrawn route announcements' made by the server, according to company CEO Kurt Lindqvist."

  • For a moment, it stretched around the world. Or, at least to the Americas.

  • To fully implement dnssec.
    • by rvw (755107)

      Can somebody explain what this all means? What does this root server do, who depends on this, what is the effect of disconnecting it, how will the rest of the world be affected by this?

      • by erroneus (253617)

        I would. But I just finished watching an old Mitch Hedberg special. Now, everything I read, is in, the voice, of, Mitch Hedberg. Damn. Him.

        • by wrencherd (865833)

          I think if you concentrate very hard you could easily substitute Roy Mallard, for higher entertainment value.

      • A root server serves the DNS queries for a global domain such as .com. How it works is when your computer asks for the addresses for slashdot.org, your ISP probably knows the address because someone else has asked; if not, your ISP asks the next higher level, which is more likely to know because it answers more queries. Eventually it gets to the root server if the intermediate steps fail. The farther up the answering server is, the longer it takes for you to get the answer. Each query answered has a TTL, t
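
The resolution walk and TTL caching described in the comment above, as an added example that is not part of the original thread: a toy recursive resolver in Go over a constructed root / org / slashdot.org hierarchy. The zone data and the 192.0.2.x addresses are made up (192.0.2.0/24 is the documentation range; the real slashdot.org records are not used). `hops` counts the authoritative servers contacted for a query, so a cache hit inside the TTL costs zero hops and an expired entry triggers the full walk from the root again.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// A toy zone: delegations (NS) to child zones and final answers (A).
// All names and addresses below are constructed for the example.
type zone struct {
	ns  map[string]string // delegation: child name -> zone authoritative for it
	a   map[string]string // final answers: name -> IPv4 address
	ttl time.Duration     // TTL the zone attaches to its answers
}

// zones is keyed by zone apex; "" is the root zone.
var zones = map[string]zone{
	"":             {ns: map[string]string{"org": "org"}},
	"org":          {ns: map[string]string{"slashdot.org": "slashdot.org"}},
	"slashdot.org": {a: map[string]string{"slashdot.org": "192.0.2.10", "www.slashdot.org": "192.0.2.11"}, ttl: 5 * time.Minute},
}

type cacheEntry struct {
	addr    string
	expires time.Time
}

// Resolver is the recursive resolver an ISP runs on behalf of its users.
type Resolver struct {
	cache map[string]cacheEntry
}

func NewResolver() *Resolver { return &Resolver{cache: map[string]cacheEntry{}} }

// delegationFor returns the zone a name is delegated to, matching the
// longest suffix that z knows about.
func delegationFor(z zone, name string) (string, bool) {
	labels := strings.Split(name, ".")
	for i := range labels {
		if child, ok := z.ns[strings.Join(labels[i:], ".")]; ok {
			return child, true
		}
	}
	return "", false
}

// Resolve answers name as of now. hops counts authoritative servers
// contacted: 0 means the answer came from cache within its TTL.
func (r *Resolver) Resolve(name string, now time.Time) (addr string, hops int, err error) {
	if e, ok := r.cache[name]; ok && now.Before(e.expires) {
		return e.addr, 0, nil
	}
	cur := "" // every cache miss starts at the root
	visited := map[string]bool{"": true}
	for {
		hops++
		z := zones[cur]
		if ip, ok := z.a[name]; ok {
			r.cache[name] = cacheEntry{addr: ip, expires: now.Add(z.ttl)}
			return ip, hops, nil
		}
		next, ok := delegationFor(z, name)
		if !ok || visited[next] { // no delegation, or a delegation loop
			return "", hops, fmt.Errorf("no answer for %s at zone %q", name, cur)
		}
		visited[next] = true
		cur = next
	}
}

func main() {
	r := NewResolver()
	now := time.Now()
	// first query walks root -> org -> slashdot.org; the second is cached;
	// the third comes after the 5 minute TTL and walks again
	for _, at := range []time.Time{now, now.Add(time.Minute), now.Add(10 * time.Minute)} {
		addr, hops, err := r.Resolve("www.slashdot.org", at)
		fmt.Printf("t+%v: addr=%s hops=%d err=%v\n", at.Sub(now), addr, hops, err)
	}
}
```

The `visited` set is the piece a real resolver also needs: a delegation that points back at a zone already consulted must be treated as a failure rather than followed forever.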

  • by JackieBrown (987087) <dbroome@gmail.com> on Sunday March 28, 2010 @06:56AM (#31646332)

    It had to happen sooner or later...

    • by SpzToid (869795)

      So... "like a great many voices cried out in terror before being suddenly silenced."

      But who is Alderaan here, exactly? Isn't China supposed to be The Empire, that just wants its Order? I thought GOOG was the eViL global empire awhile ago but now the rebels control the Death Star? This is all so very confusing.

      • by genner (694963)

        So... "like a great many voices cried out in terror before being suddenly silenced."

        But who is Alderaan here, exactly? Isn't China supposed to be The Empire, that just wants its Order? I thought GOOG was the eViL global empire awhile ago but now the rebels control the Death Star? This is all so very confusing.

        It's confusing because you didn't make a car analogy.

  • So... the Chinese DNS server was using BGP? Sorry, not much of a BIND geek. Is this a reference to the Anycast protocol?
    • by cjcela (1539859)
      From www.bgp4.as [bgp4.as]: The Border Gateway Protocol (BGP) is the routing protocol used to exchange routing information across the Internet. It makes it possible for ISPs to connect to each other and for end-users to connect to more than one ISP. BGP is the only protocol that is designed to deal with a network of the Internet's size, and the only protocol that can deal well with having multiple connections to unrelated routing domains.
    • by pv2b (231846) on Sunday March 28, 2010 @09:49AM (#31646906)

      Here's a graph of the network structure as seen by BGP. [robtex.com]

      AS29216 at the right is the AS which I.ROOT-SERVERS.NET is located in. As we can see, it is only reachable through AS8674 (NETNOD-IX).

      Which in turn is reachable directly from a few different ASes, including AS24151 (CNNIC-CRITICAL-AP).

      My guess is that Netnod simply started filtering out the routes to AS29216 via AS8674 on the BGP session to AS24151.

      The DNS server itself might have been using BGP, it might not have. But in the end every system on the Internet is reachable with some kind of BGP route somewhere.

  • The article includes a sample of Twitter tweets, all in Chinese. Unfortunately, just entering the Twitter search URL into Google translator doesn't seem to work, as the "Realtime results for Netnod" (http://twitter.com/search?q=Netnod [twitter.com]) are apparently served via JSON or something. Anyone got any ideas?

    • They're in Japanese, and all they're really saying is a summary of the article.

      • by bipbop (1144919)
        As of this moment, the Japanese tweets are after the "More" link, and all the tweets on the first page of results are Chinese.
  • Heads should roll (Score:2, Insightful)

    by bguiz (1627491)

    Who knows, in the few days that the Great Firewall of China crossed the Pacific, the kind of damage that could have been done, or perhaps even already been done?

    This should never have been allowed to happen in the first place, and when it had, it shouldn't have been allowed to persist for a few days before being made public and taking action.

    • by mysticalreaper (93971) on Sunday March 28, 2010 @11:17AM (#31647468)

      This should never have been allowed to happen in the first place, and when it had, it shouldn't have been allowed to persist for a few days before being made public and taking action.

      Well, I think this is unreasonably harsh. No one had ever seen the Great Firewall of China affect DNS traffic like this in the past. So no one (not even you) was suggesting that when they set up a root DNS server in Beijing, that it would effectively send out false answers.

      Now, anyone who controls a part of the network you rely on can launch a man-in-the-middle attack, which is what happened here. So to suggest that this should never have been allowed to happen, you would have to be using strong cryptography in some way. DNS has never had that mechanism, but it will soon, because DNSSEC is coming along. The root servers are deploying it right now, and so are the other top-level domains.

      Also, as soon as the I-root server operators realized this problem was occurring, and was outside of their control, they disabled the server. Why do you think that they sat on this problem for a few days, doing nothing about it?
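
The man-in-the-middle point above is exactly what DNSSEC addresses, and the following added example (not the commenter's code, and not real DNSSEC wire format) shows the mechanism in Go: the authoritative side signs the canonical form of the RRset, a middlebox on the path rewrites the address but cannot produce a new signature, and a validating resolver discards the answer while a plain resolver accepts it. Ed25519 from the standard library stands in for the zone's signing algorithm; the chain of trust down from the root that real DNSSEC needs is omitted, and the names and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
)

// rrset is a simplified resource record set; Data holds one rdata per record.
// The real RRSIG record also covers type, labels, original TTL and validity
// window; this example keeps only what is needed to show the check.
type rrset struct {
	Name string
	Type string
	TTL  uint32
	Data []string
}

type signedAnswer struct {
	RRs rrset
	Sig []byte
}

// canonical serialises the RRset in a fixed order so signer and verifier hash
// exactly the same bytes regardless of the order records arrived in.
func canonical(rr rrset) []byte {
	data := append([]string(nil), rr.Data...)
	sort.Strings(data)
	return []byte(fmt.Sprintf("%s|%s|%d|%s",
		strings.ToLower(rr.Name), rr.Type, rr.TTL, strings.Join(data, ",")))
}

// signRRset is what the authoritative server does with its zone key.
func signRRset(priv ed25519.PrivateKey, rr rrset) signedAnswer {
	return signedAnswer{RRs: rr, Sig: ed25519.Sign(priv, canonical(rr))}
}

// validate is the validating resolver's check against the zone's public key.
func validate(pub ed25519.PublicKey, ans signedAnswer) bool {
	return ed25519.Verify(pub, canonical(ans.RRs), ans.Sig)
}

// rewriteInTransit models a middlebox that swaps the address in the response
// while leaving everything else, including the signature, untouched.
func rewriteInTransit(ans signedAnswer, fake string) signedAnswer {
	out := ans
	out.RRs.Data = []string{fake}
	return out
}

// resolveCompare returns what a non-validating and a validating resolver each
// end up with for the same response. The validating side returns nil and
// ok=false (a SERVFAIL to the client) when the signature does not match.
func resolveCompare(pub ed25519.PublicKey, ans signedAnswer) (plain []string, validated []string, ok bool) {
	plain = ans.RRs.Data // plain DNS: whatever arrived is believed
	if validate(pub, ans) {
		return plain, ans.RRs.Data, true
	}
	return plain, nil, false
}

func main() {
	// nil reader means crypto/rand; a real zone key would be generated offline
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	genuine := signRRset(priv, rrset{Name: "www.example.com.", Type: "A", TTL: 300, Data: []string{"192.0.2.7"}})
	fmt.Println("genuine answer validates:", validate(pub, genuine))
	tampered := rewriteInTransit(genuine, "198.51.100.99")
	plain, validated, ok := resolveCompare(pub, tampered)
	fmt.Printf("plain resolver believes %v; validating resolver returns %v (ok=%v)\n", plain, validated, ok)
}
```

The important property is that the check depends only on the zone's public key and the bytes that arrived, so it does not matter which path or which anycast node the response came through; any on-path modification of the signed data fails verification.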

      • by jafiwam (310805)

        The Chinese should simply be cut off from the internet.

        Anchor-drag their shit and pull up a couple hundred miles of fiber.

        Then keep doing it as they repair stuff.

        "Most favored" seems to be ineffective nowadays as far as holding their crap back. Maybe it's time to cut them off at their short little knees economically before their expansionist military catches up with their ability to make lead-laden rubber dog crap.

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          I really don't understand where this china-hate is coming from. What did they ever do to you? Let's cut 1.3 billion people off the internet because someone IN ANOTHER COUNTRY WHO IS NOT CHINESE misconfigured a server. Yeah that makes total sense.

          You're a fucking retard.

          • I think his point is that if China did not modify the responses in first place, this kind of problem would have had absolutely no negative consequences for users until being fixed (since all the servers should return consistent data). I don't hate China myself, but it isn't incorrect to resent those who are intentionally breaking the DNS rather than those who simply made a mistake (or ill-advised decision).

        • by jon3k (691256)
          I know it's easy to have the "nuke them from space" policy but honestly the Chinese government is just so fucked up they don't have the appropriate law enforcement or policies to police it. Then you've also probably got some level of government that's involved in a lot of the nasty shit going on. Yes, I realize most spam comes from the US. I don't know about you but the several thousand failed login attempts I see a day aren't coming from ARIN address space. It's all APNIC address space. And it's Chine
      • by Plekto (1018050)

        A better solution would be to just block that root server. If China doesn't want to play along nicely, well, they can turn into their own mega-LAN all they want.

        In fact, I'd do one better: take ALL of their internet access outside of China offline for them - just flat out cut the connection so that their entire country is in the dark. No news, no information, no business, no nothing. Not even their government and military has any information (aside from maybe a modem or two or satellite news feeds, I guess).

        I

  • by Anonymous Coward on Sunday March 28, 2010 @07:40AM (#31646454)

    They got to the "Root" of the problem.

    [ducks]

  • What happened? (Score:3, Interesting)

    by jbb999 (758019) on Sunday March 28, 2010 @08:03AM (#31646518)
    All of the articles I've read about this seem to confuse DNS and BGP. My guess is that the IP of one of the root DNS servers was being "hijacked" by the Chinese by announcing a route to it, and that route was being picked up externally, so some people thinking they were using the real DNS root were being diverted to a Chinese root server giving out different IP addresses for lookups on these domains. Does that make sense?
    • Re: (Score:1, Informative)

      by Anonymous Coward

      No, my understanding is that BGP is used to advertise the IP of the server - they removed the route advertisement to shut the server off from the Internet but BGP wasn't actually causing the problem or compromised.

      It sounds like traffic OUT of the server was being modified in some way, I would doubt the data stored on the server had been modified as that probably flows over a secure connection but actual responses are public communications and the Chinese systems are likely filtering/modifying those so that

    • Something like that .. Netnod apparently claims that the data on their server is accurate, so either China was hijacking the connection generally, or they were filtering the results being returned. This wasn't a problem until the server (and its hacked data stream) started being accessed by machines outside of China due to a (silly but otherwise benign) routing change.
    • Re:What happened? (Score:5, Informative)

      by mysticalreaper (93971) on Sunday March 28, 2010 @11:25AM (#31647522)

      Your suggestion makes sense, but that's not what happened.

      Something like this

      I.root-servers.net (Beijing) -> Chinese networks -> Chilean networks

      So, the real I root server sent correct answers to the querying computer in Chile. But, as the DNS packet travelled across the Chinese network, it was modified, and so the packet received by the Chilean network was false, returning a fake IP address for some domains, like 'facebook.com'.

      This is called a 'man-in-the-middle attack'. The Chinese network, in the middle, is modifying packets.

      Once the I root server operators realized this was happening, they stopped the BGP route announcement from the I root server node in Beijing, so that queries to i.root-servers.net would not be answered in Beijing, but instead by the other i-root nodes. There are 34 currently, so no problems with load would occur shutting off one node.

      Hopefully that makes sense.

      P.S. www.root-servers.org [root-servers.org]
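
How withdrawing one node's announcement moves queries to another anycast instance, as an added simulation in Go that is not the commenter's code: a toy path-vector propagation over a constructed topology using documentation ASNs (the 64496-64511 range, not the real AS29216 / AS8674 / AS24151 sessions discussed earlier in the thread), with best path chosen by shortest AS_PATH and lower ASNs as the tie-break. Three instances of the same prefix are announced from different corners; the client ISP's two candidate paths are the same length, so the tie-break sends it to the Beijing-side instance, which is the "logical routing does not match geography" situation. After that instance stops announcing, the same client converges on the North American instance with no other change. Real BGP signals this with withdrawn routes in an UPDATE message; the example simply recomputes the routing tables from scratch.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed topology with documentation ASNs. Every pair is a symmetric
// BGP session; the only policy is best-path selection below.
var links = [][2]int{
	{64500, 64507}, // anycast node A <-> European transit
	{64501, 64503}, // anycast node B (Beijing) <-> Asian transit
	{64502, 64505}, // anycast node C <-> North American transit
	{64503, 64504}, // Asian transit <-> Latin American transit
	{64504, 64505}, // Latin American transit <-> North American transit
	{64505, 64507}, // North American transit <-> European transit
	{64504, 64506}, // Latin American transit <-> client ISP (Chile)
}

func neighbors() map[int][]int {
	nb := map[int][]int{}
	for _, l := range links {
		nb[l[0]] = append(nb[l[0]], l[1])
		nb[l[1]] = append(nb[l[1]], l[0])
	}
	for k := range nb {
		sort.Ints(nb[k])
	}
	return nb
}

// better reports whether candidate wins best-path selection against current
// in this simplified model: shorter AS_PATH first, then lower ASNs.
func better(candidate, current []int) bool {
	if len(candidate) != len(current) {
		return len(candidate) < len(current)
	}
	for i := range candidate {
		if candidate[i] != current[i] {
			return candidate[i] < current[i]
		}
	}
	return false
}

func contains(path []int, as int) bool {
	for _, p := range path {
		if p == as {
			return true
		}
	}
	return false
}

// converge propagates the prefix from the given origin ASes (the anycast
// instances) until no router changes its best path. The result maps each AS
// to its AS_PATH toward the prefix with the serving instance last; origins
// carry an empty path.
func converge(origins []int) map[int][]int {
	nb := neighbors()
	rib := map[int][]int{}
	for _, o := range origins {
		rib[o] = []int{}
	}
	all := make([]int, 0, len(nb))
	for as := range nb {
		all = append(all, as)
	}
	sort.Ints(all) // deterministic processing order
	for changed := true; changed; {
		changed = false
		for _, as := range all {
			path, ok := rib[as]
			if !ok {
				continue
			}
			advert := append([]int{as}, path...) // prepend own ASN when re-announcing
			for _, n := range nb[as] {
				if contains(advert, n) { // loop prevention: own ASN already in AS_PATH
					continue
				}
				if cur, ok := rib[n]; !ok || better(advert, cur) {
					rib[n] = advert
					changed = true
				}
			}
		}
	}
	return rib
}

// servingNode tells which anycast instance an AS ends up sending queries to;
// 0 means it has no route at all.
func servingNode(rib map[int][]int, as int) int {
	p, ok := rib[as]
	if !ok {
		return 0
	}
	if len(p) == 0 {
		return as
	}
	return p[len(p)-1]
}

func main() {
	const client = 64506
	before := converge([]int{64500, 64501, 64502})
	fmt.Printf("before: client %d path %v -> node %d\n", client, before[client], servingNode(before, client))
	after := converge([]int{64500, 64502}) // the Beijing instance withdrew its announcement
	fmt.Printf("after:  client %d path %v -> node %d\n", client, after[client], servingNode(after, client))
}
```

Because the other instances keep announcing the same prefix, the client never loses reachability during the change; it only changes which instance answers, which is why removing one node of 34 is operationally cheap.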

    • What amazes me about Chinese censorship is that rather than show that the opposite is true, the Chinese government causes those that disagree to not be heard; so much for those in command whose culture values wisdom and patience. It's like watching Sarah Palin [youtube.com] read her notes on her hand on topics that my 14 year old daughter could debate either Pro or Con while trying desperately not to look too bored.
      • by radtea (464814)

        so much for those in command whose culture values wisdom and patience.

        Chinese culture values wisdom and patience the way Canadian culture values lacrosse. If you didn't know anything about what Canadians actually do, but just read the official literature, you'd think lacrosse was a big deal. It's our national sport! Officially.

        If instead you behaved like a scientist, and looked at the empirical reality of what we do, you'd find this other game called hockey... And then there's this "curling" stuff...

        If you look at actual Chinese history, including recent history, you'll

  • by ironicsky (569792) on Sunday March 28, 2010 @10:30AM (#31647108) Journal

    I blame American and Chilean ISPs.
    Why on earth would you query the root server on the other side of the world, especially in an ass backwards country like China when there are plenty of good servers here?
    Shouldn't you query the closest available server, not the furthest?

    • by mysticalreaper (93971) on Sunday March 28, 2010 @11:38AM (#31647614)

      Basically, your ideas are right. The idea is to query the closest server, for best performance. DNS data is very small, so there's not much financial concern about transmitting data across the world (which happens all the time on the internet).

      Anyway, the logical routing of the internet doesn't always match the physical world. This is routine, and not a problem until DNS traffic crosses the great firewall of China, and is modified, which is what happened here.

      Since this, route announcements have changed, and the Beijing server is not being queried.

      But you are also correct about ISPs. ISPs can control (if they are good) which root servers are going to be queried from their network.

      My overall point is that everything was operating routinely and correctly, until a new kind of DNS problem, not observed in the wild ever before, started happening. It's hard to expect the ISPs to prevent a problem they never knew would occur.

    • by russotto (537200)

      Shouldn't you query the closest available server, not the furthest?

      A host is a host/From coast to coast/And no one will talk to a host that's close/unless the host (that isn't close)/is busy, hung, or dead!
      (From the .signature file of one David Lesher...)

    • by jon3k (691256)
      I agree completely. It's very simple to go into your DNS server root hints file and remove DNS servers you don't want to query. Pick your favorites, specifically ones near you, using anycast ideally, delete the rest -- problem solved.
