Chinese DNS Tampering a Real Threat To Outsiders 181
Trailrunner7 writes "China has long used the Internet's Domain Name Service to censor Web sites and information that the ruling Communist Party deems threatening. But now security experts warn that the government's censorship is in danger of spilling over China's borders, suppressing the ability of those living outside of China to find information online. An estimated 57% of all networks on Earth passed DNS requests through a Chinese DNS rootserver at some point in 2010, according to data from security firm Renesys. Tampering by the Communist Party there poses a danger to Internet security and freedom. In fact, DNS tampering may be a bigger threat than techniques like BGP (Border Gateway Protocol) hijacking, which is believed to be responsible for an unexpected shift in Internet routing in April that has recently been the subject of mainstream media reports in the US. There is already evidence that China's efforts to tamper with DNS have bled outside the country's borders. The same report to Congress from the US-China Economic and Security Review Commission that called attention to the BGP hijacking incident from April, 2010 also mentions a March, 2010 incident in which Internet users in the US and Chile attempted to connect to social networking websites banned by the Chinese government. However, their DNS requests were handled by a Beijing-based Domain Name Server, which responded with incorrect DNS information that directed the surfers to incorrect servers, the report says."
So, which is worse? (Score:1, Interesting)
So, is it better to have China fucking around with the internet, or the US?
Quite frankly, I don't think either of them should be able to do it.
Fuck the both of them.
Porn! (Score:2)
I don't want some red china man stealing all my porn!
They might start Blurring it on the fly!!!
Re: (Score:2)
Eh. Many porn sites were unblocked months ago and still are. I don't notice any blurring here.
Re: (Score:3, Funny)
Comparing the US and China as far as the Internet goes kind of indicates who the asshat is here.
Re: (Score:2)
So, I'm kind of dense, are you implying that the irredeemably evil nightmare that is China is worse or better than than the corrupt (government by bribery) and (police state in training) that is the USofA?
In Soviet China... (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
As he was US President for eight years, it's a certainty that he knows a LOT of stuff that we won't ever hear about.
Re: (Score:2)
As he was US President for eight years, it's a certainty that he knows a LOT of stuff that we won't ever hear about.
Wait until the next installment of WikiLeaks. There, fixed that for ya.
Re: (Score:2)
I would guess that the information wikileaks gets compared to what is there is probably trivial.
Re: (Score:2)
Then comes the question about how much of that gets read by those in charge...
Proverbial needle in haystack and all that...
Root servers? (Score:5, Insightful)
I understand the need for mass replication of the DNS root servers and appreciate both the cultural and technical needs to spread them fairly evenly throughout the world but is it really necessary for China to replicate F, I and J at the root level? Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level? Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?
Re: (Score:2)
Re: (Score:3, Insightful)
Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.
Re: (Score:2)
DNSSEC *does* prevent against this man-in-the-middle attack, that's in fact its main feature.
You say that a cache receiving the root glue (data about the root servers) has 'no way' to validate that the glue is legitimate. That's totally not true. There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.
Re: (Score:2)
There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.
And how do you get the IP address of this SSL web server? You must look up the domain in DNS. SSL certificates are tied to the domain, not the IP address. If you must use a service you don't trust to get the crypto tokens that allow you to trust it, you cannot trust it.
Re: (Score:2)
...has no way to validate that the glue is the legit...glue. And so they will become poisoned.
Well, alcohol is a "poison" too, but I don't see you ranting about non-legit beer (Keystone, Natty, etc.)...
Re: (Score:2)
Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.
So, you are saying that DNS ought to mean Do Not Sniff glue?
Re: (Score:2)
That's not the point...the update requests you get from the "selected" ones: how do you know those are right? You don't. You're choosing to trust that select few. In this case, also, F, I, and J.root-servers.net are anycast...meaning that the IP you're trusting actually appears in multiple places at the same time, one of which is in China.
Better question: How do you know that the i.root-servers.net system that you're talking to is not the one in China?
Re: (Score:2)
Have someone that you trust sign the root data - it can be ICANN, it can be some other organization like FSF or ACLU or whomever you like, it can be any random individual that happens to have your trust and is willing to do the signing periodically.
Re: (Score:3, Interesting)
Because your ISP hired a lazy ass admin, that's why. Run your own DNS, remove the Chinese root servers from it. Problem solved.
Re: (Score:2)
Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level?
I think it would. I wouldn't be surprised if China happens to hold some control over the network (if it exists much) in North Korea, and doing something like that might cause even more tensions in what is already a difficult situation.
Re: (Score:1, Interesting)
Why should you trust the US with anything? China has so far not been tampering with the worldwide independent organization of either DNS or ICANN. Something the US can't really say anymore.
It would be similar to saying, should we give control to Hitler, Stalin or Mussolini.
Re: (Score:1, Offtopic)
Those are pretty weird DNS names - and that's some serious latency. How many hops did it have to go through?
Re: (Score:2)
Looks to m like a bad mod was corrected in 3.5 seconds. I didn't like Bush and I don't care much for Obama, but comparing them to Godwin's Ghosts is indeed flamebait.
Had he omitted that last line, it would have been interesting.
Re: (Score:2)
Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?
NOOOOO! We must rebuild the entire interweb! Tiered service plans with CIA backdoors and automatic killswitches for stolen intellectual property!
It's the ONLY WAY to stop the China from routing your traffic!
We have a way to address this (at least, mostly) (Score:4, Insightful)
DNSSEC. Get on it.
Re:We have a way to address this (at least, mostly (Score:5, Informative)
Since Chinese control 3 of the root DNS servers, I bet they are given the root zone KSKs.. and with them, you can spoof any record.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Actually, no, the Root server operators do not need access to the private key used for key-signing. They only get a copy of the root zones, all signed ahead of time.
DNSSEC would solve this from a mis-information stand-point. It doesn't stop it from a DoS attack (just not answering, or even answering with bogus DNSSEC replies, which the DNS resolver will discard, but the end result is that you don't get your query answered).
Re: (Score:3, Informative)
Root servers point to top-level domains. com, net, org, cn, us, uk... these would all have their own keys. China would only have access to one of those. As pointed out by others, the roots are pre-signed and just passed around for mirroring.
This doesn't prevent China from doing various nuisance activities such as replying with unresolvable, bogus unsigned answers, or bogus answers with wrong signers. That said, you'd at least have some level of verification available that a DNSSEC signed answer is appropria
Re: (Score:2)
Since Chinese control 3 of the root DNS servers, I bet they are given the root zone KSKs.. and with them, you can spoof any record.
Let me see...1.5 billion Chinese or the rest of the planet. Who would you not want to piss off?
Re: (Score:2)
The only problem with that is when IPs change. For major sites, it doesn't happen often, but when it does it may toss you through a loop.
You might find it easier (and more efficient) to just build yourself a caching nameserver and set the TTLs high (hell you can do this on the workstation itself). Couple this with your existing method if you wish, there's no reason they can't work together.
Re: (Score:2)
I just don't get what APK's deal is. He is clearly ignorant/misinformed and surely knows better...but I don't think I have ever seen a more dedicated troll than WillyonWheels. I mean..., he has been posting this same shit for years now, slightly customizing it for each story. It must be nice to have that much free time.
Re: (Score:2)
a hosts file in a git distributed repo would be a nice idea for small organizations, provides a way to safely add/update entries.
Re: (Score:2)
Or they could just install a DNS caching server, it's not that hard. And besides the static hosts information, it would also share the DNS cache between all the clients, so if two of them accessed the same sites, it would be faster for the second client.
Debian comes with a few an aptitude install away.
Re: (Score:2)
I use dnsmasq myself often. I thought that people in organizations that fear government censorship are better with a hosts file on each computer than with a number of dns caches. The response can still be spoofed or the servers DoSed. Git can do signed commits and updates over ssh.
Also one could exploit virtual hosting configuration and gave a server that returns normal content if accessed through its normal domain, and special content if accessed through an entry in the hosts file (good against casual surf
Re: (Score:2)
I was thinking of a DNS server in-LAN, not geographically distributed. In that case, I agree that a hosts file is more robust.
Wikileaks... (Score:2)
Re: (Score:2)
Wikileaks is a government operation. China is well aware of that. Just like (if you did read Wikileaks) the US was well aware of China's attack on Google but chose not to tell anyone. China and US are on much better foot that you think, the theater is just for the populace.
And ? (Score:5, Insightful)
'for other purposes'. you can even put 'daydreaming' in it, and legally grap domains that help people daydream.
Re: (Score:2, Interesting)
having a legal fight over who owns abc.com
and
deliberately misleading people and pretending to be/own abc.com
There can be abuses of either system, but rerouting traffic on the sly is potentially more dangerous to users than openly seizing a domain name.
so ? (Score:2)
Re: (Score:2)
This case wasn't about one site pretending to be another. These were domain names allegedly used in copyright infringement activities. Domains used by others for typo-squatting is usually done through the courts system quite successfully.
United States DNS Tampering a Realer Threat (Score:4, Informative)
The United States government has already stolen domain names without due process. They don't even have jurisdiction over some of them.
http://yro.slashdot.org/story/10/11/27/1910232/DHS-Seizes-75-Domain-Names [slashdot.org]
Re: (Score:1)
peter's wolf... (Score:3, Interesting)
At what point are we going to get sick enough of this garbage to just completely segregate China from the rest of the internet?
Re: (Score:1)
You're speaking on behalf of a western nation I assume?
Re: (Score:2)
No, I'm speaking on behalf of everyone that isn't China.
You should read what I wrote, not the words that you assume are between the lines.
Re: (Score:2)
There's a large difference between censoring what goes in or out, and manipulating the system so things that were not intended to go in do so (supposedly for intelligence gathering)
Re: (Score:2)
right now.. (Score:1)
China almost looks free compared to the nazi regime USA is trying to have on the web, randomly yanking dominas(70+ recently) because american business interests were supposedly suffering. ..
DNSSec? (Score:2)
Why do we have it then? AFAIK root zone was signed in May, so just don't send those super secret root zone KSKs to red commies and every validating resolver is safe!
Hooray for advanced protocol beating the red threat back!
Re: (Score:2)
If China has the legitimate* right to host three replicas of the root servers they would need the KSKs, no?
Which in my mind would lead to more potential for abuse as even the technical among us think "It's OK, I'm using DNSSEC!".
* which according TFA they do now...
Definitive/Caching/Chinese (Score:2)
So do we need a new way of describing DNS servers ?
We also probably also need a new way of describing DNS entries so you can tell the difference between an actual DNS for a site and a DNS for an edge caching site.
Re: (Score:2)
How? How many clients will actually work their way up the chain to resolve against the hosted DNS server? That makes any initial engagement with raw (or cache expired) domains much slower. For a web site that is a looking for drive by service, this would be less appealing than say going to a Google derived alternative which is always well buried in cache. If you really want is a way of verifying that the upstream data source isn't tampered with, and I'm sorry but that's not going to happen, at least not on
Re: (Score:2)
DNSSEC. If the root-zone keys are distributed through an independent channel (ie. downloaded from ICANN and loaded into the local resolver/server software configuration), then even running a root DNS server won't let you forge responses for any part of the DNS tree you don't actually control (ie. have the private keys to generate new signatures for).
I am safe... (Score:1)
... I use the fantastic, free OpenDNS, and I have set resolv.conf to ns1.opendns.ch and ns2.opendns.ch years ago... crap! John, tear the wire from the wall, fast!
Re: (Score:2)
No, you are not safe. It is trivial for someone between you and ns*.opendns.ch to intercept the DNS response and modify it.
Only DNSSEC can save you here.
Re: (Score:2)
Re: (Score:2)
DNSCurve [dnscurve.org] looks pretty sweet; especially how it encrypts packets, instead of just signing them (like DNSSEC). Hiding the query and response seems very useful to avoid prying eyes.
US DNS Tampering a Real Threat To Outsiders (Score:3, Interesting)
Re:US DNS Tampering a Real Threat To Outsiders (Score:5, Interesting)
Re: (Score:2)
Okay - then which is worse?
I mean I am not condoning everything the Chinese do but nationalism isn't always a bad thing and there wouldn't BE a cyber conflict without the US. Essentially what you've got is 1 country attacking another country and you've got 1 country attacking it's own citizens. Which is which and which is worse?
Re:US DNS Tampering a Real Threat To Outsiders (Score:5, Insightful)
Re: (Score:2)
And the US is just trying to suppress illegal content, while China is actually trying to censor criticism. The latter is IMO much worse.
Re: (Score:3, Funny)
And the US is just trying to suppress illegal content, while China is actually trying to censor criticism. The latter is IMO much worse.
But, uh, criticisim _is_ 'illegal content' in China.
Re: (Score:2)
Touche.
I think the term "illegal" isn't the right one to use. Which one is more immoral is probably more accurate.
One country is revoking DNS service for a relatively small list of sites when its investigations show these sites violate that nation's (and in some cases international) trade or copyright laws. These sites are shut down without due process or prior notification. There is fear that if unchecked, this power could be extended to remove ideas that are unwelcome to those in control of these mecha
Re: (Score:2)
Re: (Score:2)
Many top Chinese officials have been executed for corruption. Just google for: chinese official executed
In my opinion being executed is about as accountable as it gets. And certainly a lot more scary than being paid off with a golden parachute/handshake, or getting bailed out.
Someone might claim the executions are faked, but they (and their family) must be pretty good actors given their responses to the verdict. And even if s
Re: (Score:2)
"Illegal" is a word whose meaning is quite relative. It also leads to discussion about whether or not a law is just even if the law itself is plain. Enforcing a "whites only" bathroom law might be an easy to appreciate law that is unjust. Many people hold that copyright law in the U.S. is unjust and I certainly support that. (I wouldn't download stuff nearly as much if content from 14 years ago actually went into the public domain -- I'd be busy being all retro in my downloads) But that's not how it is
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Informative)
That was as the .com level not at the . level. The US has not redirected .com somewhere else....
Re: (Score:2)
SOMEONE has a fucking clue!?!?
(go figure it's an AC)
Re: (Score:2)
What has being an AC got do do with anything?
Re: (Score:1)
Same thing.
The US disabled domains under US law, the Chinese disable domains under Chinese law.
What is your point exactly?
Or are you somewhat delusional to think that the US is the center of the universe I wonder...
What the US did affects unrelated parties, namely THE REST OF THE WORLD!
Mod server down (Score:4, Interesting)
If only you could mod servers up or down, giving them some sort of reputation history. The your OS could determine a trusted anchor based on a server's "karma" and your requirements*. A system parallel to DNSSEC for apportioning, updating, and validating trust.
* yeah, I'm borrowing Slashdot terminology. But what the heck, it kind of works.
Re: (Score:2)
No. I saw your comment.
Billions and billions... (Score:2)
Doesn't china have like, 1.2 billion people? If all the people in china mod up the Chinese DNS servers, and a the people in the US mod them down, I'm pretty sure they will still have a pretty good score...
Secure BGP (Score:2)
I know of folks working currently on secure BGP. I would imagine that's part of the solution.
Re: (Score:2)
BGP knows filters and communities. It's just that those need to be setup by admins, which often don't feel like doing the work and will tell you it's too complex to deal with such a large dynamic network as their.
Red vs effing Blue (Score:3, Funny)
(tl;dr version)
Big Threat Internet Security
China censor Web sites and information ruling Communist Party threatening security experts warn government's censorship danger spilling China's suppressing China Chinese Tampering Communist Party danger security and freedom tampering bigger threat hijacking unexpected China's tamper bled
U.S.-China Economic and Security Review Commission hijacking incident incident.
(And when I count to three you will awaken and be VERY AFRAID).
WTF happened this weekend? (Score:2)
http://news.cnet.com/8301-1023_3-20023949-93.html [cnet.com]
Because I can damn well tell you that spilled over into other New England area networks, including the SAVVIS and Cogent networks in Boston area. Comcast says their DNS system failed, so how the fuck does a DNS attack knock out all the peering/routing/IP transport up there?
That whole thing smells bad, and I wonder if anyone knows the truth about wtf happened.
Whitelisting (Score:1)
Thanks to Cisco.. (Score:2)
Re: (Score:2)
Thanks to the American people for allowing their government and corporations to participate in these deals. Did you call your ISP and complain about their use of a company that actively participates in subjecting over a billion people to heavy censorship? I didn't think so.
DNS shall not be abridged (Score:2)
Solution: de-root them (Score:2)
Someone's already said this too, but it seems obvious. Don't trust the Politburo. Simple. Don't trust a root server run by the Politburo. Then implement DNSSec. :)
Re: (Score:2)
De-root is a useless measure. You don't trust China, someone else doesn't trust some other country hosting a root. DNSSec is the only acceptable solution currently available.
Also it's a little naive to think that Chinese cyberspace ends at it's physical borders. China's telco's have controlling stakes in many foreign communications companies as well. Not to mention lots of western ISP's are installing Huawai equipment, etc, etc.
Remove the ability of countries to censor the web (Score:2)
There needs to be a system where if the domain record returned from a dns server differs from the ones returned by say 4 others is different, it is discarded and the record returned by the 4 dns servers is used.
Re: (Score:2)
Tell me, why is it still possible for private parties to change things like this on a whim?
Uh, this isn't a 'private party', it's the Chinese government. DNS generally worked fine when it was controlled by 'private parties' and governments weren't meddling with it.
Re: (Score:2)
Nice idea, but this doesn't help one bit if the censorship is done close to home. E.g. on "my" network I intercept DNS and have my name server send the reply. It doesn't matter if the users are talking to Google DNS, OpenDNS or some other service, it's always my DNS server that replies. DNS is extremely easy to intercept and spoof.
This is just about lazy admins. (Score:2)
Since when are you obligated to use the Chinese root servers? And have you heard of DNSSEC? This is really just an issue of lazy admins. Same story with the root SSL certificates browsers ship with that include a lot of questionable organizations and governments. You are free to remove them, and no, it's not hard. The BGP hijack was no different. Carriers that have their shit organized have their filters configured and would not participate in the hijack.
Cut China off (Score:2)
Re: (Score:2)
It wouldn't net a China-cutoff. It would be a net-split.
Re: (Score:2)
married with a Chinese
Yeah, I'm sure she's real proud of the high regard you hold her in, referring to her in such a manner. Do you fondly refer to her in casual conversation as "my slant-eyed sweetie"?
Also, you're French, your whole country hates us, so I'm supposed to listen to you why?
By the way, how are those rapant human rights violations sitting with you, friend? You're living there and married to someone of Chinese ancestry, you might just be as OK with those as you apparently are with every other crappy thing that the Ch
8.8.8.8 (Score:2)
Agreed, I trust Google more than China (Score:2)
I've had so many DNS problems in Asia (not China) and 8.8.8.8 solved them all. It was such a problem while I was there that I'd log into any default password routers in the hotels I stayed at and change their configs to that.
On top of that, since China is responsible for hacking Google earlier this year, Google will be taking special care to make sure their services will be protected from future attacks, and thus will likely fortify their DNS against root hijacking.