Chinese DNS Tampering a Real Threat To Outsiders
Trailrunner7 writes "China has long used the Internet's Domain Name Service to censor Web sites and information that the ruling Communist Party deems threatening. But now security experts warn that the government's censorship is in danger of spilling over China's borders, suppressing the ability of those living outside of China to find information online. An estimated 57% of all networks on Earth passed DNS requests through a Chinese DNS root server at some point in 2010, according to data from security firm Renesys. Tampering by the Communist Party there poses a danger to Internet security and freedom. In fact, DNS tampering may be a bigger threat than techniques like BGP (Border Gateway Protocol) hijacking, which is believed to be responsible for an unexpected shift in Internet routing in April that has recently been the subject of mainstream media reports in the US. There is already evidence that China's efforts to tamper with DNS have bled outside the country's borders. The same report to Congress from the US-China Economic and Security Review Commission that called attention to the BGP hijacking incident from April, 2010 also mentions a March, 2010 incident in which Internet users in the US and Chile attempted to connect to social networking websites banned by the Chinese government. However, their DNS requests were handled by a Beijing-based Domain Name Server, which responded with incorrect DNS information that directed the surfers to incorrect servers, the report says."
United States DNS Tampering a Realer Threat (Score:4, Informative)
The United States government has already stolen domain names without due process. They don't even have jurisdiction over some of them.
http://yro.slashdot.org/story/10/11/27/1910232/DHS-Seizes-75-Domain-Names
Re:We have a way to address this (at least, mostly (Score:5, Informative)
Since the Chinese control 3 of the root DNS servers, I bet they are given the root zone KSKs... and with them, you can spoof any record.
Re:US DNS Tampering a Real Threat To Outsiders (Score:2, Informative)
That was at the .com level, not at the . level. The US has not redirected .com somewhere else...
No. (Score:1, Informative)
The root zone is distributed already signed to everybody. It is signed using special hardware in the US. Look up the key signing ceremony to see the details.
Re:We have a way to address this (at least, mostly (Score:3, Informative)
Root servers point to top-level domains. com, net, org, cn, us, uk... these would all have their own keys. China would only have access to one of those. As pointed out by others, the roots are pre-signed and just passed around for mirroring.
This doesn't prevent China from doing various nuisance activities such as replying with unresolvable, bogus unsigned answers, or bogus answers with wrong signers. That said, you'd at least have some level of verification available that a DNSSEC signed answer is appropriate, and you could ignore anything but.
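The chain of trust the comments above describe, as an added example that is not part of the original thread: a validating resolver holds only the root public key, checks the pre-signed delegation down to the TLD key, and treats unsigned or wrongly signed answers as bogus. Assumptions: toy RSA built from known Mersenne primes stands in for real DNSSEC algorithms, the TLD key signs the record directly (real DNS has one more delegation level), and all names, keys and addresses are constructed.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key from two known primes (assumption: real zones use RSA/ECDSA keys)."""
    n = p * q
    return {"pub": (n, e), "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(text, n):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def sign(key, text):
    n, _ = key["pub"]
    return pow(_h(text, n), key["d"], n)

def verify(pub, text, sig):
    n, e = pub
    return sig is not None and pow(sig, e, n) == _h(text, n)

def key_tag(pub):
    """Stand-in for a DS digest: hash of the child zone's public key."""
    return hashlib.sha256(repr(pub).encode()).hexdigest()

def validate(resp, anchor):
    """Return 'secure' only if anchor -> DS -> zone key -> record all verify."""
    if not verify(anchor, "com DS " + resp["ds"], resp["ds_sig"]):
        return "bogus: DS not signed by root key"
    if key_tag(resp["dnskey"]) != resp["ds"]:
        return "bogus: wrong signer"
    if resp["rrsig"] is None:
        return "bogus: unsigned answer"
    if not verify(resp["dnskey"], resp["rrset"], resp["rrsig"]):
        return "bogus: bad signature"
    return "secure"

# Constructed keys and records (hypothetical names, documentation addresses).
ROOT = make_key(2**107 - 1, 2**127 - 1)   # private part never leaves the signer
COM = make_key(2**61 - 1, 2**89 - 1)
MIRROR = make_key(2**19 - 1, 2**31 - 1)   # the only key a tampering mirror holds

ds = key_tag(COM["pub"])
REAL, FAKE = "example.com A 192.0.2.10", "example.com A 203.0.113.66"
GOOD = {"ds": ds, "ds_sig": sign(ROOT, "com DS " + ds), "dnskey": COM["pub"],
        "rrset": REAL, "rrsig": sign(COM, REAL)}
UNSIGNED = dict(GOOD, rrset=FAKE, rrsig=None)
WRONG_SIGNER = dict(GOOD, rrset=FAKE, rrsig=sign(MIRROR, FAKE), dnskey=MIRROR["pub"])
FORGED_DS = dict(WRONG_SIGNER, ds=key_tag(MIRROR["pub"]))  # reuses the old ds_sig

for name in ("GOOD", "UNSIGNED", "WRONG_SIGNER", "FORGED_DS"):
    print(name, "->", validate(globals()[name], ROOT["pub"]))
```

A mirror that serves the signed root zone can copy `ds_sig` but cannot produce a new one, which is why every altered response fails at some step of `validate`.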