Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Government Networking Censorship Security The Internet Your Rights Online

Chinese DNS Tampering a Real Threat To Outsiders 181

Trailrunner7 writes "China has long used the Internet's Domain Name Service to censor Web sites and information that the ruling Communist Party deems threatening. But now security experts warn that the government's censorship is in danger of spilling over China's borders, suppressing the ability of those living outside of China to find information online. An estimated 57% of all networks on Earth passed DNS requests through a Chinese DNS rootserver at some point in 2010, according to data from security firm Renesys. Tampering by the Communist Party there poses a danger to Internet security and freedom. In fact, DNS tampering may be a bigger threat than techniques like BGP (Border Gateway Protocol) hijacking, which is believed to be responsible for an unexpected shift in Internet routing in April that has recently been the subject of mainstream media reports in the US. There is already evidence that China's efforts to tamper with DNS have bled outside the country's borders. The same report to Congress from the US-China Economic and Security Review Commission that called attention to the BGP hijacking incident from April, 2010 also mentions a March, 2010 incident in which Internet users in the US and Chile attempted to connect to social networking websites banned by the Chinese government. However, their DNS requests were handled by a Beijing-based Domain Name Server, which responded with incorrect DNS information that directed the surfers to incorrect servers, the report says."
This discussion has been archived. No new comments can be posted.

Chinese DNS Tampering a Real Threat To Outsiders

Comments Filter:
  • So, which is worse? (Score:1, Interesting)

    by Anonymous Coward

    So, is it better to have China fucking around with the internet, or the US?

    Quite frankly, I don't think either of them should be able to do it.

    Fuck the both of them.

    • NOO!!!

      I don't want some red china man stealing all my porn!
      They might start Blurring it on the fly!!!
      • by xnpu ( 963139 )

        Eh. Many porn sites were unblocked months ago and still are. I don't notice any blurring here.

  • ...DNS routes you! Oh, wait...
  • Comment removed based on user account deletion
    • by mcgrew ( 92797 ) *

      As he was US President for eight years, it's a certainty that he knows a LOT of stuff that we won't ever hear about.

      • by slick7 ( 1703596 )

        As he was US President for eight years, it's a certainty that he knows a LOT of stuff that we won't ever hear about.

        Wait until the next installment of WikiLeaks. There, fixed that for ya.

        • by mcgrew ( 92797 ) *

          I would guess that the information wikileaks gets compared to what is there is probably trivial.

          • by hitmark ( 640295 )

            Then comes the question about how much of that gets read by those in charge...

            Proverbial needle in haystack and all that...

  • Root servers? (Score:5, Insightful)

    by just_another_sean ( 919159 ) on Monday November 29, 2010 @01:15PM (#34376808) Journal

    I understand the need for mass replication of the DNS root servers and appreciate both the cultural and technical needs to spread them fairly evenly throughout the world but is it really necessary for China to replicate F, I and J at the root level? Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level? Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?

    • Yeah, why does anyone trust any root server located in China? (They can set up servers that claim to be root servers all they like, but that doesn't mean the rest of the root servers have to trust them, so why do they?)
      • Re: (Score:3, Insightful)

        by kindbud ( 90044 )

        Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.

        • DNSSEC *does* prevent against this man-in-the-middle attack, that's in fact its main feature.

          You say that a cache receiving the root glue (data about the root servers) has 'no way' to validate that the glue is legitimate. That's totally not true. There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.

          • by kindbud ( 90044 )

            There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.

            And how do you get the IP address of this SSL web server? You must look up the domain in DNS. SSL certificates are tied to the domain, not the IP address. If you must use a service you don't trust to get the crypto tokens that allow you to trust it, you cannot trust it.

        • ...has no way to validate that the glue is the legit...glue. And so they will become poisoned.

          Well, alcohol is a "poison" too, but I don't see you ranting about non-legit beer (Keystone, Natty, etc.)...

        • Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.

          So, you are saying that DNS ought to mean Do Not Sniff glue?

      • Re: (Score:3, Interesting)

        by xnpu ( 963139 )

        Because your ISP hired a lazy ass admin, that's why. Run your own DNS, remove the Chinese root servers from it. Problem solved.

    • Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level?

      I think it would. I wouldn't be surprised if China happens to hold some control over the network (if it exists much) in North Korea, and doing something like that might cause even more tensions in what is already a difficult situation.

    • Re: (Score:1, Interesting)

      by guruevi ( 827432 )

      Why should you trust the US with anything? China has so far not been tampering with the worldwide independent organization of either DNS or ICANN. Something the US can't really say anymore.

      It would be similar to saying, should we give control to Hitler, Stalin or Mussolini.

    • Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?

      NOOOOO! We must rebuild the entire interweb! Tiered service plans with CIA backdoors and automatic killswitches for stolen intellectual property!

      It's the ONLY WAY to stop the China from routing your traffic!

    • by Kamamura ( 235695 ) on Monday November 29, 2010 @01:27PM (#34377008)

      Since Chinese control 3 of the root DNS servers, I bet they are given the root zone KSKs.. and with them, you can spoof any record.

      • Not only that, but they intercept requests made to external DNSs as well - altering the results before arriving at your PC in China.
      • Why would they be given the keys? Surely they'd just be given the signed root zone file - it's not like it changes very often.
      • by Anonymous Coward

        Actually, no, the Root server operators do not need access to the private key used for key-signing. They only get a copy of the root zones, all signed ahead of time.

        DNSSEC would solve this from a mis-information stand-point. It doesn't stop it from a DoS attack (just not answering, or even answering with bogus DNSSEC replies, which the DNS resolver will discard, but the end result is that you don't get your query answered).

      • Re: (Score:3, Informative)

        by autocracy ( 192714 )

        Root servers point to top-level domains. com, net, org, cn, us, uk... these would all have their own keys. China would only have access to one of those. As pointed out by others, the roots are pre-signed and just passed around for mirroring.

        This doesn't prevent China from doing various nuisance activities such as replying with unresolvable, bogus unsigned answers, or bogus answers with wrong signers. That said, you'd at least have some level of verification available that a DNSSEC signed answer is appropria

      • by slick7 ( 1703596 )

        Since Chinese control 3 of the root DNS servers, I bet they are given the root zone KSKs.. and with them, you can spoof any record.

        Let me see...1.5 billion Chinese or the rest of the planet. Who would you not want to piss off?

  • Isn't this a more deserving target than the US? Oh wait, they would immediate assassinate you if you leaked any of their information. Better keep going after the guys who don't fight back.
    • by xnpu ( 963139 )

      Wikileaks is a government operation. China is well aware of that. Just like (if you did read Wikileaks) the US was well aware of China's attack on Google but chose not to tell anyone. China and US are on much better foot that you think, the theater is just for the populace.

  • And ? (Score:5, Insightful)

    by unity100 ( 970058 ) on Monday November 29, 2010 @01:16PM (#34376840) Homepage Journal
    u.s. just grabbed 12 domain names, on the whim of some private interests inside usa. not only that they dropped an 'for other purposes' clause, in the bill/whatever that is going to allow them to do more.

    'for other purposes'. you can even put 'daydreaming' in it, and legally grap domains that help people daydream.
    • Re: (Score:2, Interesting)

      by nbossett ( 1835098 )
      There's a difference between:
      having a legal fight over who owns abc.com
      and
      deliberately misleading people and pretending to be/own abc.com

      There can be abuses of either system, but rerouting traffic on the sly is potentially more dangerous to users than openly seizing a domain name.

      • difference ? chinese pretend to be abc com for their own aims, usa 'legally' grabs domains pretending to anyone worldwide, for their own aims. not to mention that, it makes the law that legalizes it.
      • This case wasn't about one site pretending to be another. These were domain names allegedly used in copyright infringement activities. Domains used by others for typo-squatting is usually done through the courts system quite successfully.

  • by Anonymous Coward on Monday November 29, 2010 @01:17PM (#34376854)

    The United States government has already stolen domain names without due process. They don't even have jurisdiction over some of them.

    http://yro.slashdot.org/story/10/11/27/1910232/DHS-Seizes-75-Domain-Names [slashdot.org]

    • They have jurisdiction over all of those, actually. Not necessarily the server/data, but certainly the .com and .net domains.
  • peter's wolf... (Score:3, Interesting)

    by X0563511 ( 793323 ) on Monday November 29, 2010 @01:18PM (#34376870) Homepage Journal

    At what point are we going to get sick enough of this garbage to just completely segregate China from the rest of the internet?

    • Who is "we"?

      You're speaking on behalf of a western nation I assume?
      • No, I'm speaking on behalf of everyone that isn't China.

        You should read what I wrote, not the words that you assume are between the lines.

    • Well that would cetainly deter them from hacking our computers and stealing state and industrial secrets.
  • by Anonymous Coward

    China almost looks free compared to the nazi regime USA is trying to have on the web, randomly yanking dominas(70+ recently) because american business interests were supposedly suffering. ..

  • Why do we have it then? AFAIK root zone was signed in May, so just don't send those super secret root zone KSKs to red commies and every validating resolver is safe!

    Hooray for advanced protocol beating the red threat back!

    • If China has the legitimate* right to host three replicas of the root servers they would need the KSKs, no?

      Which in my mind would lead to more potential for abuse as even the technical among us think "It's OK, I'm using DNSSEC!".

      * which according TFA they do now...

  • So do we need a new way of describing DNS servers ?
    We also probably also need a new way of describing DNS entries so you can tell the difference between an actual DNS for a site and a DNS for an edge caching site.

    • by ADRA ( 37398 )

      How? How many clients will actually work their way up the chain to resolve against the hosted DNS server? That makes any initial engagement with raw (or cache expired) domains much slower. For a web site that is a looking for drive by service, this would be less appealing than say going to a Google derived alternative which is always well buried in cache. If you really want is a way of verifying that the upstream data source isn't tampered with, and I'm sorry but that's not going to happen, at least not on

    • DNSSEC. If the root-zone keys are distributed through an independent channel (ie. downloaded from ICANN and loaded into the local resolver/server software configuration), then even running a root DNS server won't let you forge responses for any part of the DNS tree you don't actually control (ie. have the private keys to generate new signatures for).

  • ... I use the fantastic, free OpenDNS, and I have set resolv.conf to ns1.opendns.ch and ns2.opendns.ch years ago... crap! John, tear the wire from the wall, fast!

    • No, you are not safe. It is trivial for someone between you and ns*.opendns.ch to intercept the DNS response and modify it.

      Only DNSSEC can save you here.

      • by Thinine ( 869482 )
        Actually, OpenDNS is supporting a DNSSEC alternative, DNSCurve, which gives many of the same benefits, including the preventions of MitM attacks.
        • DNSCurve [dnscurve.org] looks pretty sweet; especially how it encrypts packets, instead of just signing them (like DNSSEC). Hiding the query and response seems very useful to avoid prying eyes.

  • Just this past week the US government seized 75+ domains without any notice. Is this any different?
    • by Antisyzygy ( 1495469 ) on Monday November 29, 2010 @01:32PM (#34377064)
      Its quite a bit different. China is attempting to control the internet, most likely for use as propaganda and as leverage in a cyber conflict. The DHS is being used by special interest groups to enforce IP law.
      • Okay - then which is worse?

        I mean I am not condoning everything the Chinese do but nationalism isn't always a bad thing and there wouldn't BE a cyber conflict without the US. Essentially what you've got is 1 country attacking another country and you've got 1 country attacking it's own citizens. Which is which and which is worse?

        • by Antisyzygy ( 1495469 ) on Monday November 29, 2010 @02:01PM (#34377456)
          Both are bad, but neither excuses the other.
          • by yuhong ( 1378501 )

            And the US is just trying to suppress illegal content, while China is actually trying to censor criticism. The latter is IMO much worse.

            • Re: (Score:3, Funny)

              by 0123456 ( 636235 )

              And the US is just trying to suppress illegal content, while China is actually trying to censor criticism. The latter is IMO much worse.

              But, uh, criticisim _is_ 'illegal content' in China.

              • Touche.

                I think the term "illegal" isn't the right one to use. Which one is more immoral is probably more accurate.

                One country is revoking DNS service for a relatively small list of sites when its investigations show these sites violate that nation's (and in some cases international) trade or copyright laws. These sites are shut down without due process or prior notification. There is fear that if unchecked, this power could be extended to remove ideas that are unwelcome to those in control of these mecha

                • I did actually read your whole post. Either way you swing it its the rich/powerful controlling the lesser classes. In China, the higher-ups in the party want to control the workers otherwise they lose their status and benefits. In China, I would bet career politicians have opulent lifestyles far surpassing the average worker. Here in the US you have huge disparities in wealth whereby 10 percent of the population controls 70 percent of the wealth. Furthermore, In the US you have career politicians that get h
                  • by TheLink ( 130905 )
                    Opulent lifestyles maybe, but there seems to be a bit more accountability in China.

                    Many top Chinese officials have been executed for corruption. Just google for: chinese official executed

                    In my opinion being executed is about as accountable as it gets. And certainly a lot more scary than being paid off with a golden parachute/handshake, or getting bailed out.

                    Someone might claim the executions are faked, but they (and their family) must be pretty good actors given their responses to the verdict. And even if s
            • "Illegal" is a word whose meaning is quite relative. It also leads to discussion about whether or not a law is just even if the law itself is plain. Enforcing a "whites only" bathroom law might be an easy to appreciate law that is unjust. Many people hold that copyright law in the U.S. is unjust and I certainly support that. (I wouldn't download stuff nearly as much if content from 14 years ago actually went into the public domain -- I'd be busy being all retro in my downloads) But that's not how it is

      • IMHO a fine example of the difference between communism and fascism.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      That was as the .com level not at the . level. The US has not redirected .com somewhere else....

  • Mod server down (Score:4, Interesting)

    by jbeaupre ( 752124 ) on Monday November 29, 2010 @01:28PM (#34377026)

    If only you could mod servers up or down, giving them some sort of reputation history. The your OS could determine a trusted anchor based on a server's "karma" and your requirements*. A system parallel to DNSSEC for apportioning, updating, and validating trust.

    * yeah, I'm borrowing Slashdot terminology. But what the heck, it kind of works.

    • * yeah, I'm borrowing Slashdot terminology. But what the heck, it kind of works.

      No. I saw your comment.

    • If only you could mod servers up or down, giving them some sort of reputation history. The your OS could determine a trusted anchor based on a server's "karma" and your requirements*. A system parallel to DNSSEC for apportioning, updating, and validating trust.

      Doesn't china have like, 1.2 billion people? If all the people in china mod up the Chinese DNS servers, and a the people in the US mod them down, I'm pretty sure they will still have a pretty good score...
  • I know of folks working currently on secure BGP. I would imagine that's part of the solution.

    • by xnpu ( 963139 )

      BGP knows filters and communities. It's just that those need to be setup by admins, which often don't feel like doing the work and will tell you it's too complex to deal with such a large dynamic network as their.

  • by MRe_nl ( 306212 ) on Monday November 29, 2010 @01:36PM (#34377112)

    (tl;dr version)
    Big Threat Internet Security
    China censor Web sites and information ruling Communist Party threatening security experts warn government's censorship danger spilling China's suppressing China Chinese Tampering Communist Party danger security and freedom tampering bigger threat hijacking unexpected China's tamper bled
    U.S.-China Economic and Security Review Commission hijacking incident incident.

    (And when I count to three you will awaken and be VERY AFRAID).

  • To Comcast?

    http://news.cnet.com/8301-1023_3-20023949-93.html [cnet.com]


    Because I can damn well tell you that spilled over into other New England area networks, including the SAVVIS and Cogent networks in Boston area. Comcast says their DNS system failed, so how the fuck does a DNS attack knock out all the peering/routing/IP transport up there?

    That whole thing smells bad, and I wonder if anyone knows the truth about wtf happened.
  • Wouldn't whitelisting known good IPs of frequent internet destinations within your hosts.conf (or equivalent) file provide at least moderate protection against IP hijacking?
  • ..for providing the technology that makes it possible to censor, track, and imprison.
    • by xnpu ( 963139 )

      Thanks to the American people for allowing their government and corporations to participate in these deals. Did you call your ISP and complain about their use of a company that actively participates in subjecting over a billion people to heavy censorship? I didn't think so.

  • In the USA, DNS needs to be woven into the first amendment as one of those things the government shall not fuck with, but I doubt the Roberts court will see it that way.
  • Someone's already said this too, but it seems obvious. Don't trust the Politburo. Simple. Don't trust a root server run by the Politburo. Then implement DNSSec. :)

    • by xnpu ( 963139 )

      De-root is a useless measure. You don't trust China, someone else doesn't trust some other country hosting a root. DNSSec is the only acceptable solution currently available.

      Also it's a little naive to think that Chinese cyberspace ends at it's physical borders. China's telco's have controlling stakes in many foreign communications companies as well. Not to mention lots of western ISP's are installing Huawai equipment, etc, etc.

  • Tell me, why is it still possible for private parties to change things like this on a whim?
    There needs to be a system where if the domain record returned from a dns server differs from the ones returned by say 4 others is different, it is discarded and the record returned by the 4 dns servers is used.
    • by 0123456 ( 636235 )

      Tell me, why is it still possible for private parties to change things like this on a whim?

      Uh, this isn't a 'private party', it's the Chinese government. DNS generally worked fine when it was controlled by 'private parties' and governments weren't meddling with it.

    • by xnpu ( 963139 )

      Nice idea, but this doesn't help one bit if the censorship is done close to home. E.g. on "my" network I intercept DNS and have my name server send the reply. It doesn't matter if the users are talking to Google DNS, OpenDNS or some other service, it's always my DNS server that replies. DNS is extremely easy to intercept and spoof.

  • Since when are you obligated to use the Chinese root servers? And have you heard of DNSSEC? This is really just an issue of lazy admins. Same story with the root SSL certificates browsers ship with that include a lot of questionable organizations and governments. You are free to remove them, and no, it's not hard. The BGP hijack was no different. Carriers that have their shit organized have their filters configured and would not participate in the hijack.

  • If you were found to be tampering with DNS, at the very least you'd have your internet service cut off, at worst you'd be arrested. The equivalent of "arresting" China would be called "World War III" and that's not going to happen (yet). We can, however, cut them off from the rest of the internet, can't we? Why haven't we? They refuse to behave, they don't own the internet (nobody does and everybody does, really), they don't have the right to do this. Cut them off until they learn to behave. Besides, to hea
    • by xnpu ( 963139 )

      It wouldn't net a China-cutoff. It would be a net-split.

  • Easy to remember
    • I've had so many DNS problems in Asia (not China) and 8.8.8.8 solved them all. It was such a problem while I was there that I'd log into any default password routers in the hotels I stayed at and change their configs to that.

      On top of that, since China is responsible for hacking Google earlier this year, Google will be taking special care to make sure their services will be protected from future attacks, and thus will likely fortify their DNS against root hijacking.

White dwarf seeks red giant for binary relationship.

Working...