Chinese Root Server Shut Down After DNS Problem
itwbennett writes "After a networking error first reported on Wednesday last week caused computers in Chile and the US to come under the control of a system that censors the Internet in China, the 'root DNS server associated with the networking problems has been disconnected from the Internet,' writes Robert McMillan. The server's operator, Netnod, has 'withdrawn route announcements' made by the server, according to company CEO Kurt Lindqvist."
The great firewall of China (Score:1)
For a moment, it stretched around the world. Or, at least to the Americas.
Even more reason (Score:2)
Re: (Score:2)
Can somebody explain what this all means? What does this root server do, who depends on this, what is the effect of disconnecting it, how will the rest of the world be affected by this?
Re: (Score:2)
I would. But I just finished watching an old Mitch Hedberg special. Now, everything I read, is in, the voice, of, Mitch Hedberg. Damn. Him.
Re: (Score:1)
I think if you concentrate very hard you could easily substitute Roy Mallard, for higher entertainment value.
Re: (Score:2)
I have a lower UID than you and I don't know what a root DNS server does. I do probably know way more physics, mathematics, and philosophy than you so can it. Especially if you're not going to explain.
Re: (Score:1)
Simply put, a root DNS server serves one or more root zones such as .com, .org, .cn, etc.
DNS is hierarchical. When you look up a hostname such as "www.google.com", your computer goes to a DNS server. If it happens to know the IP number for that hostname, it returns it. Otherwise, it asks a root server.
The root server, in turn, looks for "google.com" in a giant file (well, I think it's actually a database now) called a root zone and figures out which servers know how to return IP information for that doma
Re:Even more reason (Score:4, Informative)
One small correction:
When you ask the root servers (such as a.root-servers.net) for "what is IP for www.google.com", it will respond "go ask a.gtld-servers.net". (each domain has a different server, for instance www.google.co.uk will send you to ns1.nic.uk). Asking a.gtld-servers.net will respond "go ask ns1.google.com", which will then respond with the IP of the domain, which is your answer. The chain could go further if you had "some.very.long.string.of.dots.google.com" and if each one of those nested subdomains were delegated to another DNS server (and were not contained in the zone file for "google.com").
If the answer is already cached by the DNS server and it is still within the TTL, it will just respond with the IP.
This is how a DNS caching resolver does it; your workstation is going to be configured with one of these caching resolvers. When you ask a caching resolver, it will do all these things in the background on these servers, and just return the client the final answer
Re: (Score:2)
Right. Sorry, forgot that they stopped serving COM. That only changed a few years ago.
*does Google search*
Yikes. Ten years ago. I'm suddenly feeling very old. :-D
Re: (Score:2)
Next, your local DNS server (the one your computer asked) recursively asks ns1.google.com for the IP number of "www.google.com".
Please don't misuse "recursively" like this. It makes the rest of your otherwise intelligent post sound stupid. I think you meant "iteratively" rather than "recursively". A recursive DNS query goes like this: 1) You ask your local DNS, 2) Your local DNS asks another root (or possibly non-root) DNS, 3) the other DNS asks another 4) the "another" asks "another" 5) Finally, somewhere in the chain, it returns an answer "recursively" through the chain of requests from DNS server to another to you. Normally, DNS l
Re: (Score:2)
The request your DNS server sends to "ns1.google.com" may be iterative relative to the request to the root server, but it is still recursive relative to the original request. Thus, my original statement was completely correct. You just misread it.
Re: (Score:2)
Also, maybe in some mega ISPs or some insanely complex intranet environment, you might have a DNS server that queries something other than the root server, but I suspect you could count all such installations worldwide on one hand if you used base 2. In practice, the only servers that support recursion are client-facing servers at ISPs.
And the root servers never recurse. They didn't even recurse back in the mid 1990s when I was first learning this stuff. As best I could determine, the last root server ha
Re: (Score:1)
Re: (Score:2)
Yes, the OP should have RTFA, but your point is what, precisely?
Re: (Score:2)
That would be wonderful if you were on a "Philosophy news" website... /. is (or at least used-to-be) fairly tolerant of noobs with gaps in their knowledge, but if you don't have a decent background in tech, I don't see why you're here.
Re: (Score:2)
A root server serves the DNS queries for a global domain such as .com. How it works is when your computer asks for the addresses for slashdot.org, your ISP probably knows the address because someone else has asked; if not, your ISP asks the next higher level, which is more likely to know because the answer to more queries. Eventually it gets to the root server if the intermediate steps fail. As the answering server gets farther up, the longer it takes for you to get the answer. Each query answered has a TTL, t
Google Fights Back (Score:5, Funny)
It had to happen sooner or later...
Re: (Score:2)
So... "like a great many voices cried out in terror before being suddenly silenced."
But who is Alderaan here, exactly? Isn't China supposed to be The Empire, that just wants its Order? I thought GOOG was the eViL global empire awhile ago but now the rebels control the Death Star? This is all so very confusing.
Re: (Score:2)
"doesn't want to export rare earths, but loves to export lead and melamine"
Maybe it's time to try some reverse psychology. If we can somehow convince them that we need lead and melamine for our latest high-tech products, but would prefer they keep all that awful neodymium to themselves, I'm sure we can fix the imbalance.
Re: (Score:2)
So... "like a great many voices cried out in terror before being suddenly silenced."
But who is Alderaan here, exactly? Isn't China supposed to be The Empire, that just wants its Order? I thought GOOG was the eViL global empire awhile ago but now the rebels control the Death Star? This is all so very confusing.
It's confusing because you didn't make a car analogy.
Re: (Score:2)
Where is BadAnalogyGuy [slashdot.org] when you really need him?
route announcements? (Score:2)
Re: (Score:1)
Re:route announcements? (Score:5, Informative)
Here's a graph of the network structure as seen by BGP. [robtex.com]
AS29216 at the right is the AS which I.ROOT-SERVERS.NET is located in. As we can see, it is only reachable through AS8674 (NETNOD-IX).
Which in turn is reachable directly from a few different AS:es, including AS24151 (CNNIC-CRITICAL-AP).
My guess is that Netnod simply started filtering out the routes to AS29216 via AS8674 on the BGP session to AS24151.
The DNS server itself might have been using BGP, it might not have. But in the end every system on the Internet is reachable with some kind of BGP route somewhere.
Chinese tweets (Score:2)
The article includes a sample of Twitter tweets, all in Chinese. Unfortunately, just entering the Twitter search URL into Google translator doesn't seem to work, as the "Realtime results for Netnod" (http://twitter.com/search?q=Netnod [twitter.com]) are apparently served via JSON or something. Anyone got any ideas?
Re: (Score:1)
They're in Japanese, and all they're really saying is a summary of the article.
Re: (Score:2)
Heads should roll (Score:2, Insightful)
Who knows, in the few days that the Great Firewall of China crossed the Pacific, the kind of damage that could have been done, or perhaps even already been done?
This should never have been allowed to happen in the first place, and when it had, it shouldn't have been allowed to persist for a few days before being made public and taking action.
Re: (Score:2)
Lookups for things like 'www.facebook.com' were returning false answers. Youtube.com and others were affected too.
So if you got the bad answer from DNS (because you happened to query the Beijing root server), some of your favourite websites would be unreachable.
Re: (Score:2)
Dude, if you're that addicted, just hand edit your Hosts file for slashdot, Youtube and facebook or roll your own bind server.
Re: (Score:1, Funny)
Chillax, it's a firewall, not a deathray.
But it would be COOL if it were a death ray.
Re:Heads should roll (Score:4, Insightful)
This should never have been allowed to happen in the first place, and when it had, it shouldn't have been allowed to persist for a few days before being made public and taking action.
Well, I think this is unreasonably harsh. No one had ever seen the great firewall of China affect DNS traffic like this in the past. So no one (not even you) was suggesting that when they set up a root DNS server in Beijing, that it would effectively send out false answers.
Now, anyone who controls a part of the network you rely on can launch a man-in-the-middle attack, which is what happened here. So to suggest that this should never have been allowed to happen, you would have to be using strong cryptography in some way. DNS has never had that mechanism--but it will soon, 'cause DNSSEC is coming along. The root servers are deploying it right now, and so are the other top-level domains.
Also, as soon as the I-root server operators realized this problem was occurring, and was outside of their control, they disabled the server. Why do you think that they sat on this problem for a few days, doing nothing about it?
Re: (Score:2)
The Chinese should simply be cut off from the internet.
Anchor-drag their shit and pull up a couple hundred miles of fiber.
Then keep doing it as they repair stuff.
"Most favored" seems to be ineffective nowadays as far as holding their crap back. Maybe it's time to cut them off at their short little knees economically before their expansionist military catches up with their ability to make lead-laden rubber dog crap.
Re: (Score:1, Insightful)
I really don't understand where this china-hate is coming from. What did they ever do to you? Let's cut 1.3 billion people off the internet because someone IN ANOTHER COUNTRY WHO IS NOT CHINESE misconfigured a server. Yeah that makes total sense.
You're a fucking retard.
Re: (Score:1)
I think his point is that if China did not modify the responses in first place, this kind of problem would have had absolutely no negative consequences for users until being fixed (since all the servers should return consistent data). I don't hate China myself, but it isn't incorrect to resent those who are intentionally breaking the DNS rather than those who simply made a mistake (or ill-advised decision).
Re: (Score:2)
Re: (Score:2)
A better solution would be to just block that root server. If China doesn't want to play along nicely, well, they can turn into their own mega-LAN all they want.
In fact, I'd do one better: take ALL of their internet access outside of China offline for them - just flat out cut the connection so that their entire country is in the dark. No news, no information, no business, no nothing. Not even their government and military has any information (aside from maybe a modem or two or satellite news feeds I guess)
I
Re:Calling it now (Score:4, Funny)
Instead of Germany annexing countries to start a world war, we have China firewalling them? That'd just be an odd way to start a war... "Ha ha! Now you must go through our internet filter!"
Re: (Score:2)
I should a lot of people would be very upset by the lack of porn.
So I guess you could say... (Score:5, Funny)
They got to the "Root" of the problem.
[ducks]
Re: (Score:3)
Yes, but they had to...ahem...route around for a solution.
What happened? (Score:3, Interesting)
Re: (Score:1, Informative)
No, my understanding is that BGP is used to advertise the IP of the server - they removed the route advertisement to shut the server off from the Internet but BGP wasn't actually causing the problem or compromised.
It sounds like traffic OUT of the server was being modified in some way, I would doubt the data stored on the server had been modified as that probably flows over a secure connection but actual responses are public communications and the Chinese systems are likely filtering/modifying those so that
Re: (Score:2)
Re:What happened? (Score:5, Informative)
Your suggestion makes sense, but that's not what happened.
Something like this
I.root-servers.net (beijing) -> chinese networks -> Chile networks
So, the real I root server sent correct answers to the querying computer in Chile. But, as the DNS packet travelled across the Chinese network, it was modified, and so the packet received by the Chilean network was false, returning a fake IP address for some domains, like 'facebook.com'.
This is called a 'man-in-the-middle attack'. The Chinese network, in the middle, is modifying packets.
Once the I root server operators realized this was happening, they stopped the BGP route announcement from the I root server node in Beijing, so that queries to i.root-servers.net would not be answered in Beijing, but instead by the other i-root nodes. There are 34 currently, so no problems with load would occur shutting off one node.
Hopefully that makes sense.
P.S. www.root-servers.org [root-servers.org]
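Added example, not part of the original thread or any poster's code: a check for the symptom described in this thread, where a reply attributed to a root server carries an A record for a name such as www.facebook.com instead of a referral to the TLD servers. The packets are constructed sample data, 203.0.113.7 is a documentation address, and the function names are assumptions of this example; the check applies only to queries for names below a delegated TLD.

```python
import struct

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_reply(qname, a_answers=(), ns_referral=()):
    """Build a constructed DNS reply (sample data, not captured traffic)."""
    msg = struct.pack("!6H", 0x1234, 0x8000, 1, len(a_answers), len(ns_referral), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)      # question: type A, class IN
    for ip in a_answers:                                      # answer section: A records
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in ip.split("."))
    tld = encode_name(qname.rstrip(".").rsplit(".", 1)[-1])
    for ns in ns_referral:                                    # authority section: NS for the TLD
        rdata = encode_name(ns)
        msg += tld + struct.pack("!HHIH", 2, 1, 172800, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        if n == 0:                # the root label ends the name
            return off + 1
        off += 1 + n

def classify_root_reply(msg):
    """Classify a reply attributed to a root server for a name below a TLD."""
    _id, _flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):           # skip each question: name + type + class
        off = skip_name(msg, off) + 4
    addresses = []
    for _ in range(an):           # collect any IPv4 addresses in the answer section
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    if addresses:                 # a root server refers such names, it does not answer them
        return "suspect-answer", addresses
    return ("referral", []) if ns else ("other", [])

GENUINE = build_reply("www.facebook.com", ns_referral=["a.gtld-servers.net"])
FORGED = build_reply("www.facebook.com", a_answers=["203.0.113.7"])  # constructed address
```
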
Re: (Score:2)
Re: (Score:2)
so much for those in command whose culture values wisdom and patience.
Chinese culture values wisdom and patience the way Canadian culture values lacrosse. If you didn't know anything about what Canadians actually do, but just read the official literature, you'd think lacrosse was a big deal. It's our national sport! Officially.
If instead you behaved like a scientist, and looked at the empirical reality of what we do, you'd find this other game called hockey... And then there's this "curling" stuff...
If you look at actual Chinese history, including recent history, you'll
Re: (Score:2, Informative)
Actually, that does explain a lot of things - all through March I was having issues with Twitter on my Virgin connection yet I could ssh home to my Internode connection and twidge to my heart's content... I complained but they couldn't see a problem (they probably weren't using their own dns servers)
Re: (Score:2)
Thailand affected, too (Score:1)
My Internet connection in Thailand has had hundreds of 404s for well known sites this week. Waiting a few minutes or forcing a refresh seems to work 70% of the time.
Re: (Score:1)
It's the Chinese citizens who apparently don't have any rights. The government is doing whatever it wants.
From Thailand (also censored, though not as badly).
Re: (Score:1, Funny)
I blame American ISP's (Score:4, Insightful)
I blame American and Chile ISP's.
Why on earth would you query the root server on the other side of the world, especially in an ass backwards country like China when there are plenty of good servers here?
Shouldn't you query the closest available server, not the furthest?
Re:I blame American ISP's (Score:4, Insightful)
Basically, your ideas are right. The idea is to query the closest server, for best performance. DNS data is very small, so there's not much financial concern about transmitting data across the world (which happens all the time on the internet)
Anyway, the logical routing of the internet doesn't always match the physical world. This is routine, and not a problem until DNS traffic crosses the great firewall of China, and is modified, which is what happened here.
Since this, route announcements have changed, and the Beijing server is not being queried.
But you are also correct about ISPs. ISPs can control (if they are good) which root servers are going to be queried from their network.
My overall point is that everything was operating routinely and correctly, until a new kind of DNS problem, not observed in the wild ever before, started happening. It's hard to expect the ISPs to prevent a problem they never knew would occur.
Re: (Score:2)
A host is a host/From coast to coast/And no one will talk to a host that's close/unless the host (that isn't close)/is busy, hung, or dead!
(From the .signature file of one David Lesher...)
Re: (Score:2)
Re: (Score:2)