January 22, 2014 - China's DNS hijacking system - an updated report
In 2002, China started to use DNS hijacking technology to block web sites. Dynamic Internet Technology (DIT) released a report on October 2, 2002, to demonstrate how it works. We gain more insight into how China is using this technology throughout the years. On January 21, 2014, there was a large-scale Internet breakdown in China caused by this DNS hijacking system. It is a good time to release some of the additional information we have about the system.
What is DNS
DNS is a service that translates a domain name to an IP address. An IP address is what a computers use to find each other for further communication. DNS service is comparable to phone directory service to translate from human meaningful name to phone number. When a user uses a browser, say FireFox, to visit a web site, say http://www.epochtimes.com, FireFox will communicate with DNS servers to find out where is www.epochtimes.com (the IP address). Then, FireFox will communicate with www.epochtimes.com (the IP found) to display the web page.
What is DNS hijacking
When there is DNS hijacking for the websites that a user in China wants to visit, the user may encounter error messages or threatening messages from Chinese authorities, or the user may see the wrong website.
DNS hijacking happens when a rogue computer monitors the communications between a user and a DNS server, and replies with a wrong IP on behalf of the real DNS server. The process is similar to the movie "Ocean's 11" where thieves controlled the phone system of a Casino. When the Casino called for emergency service, a thief picked up the phone and sent the whole team of thieves into the vault of the Casino.
This kind of attack requires that the attacker be able to monitor all traffic of targeted users and needs the CPU resources to process all the data. This scenario is described in many security books for small company networks. But this kind of attack never happen in ISP level. ISP network is more complicated and does not have a single point to monitor all traffic.
Demonstrating DNS hijacking at home
The impact of China's Internet breakdown on January 21, 2014 is mostly over, but the DNS hijacking system is still in operation. One can still uses the websites it targets to get a taste of what was happening at during the breakdown.
In 2002, DIT listed about a dozen domains that were hijacked. Today, seven of them are still hijacked. They are:
www.renminbao.com
www.bignews.org
www.minghui.org
www.kanzhongguo.com
www.peacehall.com
www.epochtimes.com
www.tibet.net
If you have access to a computer in China. On linux, from a console, type this command:
host -t A epochtimes.com.dwlc 8.8.8.1
One will get reply of an IP like this:
epochtimes.com.dwlc has address 203.98.7.65
This IP has to be wrong because:
1) 8.8.8.1 is not an DNS server. Try the same thing from a U.S. computer, there will be timeout error.
2) epochtimes.com.dwlc is not a valid domain. A DNS server should reply "not found" instead of an IP. This reply has to be from DNS hijacking engine of the Great Firewall.
On Windows, the command to run from cmd.exe is:
nslookup epochtimes.com.dwlc 8.8.8.1
A short list of IPs are used by the engine. Here is what we collected:
159.106.121.75
203.98.7.65
243.185.187.39
37.61.54.158
46.82.174.68
59.24.3.173
78.16.49.15
8.7.198.45
93.46.8.89
This list has been changing slowly, and sometimes varies from ISP to ISP.
The above test also exposed one weakness of the system. It will match for substring "epochtimes.com". Without "epochtimes.com," there won't be such reply. Domain contains epochtimes.com will be hijacked as well, like epochtimes.com.cn.
If this DNS hijacking engine blacklists a blank string, all domains will be hijacked. This is what happened on January 21, 2014.
It is understandable that a blank line at the end of some text is hard to recognize.
Demonstrating DNS hijacking at US home
On a Linux computer in US, try:
host -t A epochtimes.com.dwlc 163.com
163.com is a web site in China. It is not a DNS server. Moreover, epochtimes.com.dwlc does not exist. But the above command will receive DNS reply like:
epochtimes.com.dwlc has address 203.98.7.65
This happens because of another defect of the the DNS hijacking engine. It cannot tell if the DNS query is going out of China or into China. It is monitoring all traffic in and out of China, and replies with the wrong IP when the blacklisted domains are matched. This “feature” makes it possible to research the DNS hijacking engine from location outside of China.
Deployment of the DNS hijacking engine
Since all the targeted domains are located outside of China, the most efficient location to deploy the system is close to an international gateway and to monitor all the traffic going in and out of China.
As of December 2013, CNNIC reported more than 3400Gbps with year growth of 79.3 percent. To monitor this rapidly growing traffic for the purpose of DNS hijacking, they system has to keep upgrading with more servers and newer CPUs.
On January 21, 2014, when all domain names were pointed to a Freegate IP, only this DNS hijacking engine has sufficient resources located at a strategical location to be able to do it. No hacker can possibly deploy and control resources to manipulate 3400Gbps traffic accurately only to target the DNS related communications.
More details about the 21st incident
Lots of information was posted around the Web about that IP used to map all domains. This plethora of information is a result of different level of ownership of IP resources. This IP is used by DIT operating FreeGate related service. It was not running any Web server when the incident happened. We tried to run website on it after we learned of the incident, but we were unable to deliver any webpages since all replies were blocked from entering China.
FAQ about user experience
After the incident is over, why are many users still experience problem when visiting websites?
This is the result of DNS cache. DNS servers in China saved the wrong translation results. Because of the cache, users will be sent to the wrong IP until the cache is cleared.
I use Google's oversea DNS server 8.8.8.8. How come I am affected as well?
DNS hijacking affects all DNS queries going in and out of China. In China, you can always verify DNS hijacking by doing "nslookup epochtimes.com 8.8.8.8" on Windows computer. This reply of wrong IP does not need hacking of Google’s 8.8.8.8 server.
Why were .cn domains not affected?
Because .cn domains are resolved inside China. The process will not hit the DNS hijacking engine located near an international gateway.
Why did no ISP give an official explanation?
The Chinese government put the DNS hijacking engine into each ISP's facility. The Chinese government never acknowledges the existence of its Great Firewall, not to mention the DNS hijacking engine. No ISP dares to confirm the existence of this DNS hijacking engine.