Poisoning the Well: Exploring the Great Firewall's Poisoned DNS Responses

@article{Farnan2016PoisoningTW,
  title={Poisoning the Well: Exploring the Great Firewall's Poisoned DNS Responses},
  author={Oliver Farnan and Alexander Darer and Joss Wright},
  journal={Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society},
  year={2016}
}
One of the primary filtering methods that the Great Firewall of China (GFW) relies on is poisoning DNS responses for certain domains. When a DNS request is poisoned by the GFW, multiple DNS responses are received - both legitimate and poisoned responses. While most prior research into the GFW focuses on the poisoned responses, ours also considers the legitimate responses from the DNS servers themselves. We find that even when we ignored the immediate poisoned responses, the cache from the DNS…
Triplet Censors: Demystifying Great Firewall's DNS Censorship Behavior
TLDR
This work analyzes the DNS injection behavior of the Great Firewall of China over a period of nine months using the Alexa top 1M domains as a test list and observes a sharp decline in public IPs injected by the GFW in November 2019.
Analysing Censorship Circumvention with VPNs Via DNS Cache Snooping
TLDR
This work uses DNS cache snooping to determine what domains people are accessing through VPNs, and provides a technique for discovering the frequency with which domain records are accessed on a DNS server.
How Great is the Great Firewall? Measuring China's DNS Censorship
TLDR
GFWatch is introduced, a large-scale, longitudinal measurement platform capable of testing hundreds of millions of domains daily, enabling continuous monitoring of the GFW’s DNS filtering behavior, and strategies to detect poisoned responses that can sanitize poisoned DNS records from the cache of public DNS resolvers are proposed.
K-resolver: Towards Decentralizing Encrypted DNS Resolution
TLDR
K-resolver is proposed, a DNS resolution mechanism that disperses DNS queries across multiple DoH resolvers, reducing the amount of information about a user's browsing activity exposed to each individual resolver.
SFDS: A Self-Feedback Detection System for DNS Hijacking Based on Multi-Protocol Cross Validation
TLDR
It is shown that, in real circumstances over two weeks, SFDS can find almost 1300 correct (Domain, IP) tuples for one domain on average in one day, and that SFDS is effective, with an accuracy of approximately 100% in the authors' experiments.
Global Measurement of DNS Manipulation
TLDR
Iris, a scalable, accurate, and ethical method to measure global manipulation of DNS resolutions, is developed, which reveals widespread DNS manipulation of many domain names.
The web is still small after more than a decade
TLDR
An empirical study to revisit web co-location using datasets collected from active DNS measurements shows that the web is still small and centralized to a handful of hosting providers, and analyses of popular block lists indicate that IP-based blocking does not cause severe collateral damage as previously thought.
Methods and Systems for Understanding Large-Scale Internet Threats
Author(s): Pearce, Paul | Advisor(s): Paxson, Vern | Abstract: Large-scale Internet attacks are pervasive. A broad spectrum of actors from organized gangs of criminals to nation-states exploit the…
Measuring I2P Censorship at a Global Scale
TLDR
This paper presents an opportunistic censorship measurement infrastructure built on top of a network of distributed VPN servers run by volunteers, which was used to measure the extent to which the I2P anonymity network is blocked around the world.
Automated Discovery of Internet Censorship by Web Crawling
TLDR
A new approach for discovering filtered domains in different target countries is presented that is fully automated and requires no human interaction, and a dataset mapping the interlinking nature of blocked content between domains is built to exhibit the tightly networked nature of censored web resources.

References

SHOWING 1-10 OF 18 REFERENCES
Towards a Comprehensive Picture of the Great Firewall's DNS Censorship
  • Computer Science
  • FOCI
  • 2014
TLDR
This work comprehensively examined the structure of the DNS injector, using queries from both within and outside China, to extract the firewall’s DNS blacklist of approximately 15,000 keywords and estimate the cluster structure and active response rate.
The collateral damage of internet censorship by DNS injection
TLDR
It is found that most collateral damage arises from resolvers querying TLD name servers whose transit passes through China rather than effects due to root servers (F, I, J) located in China.
Ignoring the Great Firewall of China
TLDR
The so-called “Great Firewall of China” operates, in part, by inspecting TCP packets for keywords that are to be blocked, but if the endpoints completely ignore the firewall's resets, then the connection will proceed unhindered.
Passive DNS Replication
TLDR
This paper presents a technology, called passive DNS replication, to obtain domain name system data from production networks, and store it in a database for later reference.
ConceptDoppler: a weather tracker for internet censorship
TLDR
ConceptDoppler, an architecture for maintaining a censorship “weather report” about what keywords are filtered over time, is proposed, and it is shown that LSA can effectively pare down a corpus of text and cluster filtered keywords for efficient probing.
The Great DNS Wall of China
Internet freedom advocacy sites [1] have studied and documented these censorship practices, enumerating the techniques employed by the censoring bodies. For example, censors block the IP addresses of…
Internet Censorship in China: Where Does the Filtering Occur?
TLDR
This work explores the AS-level topology of China's network, and probes the firewall to find the locations of filtering devices, finding that even though most filtering occurs in border ASes, choke points also exist in many provincial networks.
Regional Variation in Chinese Internet Filtering
TLDR
This article investigates variation in filtering across China through direct access to internet services across the country through use of the Domain Name Service, which provides a mapping between human-readable names and machine-routable internet addresses, and is thus a critical component of internet-based communications.
How Censorship in China Allows Government Criticism But Silences Collective Expression
We offer the first large scale, multiple source analysis of the outcome of what may be the most extensive effort to selectively censor human expression ever implemented. To do this, we have devised a…
Odd Behaviour on One Node in I root-server, 2010. https://lists.dns-oarc.net/pipermail/dns-operations
  • 2010