Poisoning the Well: Exploring the Great Firewall's Poisoned DNS Responses

Oliver Farnan, Alexander Darer and Joss Wright. Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society.
One of the primary filtering methods that the Great Firewall of China (GFW) relies on is poisoning DNS responses for certain domains. When a DNS request is poisoned by the GFW, multiple DNS responses are received - both legitimate and poisoned responses. While most prior research into the GFW focuses on the poisoned responses, ours also considers the legitimate responses from the DNS servers themselves. We find that even when we ignored the immediate poisoned responses, the cache from the DNS… 

Triplet Censors: Demystifying Great Firewall's DNS Censorship Behavior

This work analyzes the DNS injection behavior of the Great Firewall of China over a period of nine months using the Alexa top 1M domains as a test list and observes a sharp decline in public IPs injected by the GFW in November 2019.

Analysing Censorship Circumvention with VPNs Via DNS Cache Snooping

This work uses DNS cache snooping to determine what domains people are accessing through VPNs, and provides a technique for discovering the frequency with which domain records are accessed on a DNS server.

How Great is the Great Firewall? Measuring China's DNS Censorship

GFWatch is introduced, a large-scale, longitudinal measurement platform capable of testing hundreds of millions of domains daily, enabling continuous monitoring of the GFW’s DNS filtering behavior, and strategies to detect poisoned responses that can sanitize poisoned DNS records from the cache of public DNS resolvers are proposed.

K-resolver: Towards Decentralizing Encrypted DNS Resolution

K-resolver is proposed, a DNS resolution mechanism that disperses DNS queries across multiple DoH resolvers, reducing the amount of information about a user's browsing activity exposed to each individual resolver.

SFDS: A Self-Feedback Detection System for DNS Hijacking Based on Multi-Protocol Cross Validation

It is shown that, in a real-world deployment over two weeks, SFDS can find almost 1300 correct (Domain, IP) tuples for one domain on average per day, and that SFDS is effective, with an accuracy of approximately 100% in the authors' experiments.

Rusty clusters?: dusting an IPv6 research foundation

This paper shows that the existing hitlist is highly impacted by the Great Firewall of China, and it offers a cleaned view on the development of responsive addresses, and evaluates different new address candidate sources, including target generation algorithms to improve the coverage of the current IPv6 Hitlist.

Global Measurement of DNS Manipulation

Iris, a scalable, accurate, and ethical method to measure global manipulation of DNS resolutions, is developed, which reveals widespread DNS manipulation of many domain names.

Many Roads Lead To Rome: How Packet Headers Influence DNS Censorship Measurement

Internet censorship is widespread, impacting citizens of hundreds of countries around the world. Recent work has developed techniques that can perform widespread, longitudinal measurements of global

Assessing the Privacy Benefits of Domain Name Encryption

This paper assesses the privacy benefits of DNS over HTTPS/TLS and Encrypted SNI by considering the relationship between hostnames and IP addresses, and quantifies the privacy gain offered by ESNI using two different metrics: the k-anonymity degree due to co-hosting and the dynamics of IP address changes.

Domain name encryption is not enough: privacy leakage via IP-based website fingerprinting

This paper introduces an IP-based website fingerprinting technique that allows a network-level observer to identify at scale the website a user visits, and discusses strategies for website owners and hosting providers towards hindering IP-based website fingerprinting and maximizing the privacy benefits offered by DoT/DoH and ECH.

Towards a Comprehensive Picture of the Great Firewall's DNS Censorship

Computer Science, 2014
This work comprehensively examined the structure of the DNS injector, using queries from both within and outside China, to extract the firewall’s DNS blacklist of approximately 15,000 keywords and estimate the cluster structure and active response rate.

The collateral damage of internet censorship by DNS injection

It is found that most collateral damage arises from resolvers querying TLD name servers whose transit passes through China, rather than from effects due to root servers (F, I, J) located in China.

Ignoring the Great Firewall of China

The so-called “Great Firewall of China” operates, in part, by inspecting TCP packets for keywords that are to be blocked, but if the endpoints completely ignore the firewall's resets, then the connection will proceed unhindered.

Passive DNS Replication

This paper presents a technology, called passive DNS replication, to obtain domain name system data from production networks, and store it in a database for later reference.

ConceptDoppler: a weather tracker for internet censorship

ConceptDoppler, an architecture for maintaining a censorship “weather report” about what keywords are filtered over time is proposed, and it is shown that LSA can effectively pare down a corpus of text and cluster filtered keywords for efficient probing.

The Great DNS Wall of China

Internet freedom advocacy sites [1] have studied and documented these censorship practices, enumerating the techniques employed by the censoring bodies. For example, censors block the IP addresses of

Internet Censorship in China: Where Does the Filtering Occur?

This work explores the AS-level topology of China's network, and probes the firewall to find the locations of filtering devices, finding that even though most filtering occurs in border ASes, choke points also exist in many provincial networks.

Regional variation in Chinese internet filtering

This article investigates variation in filtering across China through direct access to internet services across the country, using the Domain Name Service, which provides a mapping between human-readable names and machine-routable internet addresses and is thus a critical component of internet-based communications.

How Censorship in China Allows Government Criticism But Silences Collective Expression

We offer the first large scale, multiple source analysis of the outcome of what may be the most extensive effort to selectively censor human expression ever implemented. To do this, we have devised a

Odd Behaviour on One Node in I root-server, 2010. https://lists.dns-oarc.net/pipermail/dns-operations