Measurement of Globally Visible DNS Injection

Domain Name System (DNS) injection is a censorship method for blocking access to blacklisted domain names. The method uses deep packet inspection on all DNS queries passing through the network and injects spoofed responses. Compared with other blocking mechanisms, DNS injection impacts uninvolved third-parties if their traffic is routed through a censored network. In this paper, we look for large deployments of DNS injection, measured from vantage points outside of the censored networks. DNS injection is known to be used in China since it leaked unintentionally into foreign networks. We find that DNS injection is also used in Iran and can be observed by sending DNS queries to Iranian networks. In mid 2013, the Iranian DNS filter was temporarily suspended for some names, which correlated with media coverage of political debates in Iran about blocking social media. Spoofed responses from China and Iran can be detected passively by the IP address returned. We propose an algorithm to obtain these addresses remotely. After testing 255 002 open resolvers outside of China, we determined that 6% are potentially affected by Chinese DNS injection when querying top-level domains outside of China. This is essentially the result of one top-level domain name server for which an anycast instance is hosted in China.




License Holder:

© 2014 IEEE

Use and reproduction:
All rights reserved