Home / Blogs

The Extent of DNS Services Being Blocked in China

Brenden Kuerbis

The most recent episode of The Ask Mr. DNS Podcast offers up some disturbing corroborating evidence as to the extent of DNS filtering and outright blocking occurring in China. VeriSign's Matt Larson and InfoBlox's Cricket Liu, who co-host the geeky yet engaging and extremely informative show, held a roundtable discussion including technical experts from dynamic name service providers (better known as "managed DNS" services) DynDNS, TZO, No-IP, and DotQuad, as well as Google and Comcast.

After recalling the recent episode where queries to Net Nod's instance of the i root were intercepted and tampered with resulting in incorrect responses being returned inside and outside of China for facebook.com and other websites, Larson posed the question whether others were having similar experiences. (NB: Net Nod's i-root server instance in Beijing is still shut down, as their CEO has apparently stated it is not possible to offer authoritative root service in China) Unfortunately, several of the managed DNS services providers answered affirmatively.

Listen to the segment (discussion starts at 21:23)

TZO's CTO, Eric McIntyre, stated how their dynamic DNS service devices they sell in partnership with equipment manufactures like Cisco and HP would not resolve in China due to blocking. Rather than block specific domains that may be hosting objectionable content, blocking is occurring in wholesale manner, making it impossible for TZO to offer DNS resolution services in China. DynDNS and No-IP acknowledged their services were blocked as well. DynDNS CEO Jeremy Hitchcock lamented that any domain should be globally reachable, but that this was not the case in China and that DynDNS had been blocked there for years. Interestingly, both McIntyre and Hitchcock said that other services they offer do work in China, highlighting China's focus on DNS resolution services.

Showing the growing scope and transborder implications of the problem, Google's Thomas Stromberg, developer of the supercool Namebench tool that allows a user to investigate DNS queries and responses, said he has seen spurious DNS query results in numerous locations. He noted that in Malaysia (where, as of 2007, the government has promised Internet companies it would not censor the Internet), he observed a secondary nameserver giving errant DNS responses for popular websites. The nameserver happened to be located in China.

All in all, the discussion provided much needed detail about the arbitrariness with which DNS filtering and blocking is implemented. Such openness and information from the technical community is crucial. Particularly as the pressure mounts in various camps to challenge countries in forums like the WTO for failure to meet their trade obligations.

By Brenden Kuerbis, Fellow in Internet Security Governance, Citizen Lab, Univ of Toronto. Kuerbis is also a contributor to the Internet Governance Project blog.

Related topics: Censorship, DNS, DNS Security, Internet Governance, Policy & Regulation, Security, Web

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Why We Decided to Stop Offering Free Accounts

Internet Business Council for Africa Participates at the EU-Africa 2014 Business Forum, Brussels

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Dyn Acquires Managed DNS Provider Nettica

DotConnectAfrica Statement Regarding NTIA's Intent to Transition Key Internet Domain Name Function

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Afilias Joins Internet Technical Leaders in Welcoming IANA Globalization Progress

Join dotMobi at World Hosting Days 2014, April 1 - 3

Why Managed DNS Means Secure DNS

2013: A Year in Review, End of Year Message from DotConnectAfrica

SPECIAL: Updates from the ICANN Meetings in Buenos Aires

Social Networks Likely to Lose Grip on Brand/Consumer Conversations in Wake of New "Dot Brand" TLDs

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

DotConnectAfrica Attends Transform Africa 2013 Summit in Rwanda

dotMobi and Verio Introduce goMobi Mobile Website Solution in Europe

Motivated to Solve Problems at Verisign

DCA Trust Raises Ethical Questions, Writes to Newly Elected African Union Leaders on .africa Debacle

Sponsored Topics