Home / Blogs

The Extent of DNS Services Being Blocked in China

Brenden Kuerbis

The most recent episode of The Ask Mr. DNS Podcast offers up some disturbing corroborating evidence as to the extent of DNS filtering and outright blocking occurring in China. VeriSign's Matt Larson and InfoBlox's Cricket Liu, who co-host the geeky yet engaging and extremely informative show, held a roundtable discussion including technical experts from dynamic name service providers (better known as "managed DNS" services) DynDNS, TZO, No-IP, and DotQuad, as well as Google and Comcast.

After recalling the recent episode where queries to Net Nod's instance of the i root were intercepted and tampered with resulting in incorrect responses being returned inside and outside of China for facebook.com and other websites, Larson posed the question whether others were having similar experiences. (NB: Net Nod's i-root server instance in Beijing is still shut down, as their CEO has apparently stated it is not possible to offer authoritative root service in China) Unfortunately, several of the managed DNS services providers answered affirmatively.

Listen to the segment (discussion starts at 21:23)

TZO's CTO, Eric McIntyre, stated how their dynamic DNS service devices they sell in partnership with equipment manufactures like Cisco and HP would not resolve in China due to blocking. Rather than block specific domains that may be hosting objectionable content, blocking is occurring in wholesale manner, making it impossible for TZO to offer DNS resolution services in China. DynDNS and No-IP acknowledged their services were blocked as well. DynDNS CEO Jeremy Hitchcock lamented that any domain should be globally reachable, but that this was not the case in China and that DynDNS had been blocked there for years. Interestingly, both McIntyre and Hitchcock said that other services they offer do work in China, highlighting China's focus on DNS resolution services.

Showing the growing scope and transborder implications of the problem, Google's Thomas Stromberg, developer of the supercool Namebench tool that allows a user to investigate DNS queries and responses, said he has seen spurious DNS query results in numerous locations. He noted that in Malaysia (where, as of 2007, the government has promised Internet companies it would not censor the Internet), he observed a secondary nameserver giving errant DNS responses for popular websites. The nameserver happened to be located in China.

All in all, the discussion provided much needed detail about the arbitrariness with which DNS filtering and blocking is implemented. Such openness and information from the technical community is crucial. Particularly as the pressure mounts in various camps to challenge countries in forums like the WTO for failure to meet their trade obligations.

By Brenden Kuerbis, Fellow in Internet Security Governance, Citizen Lab, Univ of Toronto. Kuerbis is also a contributor to the Internet Governance Project blog.

Related topics: Censorship, DNS, DNS Security, Internet Governance, Policy & Regulation, Security, Web

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

News.Markets: A Rising Star in the World of Financial Trading and New TLDs

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

Mobile Web Intelligence Report: Bots and Crawlers May Represent up to 50% of Web Traffic

Domain Management Handbook from MarkMonitor

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

What Holds Firms Back from Choosing Cloud-Based External DNS?

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

DeviceAtlas Brings Device Awareness to HAProxy

Dyn Weighs In On Whois

Season's Greetings - 2015 End of Year Message from DotConnectAfrica

Data Volumes and Network Stress to Be Top IoT Concerns

Sponsored Topics

Verisign

Security

Sponsored by
Verisign
Port25

Email

Sponsored by
Port25
Afilias

DNS Security

Sponsored by
Afilias
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services