Home / Blogs

The Extent of DNS Services Being Blocked in China

Brenden Kuerbis

The most recent episode of The Ask Mr. DNS Podcast offers up some disturbing corroborating evidence as to the extent of DNS filtering and outright blocking occurring in China. VeriSign's Matt Larson and InfoBlox's Cricket Liu, who co-host the geeky yet engaging and extremely informative show, held a roundtable discussion including technical experts from dynamic name service providers (better known as "managed DNS" services) DynDNS, TZO, No-IP, and DotQuad, as well as Google and Comcast.

After recalling the recent episode where queries to Net Nod's instance of the i root were intercepted and tampered with resulting in incorrect responses being returned inside and outside of China for facebook.com and other websites, Larson posed the question whether others were having similar experiences. (NB: Net Nod's i-root server instance in Beijing is still shut down, as their CEO has apparently stated it is not possible to offer authoritative root service in China) Unfortunately, several of the managed DNS services providers answered affirmatively.

Listen to the segment (discussion starts at 21:23)

TZO's CTO, Eric McIntyre, stated how their dynamic DNS service devices they sell in partnership with equipment manufactures like Cisco and HP would not resolve in China due to blocking. Rather than block specific domains that may be hosting objectionable content, blocking is occurring in wholesale manner, making it impossible for TZO to offer DNS resolution services in China. DynDNS and No-IP acknowledged their services were blocked as well. DynDNS CEO Jeremy Hitchcock lamented that any domain should be globally reachable, but that this was not the case in China and that DynDNS had been blocked there for years. Interestingly, both McIntyre and Hitchcock said that other services they offer do work in China, highlighting China's focus on DNS resolution services.

Showing the growing scope and transborder implications of the problem, Google's Thomas Stromberg, developer of the supercool Namebench tool that allows a user to investigate DNS queries and responses, said he has seen spurious DNS query results in numerous locations. He noted that in Malaysia (where, as of 2007, the government has promised Internet companies it would not censor the Internet), he observed a secondary nameserver giving errant DNS responses for popular websites. The nameserver happened to be located in China.

All in all, the discussion provided much needed detail about the arbitrariness with which DNS filtering and blocking is implemented. Such openness and information from the technical community is crucial. Particularly as the pressure mounts in various camps to challenge countries in forums like the WTO for failure to meet their trade obligations.

By Brenden Kuerbis, Fellow in Internet Security Governance, Citizen Lab, Univ of Toronto. Kuerbis is also a contributor to the Internet Governance Project blog.

Related topics: Censorship, DNS, DNS Security, Internet Governance, Policy & Regulation, Security, Web

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

ICANN London Recap Webinar

Four Reasons to Move from .COM to Your .BRAND Domain

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Neustar to Launch usTLD Stakeholder Council

Dot Brand: Why Your Brand Needs Its Own Top-Level Domain

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Sophia Bekele Weighs in on Obama's August US-Africa Leader Summit at the NYF Africa

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

DotConnectAfrica's Expert Selected to Attend the Hague Institute of Global Justice

DotConnectAfrica Delegates Attend the KHRC Internet & Human Rights Breakfast Roundtable in Nairobi

Smokescreening: Data Theft Makes DDoS More Dangerous

DotConnectAfrica's Executive Director Sophia Bekele Keynote Remarks for the ITU's Girl's ICT Day

Introducing getdns: a Modern, Extensible, Open Source API for the DNS

Why We Decided to Stop Offering Free Accounts

Sponsored Topics