CircleID

The most recent episode of The Ask Mr. DNS Podcast offers up some disturbing corroborating evidence as to the extent of DNS filtering and outright blocking occurring in China. VeriSign's Matt Larson and InfoBlox's Cricket Liu, who co-host the geeky yet engaging and extremely informative show, held a roundtable discussion including technical experts from dynamic name service providers (better known as "managed DNS" services) DynDNS, TZO, No-IP, and DotQuad, as well as Google and Comcast.

After recalling the recent episode where queries to Net Nod's instance of the i root were intercepted and tampered with resulting in incorrect responses being returned inside and outside of China for facebook.com and other websites, Larson posed the question whether others were having similar experiences. (NB: Net Nod's i-root server instance in Beijing is still shut down, as their CEO has apparently stated it is not possible to offer authoritative root service in China) Unfortunately, several of the managed DNS services providers answered affirmatively.

Listen to the segment (discussion starts at 21:23)

TZO's CTO, Eric McIntyre, stated how their dynamic DNS service devices they sell in partnership with equipment manufactures like Cisco and HP would not resolve in China due to blocking. Rather than block specific domains that may be hosting objectionable content, blocking is occurring in wholesale manner, making it impossible for TZO to offer DNS resolution services in China. DynDNS and No-IP acknowledged their services were blocked as well. DynDNS CEO Jeremy Hitchcock lamented that any domain should be globally reachable, but that this was not the case in China and that DynDNS had been blocked there for years. Interestingly, both McIntyre and Hitchcock said that other services they offer do work in China, highlighting China's focus on DNS resolution services.

Showing the growing scope and transborder implications of the problem, Google's Thomas Stromberg, developer of the supercool Namebench tool that allows a user to investigate DNS queries and responses, said he has seen spurious DNS query results in numerous locations. He noted that in Malaysia (where, as of 2007, the government has promised Internet companies it would not censor the Internet), he observed a secondary nameserver giving errant DNS responses for popular websites. The nameserver happened to be located in China.

All in all, the discussion provided much needed detail about the arbitrariness with which DNS filtering and blocking is implemented. Such openness and information from the technical community is crucial. Particularly as the pressure mounts in various camps to challenge countries in forums like the WTO for failure to meet their trade obligations.

By Brenden Kuerbis, Fellow in Internet Security Governance, Citizen Lab, Univ of Toronto. Kuerbis is also a contributor to the Internet Governance Project blog.

Related topics: Censorship, DNS, DNS Security, Internet Governance, Policy & Regulation, Security, Web