Stéphane Bortzmeyer has a very long track record of interesting commentary about the Internet – his blog goes back to 1996. It's a pity that my compatriot doesn't write in English more often: I believe he would find a big audience for his excellent articles. But as he told me: “Many people write in English already, English readers do not need one more writer”. I object – there is always room for good information to be brought to a greater audience. And since his writings are licensed under the GFDL, I'll do the translation myself when I feel like it.

Maybe this will be the only one of his articles I translate – or maybe there will be others in the future… Meanwhile, here is this one. I chose it because DNS hijacking is a subject I am sensitive about – and maybe because of the exoticism of Chinese shenanigans…


Before reading this interesting article, please heed this forewarning: as soon as we talk about China, we should admit our ignorance. Most people who pontificate about the state of the Internet in China do not speak Chinese – their knowledge of the country stops at the doorstep of international hotels in Beijing and Shanghai. The prize for the most ludicrous pro-Chinese utterance goes to Jacques Myard, representative at the National Assembly and member of the UMP party, for his support for the Chinese dictatorship [translator's note: he went on the record saying that “the Internet is utterly rotten” and went on to say that it “should be nationalized to give us better control – the Chinese did it”]. When it comes to DNS, one of the least understood Internet services, the bullshit production rate goes up considerably, and sentences where both « DNS » and « China » occur are most likely to be false.

I am therefore going to try not to emulate Myard, and only talk about what I know, which will make this article quite short and full of conditionals. Unlike criminal investigations in US movies, this article will name no culprit, and you won't even know if there was really a crime.

DNS root server hijacking for the purpose of implementing the policy (notably censorship) of the Chinese dictatorship has been discussed several times – for example at the 2005 IETF meeting in Paris. It is very difficult to know exactly what happens in China because Chinese users, for cultural reasons, but mostly for fear of repression, don't provide much information. Of course, plenty of people travel to China, but few of them are DNS experts, and it is difficult to get them to provide data from mtr or dig correctly executed with the right options. Reports on censorship in China are often poor in technical detail.

However, from time to time, DNS hijacking in China has visible consequences outside of Chinese territory. On the 24th of March, the technical manager for the .cl domain noted that root server I, which is anycast and managed by Netnod, answered bizarrely when queried from Chile:

$ dig @i.root-servers.net www.facebook.com A

; <<>> DiG 9.6.1-P3 <<>> @i.root-servers.net www.facebook.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7448
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; ANSWER SECTION:
www.facebook.com.       86400   IN      A       8.7.198.45

;; Query time: 444 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Wed Mar 24 14:21:54 2010
;; MSG SIZE  rcvd: 66

[translator's note: sign of the times, the Chilean administrator chose to query facebook.com; google.com and, before that, microsoft.com used to be classic example material. Mauricio used facebook.com (or twitter.com) because it is hijacked by the Chinese government, unlike microsoft.com (or even google.com)]

The root servers are not authoritative for facebook.com. The queried server should therefore have answered with a referral, a pointer to the name servers of the .com domain. Instead, we find an unknown IP address in an authoritative answer. Someone is screwing with the server's data:

  • The I root server’s administrators as well as its hosts deny any modifications of the data obtained from VeriSign (who manages the DNS root master server).
  • Other root servers (except, oddly, D) are also affected.
  • Only UDP traffic is hijacked – TCP is unaffected. Traceroute sometimes ends up at reliable instances of the I server (for example, in Japan), which seems to suggest that the manipulation only affects port 53 – the one used by the DNS.
  • Affected names are those of services censored in China, such as Facebook or Twitter. They are censored not just for political reasons, but also because they compete with Chinese interests.
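The two observations above (a root server that returns an authoritative A record instead of a referral, and UDP and TCP replies that disagree) can be checked mechanically. The script below is an added example written for this translation; it is not part of Bortzmeyer's article and not Netnod's or VeriSign's code. It builds two DNS messages in wire format, a normal referral and a reply shaped like the hijacked one shown above (same query id and the 8.7.198.45 address from the dig output; everything else is constructed), parses them with a minimal stdlib-only decoder, and classifies each. The function names and the sample messages are hypothetical.

```python
import struct

# All messages below are constructed by this script to mimic (a) a normal
# root-server referral for www.facebook.com and (b) the hijacked reply shown
# in the article; nothing here was captured from the network.

A, NS = 1, 2  # record types used in the example


def encode_name(name):
    """Encode a dotted name into DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(msg_id, aa, question, answers=(), authority=()):
    """Build a minimal DNS response; records are (name, type, ttl, rdata) tuples."""
    flags = 0x8000 | (0x0400 if aa else 0) | 0x0100 | 0x0080  # QR, [AA], RD, RA
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), len(authority), 0)
    body = encode_name(question) + struct.pack("!HH", A, 1)  # QTYPE A, QCLASS IN
    for name, rtype, ttl, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_message(data):
    """Parse header, question, answer and authority sections of a DNS message."""
    msg_id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    sections = {"answer": [], "authority": []}
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            name, offset = read_name(data, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            sections[section].append((name, rtype, ttl, data[offset:offset + rdlen]))
            offset += rdlen
    return {"id": msg_id, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, **sections}


def classify_root_response(data, qname):
    """A root server asked for a name under a delegated TLD must refer, never answer.
    Returns 'referral' for the expected shape and 'hijack_suspect' when the reply
    is authoritative or carries an A record for the queried name."""
    msg = parse_message(data)
    has_a_answer = any(r[0] == qname and r[1] == A for r in msg["answer"])
    if msg["aa"] or has_a_answer:
        return "hijack_suspect"
    if any(r[1] == NS for r in msg["authority"]):
        return "referral"
    return "unexpected"


def answered_addresses(data):
    """Dotted-quad addresses of every A record in the answer section."""
    return [".".join(str(b) for b in r[3]) for r in parse_message(data)["answer"] if r[1] == A]


def transports_disagree(udp_reply, tcp_reply):
    """The article notes only UDP was hijacked: differing answer sets are a red flag."""
    return answered_addresses(udp_reply) != answered_addresses(tcp_reply)


# Constructed referral: no answer, aa clear, an NS record for com. in authority
REFERRAL = build_message(7448, False, "www.facebook.com.",
                         authority=[("com.", NS, 172800, encode_name("a.gtld-servers.net."))])
# Constructed reply mirroring the article's hijacked one: aa set, bogus A record
HIJACKED = build_message(7448, True, "www.facebook.com.",
                         answers=[("www.facebook.com.", A, 86400, bytes([8, 7, 198, 45]))])

if __name__ == "__main__":
    for label, msg in (("referral", REFERRAL), ("hijacked", HIJACKED)):
        print(label, classify_root_response(msg, "www.facebook.com."), answered_addresses(msg))
    print("UDP/TCP disagree:", transports_disagree(HIJACKED, REFERRAL))
```

In a real check the two byte strings would come from a UDP and a TCP query to the same root server address; the classification rule is deliberately strict, since a root server has no business setting the AA bit or returning an address for a name two labels below the root.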

If you want to check it yourself, 123.123.123.123 is hosted by China Unicom and will let you resolve a name:

% dig A www.facebook.com @123.123.123.123 

; <<>> DiG 9.5.1-P3 <<>> A www.facebook.com @123.123.123.123
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44684
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; ANSWER SECTION:
www.facebook.com.       86400   IN      A       37.61.54.158

;; Query time: 359 msec
;; SERVER: 123.123.123.123#53(123.123.123.123)
;; WHEN: Fri Mar 26 10:46:52 2010
;; MSG SIZE  rcvd: 66

37.61.54.158 is a currently unassigned address, and it does not belong to Facebook. [translator's note: I get 243.185.187.39, which is also abnormal]

It is therefore very likely that rogue root servers exist in China and that Chinese ISPs have hacked their IGP (OSPF, for example) to hijack traffic bound toward the root servers. This does not quite explain everything – for example, why the known good instances installed in China still see significant traffic. But it won't be possible to know more without in-depth testing from various locations in China. A leak from this routing hack (similar to the one that affected YouTube in 2008) certainly explains how the announcement from the rogue server reached Chile.

« The Great DNS Wall of China » and « Report about national DNS spoofing in China » are among the reliable sources of information about manipulated DNS in China.

For more information about the problem described in this article, you may also read « China censorship leaks outside Great Firewall via root server » (a good technical article), « China's Great Firewall spreads overseas » or « Web traffic redirected to China in mystery mix-up ».

This article is distributed under the terms of the GFDL. The original article was published on Stéphane Bortzmeyer’s blog on the 26 March 2010 and translated by Jean-Marc Liotier the same day.