Measurement of globally visible DNS injection

Abstract

Domain Name System (DNS) injection is a censorship method for blocking access to blacklisted domain names. The method uses deep packet inspection on all DNS queries passing through the network and injects spoofed responses. Compared with other blocking mechanisms, DNS injection impacts uninvolved third-parties if their traffic is routed through a censored network. In this paper, we look for large deployments of DNS injection, measured from vantage points outside of the censored networks. DNS injection is known to be used in China since it leaked unintentionally into foreign networks. We find that DNS injection is also used in Iran and can be observed by sending DNS queries to Iranian networks. In mid 2013, the Iranian DNS filter was temporarily suspended for some names, which correlated with media coverage of political debates in Iran about blocking social media. Spoofed responses from China and Iran can be detected passively by the IP address returned. We propose an algorithm to obtain these addresses remotely. After testing 255 002 open resolvers outside of China, we determined that 6% are potentially affected by Chinese DNS injection when querying top-level domains outside of China. This is essentially the result of one top-level domain name server for which an anycast instance is hosted in China.