China’s DNS Hijacking System: Technical Details Explained


In this memo, Bill Xia, president of Dynamic Internet Technologies (DIT), explains what his firm has learned about an incident on Jan. 21 in which two-thirds of China’s Internet went offline for about two hours. China’s state-run media has blamed the interruption of service on DIT, but Xia suggests that the outage could only have been produced by the Great Firewall itself.


China’s DNS Hijacking System – Updated Report

In 2002, China started to use DNS hijacking technology to block web sites. Dynamic Internet Technology (DIT) released a report on October 2, 2002, to demonstrate how it works. Over the years we have gained more insight into how China is using this technology. On January 21, 2014, there was a large-scale Internet breakdown caused by this DNS hijacking system. It is a good time to release some of the additional information we have about the system.

What is DNS?

DNS is a service that translates a domain name to an IP address. An IP address is what computers use to find each other for further communication. DNS is comparable to a phone directory service that translates a human-meaningful name into a phone number. When a user uses a browser, say Firefox, to visit a web site, say http://www.epochtimes.com, Firefox will communicate with DNS servers to find out where www.epochtimes.com is (its IP address). Then Firefox will communicate with www.epochtimes.com (the IP found) to display the web page.

What is DNS hijacking?

When the websites a user in China wants to visit are DNS-hijacked, the user may encounter error messages or threatening messages from the Chinese authorities, or the user may be shown the wrong website.

DNS hijacking happens when a rogue computer monitors the communications between a user and a DNS server and replies with a wrong IP on behalf of the real DNS server. Because DNS normally runs over UDP and the client accepts the first answer whose transaction ID and question match its query, the forged reply wins whenever it arrives before the genuine one. The process is similar to the movie "Ocean's 11", where thieves controlled the phone system of a casino: when the casino called for emergency service, a thief picked up the phone and sent the whole team of thieves into the casino's vault.

This kind of attack requires that the attacker be able to monitor all traffic of the targeted users, and it needs the CPU resources to process all of that data. The scenario is described in many security books for small company networks. But this kind of attack is not seen at the ISP level: an ISP network is more complex and has no single point at which all traffic can be monitored.

Demonstrating DNS hijacking at home

The impact of China’s Internet breakdown on January 21, 2014 is mostly over, but the DNS hijacking system is still in operation. One can still use the websites it targets to get a taste of what was happening during the breakdown.

In 2002, DIT listed about a dozen domains that were hijacked. Today, seven of them are still hijacked. They are:

www.renminbao.com
www.bignews.org
www.minghui.org
www.kanzhongguo.com
www.peacehall.com
www.epochtimes.com
www.tibet.net

If you have access to a computer in China, try the following on Linux:

host -t A epochtimes.com.dwlc 8.8.8.1

You will get a reply with an IP address, like this:

"epochtimes.com.dwlc has address 203.98.7.65"

This IP has to be wrong because:

1) 8.8.8.1 is not a DNS server. Run the same command from a U.S. computer and it will time out.

2) epochtimes.com.dwlc is not a valid domain (.dwlc is not a real top-level domain). A DNS server should reply "not found" (NXDOMAIN) instead of an IP. This reply can only have come from the DNS hijacking engine of the Great Firewall.

On Windows, the command is "nslookup epochtimes.com.dwlc 8.8.8.1".

A short list of IPs is used by the engine. Here is what we have collected:

159.106.121.75
203.98.7.65
243.185.187.39
37.61.54.158
46.82.174.68
59.24.3.173
78.16.49.15
8.7.198.45
93.46.8.89

This list has been changing slowly, and sometimes varies from ISP to ISP.

The above test also exposes a weakness of the system: it matches on the substring "epochtimes.com". Without "epochtimes.com" somewhere in the queried name, there is no such reply.

If this DNS hijacking engine blacklists a blank string, every name contains that substring and all domains are hijacked. This is what happened on January 21, 2014.

It is understandable that a blank line at the end of some text is hard to notice.
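The following is an added example, not DIT's code and not a description of the engine's real implementation. It assumes the engine keeps its blacklist as one pattern per line and applies the plain substring rule observed above; the blocklist text is constructed. It shows how a trailing blank line turns into an empty pattern that matches every name, and the loader check that prevents it.

```python
# Constructed blocklist text with a trailing blank line, the situation the memo
# speculates about. The one-pattern-per-line format is an assumption.
BLOCKLIST_TEXT = "epochtimes.com\nminghui.org\n\n"


def load_blocklist_naive(text):
    """Split on newlines and keep every entry, including the empty one at the end."""
    return text.split("\n")


def load_blocklist(text):
    """Hardened loader: strip whitespace, lower-case, and drop blank entries,
    so no pattern can ever be the empty string."""
    patterns = []
    for line in text.splitlines():
        entry = line.strip().lower()
        if entry:
            patterns.append(entry)
    return patterns


def is_hijacked(qname, patterns):
    """Substring match as the memo observed: return the first pattern found
    inside the queried name, or None if nothing matches."""
    qname = qname.lower()
    for pattern in patterns:
        if pattern in qname:       # "" in anything is True: the blank-line failure
            return pattern
    return None
```

With the naive loader, `is_hijacked("www.baidu.com", ...)` returns the empty pattern and every query would be answered with a forged IP; with the hardened loader the same name returns None while `epochtimes.com.dwlc` still matches `epochtimes.com`.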

Demonstrating DNS hijacking from the United States

On a Linux computer in U.S., try:

host -t A epochtimes.com.dwlc 163.com

163.com is a web site in China, not a DNS server. Moreover, epochtimes.com.dwlc does not exist. But the above command will receive a DNS reply like:

"epochtimes.com.dwlc has address 203.98.7.65"

This happens because of another defect of the DNS hijacking engine: it cannot tell whether a DNS query is leaving China or entering it. It monitors all traffic in and out of China and replies with the wrong IP whenever a blacklisted domain is matched.
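The two probes above (a blacklisted substring under a bogus TLD sent to 8.8.8.1 from inside China, and to 163.com from the United States) can be scripted so that a forged reply is recognised automatically. The code below is an added example, not DIT's tooling: it builds the A query by hand (RFC 1035 layout), parses the reply, and flags it as injected if it came from a host that does not run DNS, if it carries an A record for a name a real resolver would answer NXDOMAIN for, or if the address is one of the injector IPs listed on this page. The `forged_reply` helper is a constructed stand-in for the engine's answer so the example runs offline; `probe` performs the real network test.

```python
import random
import socket
import struct

# Addresses the memo lists as returned by the injection engine.
KNOWN_INJECTED_IPS = {
    "159.106.121.75", "203.98.7.65", "243.185.187.39", "37.61.54.158",
    "46.82.174.68", "59.24.3.173", "78.16.49.15", "8.7.198.45", "93.46.8.89",
}


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None):
    """Build a recursive A/IN query for `name`; return (txid, packet bytes)."""
    if txid is None:
        txid = random.randrange(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return txid, header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(data, off):
    """Return the offset just past the name starting at `off` (handles compression)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return (txid, rcode, [A record addresses]) from a raw DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4               # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, flags & 0x000F, addrs


def injection_evidence(response, name_should_not_exist, target_runs_dns):
    """List the reasons a reply looks forged; an empty list means nothing suspicious."""
    _txid, _rcode, addrs = parse_response(response)
    reasons = []
    if not target_runs_dns:
        reasons.append("reply arrived from a host that does not run DNS")
    if name_should_not_exist and addrs:
        reasons.append("A record for a name a real resolver would answer NXDOMAIN")
    hits = sorted(set(addrs) & KNOWN_INJECTED_IPS)
    if hits:
        reasons.append("answer uses known injector address(es): " + ", ".join(hits))
    return reasons


def forged_reply(query, addr, ttl=300):
    """Constructed stand-in for the injector's answer (not a capture): copy the
    transaction ID and question from the query and add one A record."""
    txid, = struct.unpack("!H", query[:2])
    question = query[12:]                                        # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer


def probe(name, server, timeout=3.0, target_runs_dns=False):
    """Send the memo's probe over UDP/53. Returns the evidence list, or None on
    timeout, which is the expected result when no injector sits on the path."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return None
    if struct.unpack("!H", data[:2])[0] != txid:
        return ["reply transaction ID does not match the query"]
    return injection_evidence(data, name_should_not_exist=True, target_runs_dns=target_runs_dns)


if __name__ == "__main__":
    # From inside China: the memo's probe to a non-resolver. From the U.S.: to 163.com.
    print("8.8.8.1:", probe("epochtimes.com.dwlc", "8.8.8.1"))
    print("163.com:", probe("epochtimes.com.dwlc", "163.com"))
```

A control query for a name without a blacklisted substring (for example `example.dwlc`) should time out against either target; only the blacklisted name draws an answer, which is the substring-matching behaviour the memo describes.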

Deployment of the DNS hijacking engine

Since all the targeted domains are located outside of China, the most efficient location to deploy the system is close to an international gateway and to monitor all the traffic going in and out of China.

As of December 2013, CNNIC reported more than 3400Gbps of traffic, with year-on-year growth of 79.3 percent. To monitor this rapidly growing traffic for the purpose of DNS hijacking, the system has to be upgraded continually with more servers and newer CPUs.

On January 21, 2014, when all domain names were pointed to a Freegate IP, only this DNS hijacking engine had sufficient resources at a strategic enough location to do it. No hacker could possibly control the resources needed to manipulate 3400Gbps of traffic accurately enough to target only the DNS-related communications.

More details about the Jan. 21st incident

Lots of information was posted around the Web about the IP to which all domains were mapped. The conflicting information reflects the different levels at which IP address blocks are allocated and owned. This IP is used by DIT to operate Freegate-related services. It was not running any Web server when the incident happened. We tried to run a website on it after we learned of the incident, but we were unable to deliver any web pages, since all replies were blocked from entering China.

FAQ about user experience

After the incident is over, why are many users still experiencing problems when visiting websites?

This is the result of DNS caching. DNS servers in China saved the wrong translation results, and because of the cache, users will be sent to the wrong IP until the cached records expire or are flushed.

I use Google’s overseas DNS server 8.8.8.8. How come I am affected as well?

DNS hijacking affects all DNS queries going in and out of China. In China, you can always verify DNS hijacking by running "nslookup epochtimes.com 8.8.8.8" on a Windows computer.

Why were .cn domains not affected?

Because .cn domains are resolved inside China, those queries never pass the DNS hijacking engine located near the international gateways.

Why did no ISP give an official explanation?

The Chinese government has put the DNS hijacking engine into each ISP's facility. The Chinese government never acknowledges the existence of its Great Firewall, let alone the DNS hijacking engine. No ISP dares to confirm that this DNS hijacking engine exists.



  • PixelDreamscape .

    DNS hijacking has been happening to me when reading these articles.
    I was using a completely reinstalled stock android 4.1.2 on galaxy note 2.
    I had re-flashed it myself and the first test I took it online as the wifi was having problems.
    The wifi was working but when viewing epochtimes website the page was redirected to play.google-android-system.com.
    It was saying that my factory restored phone had 13 viruses.
    The website would then download an apk called mobogenie_1506.apk (android installation file)
    It would try to open play store to download another apk that would clean viruses off android.
    This is fake and the purpose of this app is to search out the mobogenie.apk that was not downloaded from google play
    and install the virus payload inside that apk. Google checks files uploaded to google play for malware and viruses.
    This is a technique used where the attacker tricks the user into initialising the virus.
    It is surprising how many people believe and are fooled by this attack.
    The problem with this trying to attack android specifically means that whoever is doing this is trying to infect phones. I could only guess that they would be trying to achieve the goal of listening to victims' phone calls as this would be the reasoning for attacking phones. Further investigation found that the registrar for the website google-android-system.com is strange -

    Registrant

    GOOGLE ANDROID
    GOOGLE ANDROID SYSTEM
    NONE
    GOOGLE, NY 10000
    UNITED STATES
    Telephone: 10000000000
    Fax: 10000000000
    Email:

    It would be hard to contact this website admin with such fake details listed.

  • Ali Jawad

    A great article on how to overcome DNS hijacking is here http://thevpn.guru/dns-hijacking-exposed-explained/ similarly transparent proxies are also used by ISPs see http://thevpn.guru/transparent-proxy-detect-expose-explain/
