China’s DNS Hijacking System: Technical Details Explained
In this memo, Bill Xia, president of Dynamic Internet Technologies (DIT), explains what his firm has learned about an incident on Jan. 21 in which two-thirds of China’s Internet went offline for about two hours. China’s state-run media has blamed the interruption of service on DIT, but Xia suggests that the outage could only have been produced by the Great Firewall itself.
China’s DNS Hijacking System – Updated Report
In 2002, China started to use DNS hijacking technology to block web sites. Dynamic Internet Technology (DIT) released a report on October 2, 2002, to demonstrate how it works. We gain more insight into how China is using this technology throughout the years. On January 21, 2014, there was a large-scale Internet breakdown caused by this DNS hijacking system. It is a good time to release some of the additional information we have about the system.
What is DNS?
DNS is a service that translates a domain name to an IP address. An IP address is what a computer uses to find each other for further communication. DNS service is comparable to phone directory service to translate from human meaningful name to phone number. When a user uses a browser, say FireFox, to visit a web site, say http://www.epochtimes.com, FireFox will communicate with DNS servers to find out where is www.epochtimes.com (the IP address). Then, FireFox will communicate with www.epochtimes.com (the IP found) to display the web page.
What is DNS hijacking?
When there is DNS hijacking for the websites that a user in China wants to visit, the user may encounter error messages or threatening messages from Chinese authorities, or the user may see the wrong website.
DNS hijacking happens when a rogue computer monitors the communications between a user and a DNS server, and replies with a wrong IP on behalf of the real DNS server. The process is similar to the movie “Ocean’s 11” where thieves controlled the phone system of a Casino. When the Casino called for emergency service, a thief picked up the phone and sent the whole team of thieves into the vault of the Casino.
This kind of attack requires that the attacker be able to monitor all traffic of targeted users and needs the CPU resources to process all the data. This scenario is described in many security books for small company networks. But this kind of attack never happens in ISP level. ISP network is more complicated and does not have a single point to monitor all traffic.
Demonstrating DNS hijacking at home
The impact of China’s Internet breakdown on January 21, 2014 is mostly over, but the DNS hijacking system is still in operation. One can still use the websites it targets to get a taste of what was happening during the breakdown.
In 2002, DIT listed about a dozen domains that were hijacked. Today, seven of them are still hijacked. They are:
If you have access to a computer in China. On linux, try going to:
host -t A epochtimes.com.dwlc 126.96.36.199
One will get reply of an IP like this
“epochtimes.com.dwlc has address 188.8.131.52”.
This IP has to be wrong because:
1) 184.108.40.206 is not an DNS server. Try the same thing from a U.S. computer, there will be timeout error.
2) epochtimes.com.dwlc is not a valid domain. A DNS server should reply “not found” instead of an IP. This reply has to be from DNS hijacking engine of the Great Firewall.
On Windows, the command is “nslookup epochtimes.com.dwlc 220.127.116.11”.
A short list of IPs are used by the engine. Here is what we collected:
This list has been changing slowly, and sometimes varies from ISP to ISP.
The above test also exposed one weakness of the system. It will match for substring “epochtimes.com”. Without “epochtimes.com,” there won’t be such reply.
If this DNS hijacking engine blacklists a blank string, all domains will be hijacked. This is what happened on January 21, 2014.
It is understandable that a blank line at the end of some text is hard to recognize.
Demonstrating DNS hijacking from the United States
On a Linux computer in U.S., try:
host -t A epochtimes.com.dwlc 163.com
163.com is a web site in China. It is not a DNS server. Moveover, epochtimes.com.dwlc does not exist. But the above command will receive DNS reply like:
“epochtimes.com.dwlc has address 18.104.22.168”.
This happens because of another defect of the the DNS hijacking engine. It cannot tell if the DNS query is going out of China or into China. It is monitoring all traffic in and out of China, and replies with the wrong IP when the blacklisted domains are matched.
Deployment of the DNS hijacking engine
Since all the targeted domains are located outside of China, the most efficient location to deploy the system is close to an international gateway and to monitor all the traffic going in and out of China.
As of December 2013, CNNIC reported more than 3400Gbps with year growth of 79.3 percent. To monitor this rapidly growing traffic for the purpose of DNS hijacking, the system has to keep upgrading with more servers and newer CPUs.
On January 21, 2014, when all domain names were pointed to a Freegate IP, only this DNS hijacking engine has sufficient resources located at a strategic location to be able to do it. No hacker can possibly control resources to manipulate 3400Gbps traffic accurately only to target the DNS related communications.
More details about the Jan. 21st incident
Lots of information was posted around the Web about that IP used to map all domains. This plethora of information is a result of different level of ownership of IP resources. This IP is used by DIT operating FreeGate related service. It was not running any Web server when the incident happened. We tried to run the website on it after we learned of the incident, but we were unable to deliver any webpages since all replies were blocked from entering China.
FAQ about user experience
After the incident is over, why are many users still experiencing problems when visiting websites?
This is the result of DNS cache. DNS servers in China saved the wrong translation results.Because of the cache, users will be sent to the wrong IP until the cache is cleared.
I use Google’s overseas DNS server 22.214.171.124. How come I am affected as well?
DNS hijacking affects all DNS queries going in and out of China. In China, you can always verify DNS hijacking by doing “nslookup epochtimes.com 126.96.36.199” on Windows computer.
Why were .cn domains not affected?
Because .cn domains are resolved inside China. The process will not hit the DNS hijacking engine located near an international gateway.
Why did no ISP give an official explanation?
The Chinese government put the DNS hijacking engine into each ISP’s facility. The Chinese government never acknowledges the existence of its Great Firewall, not to mention the DNS hijacking engine. No ISP dares to confirm the existence of this DNS hijacking engine.