Triplet Censors: Demystifying Great Firewall's DNS Censorship Behavior

The Great Firewall of China (GFW) has long used DNS packet injection to censor Internet access. In this work, we analyze the DNS injection behavior of the GFW over a period of nine months using the Alexa top 1M domains as a test list. We first focus on understanding the publicly routable IPs used by the GFW and observe groups of IPs used to filter specific sets of domains. We also see a sharp decline in public IPs injected by the GFW in November 2019. We then fingerprint three different injectors that we observe in our measurements. Notably, one of these injectors mirrors the IP TTL value from probe packets in its injected packets, which has implications for the use of TTL-limited probes for localizing censors. Finally, we confirm that our observations generally hold across IP prefixes registered in China.
