Chinese DNS Tampering A Big Threat To Internet Security

China has long used the Internet’s Domain Name Service (DNS) to censor Web sites and information that the ruling Communist Party deems threatening. But now security experts warn that the government’s censorship is in danger of spilling over China’s borders: suppressing the ability of those living outside of China to find information online.

An estimated 57% of all networks on earth passed DNS requests through a Chinese DNS root server at some point in 2010, according to data from security firm Renesys. Tampering by the Communist Party there poses a danger to Internet security and freedom. In fact, DNS tampering may be a bigger threat than techniques like BGP (Border Gateway Protocol) hijacking, which is believed to be responsible for an unexpected shift in Internet routing in April that has recently been the subject of mainstream media reports in the U.S., according to a post by Earl Zmijewski, Vice President and General Manager at Renesys.

There is already evidence that China’s efforts to tamper with DNS have bled outside the country’s borders. The same report to Congress from the U.S.-China Economic and Security Review Commission that called attention to the BGP hijacking incident from April, 2010, also mentions a March, 2010, incident in which Internet users in the United States and Chile attempted to connect to social networking websites banned by the Chinese government. However, their DNS requests were handled by a Beijing-based Domain Name Server, which responded with incorrect DNS information that directed the surfers to incorrect servers, the report says.

Zmijewski said it is unclear why the root servers, which typically distinguish between DNS requests from within China and those coming from outside the country, responded with the filtered DNS responses in March. But the problem illustrates an essential vulnerability in the Internet’s infrastructure that is likely to become exacerbated as China’s relative economic importance and domestic Internet use grow.

DNS routing is not based on the physical proximity of the Web surfer to the DNS server, but on the business relationships between the firms hosting the root servers and those providing the Web surfer with Internet access, Zmijewski notes. As the relationships between domestic telecommunications providers like China Telecom and firms outside the country deepen, more and more DNS requests find their way to DNS root servers based in that country. Most of that traffic comes from China’s geographic neighbors, including Russia and countries in Southeast Asia. But countries in the Western Hemisphere, including the U.S., are impacted as well.

Zmijewski notes that in the March 2010 DNS route tampering incident, initial reports about the bad DNS answers came first from Santiago, Chile, rather than from one of China’s neighbors.

Security experts have long noted efforts by the Chinese Communist Party to censor Web sites using DNS. In a scholarly article called The Great DNS Wall of China from 2007 (PDF), academics from NYU found evidence of DNS tampering in response to Web requests for a list of domains believed to be the target of censorship by the Chinese government, with lookups for hundreds of sensitive domains sinkholed to one of a small list of IP addresses.
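The sinkhole pattern described above (many unrelated names collapsing onto a handful of addresses, and answers that differ from an independent resolver) can be checked from resolver logs. The following is an added illustration, not code from the article, Renesys or the NYU paper; the resolver names, domain names and answer addresses are constructed sample data drawn from documentation address ranges.

```python
"""Flag DNS answers that look like censorship sinkholing.

Two signals from the reporting: (1) one address answers for many unrelated
names on the same resolver, and (2) that answer disagrees with an
independent reference resolver. Each alone is noisy (CDNs legitimately
share addresses; records legitimately change), so the final check
requires both.
"""
from collections import defaultdict

# Constructed sample records: (resolver, queried name, answer address).
# In practice these would be parsed from your own resolver or probe logs.
SAMPLE_ANSWERS = [
    ("resolver-a", "example-social.test", "203.0.113.7"),
    ("resolver-a", "example-news.test", "203.0.113.7"),
    ("resolver-a", "example-video.test", "203.0.113.7"),
    ("resolver-a", "example-shop.test", "198.51.100.20"),
    ("resolver-b", "example-social.test", "192.0.2.10"),
    ("resolver-b", "example-news.test", "192.0.2.11"),
    ("resolver-b", "example-video.test", "192.0.2.12"),
    ("resolver-b", "example-shop.test", "198.51.100.20"),
]


def sinkhole_candidates(answers, min_domains=3):
    """Return {address: [names]} for addresses that answer for at least
    `min_domains` distinct names on a single resolver."""
    per_key = defaultdict(set)
    for resolver, qname, ip in answers:
        per_key[(resolver, ip)].add(qname)
    return {ip: sorted(names) for (_, ip), names in per_key.items()
            if len(names) >= min_domains}


def disagreements(answers, reference="resolver-b"):
    """Return (resolver, name, answer, reference_answer) for every answer
    that differs from what the reference resolver returned for that name."""
    ref = {q: ip for r, q, ip in answers if r == reference}
    return sorted((r, q, ip, ref[q]) for r, q, ip in answers
                  if r != reference and q in ref and ref[q] != ip)


def flag_tampered(answers, reference="resolver-b", min_domains=3):
    """Names whose answer both disagrees with the reference resolver and
    lands on a suspected sinkhole address."""
    sink = sinkhole_candidates(answers, min_domains)
    return sorted({q for _, q, ip, _ in disagreements(answers, reference)
                   if ip in sink})


if __name__ == "__main__":
    print(flag_tampered(SAMPLE_ANSWERS))
```

A DNSSEC-validating resolver would reject such forged answers outright; this heuristic is for spotting them where validation is not yet deployed.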

Zmijewski isn’t the only one to raise questions about whether the media and officials are missing the point by focusing on the BGP hijacking and overlooking the DNS tampering incident.

“I think if I had to choose, I would have chosen the DNS incident as being more technically interesting and more problematic from many vantage points: the difficulty of detection and the implications,” said Craig Labovitz of Arbor Networks. Labovitz has blogged, as well, about the alleged BGP hijacking incident, wondering about the impact and causes of that incident.

Whatever the case, the fix is for a more secure DNS alternative, DNSSEC, to be widely adopted. While adoption of that standard has moved slowly, the infrastructure for doing secure DNS lookups is in place and the various root servers are moving to implement it.
