DNS-based censorship: theory and measurements
| Field | Value |
|---|---|
| Talk Title | DNS-based censorship: theory and measurements |
| Speakers | Stéphane Bortzmeyer (AFNIC) |
| Conference | NANOG67 |
| Location | Chicago, Illinois |
| Date | Jun 13 2016 - Jun 15 2016 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | Talk Video |
As explained in RFC 7754, “Technical Considerations for Internet Service Blocking and Filtering”, it is tempting for a censor to attack, not the direct traffic or servers, but the rendezvous systems, the most obvious one being the DNS. In Europe, but also in other places, several countries implemented a DNS-based censorship system, mandating ISPs to configure their DNS resolvers to lie (providing answers other than what the authoritative name server wanted). I will explain the various choices and possibilities of DNS-based censorship, as well as the workarounds. Of course, switching to a non-lying resolver is easy. But we’ll see it’s not so easy and that it is only the start of an arms race, especially given the fact that “alternative” resolvers are often not secured, and therefore can be hijacked. I will show examples and statistics on the actual deployment, both of the censorship and of the workarounds. This will mostly be done with RIPE Atlas probes. They allow one to perform detailed measurements of DNS data, even in countries where you’ve never been. Note: this will be the continuation of this article: https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes/ and this talk: https://ripe68.ripe.net/presentations/158-bortzmeyer-google-dns-turkey.pdf
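As an added example (not part of the talk or the speaker's material), the following Python script performs the comparison the abstract describes: it decodes DNS answers in the shape RIPE Atlas reports them (the response in base64 wire format under `result.abuf`, next to `prb_id` and `dst_addr`), compares each resolver's A records against a reference answer for the name, and groups the lies by the resolver that was queried, so that a wrong answer attributed to a public resolver such as 8.8.8.8 stands out as a hijacked path rather than an ordinary ISP-resolver lie. Every probe record, the reference answer, the resolver addresses (203.0.113.53 as the ISP resolver) and the block-page address (198.51.100.1) are constructed placeholders from documentation ranges; the wire-format encoder exists only to build those samples.

```python
import base64
import struct
from collections import defaultdict

# Constructed reference: what the authoritative servers answer for the name.
QNAME = "example.com"
REFERENCE_IPS = {"192.0.2.10"}


def build_a_response(qname, ips, rcode=0):
    """Build a minimal DNS response in wire format. Only used here to
    construct sample abufs; real Atlas results carry the resolver's bytes."""
    def encode_name(n):
        return b"".join(bytes([len(l)]) + l.encode("ascii")
                        for l in n.split(".")) + b"\x00"
    # flags: QR=1, RD=1, RA=1, rcode in the low nibble
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, IN
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)            # name ptr -> 12
        + bytes(int(o) for o in ip.split("."))
        for ip in ips)
    return header + question + answers


def _decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end if end is not None else off


def parse_a_records(wire):
    """Return (rcode, sorted A-record addresses) from a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _decode_name(wire, off)
        off += 4                                  # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, off = _decode_name(wire, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in wire[off:off + 4]))
        off += rdlen
    return flags & 0x0F, sorted(ips)


def classify(results, reference_ips):
    """Map probe id -> verdict. An answer sharing no address with the
    reference set, or NXDOMAIN for a name that exists, is a lie."""
    verdicts = {}
    for r in results:
        rcode, ips = parse_a_records(base64.b64decode(r["result"]["abuf"]))
        if rcode == 3:
            verdict = "LIE:NXDOMAIN"
        elif rcode != 0:
            verdict = "error:rcode=%d" % rcode
        elif set(ips) & reference_ips:
            verdict = "ok"
        else:
            verdict = "LIE:" + (",".join(ips) or "empty")
        verdicts[r["prb_id"]] = verdict
    return verdicts


def lies_by_resolver(results, reference_ips):
    """Group lying probes by the resolver they queried. Lies from the ISP
    resolver are plain censorship; lies attributed to a public resolver
    mean the path to that resolver is being hijacked."""
    verdicts = classify(results, reference_ips)
    groups = defaultdict(list)
    for r in results:
        if verdicts[r["prb_id"]].startswith("LIE"):
            groups[r["dst_addr"]].append(r["prb_id"])
    return dict(groups)


def _atlas_like(prb_id, dst_addr, wire):
    # Record shape modeled on Atlas DNS results (prb_id, dst_addr, result.abuf);
    # the content is constructed sample data.
    return {"prb_id": prb_id, "dst_addr": dst_addr,
            "result": {"abuf": base64.b64encode(wire).decode("ascii")}}


SAMPLE_RESULTS = [
    _atlas_like(1001, "203.0.113.53", build_a_response(QNAME, ["192.0.2.10"])),
    _atlas_like(1002, "203.0.113.53", build_a_response(QNAME, ["198.51.100.1"])),
    _atlas_like(1003, "203.0.113.53", build_a_response(QNAME, [], rcode=3)),
    _atlas_like(1004, "8.8.8.8", build_a_response(QNAME, ["192.0.2.10"])),
    _atlas_like(1005, "8.8.8.8", build_a_response(QNAME, ["198.51.100.1"])),
]

if __name__ == "__main__":
    for prb, verdict in classify(SAMPLE_RESULTS, REFERENCE_IPS).items():
        print(prb, verdict)
    print(lies_by_resolver(SAMPLE_RESULTS, REFERENCE_IPS))
```

A differing A record is only strong evidence for names whose address set is stable; for CDN-hosted names the reference answer must be collected from a comparable vantage point, or the comparison should use a record the CDN does not vary by location. NXDOMAIN for a name that is known to exist is the least ambiguous signal.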