December 28, 2019


DNS-based censorship: theory and measurements


Talk Title DNS-based censorship: theory and measurements
Speakers Stéphane Bortzmeyer (AFNIC)
Conference NANOG67
Location Chicago, Illinois
Date Jun 13 2016 - Jun 15 2016

As explained in RFC 7754, “Technical Considerations for Internet Service Blocking and Filtering”, it is tempting for a censor to attack, not the direct traffic or servers, but the rendezvous systems, the most obvious one being the DNS. In Europe, but also in other places, several countries implemented a DNS-based censorship system, mandating the ISPs to configure their DNS resolvers to lie (providing other answers than what the authoritative name server wanted). I will explain the various choices and possibilities of DNS-based censorship, as well as the workarounds. Of course, switching to a non-lying resolver is easy. But we’ll see it’s not so easy and that it is only the start of an arms race, especially given the fact that “alternative” resolvers are often not secured, and therefore can be hijacked. I will show examples and statistics on the actual deployment, both of the censorship and of the workarounds. This will mostly be done with RIPE Atlas probes. They allow one to perform detailed measurements of DNS data, even in countries where you’ve never been. Note: this will be the continuation of this article: https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes/ and this talk: https://ripe68.ripe.net/presentations/158-bortzmeyer-google-dns-turkey.pdf
