Slashdot Mirror

← Back to Stories (view on slashdot.org)

China's Great Firewall Infects Other Countries

Posted by Soulskill on from the trial-run-successful dept.

angry tapir writes "A networking error has caused computers in Chile and the US to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers. Security experts are not sure exactly how this happened, but it appears that at least one ISP recently began fetching high-level DNS information, from what's known as a root DNS server, based in China. That server, operated out of China by Swedish service provider Netnod, returned DNS information intended for Chinese users, effectively spreading China's network censorship overseas."

14 of 178 comments (clear)

  1. Nice headline by oldhack · · Score: 5, Informative

    The headlines now tell you absolutely nothing about the actual stories.

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
  2. Misleading by ClownPenis · · Score: 5, Insightful

    Misconfiguration of resolv.conf does not put China's firewall in your way. Add yourself to the tool belt.

    1. Re:Misleading by Anonymous Coward · · Score: 4, Informative

      It's more than that. According to the post at https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html someone is actively spoofing DNS replies to DNS request packets bound for entire class A and B net ranges.

  3. Maintaining the Great Firewall by Tetsujin · · Score: 4, Funny

    (Firewall is subverted...)
    Damn you cyber-Mongorians!

    --
    Bow-ties are cool.
  4. Re:Uh Huh by sopssa · · Score: 4, Informative

    Can't say that I'm surprised that it did happen.

    Especially now when Google has decided to pull out. And China does have an urge to control any information that they don't like. Which would be the majority of the internet.

    And still this has nothing to do with the Chinese government. It's the ISP's fault that erroneously configured their servers to use the Chinese root DNS server.

  5. Re:Now... by sopssa · · Score: 4, Interesting

    It's the other way around than what you're suggesting. Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.

    They are keeping their shit for them. It's just that someone else is fetching it from them to elsewhere.

  6. this gives me an idea.... by datapharmer · · Score: 4, Funny

    So if the entire world's DNS resolved to the Chinese firewall simultaneously would it DOS them to oblivion and end these shenanigans? I'd give up a day of using the internet to see that go down.

    --
    Get a web developer
  7. Re:Now... by JWW · · Score: 5, Insightful

    Which, proves the point that perhaps China should not be allowed to have any DNS root servers.

    I would say that if a DNS server does not return the same information as all other root servers in the world that it should not be allowed to be a root server.

  8. Huh by MrTripps · · Score: 4, Funny

    I was wondering about that fortune cookie that said "All of your root servers are belonging to us."

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
  9. Re:Pfft. by einhverfr · · Score: 4, Insightful

    Also, the internet routes around censorship? Ooops....

    --

    LedgerSMB: Open source Accounting/ERP
  10. Re:Pfft. by _Sprocket_ · · Score: 5, Funny

    Also, the internet routes around censorship? Ooops....

    Seems we were wrong. Apparently, the Internet detects censorship and routes it around.

  11. Re:Pfft. by TheRaven64 · · Score: 5, Insightful

    Not really surprising, because the root DNS servers are not yet all signed with DNSSEC and Verisign is dragging its heels when it comes to implementing DNSSEC in the .com domain. Apparently there isn't much real-world use for DNSSEC. Nice to have a concrete counter-example - thanks China.

    --
    I am TheRaven on Soylent News
  12. Re:Now... by radtea · · Score: 5, Insightful

    China can have all the root servers they want - just don't configure your server to poll them.

    Actually China is demonstrably incapble of having any working root servers at all. A DNS server that returns incorrect information is not a "root" server, if by "root" you mean "authoritative source of DNS information that resolves domain names properly."

    It's really too bad that China is incapable of hosting DNS root servers. Hopefully by the end of the 21st century China will be a little less backward and isolated from the rest of the world, which would benefit greatly from interaction with so many people from such diverse cultural and political backgrounds.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  13. Re:Net views censorship as damage by FliesLikeABrick · · Score: 4, Informative

    As far as I know, NetNod was not operating this i-root instance that was returning the censored answers.

    I was following along with this on the dns-operations mailing list. This pertained to i-root in Asia, and various i-root node operators said "this is not our box". It was a rogue root server (whether installed by the Chinese government or an ISP guided by the government's hand) (as far as netnod/i-root is concerned) announcing the anycast block used by i-root. In doing so they basically advertised themselves as a root node for i-root and it doesn't seem like this was Netnod-affiliated at all. The summary (I didn't re-read the article to see if that said the same) implies that netnod was running this intentionally and serving up Chinese-censored results for affected sites. All this would take is a person with the ability to have their upstreams accept BGP announcements for the anycast block for i-root and run the server. Then any requests to i-root that are topologically "close" will start using this node.

    Before anyone continually says that an ISP must have intentionally configured their servers to use this root, they should read up on IP anycasting and read the thread on the dns-operations mailing list instead of these 2nd/3rd/4th-hand summaries that are beginning to skew the facts.

    https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html