Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chinese Root Server Shut Down After DNS Problem

Posted by timothy on from the need-a-new-source-of-ginseng dept.

itwbennett writes "After a networking error first reported on Wednesday last week caused computers in Chile and the US to come under the control of a system that censors the Internet in China, the 'root DNS server associated with the networking problems has been disconnected from the Internet,' writes Robert McMillan. The server's operator, Netnod, has 'withdrawn route announcements' made by the server, according to company CEO Kurt Lindqvist."

3 of 91 comments (clear)

  1. I blame American ISP's by ironicsky · · Score: 3, Insightful

    I blame American and Chile ISP's.
    Why on earth would you query the root server on the other side of the world, especially in an ass backwards country like China when there are plenty of good servers here?
    Shouldn't you query the closest available server, not the furthest?

    1. Re:I blame American ISP's by mysticalreaper · · Score: 3, Insightful

      Basically, your ideas are right. The idea is to query the closest server, for best performance. DNS data is very small, so there's not much financial concern about transmitting data across the world (which happens all the time on the internet)

      Anyway, the logical routing of the internet doesn't always match the physical world. This is routine, and not a problem until DNS traffic crosses the great firewall of China, and is modified, which is what happened here.

      Since this, route announcements have changed, and the Beijing server is not being queried.

      But you are also correct about ISPs. ISPs can control (if they are good) which root servers are going to be queried from their network.

      My overall point is that everything was operating routinely and correctly, until a new kind of DNS problem, not observed in the wild ever before, started happening. It's hard to expect the ISPs to prevent a problem they never knew would occur.

  2. Re:Heads should roll by mysticalreaper · · Score: 3, Insightful

    This should never have been allowed to happen in the first place, and when it had, it shouldn't have been allowed to persist for a few days before being made public and taking action.

    Well i think this unreasonably harsh. No one had ever seen the great firewall of china affect DNS traffic like this in the past. So no one (not even you) was suggesting that when they set up a root DNS server in Beijing, that it would effectively send out false answers.

    Now, anyone who controls a part of the network you rely on can launch a man-in-the-middle attack, which is what happened here. So to suggest that this should never have been allowed to happen, you would have to be using strong cryptography in some way. DNS has never had that mechanism--but it will soon, cause DNSSEC is coming along.The root servers are deploying it right now, and so are the other Top-level-domains.

    Also, as soon as the I-root server operators realized this problem was occurring, and was outside of their control, they disabled the server. Why do you think that they sat on this problem for a few days, doing nothing about it?