Slashdot Mirror


Chinese DNS Tampering a Real Threat To Outsiders

Trailrunner7 writes "China has long used the Internet's Domain Name Service to censor Web sites and information that the ruling Communist Party deems threatening. But now security experts warn that the government's censorship is in danger of spilling over China's borders, suppressing the ability of those living outside of China to find information online. An estimated 57% of all networks on Earth passed DNS requests through a Chinese DNS root server at some point in 2010, according to data from security firm Renesys. Tampering by the Communist Party there poses a danger to Internet security and freedom. In fact, DNS tampering may be a bigger threat than techniques like BGP (Border Gateway Protocol) hijacking, which is believed to be responsible for an unexpected shift in Internet routing in April that has recently been the subject of mainstream media reports in the US. There is already evidence that China's efforts to tamper with DNS have bled outside the country's borders. The same report to Congress from the US-China Economic and Security Review Commission that called attention to the BGP hijacking incident from April, 2010 also mentions a March, 2010 incident in which Internet users in the US and Chile attempted to connect to social networking websites banned by the Chinese government. However, their DNS requests were handled by a Beijing-based Domain Name Server, which responded with incorrect DNS information that directed the surfers to incorrect servers, the report says."

116 of 181 comments

  1. So, which is worse? by Anonymous Coward · · Score: 1, Interesting

    So, is it better to have China fucking around with the internet, or the US?

    Quite frankly, I don't think either of them should be able to do it.

    Fuck the both of them.

    1. Re:So, which is worse? by MightyMartian · · Score: 2, Funny

      Comparing the US and China as far as the Internet goes kind of indicates who the asshat is here.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:So, which is worse? by Paracelcus · · Score: 1

      So, I'm kind of dense, are you implying that the irredeemably evil nightmare that is China is worse or better than the corrupt (government by bribery) and (police state in training) that is the USofA?

      --
      I killed da wabbit -Elmer Fudd
  2. In Soviet China... by Marthis · · Score: 2, Funny

    ...DNS routes you! Oh, wait...

  3. GWB the prophet by DigiShaman · · Score: 1

    "I hear there's rumors on the Internets that we're going to have a draft."

    He knows something we don't? Hmmmm

    --
    Life is not for the lazy.
    1. Re:GWB the prophet by mcgrew · · Score: 1

      As he was US President for eight years, it's a certainty that he knows a LOT of stuff that we won't ever hear about.

    2. Re:GWB the prophet by slick7 · · Score: 1

      As he was US President for eight years, it's a certainty that he knows a LOT of stuff that we won't ever hear about.

      Wait until the next installment of WikiLeaks. There, fixed that for ya.

      --
      The mind conceives, the body achieves, the spirit manifests.
    3. Re:GWB the prophet by mcgrew · · Score: 1

      I would guess that the information wikileaks gets compared to what is there is probably trivial.

    4. Re:GWB the prophet by hitmark · · Score: 1

      Then comes the question about how much of that gets read by those in charge...

      Proverbial needle in haystack and all that...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
  4. Root servers? by just_another_sean · · Score: 4, Insightful

    I understand the need for mass replication of the DNS root servers and appreciate both the cultural and technical needs to spread them fairly evenly throughout the world but is it really necessary for China to replicate F, I and J at the root level? Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level? Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    1. Re:Root servers? by metamatic · · Score: 1

      Yeah, why does anyone trust any root server located in China? (They can set up servers that claim to be root servers all they like, but that doesn't mean the rest of the root servers have to trust them, so why do they?)

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    2. Re:Root servers? by Monkeedude1212 · · Score: 1

      Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level?

      I think it would. I wouldn't be surprised if China happens to hold some control over the network (if it exists much) in North Korea, and doing something like that might cause even more tensions in what is already a difficult situation.

    3. Re:Root servers? by guruevi · · Score: 1, Interesting

      Why should you trust the US with anything? China has so far not been tampering with the worldwide independent organization of either DNS or ICANN. Something the US can't really say anymore.

      It would be similar to saying, should we give control to Hitler, Stalin or Mussolini.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    4. Re:Root servers? by kindbud · · Score: 2, Insightful

      Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.

      --
      Edith Keeler Must Die
    5. Re:Root servers? by AdamThor · · Score: 1

      Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?

      NOOOOO! We must rebuild the entire interweb! Tiered service plans with CIA backdoors and automatic killswitches for stolen intellectual property!

      It's the ONLY WAY to stop the China from routing your traffic!

      --
      -- "Oh. This guy again."
    6. Re:Root servers? by mysticalreaper · · Score: 1

      DNSSEC *does* prevent against this man-in-the-middle attack, that's in fact its main feature.

      You say that a cache receiving the root glue (data about the root servers) has 'no way' to validate that the glue is legitimate. That's totally not true. There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.

    7. Re:Root servers? by gclef · · Score: 1

      That's not the point...the update requests you get from the "selected" ones: how do you know those are right? You don't. You're choosing to trust that select few. In this case, also, F, I, and J.root-servers.net are anycast...meaning that the IP you're trusting actually appears in multiple places at the same time, one of which is in China.

      Better question: How do you know that the i.root-servers.net system that you're talking to is not the one in China?

    8. Re:Root servers? by xnpu · · Score: 2, Interesting

      Because your ISP hired a lazy ass admin, that's why. Run your own DNS, remove the Chinese root servers from it. Problem solved.

    9. Re:Root servers? by by+(1706743) · · Score: 1

      ...has no way to validate that the glue is the legit...glue. And so they will become poisoned.

      Well, alcohol is a "poison" too, but I don't see you ranting about non-legit beer (Keystone, Natty, etc.)...

    10. Re:Root servers? by Jah-Wren Ryel · · Score: 1

      Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.

      So, you are saying that DNS ought to mean Do Not Sniff glue?

      --
      When information is power, privacy is freedom.
    11. Re:Root servers? by Peeteriz · · Score: 1

      Have someone that you trust sign the root data - it can be ICANN, it can be some other organization like FSF or ACLU or whomever you like, it can be any random individual that happens to have your trust and is willing to do the signing periodically.

    12. Re:Root servers? by kindbud · · Score: 1

      There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.

      And how do you get the IP address of this SSL web server? You must look up the domain in DNS. SSL certificates are tied to the domain, not the IP address. If you must use a service you don't trust to get the crypto tokens that allow you to trust it, you cannot trust it.

      --
      Edith Keeler Must Die
  5. We have a way to address this (at least, mostly) by autocracy · · Score: 3, Insightful

    DNSSEC. Get on it.

    --
    SIG: HUP
  6. Wikileaks... by orphiuchus · · Score: 1

    Isn't this a more deserving target than the US? Oh wait, they would immediately assassinate you if you leaked any of their information. Better keep going after the guys who don't fight back.

    1. Re:Wikileaks... by xnpu · · Score: 1

      Wikileaks is a government operation. China is well aware of that. Just like (if you did read Wikileaks) the US was well aware of China's attack on Google but chose not to tell anyone. China and US are on much better foot than you think, the theater is just for the populace.

  7. And ? by unity100 · · Score: 4, Insightful

    u.s. just grabbed 12 domain names, on the whim of some private interests inside usa. not only that they dropped a 'for other purposes' clause, in the bill/whatever that is going to allow them to do more.

    'for other purposes'. you can even put 'daydreaming' in it, and legally grab domains that help people daydream.

    1. Re:And ? by nbossett · · Score: 2, Interesting

      There's a difference between:
      having a legal fight over who owns abc.com
      and
      deliberately misleading people and pretending to be/own abc.com

      There can be abuses of either system, but rerouting traffic on the sly is potentially more dangerous to users than openly seizing a domain name.

    2. Re:And ? by erroneus · · Score: 1

      This case wasn't about one site pretending to be another. These were domain names allegedly used in copyright infringement activities. Domains used by others for typo-squatting is usually done through the courts system quite successfully.

  8. United States DNS Tampering a Realer Threat by Anonymous Coward · · Score: 4, Informative

    The United States government has already stolen domain names without due process. They don't even have jurisdiction over some of them.

    http://yro.slashdot.org/story/10/11/27/1910232/DHS-Seizes-75-Domain-Names

    1. Re:United States DNS Tampering a Realer Threat by jbonomi · · Score: 1

      They have jurisdiction over all of those, actually. Not necessarily the server/data, but certainly the .com and .net domains.

  9. peter's wolf... by X0563511 · · Score: 2, Interesting

    At what point are we going to get sick enough of this garbage to just completely segregate China from the rest of the internet?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    1. Re:peter's wolf... by mr_lizard13 · · Score: 1

      Who is "we"?

      You're speaking on behalf of a western nation I assume?

      --
      "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
    2. Re:peter's wolf... by X0563511 · · Score: 1

      No, I'm speaking on behalf of everyone that isn't China.

      You should read what I wrote, not the words that you assume are between the lines.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:peter's wolf... by shoehornjob · · Score: 1

      Well that would certainly deter them from hacking our computers and stealing state and industrial secrets.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    4. Re:peter's wolf... by mr_lizard13 · · Score: 1

      And you shouldn't assume the rest of the world thinks what you think.

      Last time I checked, China only caused pain and suffering to its own citizens, not those of other nations.

      There's a ton of other countries that inflict genocide on other countries' citizens without batting an eyelid.

      USA and UK, I'm looking at you. How about "we" segregate those countries from the rest of the world.

      --
      "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
    5. Re:peter's wolf... by X0563511 · · Score: 1

      There's a large difference between censoring what goes in or out, and manipulating the system so things that were not intended to go in do so (supposedly for intelligence gathering)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  10. right now.. by Anonymous Coward · · Score: 1

    China almost looks free compared to the nazi regime USA is trying to have on the web, randomly yanking domains (70+ recently) because american business interests were supposedly suffering. ..

  11. DNSSec? by Kamamura · · Score: 2

    Why do we have it then? AFAIK root zone was signed in May, so just don't send those super secret root zone KSKs to red commies and every validating resolver is safe!

    Hooray for advanced protocol beating the red threat back!

    1. Re:DNSSec? by just_another_sean · · Score: 1

      If China has the legitimate* right to host three replicas of the root servers they would need the KSKs, no?

      Which in my mind would lead to more potential for abuse as even the technical among us think "It's OK, I'm using DNSSEC!".

      * which according to TFA they do now...

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  12. Definitive/Caching/Chinese by RichMan · · Score: 1

    So do we need a new way of describing DNS servers ?
    We also probably also need a new way of describing DNS entries so you can tell the difference between an actual DNS for a site and a DNS for an edge caching site.

    1. Re:Definitive/Caching/Chinese by ADRA · · Score: 1

      How? How many clients will actually work their way up the chain to resolve against the hosted DNS server? That makes any initial engagement with raw (or cache expired) domains much slower. For a web site that is looking for drive-by service, this would be less appealing than say going to a Google derived alternative which is always well buried in cache. What you really want is a way of verifying that the upstream data source isn't tampered with, and I'm sorry but that's not going to happen, at least not on a root server level.

      After reading the article, it's still entirely unclear. There's a person referred only as Zmijewski who is never given context at all in the story. Their talk points are half the story and you don't even have the wit to say who the person is.

      Going back to the original US document, it seems the Chinese root server was erroneously sending censored responses to non-chinese IP blocks and was for a while pulled of its authority until the problem was resolved. As bad as national censorship can be, I suppose it's acceptable to be able to pull the cord on issues of the sort. After all the news of having the US seize domains, is it really worth noting a bug in the great firewall's DNS processing that was fixed months ago?

      --
      Bye!
    2. Re:Definitive/Caching/Chinese by Todd Knarr · · Score: 1

      DNSSEC. If the root-zone keys are distributed through an independent channel (ie. downloaded from ICANN and loaded into the local resolver/server software configuration), then even running a root DNS server won't let you forge responses for any part of the DNS tree you don't actually control (ie. have the private keys to generate new signatures for).

  13. I am safe... by Kamamura · · Score: 1

    ... I use the fantastic, free OpenDNS, and I have set resolv.conf to ns1.opendns.ch and ns2.opendns.ch years ago... crap! John, tear the wire from the wall, fast!

    1. Re:I am safe... by psyclone · · Score: 1

      No, you are not safe. It is trivial for someone between you and ns*.opendns.ch to intercept the DNS response and modify it.

      Only DNSSEC can save you here.

    2. Re:I am safe... by Thinine · · Score: 1

      Actually, OpenDNS is supporting a DNSSEC alternative, DNSCurve, which gives many of the same benefits, including the prevention of MitM attacks.

    3. Re:I am safe... by psyclone · · Score: 1

      DNSCurve looks pretty sweet; especially how it encrypts packets, instead of just signing them (like DNSSEC). Hiding the query and response seems very useful to avoid prying eyes.

  14. US DNS Tampering a Real Threat To Outsiders by mlawrence · · Score: 3, Interesting

    Just this past week the US government seized 75+ domains without any notice. Is this any different?

    1. Re:US DNS Tampering a Real Threat To Outsiders by Antisyzygy · · Score: 4, Interesting

      It's quite a bit different. China is attempting to control the internet, most likely for use as propaganda and as leverage in a cyber conflict. The DHS is being used by special interest groups to enforce IP law.

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    2. Re:US DNS Tampering a Real Threat To Outsiders by Anonymous Coward · · Score: 2, Informative

      That was at the .com level not at the . level. The US has not redirected .com somewhere else....

    3. Re:US DNS Tampering a Real Threat To Outsiders by Anonymous Coward · · Score: 1

      Same thing.
      The US disabled domains under US law, the Chinese disable domains under Chinese law.
      What is your point exactly?

      Or are you somewhat delusional to think that the US is the center of the universe I wonder...
      What the US did affects unrelated parties, namely THE REST OF THE WORLD!

    4. Re:US DNS Tampering a Real Threat To Outsiders by Monkeedude1212 · · Score: 1

      Okay - then which is worse?

      I mean I am not condoning everything the Chinese do but nationalism isn't always a bad thing and there wouldn't BE a cyber conflict without the US. Essentially what you've got is 1 country attacking another country and you've got 1 country attacking its own citizens. Which is which and which is worse?

    5. Re:US DNS Tampering a Real Threat To Outsiders by X0563511 · · Score: 1

      SOMEONE has a fucking clue!?!?

      (go figure it's an AC)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:US DNS Tampering a Real Threat To Outsiders by Antisyzygy · · Score: 5, Insightful

      Both are bad, but neither excuses the other.

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    7. Re:US DNS Tampering a Real Threat To Outsiders by metrix007 · · Score: 1

      What has being an AC got to do with anything?

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    8. Re:US DNS Tampering a Real Threat To Outsiders by jbonomi · · Score: 1

      Please explain the difference between makeup and cinnamon rolls.

    9. Re:US DNS Tampering a Real Threat To Outsiders by yuhong · · Score: 1

      And the US is just trying to suppress illegal content, while China is actually trying to censor criticism. The latter is IMO much worse.

    10. Re:US DNS Tampering a Real Threat To Outsiders by 0123456 · · Score: 2, Funny

      And the US is just trying to suppress illegal content, while China is actually trying to censor criticism. The latter is IMO much worse.

      But, uh, criticism _is_ 'illegal content' in China.

    11. Re:US DNS Tampering a Real Threat To Outsiders by Husgaard · · Score: 1

      IMHO a fine example of the difference between communism and fascism.

    12. Re:US DNS Tampering a Real Threat To Outsiders by erroneus · · Score: 1

      "Illegal" is a word whose meaning is quite relative. It also leads to discussion about whether or not a law is just even if the law itself is plain. Enforcing a "whites only" bathroom law might be an easy to appreciate law that is unjust. Many people hold that copyright law in the U.S. is unjust and I certainly support that. (I wouldn't download stuff nearly as much if content from 14 years ago actually went into the public domain -- I'd be busy being all retro in my downloads) But that's not how it is -- the copyright industry bought the laws that make things that should be legal illegal.

    13. Re:US DNS Tampering a Real Threat To Outsiders by wynterwynd · · Score: 1

      Touche.

      I think the term "illegal" isn't the right one to use. Which one is more immoral is probably more accurate.

      One country is revoking DNS service for a relatively small list of sites when its investigations show these sites violate that nation's (and in some cases international) trade or copyright laws. These sites are shut down without due process or prior notification. There is fear that if unchecked, this power could be extended to remove ideas that are unwelcome to those in control of these mechanisms.

      Evil, yes. But our own brand of evil, evil that benefits our own subtly neo-feudal power structure and shores up the foundations of our capitalist economic structure. It does this by directly preventing the operation of some who seek to circumvent established monetary contribution channels for intellectual and real property holders. Whether you agree with the core concept of monetizing intellectual property or not, the rules guarding it are pretty clearly and publicly defined and this action supports enforcement of those ideals. So I would say there is a potential for evil in this if taken to extremes, but by and large it mainly supports the established tenets of the nation.

      Another country has been caught using the trust extended to them in the form of DNS root servers to change the information provided by these servers to prevent access with the country's political interests and restrictions on tolerated ideals. The country's agencies have been known to intercept and effectively hijack the Internet connection of an uncertain number of global users whose traffic happened to be entrusted to their equipment due to load balancing. It is not known what the intention was, the extent of the data captured was never fully understood, there was no overt manipulation or presentation of purposely deceptive information, all that is truly known is that China has a policy of strict regulation of ideas of its people and that a great potential for harm exists if the country chose to pursue it.

      This is evil, but it is evil defined by ideals that happen to be antithetical to our core belief structure. Looked at (mostly) objectively, this has the ring to me of something that was a toe in the water or groundwork laid towards true purposeful evil, but in and of itself was not deliberately harmful. Everyone can point to how bad it COULD be, but nobody can clearly define how bad it actually was. Policing the exploration of ideas is widely considered to be much more evil than policing the exploitation of others' ideas, however one of the core principles of said nation is enforced unity of ideals and purpose. So I would say there is a large potential for evil in this if taken to extremes, but it mainly supports the established tenets of the nation.

      So I would say when looked at this way that both countries are nearly as morally in the wrong, but that our level of perceived "transparency" in the process is greater in that we are told a version of what is going on and then can vent our frustrations by complaining about it. With China there is a long history of secrecy, double dealings, and heavy spin, so there's the same level of abuse potential combined with MUCH greater levels of mistrust due to the lack of transparency. The actions were essentially the same, only the methods were different. Whether that means we're more honorable or just more subtle than China, I'll let you decide.

      --
      "Not all who wander are lost" -- JRR Tolkien
    14. Re:US DNS Tampering a Real Threat To Outsiders by Antisyzygy · · Score: 1

      I did actually read your whole post. Either way you swing it, it's the rich/powerful controlling the lesser classes. In China, the higher-ups in the party want to control the workers otherwise they lose their status and benefits. In China, I would bet career politicians have opulent lifestyles far surpassing the average worker. Here in the US you have huge disparities in wealth whereby 10 percent of the population controls 70 percent of the wealth. Furthermore, in the US you have career politicians that get handouts from lobby groups (controlled by the rich) and essentially have a revolving door with executive positions in industry and media. Perhaps in the US we live better than the average Chinese worker, but the sad fact remains, no matter where you are, the wealthy have greater access to government as well as greater influence in government and thus bias 90 percent of the benefits of their society for themselves.

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    15. Re:US DNS Tampering a Real Threat To Outsiders by Antisyzygy · · Score: 1

      I wouldn't call the US fascist. It's more of an Oligarchy.

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    16. Re:US DNS Tampering a Real Threat To Outsiders by TheLink · · Score: 1

      Opulent lifestyles maybe, but there seems to be a bit more accountability in China.

      Many top Chinese officials have been executed for corruption. Just google for: chinese official executed

      In my opinion being executed is about as accountable as it gets. And certainly a lot more scary than being paid off with a golden parachute/handshake, or getting bailed out.

      Someone might claim the executions are faked, but they (and their family) must be pretty good actors given their responses to the verdict. And even if so their lifestyle certainly would be drastically affected - hard to live like a king while resembling an executed official...

      As for the topic, when I checked some years ago, China regularly tampered with DNS as part of censorship (related to national security I suppose).

      The US DHS has tampered with DNS, not as extensively as China did, but since it's the DHS, I guess it's "national security" too?

  15. Re:We have a way to address this (at least, mostly by Kamamura · · Score: 5, Informative

    Since Chinese control 3 of the root DNS servers, I bet they are given the root zone KSKs.. and with them, you can spoof any record.

  16. Mod server down by jbeaupre · · Score: 3, Interesting

    If only you could mod servers up or down, giving them some sort of reputation history. Then your OS could determine a trusted anchor based on a server's "karma" and your requirements*. A system parallel to DNSSEC for apportioning, updating, and validating trust.

    * yeah, I'm borrowing Slashdot terminology. But what the heck, it kind of works.

    --
    The world is made by those who show up for the job.
    1. Re:Mod server down by arachnoprobe · · Score: 1

      * yeah, I'm borrowing Slashdot terminology. But what the heck, it kind of works.

      No. I saw your comment.

  17. Secure BGP by Monkius · · Score: 1

    I know of folks working currently on secure BGP. I would imagine that's part of the solution.

    --
    Matt
    1. Re:Secure BGP by xnpu · · Score: 1

      BGP knows filters and communities. It's just that those need to be setup by admins, which often don't feel like doing the work and will tell you it's too complex to deal with such a large dynamic network as theirs.

  18. Red vs effing Blue by MRe_nl · · Score: 2, Funny

    (tl;dr version)
    Big Threat Internet Security
    China censor Web sites and information ruling Communist Party threatening security experts warn government's censorship danger spilling China's suppressing China Chinese Tampering Communist Party danger security and freedom tampering bigger threat hijacking unexpected China's tamper bled
    U.S.-China Economic and Security Review Commission hijacking incident incident.

    (And when I count to three you will awaken and be VERY AFRAID).

    --
    "Kill 'em all and let Root sort 'em out"
  19. WTF happened this weekend? by GPLDAN · · Score: 1

    To Comcast?

    http://news.cnet.com/8301-1023_3-20023949-93.html


    Because I can damn well tell you that spilled over into other New England area networks, including the SAVVIS and Cogent networks in Boston area. Comcast says their DNS system failed, so how the fuck does a DNS attack knock out all the peering/routing/IP transport up there?

    That whole thing smells bad, and I wonder if anyone knows the truth about wtf happened.

  20. Re:We have a way to address this (at least, mostly by PiSkyHi · · Score: 1

    Not only that, but they intercept requests made to external DNSs as well - altering the results before arriving at your PC in China.

  21. Re:Agreed on DNSSEC, but until then? by X0563511 · · Score: 1

    The only problem with that is when IPs change. For major sites, it doesn't happen often, but when it does it may toss you through a loop.

    You might find it easier (and more efficient) to just build yourself a caching nameserver and set the TTLs high (hell you can do this on the workstation itself). Couple this with your existing method if you wish, there's no reason they can't work together.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  22. Porn! by toastar · · Score: 1

    NOO!!!

    I don't want some red china man stealing all my porn!
    They might start Blurring it on the fly!!!

    1. Re:Porn! by xnpu · · Score: 1

      Eh. Many porn sites were unblocked months ago and still are. I don't notice any blurring here.

  23. Re:Agreed on DNSSEC, but until then? by metrix007 · · Score: 1

    I just don't get what APK's deal is. He is clearly ignorant/misinformed and surely knows better...but I don't think I have ever seen a more dedicated troll than WillyonWheels. I mean..., he has been posting this same shit for years now, slightly customizing it for each story. It must be nice to have that much free time.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  24. Whitelisting by iamsolidsnk · · Score: 1

    Wouldn't whitelisting known good IPs of frequent internet destinations within your hosts.conf (or equivalent) file provide at least moderate protection against IP hijacking?

    --
    Here I am, here I remain.
  25. Thanks to Cisco.. by formfeed · · Score: 1

    ..for providing the technology that makes it possible to censor, track, and imprison.

    1. Re:Thanks to Cisco.. by xnpu · · Score: 1

      Thanks to the American people for allowing their government and corporations to participate in these deals. Did you call your ISP and complain about their use of a company that actively participates in subjecting over a billion people to heavy censorship? I didn't think so.

  26. DNS shall not be abridged by snsh · · Score: 1

    In the USA, DNS needs to be woven into the first amendment as one of those things the government shall not fuck with, but I doubt the Roberts court will see it that way.

  27. Re:We have a way to address this (at least, mostly by TheRaven64 · · Score: 1

    Why would they be given the keys? Surely they'd just be given the signed root zone file - it's not like it changes very often.

    --
    I am TheRaven on Soylent News
  28. Solution: de-root them by theNAM666 · · Score: 1

    Someone's already said this too, but it seems obvious. Don't trust the Politburo. Simple. Don't trust a root server run by the Politburo. Then implement DNSSec. :)

  29. Re:We have a way to address this (at least, mostly by Anonymous Coward · · Score: 1

    Actually, no, the Root server operators do not need access to the private key used for key-signing. They only get a copy of the root zones, all signed ahead of time.

    DNSSEC would solve this from a mis-information stand-point. It doesn't stop it from a DoS attack (just not answering, or even answering with bogus DNSSEC replies, which the DNS resolver will discard, but the end result is that you don't get your query answered).

  30. Re:Wow! by mcgrew · · Score: 1

    Looks to me like a bad mod was corrected in 3.5 seconds. I didn't like Bush and I don't care much for Obama, but comparing them to Godwin's Ghosts is indeed flamebait.

    Had he omitted that last line, it would have been interesting.

  31. Remove the ability of countries to censor the web by jack2000 · · Score: 1

    Tell me, why is it still possible for private parties to change things like this on a whim?
    There needs to be a system where if the domain record returned from a DNS server differs from the ones returned by, say, 4 others, it is discarded and the record returned by the 4 DNS servers is used.
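
The cross-checking scheme proposed in the comment above, as an added example that is not part of the original thread: each resolver votes once per address, an address needs `quorum` votes to be accepted, and resolvers sharing no address with the accepted set are discarded. The resolver names and addresses are constructed sample data (RFC 5737 documentation ranges), and `cross_check`, `normalise` and `quorum` are hypothetical names.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed sample data, not captured from a real network.
SAMPLE_ANSWERS = {
    "resolver-a": {"192.0.2.10", "192.0.2.11"},
    "resolver-b": {"192.0.2.11", "192.0.2.10"},
    "resolver-c": {"192.0.2.10", "192.0.2.11"},
    "resolver-d": {"192.0.2.10"},      # partial answer, still overlaps
    "resolver-e": {"203.0.113.66"},    # disagrees with everyone else
}

# Constructed: every resolver's reply was rewritten on one shared path,
# so all five answers agree with each other.
INTERCEPTED_PATH = {name: {"203.0.113.66"} for name in SAMPLE_ANSWERS}


def normalise(addresses):
    """Parse address strings so different spellings of one address compare equal."""
    return frozenset(ip_address(a) for a in addresses)


def cross_check(answers, quorum=4):
    """Return (accepted, discarded).

    accepted  -- addresses returned by at least `quorum` resolvers, or None
                 when nothing reaches quorum (the caller should fail closed).
    discarded -- sorted names of resolvers whose answer shares no address
                 with the accepted set (empty or malformed answers included).
    """
    parsed = {}
    for name, addrs in answers.items():
        try:
            parsed[name] = normalise(addrs)
        except ValueError:
            parsed[name] = frozenset()  # malformed answer counts as no answer
    # Each resolver's answer is a set, so it votes at most once per address.
    votes = Counter(a for rrset in parsed.values() for a in rrset)
    accepted = frozenset(a for a, n in votes.items() if n >= quorum)
    if not accepted:
        return None, sorted(parsed)
    discarded = sorted(n for n, rrset in parsed.items() if not rrset & accepted)
    return accepted, discarded


if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_ANSWERS), ("intercepted", INTERCEPTED_PATH)):
        accepted, discarded = cross_check(data)
        print(label, sorted(map(str, accepted or [])), discarded)
```

In the second data set the vote accepts the rewritten address, because a quorum only measures agreement among the answers that reached the client, not whether they arrived unmodified.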

  32. No. by Anonymous Coward · · Score: 1, Informative

    The root zone is distributed already signed to everybody. It is signed using special hardware in the US. Look up the key signing ceremony to see the details.

  33. Re:Agreed on DNSSEC, but until then? by marcello_dl · · Score: 1

    A hosts file in a git distributed repo would be a nice idea for small organizations; it provides a way to safely add/update entries.

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  34. This is just about lazy admins. by xnpu · · Score: 1

    Since when are you obligated to use the Chinese root servers? And have you heard of DNSSEC? This is really just an issue of lazy admins. Same story with the root SSL certificates browsers ship with that include a lot of questionable organizations and governments. You are free to remove them, and no, it's not hard. The BGP hijack was no different. Carriers that have their shit organized have their filters configured and would not participate in the hijack.

  35. so ? by unity100 · · Score: 1

    Difference? Chinese pretend to be abc com for their own aims, USA 'legally' grabs domains pretending to anyone worldwide, for their own aims. Not to mention that it makes the law that legalizes it.

  36. Re:Remove the ability of countries to censor the w by 0123456 · · Score: 1

    Tell me, why is it still possible for private parties to change things like this on a whim?

    Uh, this isn't a 'private party', it's the Chinese government. DNS generally worked fine when it was controlled by 'private parties' and governments weren't meddling with it.

  37. Re:Solution: de-root them by xnpu · · Score: 1

    De-root is a useless measure. You don't trust China, someone else doesn't trust some other country hosting a root. DNSSec is the only acceptable solution currently available.

    Also it's a little naive to think that Chinese cyberspace ends at its physical borders. China's telcos have controlling stakes in many foreign communications companies as well. Not to mention lots of western ISPs are installing Huawei equipment, etc, etc.

  38. Re:Remove the ability of countries to censor the w by xnpu · · Score: 1

    Nice idea, but this doesn't help one bit if the censorship is done close to home. E.g. on "my" network I intercept DNS and have my name server send the reply. It doesn't matter if the users are talking to Google DNS, OpenDNS or some other service, it's always my DNS server that replies. DNS is extremely easy to intercept and spoof.

  39. Cut China off by kheldan · · Score: 1

    If you were found to be tampering with DNS, at the very least you'd have your internet service cut off, at worst you'd be arrested. The equivalent of "arresting" China would be called "World War III" and that's not going to happen (yet). We can, however, cut them off from the rest of the internet, can't we? Why haven't we? They refuse to behave, they don't own the internet (nobody does and everybody does, really), they don't have the right to do this. Cut them off until they learn to behave. Besides, to hear them talk, they'd probably prefer being cut off from the rest of the world so they can literally force their citizens to use only the sites the State wants them to.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Cut China off by xnpu · · Score: 1

      It wouldn't net a China-cutoff. It would be a net-split.

    2. Re:Cut China off by GPLHost-Thomas · · Score: 1

      I'm a French guy living in China, and married with a Chinese, and all what I earn for a living comes from the net. To such a comment, I have only one thing to answer: go to hell, with your "recommendations". How about we do a global embargo on USA (not only on Internet) because you guys think you own the planet and make endless wars? They don't have the right to do this. Let's cut them until they learn how to behave.

    3. Re:Cut China off by kheldan · · Score: 1

      married with a Chinese

      Yeah, I'm sure she's real proud of the high regard you hold her in, referring to her in such a manner. Do you fondly refer to her in casual conversation as "my slant-eyed sweetie"?
      Also, you're French, your whole country hates us, so I'm supposed to listen to you why?
      By the way, how are those rampant human rights violations sitting with you, friend? You're living there and married to someone of Chinese ancestry, you might just be as OK with those as you apparently are with every other crappy thing that the Chinese government and military keeps doing. I may not be as proud to be an American as I once used to be, but I don't see where you have a single leg to stand on so far as defending China against this or any other crimes against the rest of the world they've committed.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    4. Re:Cut China off by GPLHost-Thomas · · Score: 1

      What a jerk. Not only you are insulting and racist, but you didn't even care reading what I wrote. Where exactly did you see that I was proud of what the Chinese gov. is doing? All what I was thinking is that there's no reason to add more crap to what we have already from the gov. I was also only returning the compliment you had, to see your reaction. Clearly, you don't like reading them, so why people living in China would?
      Lucky, I know a few Americans that aren't like you.

  40. Re:Agreed on DNSSEC, but until then? by icebraining · · Score: 1

    Or they could just install a DNS caching server, it's not that hard. And besides the static hosts information, it would also share the DNS cache between all the clients, so if two of them accessed the same sites, it would be faster for the second client.

    Debian comes with a few an aptitude install away.

  41. Re:We have a way to address this (at least, mostly by autocracy · · Score: 2, Informative

    Root servers point to top-level domains. com, net, org, cn, us, uk... these would all have their own keys. China would only have access to one of those. As pointed out by others, the roots are pre-signed and just passed around for mirroring.

    This doesn't prevent China from doing various nuisance activities such as replying with unresolvable, bogus unsigned answers, or bogus answers with wrong signers. That said, you'd at least have some level of verification available that a DNSSEC signed answer is appropriate, and you could ignore anything but.

    --
    SIG: HUP
  42. Billions and billions... by TiggertheMad · · Score: 1

    If only you could mod servers up or down, giving them some sort of reputation history. Then your OS could determine a trusted anchor based on a server's "karma" and your requirements*. A system parallel to DNSSEC for apportioning, updating, and validating trust.

    Doesn't China have like, 1.2 billion people? If all the people in China mod up the Chinese DNS servers, and all the people in the US mod them down, I'm pretty sure they will still have a pretty good score...

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  43. Discourse... by WSOGMM · · Score: 1

    Hmmm...

    The general public:

    "What's net neutrality? Meh, I don't care... WAIT, The Communist Party can censor and limit the information I receive?? BLASPHEMY. MAKE THE INTERNET FREE AND UNTAINTED BY CENSORSHIP!! RALLY RALLY RALLY!"

    Ha. Slashdot: 1, Stupids: 0. ;)

  44. Re:Agreed on DNSSEC, but until then? by marcello_dl · · Score: 1

    I use dnsmasq myself often. I thought that people in organizations that fear government censorship are better with a hosts file on each computer than with a number of dns caches. The response can still be spoofed or the servers DoSed. Git can do signed commits and updates over ssh.
    Also one could exploit virtual hosting configuration and have a server that returns normal content if accessed through its normal domain, and special content if accessed through an entry in the hosts file (good against casual surfers and bots, useless against a determined attack)

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  45. 8.8.8.8 by dargaud · · Score: 1

    Easy to remember

    --
    Non-Linux Penguins ?
  46. Re:We have a way to address this (at least, mostly by slick7 · · Score: 1

    Since Chinese control 3 of the root DNS servers, I bet they are given the root zone KSKs.. and with them, you can spoof any record.

    Let me see...1.5 billion Chinese or the rest of the planet. Who would you not want to piss off?

    --
    The mind conceives, the body achieves, the spirit manifests.
  47. Agreed, I trust Google more than China by lullabud · · Score: 1

    I've had so many DNS problems in Asia (not China) and 8.8.8.8 solved them all. It was such a problem while I was there that I'd log into any default password routers in the hotels I stayed at and change their configs to that.

    On top of that, since China is responsible for hacking Google earlier this year, Google will be taking special care to make sure their services will be protected from future attacks, and thus will likely fortify their DNS against root hijacking.

  48. Re:Agreed on DNSSEC, but until then? by icebraining · · Score: 1

    I was thinking of a DNS server in-LAN, not geographically distributed. In that case, I agree that a hosts file is more robust.

  49. no news here... by hesaigo999ca · · Score: 1

    The fact that for a few minutes all packets were being rerouted to china and then sent back to its final destination means a good packet sniffer will give you lots of info, as well, the government now has some pretty big super computers at their disposal, as well as being the first to show SHA1 was able to be broken....it all adds up.

  50. Switch to the new root servers instead by F.Ultra · · Score: 1

    Simple solution is to switch to 3rd party root servers like the Telecomix ones: http://dns.telecomix.org/

  51. Re:You're off topic & trolling (step inside).. by metrix007 · · Score: 1

    Kid, you have no idea what you're talking about. Stop posting a link to this post behind every post I make...,really, do you have nothing better to do?

    You are strongly misinformed on several points. I can't be bothered to respond to you, (i.e. feed the troll) because I don't think it would be worth my time. You're obsessed, and not interested in rational discussion. Please, stop following me.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  52. Re:Again: What's your specific problem w/ HOSTS fi by metrix007 · · Score: 1

    If you want me to address you properly, then I want you to answer some questions.

    1. Why do you put certain words in quotes or parentheses? WTF is up with that? E.G. your first line above, why is "go for it" in quotes?
    2. Why do you cite work you allegedly have done, such as articles you wrote in various magazines, if you don't give us a means to verify that information? Are you really hoping we will just take you at your word?
    3. Likewise, why claim to have degrees or experience or whatever, if you don't give us a means to verify that information?
    4. Why do you bother mentioning that stuff at all? As an appeal to authority? If what you are saying has merit (which seems unlikely) it can stand on its own. Your background is irrelevant to the point you are making.
    5. Why have you been following around my posts insulting me linking back to this thread? It discredits you further, and makes you seem like you are a troll starved for attention.
    6. Why do you quote people in such a way? You get that it is completely redundant right? The name of the poster, post ID and time are all at the top of each post...adding it manually when you quote someone is just redundant, so why do you do this?
    7. Why do you take 3 points (Kaminsky bug, Secunia hijack and Oliver Day's article) and misconstrue them? Do you not understand what they are actually about? Just because an article is about flaws in DNS, it does not automatically support your point.

    If you have the courtesy to answer these questions, then I will address your main points as you ask.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  53. Re:You try "LOGIC" & U use "AD HOMINEM Attacks by metrix007 · · Score: 1

    1. We can't verify anything you say, as without an account or given name we have nothing to check it against
    2. Nowhere in my previous post did I use an ad hominem attack. I guess you don't know what that actually is.
    3. You have not answered any of my questions

    Given your trollish behavior, i.e. stalking and insulting, you are clearly a troll. (note, that is also not an ad hominem attack). Given the way you obsessively stalk people, redundantly quote information and your strange use of quotes, I would say you also have some serious issues.

    Computing just isn't your field kiddo, but I do hope you get the help you need. I won't be replying to you further until you answer my original questions in a polite manner.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  54. Re:You try "LOGIC" & U use "AD HOMINEM Attacks by metrix007 · · Score: 1

    Also, let me explain why I believe you misconstrue the 3 things you keep relying on for proof.

    1. Oliver Day's article. He talks about using a HOSTS file as a WHITELIST, and even then admits it has problems. You misconstrue him as advocating a HOSTS file as a BLACKLIST, which is false. Furthermore, he states he was using this back in 2004 to stop ads and tracking, something adblock plus is now far more efficient at.
    2. The Kaminsky bug. This is no longer relevant, as ALL versions of DNS servers have been patched. I guess it's possible some idiots are running an unpatched server, but that is unlikely. It is also why there has not been an attack using the Kaminsky bug since 2008 or so.
    3. The Secunia Hijacking. This was the result of someone breaking into the registrars account and modifying the DNS records directly. DNSSEC would not have helped here since they would have had access to the proper cert. If you used Secunia regularly and wanted to add it as a whitelist in your HOSTS file then yes, that would have prevented you having to see the redirected page for a few hours. It certainly isn't an argument to use HOSTS files in the way you advocate.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  55. Re:More evasions from metrix007? Of course! by metrix007 · · Score: 1

    LMAO, wtf? Look at my initials, & look here then (as to academia, where I was a letter winner for a national champ in lacrosse, & also a graduate with a B.S. degree in the sciences):

    http://lemoynedolphins.com/sports/mlax/history/mlaxletterwinners

    I can not see any name on that list that matches the initials APK. If I don't know your name, then I can not verify anything you say, regardless of who you give me as a reference.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  56. Re:Time to shoot you down even more... apk by metrix007 · · Score: 1

    I give up...you really don't have any idea what you're talking about, and that joke of a reply just shows it. I replied in good faith...and get religious shit in response. Best of luck dude. You're an idiot. (note, not an ad hominem, not dismissing your reply because I consider you an idiot, calling you an idiot as a consequence).

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  57. Re:I finished you off with your OWN mistakes 2x by metrix007 · · Score: 1

    OK, Alex Kowalski. Awesome.

    Funny when I search your name on Google, I find absolutely nothing of prominence. Maybe in the next life, kid.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  58. Re:Time to shoot you down even more... apk by metrix007 · · Score: 1

    Actually, digging a bit further, and eliminate all the other people with your name (musicians, reporters, AIDS societies fellows etc), I find you on several forums, where you have been banned. Makes sense that you would come to the last refuge on the internet where you can't get banned. You have helped me cement your status as an ignorant troll who lies about his/her own accomplishments. Good job kiddo.

    --
    If you ignore ACs because they are anonymous - you're an idiot.
  59. Re:Time to shoot you down even more... apk by metrix007 · · Score: 1

    OK, final post and no more googling. For anyone sad enough to be reading this, this post discredits APK basically completely. http://tech.slashdot.org/comments.pl?sid=1300193&cid=28673669

    --
    If you ignore ACs because they are anonymous - you're an idiot.