Slashdot Mirror


Chinese DNS Tampering a Real Threat To Outsiders

Trailrunner7 writes "China has long used the Internet's Domain Name Service to censor Web sites and information that the ruling Communist Party deems threatening. But now security experts warn that the government's censorship is in danger of spilling over China's borders, suppressing the ability of those living outside of China to find information online. An estimated 57% of all networks on Earth passed DNS requests through a Chinese DNS root server at some point in 2010, according to data from security firm Renesys. Tampering by the Communist Party there poses a danger to Internet security and freedom. In fact, DNS tampering may be a bigger threat than techniques like BGP (Border Gateway Protocol) hijacking, which is believed to be responsible for an unexpected shift in Internet routing in April that has recently been the subject of mainstream media reports in the US. There is already evidence that China's efforts to tamper with DNS have bled outside the country's borders. The same report to Congress from the US-China Economic and Security Review Commission that called attention to the BGP hijacking incident from April, 2010 also mentions a March, 2010 incident in which Internet users in the US and Chile attempted to connect to social networking websites banned by the Chinese government. However, their DNS requests were handled by a Beijing-based Domain Name Server, which responded with incorrect DNS information that directed the surfers to incorrect servers, the report says."

20 of 181 comments

  1. In Soviet China... by Marthis · · Score: 2, Funny

    ...DNS routes you! Oh, wait...

  2. Root servers? by just_another_sean · · Score: 4, Insightful

    I understand the need for mass replication of the DNS root servers and appreciate both the cultural and technical needs to spread them fairly evenly throughout the world but is it really necessary for China to replicate F, I and J at the root level? Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level? Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    1. Re:Root servers? by kindbud · · Score: 2, Insightful

      Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.

      --
      Edith Keeler Must Die
    2. Re:Root servers? by xnpu · · Score: 2, Interesting

      Because your ISP hired a lazy ass admin, that's why. Run your own DNS, remove the Chinese root servers from it. Problem solved.

  3. We have a way to address this (at least, mostly) by autocracy · · Score: 3, Insightful

    DNSSEC. Get on it.

    --
    SIG: HUP
  4. And ? by unity100 · · Score: 4, Insightful

    u.s. just grabbed 12 domain names, on the whim of some private interests inside usa. not only that they dropped a 'for other purposes' clause, in the bill/whatever that is going to allow them to do more.

    'for other purposes'. you can even put 'daydreaming' in it, and legally grab domains that help people daydream.

    1. Re:And ? by nbossett · · Score: 2, Interesting

      There's a difference between:
      having a legal fight over who owns abc.com
      and
      deliberately misleading people and pretending to be/own abc.com

      There can be abuses of either system, but rerouting traffic on the sly is potentially more dangerous to users than openly seizing a domain name.

  5. United States DNS Tampering a Realer Threat by Anonymous Coward · · Score: 4, Informative

    The United States government has already stolen domain names without due process. They don't even have jurisdiction over some of them.

    http://yro.slashdot.org/story/10/11/27/1910232/DHS-Seizes-75-Domain-Names

  6. peter's wolf... by X0563511 · · Score: 2, Interesting

    At what point are we going to get sick enough of this garbage to just completely segregate China from the rest of the internet?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  7. DNSSec? by Kamamura · · Score: 2

    Why do we have it then? AFAIK root zone was signed in May, so just don't send those super secret root zone KSKs to red commies and every validating resolver is safe!

    Hooray for advanced protocol beating the red threat back!

  8. US DNS Tampering a Real Threat To Outsiders by mlawrence · · Score: 3, Interesting

    Just this past week the US government seized 75+ domains without any notice. Is this any different?

    1. Re:US DNS Tampering a Real Threat To Outsiders by Antisyzygy · · Score: 4, Interesting

      It's quite a bit different. China is attempting to control the internet, most likely for use as propaganda and as leverage in a cyber conflict. The DHS is being used by special interest groups to enforce IP law.

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    2. Re:US DNS Tampering a Real Threat To Outsiders by Anonymous Coward · · Score: 2, Informative

      That was at the .com level not at the . level. The US has not redirected .com somewhere else....

    3. Re:US DNS Tampering a Real Threat To Outsiders by Antisyzygy · · Score: 5, Insightful

      Both are bad, but neither excuses the other.

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    4. Re:US DNS Tampering a Real Threat To Outsiders by 0123456 · · Score: 2, Funny

      And the US is just trying to suppress illegal content, while China is actually trying to censor criticism. The latter is IMO much worse.

      But, uh, criticism _is_ 'illegal content' in China.

  9. Re:We have a way to address this (at least, mostly by Kamamura · · Score: 5, Informative

    Since Chinese control 3 of the root DNS servers, I bet they are given the root zone KSKs.. and with them, you can spoof any record.

  10. Mod server down by jbeaupre · · Score: 3, Interesting

    If only you could mod servers up or down, giving them some sort of reputation history. Then your OS could determine a trusted anchor based on a server's "karma" and your requirements*. A system parallel to DNSSEC for apportioning, updating, and validating trust.

    * yeah, I'm borrowing Slashdot terminology. But what the heck, it kind of works.

    --
    The world is made by those who show up for the job.
  11. Red vs effing Blue by MRe_nl · · Score: 2, Funny

    (tl;dr version)
    Big Threat Internet Security
    China censor Web sites and information ruling Communist Party threatening security experts warn government's censorship danger spilling China's suppressing China Chinese Tampering Communist Party danger security and freedom tampering bigger threat hijacking unexpected China's tamper bled
    U.S.-China Economic and Security Review Commission hijacking incident incident.

    (And when I count to three you will awaken and be VERY AFRAID).

    --
    "Kill 'em all and let Root sort 'em out"
  12. Re:So, which is worse? by MightyMartian · · Score: 2, Funny

    Comparing the US and China as far as the Internet goes kind of indicates who the asshat is here.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  13. Re:We have a way to address this (at least, mostly by autocracy · · Score: 2, Informative

    Root servers point to top-level domains. com, net, org, cn, us, uk... these would all have their own keys. China would only have access to one of those. As pointed out by others, the roots are pre-signed and just passed around for mirroring.

    This doesn't prevent China from doing various nuisance activities such as replying with unresolvable, bogus unsigned answers, or bogus answers with wrong signers. That said, you'd at least have some level of verification available that a DNSSEC signed answer is appropriate, and you could ignore anything but.

    --
    SIG: HUP
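
The validation described in the last comment, and the worry in comment 9 about what a root mirror can forge, as an added example that is not part of the original thread: a toy chain of trust in which a mirror holds only pre-signed data and a validating resolver rejects rewritten, unsigned or wrongly signed answers. The textbook-RSA keys, record strings and function names are constructed for illustration and are not a real DNSSEC implementation.

```python
import hashlib
E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(text, n):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def sign(key, text):
    return pow(digest(text, key["n"]), key["d"], key["n"])

def verify(pub_n, text, sig):
    return sig is not None and pow(sig, E, pub_n) == digest(text, pub_n)

# Constructed toy RSA keys from Mersenne primes (not secure); "d" stays with the signer.
ROOT = make_key(2**107 - 1, 2**127 - 1)     # root zone signer
COM = make_key(2**61 - 1, 2**89 - 1)        # .com zone signer
MIRROR = make_key(2**521 - 1, 2**607 - 1)   # key a tampering mirror makes up
TRUST_ANCHOR = ROOT["n"]  # all the validating resolver is configured with

def delegation(tld_key, signer):
    """Root-zone entry vouching for a TLD key: (TLD public key, signature)."""
    return tld_key["n"], sign(signer, f"com. DS {tld_key['n']}")

def validate(ds, rr, rrsig):
    tld_n, ds_sig = ds
    if not verify(TRUST_ANCHOR, f"com. DS {tld_n}", ds_sig):
        return "bogus: delegation not signed by root key"
    if not verify(tld_n, rr, rrsig):
        return "bogus: record not signed by delegated key"
    return "secure"

# Pre-signed data that a mirror copies verbatim (sample records are constructed).
GOOD_DS = delegation(COM, ROOT)
GOOD_RR = "example.com. A 192.0.2.10"
GOOD_SIG = sign(COM, GOOD_RR)
FAKE_RR = "example.com. A 203.0.113.66"

def scenarios():
    return {
        "genuine": validate(GOOD_DS, GOOD_RR, GOOD_SIG),
        "rewritten, old signature": validate(GOOD_DS, FAKE_RR, GOOD_SIG),
        "rewritten, unsigned": validate(GOOD_DS, FAKE_RR, None),
        "rewritten, mirror's own keys": validate(
            delegation(MIRROR, MIRROR), FAKE_RR, sign(MIRROR, FAKE_RR)),
    }

if __name__ == "__main__":
    print(*scenarios().items(), sep="\n")
```

Only the first scenario validates; the other three are what a non-validating resolver would have accepted without complaint.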