
China censorship leaks outside Great Firewall via root server

Spoofed answers to DNS queries leak from China and its Great Firewall, …

On Wednesday, someone from the Chilean domain registry .cl noticed that one of the DNS root servers was responding in a very strange way to queries for domain names like facebook.com, youtube.com, and twitter.com. Normally, root servers only provide a pointer to the correct set of Top Level Domain servers—in this case, the .com servers operated by Verisign. But here, the "I" root server responded with (apparently fake) addresses. 

It turns out that these queries were answered by a root server residing in China, and China has been applying this type of creativity to DNS queries since at least 2002. So this is just your basic Internet censoring, nothing to see here, move along. (Can we interest you in some DNS security?)

In this case, however, the way the root server network is operated and the way the DNS protocol works interact so as to create problems outside China. The root servers are "anycasted." The number of root server addresses is limited to not much more than the current 13 (A through M) because more wouldn't fit into a single DNS packet without additional measures. So rather than add more root servers with their own addresses, most root server addresses are actually shared by multiple server instances around the world. The routing system delivers queries to the nearest instance, so answers come back quickly, and attackers only get to send packets to root servers in their own region, limiting the scope of any attack. This also means that if the routing system considers an instance of a root server in China to be close by, routers will send the request to China. Regular users have very little control over these routing decisions.

To add insult to injury, the queries to root servers contain the full DNS name that the user is looking for, even though root servers by their nature only respond to the .com, .net, .fr, or .cl part of a DNS name. It's a bit like putting your income on the outside of the envelope containing your tax return and trusting the postal service to ignore it.
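The difference between a proper referral and the behaviour described above is easy to check mechanically. The following is an added example, not code from the article or from any root operator: it parses a DNS response in wire format (including compressed names) and flags a reply from a root server that carries an answer section for a second-level name instead of only NS records for the TLD in the authority section. The two fixtures are constructed for illustration, not captured from the incident, and a.gtld-servers.net appears only as sample referral data.

```python
import struct
def _read_name(msg, off):
    """Decode a possibly compressed DNS name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) or ".", (off if end is None else end)

def parse_response(msg):
    """Return the qname plus (owner, rtype) pairs per section; assumes one question."""
    _id, _flags, _qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = _read_name(msg, 12)
    out, off = {"qname": qname, "answer": [], "authority": [], "additional": []}, off + 4
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = _read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            out[sec].append((owner, rtype))
            off += 10 + rdlen                          # skip fixed fields and RDATA
    return out

def classify_root_reply(msg):
    """A root server asked about a name under a TLD must only refer to that TLD."""
    r = parse_response(msg)
    tld = r["qname"].rsplit(".", 1)[-1]
    if r["answer"]:                                    # root holds no data for facebook.com
        return "spoofed-answer"
    if r["authority"] and all(o == tld and t == 2 for o, t in r["authority"]):
        return "referral"                              # NS records for "com" only
    return "unexpected"

# Constructed fixtures (not captured traffic); the builder emits no compression pointers.
def _enc(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\0"

def _build(qname, answer=(), authority=()):
    rr = lambda o, t, rd: _enc(o) + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    hdr = struct.pack("!6H", 0x1234, 0x8000, 1, len(answer), len(authority), 0)
    return hdr + _enc(qname) + struct.pack("!HH", 1, 1) + b"".join(rr(*x) for x in [*answer, *authority])
REFERRAL = _build("facebook.com", authority=[("com", 2, _enc("a.gtld-servers.net"))])
SPOOFED = _build("facebook.com", answer=[("facebook.com", 1, bytes([192, 0, 2, 1]))])
```

Running the classifier over replies from each anycast instance of a root address (for example from vantage points in several regions) separates a legitimate referral from an instance that answers for names it cannot hold.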

Very likely, ISPs will soon start blocking routing updates announcing reachability to anycasted root servers coming from China, so DNS requests will be forwarded to non-Chinese instances of root servers. Note, however, that these spoofed results are unlikely to create much trouble, even for users who consistently receive them. And this is unlikely for anyone outside China, because only a few root server instances are deployed in the People's Republic. In any event, the pointers to the .com servers will normally already be cached by a local DNS server, so the query is sent directly to a .com server rather than to a root server first.
