So, I was doing some searching in Google and Baidu and noticed two sites (that appeared to be the same), voanews.cn and voanews.com.cn. Upon visiting voanews.com.cn I was surprised to find myself ending up at Google. voanews.com.cn, like voanews.cn, should resolve to 126.96.36.199, not Google.
The other thing that stood out was that these sites did not appear to be the Voice of America. And they are not. You can look up the registrar here. The Registrant Name is 慢速英语, which Babel translates as “Slow English”, which gave me a chuckle.
I did some more tweaking, and voanews.com.cn is being subjected to a form of DNS tampering because it has “voanews.com” in it. It looks like China is bringing back an improved version of their old DNS spoofing. Rather than messing around with individual DNS servers, China has implemented a system that appears to operate like the RST/keyword filtering system (see this paper for technical details).
DNS lookups for voanews.com (or voanews.com.cn) will return one or more of the following four IPs:
voanews.com has address 188.8.131.52
voanews.com has address 184.108.40.206
voanews.com has address 220.127.116.11
voanews.com has address 18.104.22.168
The last two, by the way, are Google IP addresses. Weird.
But if you sniff the connection you’ll see what happens: after the request is made, four spoofed results are received, and eventually the correct result arrives as well. By the time the true result is received, applications relying on a DNS lookup (e.g. a web browser) have already accepted the initial spoofed result.
ME -> CN  DNS  Standard query ANY voanews.com
CN -> ME  DNS  Standard query response A 22.214.171.124
...
CN -> ME  DNS  Standard query response SOA auth00.ns.uu.net MX 20 ibb2.ibb.gov MX 30 ibb1.ibb.gov MX 10 voa2.voa.gov A 126.96.36.199 NS auth00.ns.uu.net NS auth100.ns.uu.net
    Domain Name System (response)
        voanews.com: type SOA, class IN, mname auth00.ns.uu.net
        voanews.com: type MX, class IN, preference 20, mx ibb2.ibb.gov
        voanews.com: type MX, class IN, preference 30, mx ibb1.ibb.gov
        voanews.com: type MX, class IN, preference 10, mx voa2.voa.gov
        voanews.com: type A, class IN, addr 188.8.131.52
        voanews.com: type NS, class IN, ns auth00.ns.uu.net
        voanews.com: type NS, class IN, ns auth100.ns.uu.net
ME -> CN  ICMP Destination unreachable (Port unreachable)
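The race described above can be checked for from a capture rather than by eye: a stub resolver keeps the first answer whose transaction ID matches, so several answers sharing one ID that disagree on the A record is the signature to look for. The following is an added example, not code from the post; it parses raw DNS responses and reports that pattern over packets constructed here from the addresses listed above, with a made-up transaction ID 0x1A2B and made-up arrival times.

```python
import struct

def build_a_response(txid, name, addrs):
    """Constructed sample traffic: minimal DNS response with one question and N A records."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)  # name ptr, A, IN, TTL, rdlen
                       + bytes(int(o) for o in a.split(".")) for a in addrs)
    return header + question + answers

def skip_name(pkt, off):  # advance past a label sequence or a compression pointer
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:
            return off + 2
        off += pkt[off] + 1
    return off + 1

def parse_a_records(pkt):
    """Return (transaction id, [A record addresses]) from a raw DNS response."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return txid, addrs

def detect_injection(responses):
    """responses: (ms after query, raw packet). A stub resolver keeps the first answer
    whose ID matches, so record what it accepted per ID and whether later answers with
    the same ID disagreed, which is the signature of the injection the post describes."""
    by_id = {}
    for t, pkt in sorted(responses):
        txid, addrs = parse_a_records(pkt)
        by_id.setdefault(txid, []).append((t, tuple(addrs)))
    return {txid: {"accepted": arr[0][1], "count": len(arr),
                   "conflicting": len({a for _, a in arr}) > 1}
            for txid, arr in by_id.items()}

# Constructed capture mirroring the post: four spoofed answers, then the genuine one.
SPOOFED = ["188.8.131.52", "184.108.40.206", "220.127.116.11", "18.104.22.168"]
CAPTURE = [(12 + i, build_a_response(0x1A2B, "voanews.com", [ip])) for i, ip in enumerate(SPOOFED)]
CAPTURE.append((240, build_a_response(0x1A2B, "voanews.com", ["126.96.36.199"])))
```

`detect_injection(CAPTURE)` reports the first spoofed address as the accepted answer, five responses for the one ID, and `conflicting` set, which is exactly what the sniffed exchange above shows.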
A variety of other domain names are affected, not just voanews.com.