Posts tagged “DNS”

Tor Website blocked at My Hotel




My hotel uses OpenDNS to block access to the Tor website. Google Translate is also blocked. They are categorized as “Proxy/anonymizer”. This is one of the most annoying things about filtering. I just wanted to quickly translate some text from Russian to English and then read the Tor blog and ….


Yes, in order to block the Tor Blog, which uses HTTPS, they are MITM’ing SSL. (If you accept the bad certificate, the Tor Blog is blocked.) It doesn’t look like they are MITM’ing *all* SSL but just connections to selected IP addresses.

It’s funny, because I often recommend OpenDNS to people in order to avoid filtering, but OpenDNS also has a filtering service.

Facebook and China



There have been some reports suggesting that Facebook may be blocked in China; however, Facebook is not blocked in China. In fact, I experienced Facebook outages myself — from Canada — on July 1 too. At the recent Global Voices Summit I gave a presentation on detecting Internet filtering. While it is sometimes easy to detect, sometimes it is not — often there are alternative explanations.

www.facebook.com (and zh-cn.facebook.com) resolves to a variety of IP addresses: 69.63.176.140, 69.63.184.11, 69.63.178.12 and a few others. DNS servers in China are resolving www.facebook.com properly, and these IP addresses are accessible when directly accessed from China.

However, while Facebook is loading you have probably seen a domain like static.ak.fbcdn.net or static.ak.facebook.com flash by in your browser’s status bar. Domains such as these resolve to IP addresses assigned to Akamai. Akamai is a mirroring service that has servers all over the world, so depending on where you are you’ll be accessing the same content but from a different server.

One scenario is that there was some temporary issue with Akamai.

Another is that China may have blocked one of Akamai’s IP addresses. (Pakistan, for example, once disrupted access to numerous sites because they blocked portions of the Akamai network. Apparently, they did not realize that in trying to block a few sites on Akamai they ended up blocking thousands of the world’s most popular sites.)

I tested a variety of Akamai IP addresses that Chinese DNS servers resolved the “static” Facebook domains to, and all were accessible from multiple points in the country.

Wikileaks



Wikileaks, the transparency web site that allows anyone to upload leaked materials, was shut down after a California Judge ordered its domain registrar to:

immediately clear and remove all DNS hosting records for the wikileaks.org domain name and prevent the domain name from resolving to the wikileaks.org website or any other website or server other than a blank park page, until further order of this Court.

The site is still available here: http://88.80.13.160/

The Citizen Media Law Project has the case documents and analysis and the story has now been picked up by the mass media. But what’s caught my attention is who is not talking about it. Glad to see the usual suspects raising the issue.

DNS tampering in China



So, I was doing some searching in google and baidu and noticed two sites (that appeared to be the same) voanews.cn and voanews.com.cn. Upon visiting voanews.com.cn I was surprised to find myself end up at google. voanews.com.cn, like voanews.cn should resolve to 218.25.59.214, not google.

The other thing that stood out was that these sites did not appear to be the Voice of America. And they are not. You can look up the registrar here. The Registrant Name is 慢速英语, which babel translates as “Slow English”, which gave me a chuckle.

I did some more tweaking and voanews.com.cn is being subjected to a form of DNS tampering because it has “voanews.com” in it. It looks like China is bringing back an improved version of their old DNS spoofing. Rather than messing around with individual DNS servers, China has implemented a system which appears to operate like the RST/Keyword filtering system (see this paper for technical details).

DNS lookups for voanews.com (or voanews.com.cn) will return one or more of the following 4 IP’s:

voanews.com has address 213.169.251.35
voanews.com has address 209.36.73.33
voanews.com has address 72.14.205.99
voanews.com has address 72.14.205.104

The last two by the way are google IP addresses. Weird.

But if you sniff the connection you’ll see that, after the request is made, 4 spoofed results are received, although eventually the correct result is received. But by the time the true result is received, applications relying on a DNS lookup (e.g. a web browser) have already accepted the initial spoofed result.

ME	->	CN	DNS	Standard query ANY voanews.com
CN	->	ME	DNS	Standard query response A 72.14.205.99
...
CN	->	ME	DNS	Standard query response SOA auth00.ns.uu.net MX 20 ibb2.ibb.gov MX 30 ibb1.ibb.gov MX 10 voa2.voa.gov A 128.11.143.113 NS auth00.ns.uu.net NS auth100.ns.uu.net

Domain Name System (response)
        voanews.com: type SOA, class IN, mname auth00.ns.uu.net
        voanews.com: type MX, class IN, preference 20, mx ibb2.ibb.gov
        voanews.com: type MX, class IN, preference 30, mx ibb1.ibb.gov
        voanews.com: type MX, class IN, preference 10, mx voa2.voa.gov
        voanews.com: type A, class IN, addr 128.11.143.113
        voanews.com: type NS, class IN, ns auth00.ns.uu.net
        voanews.com: type NS, class IN, ns auth100.ns.uu.net

ME	->	CN	ICMP	Destination unreachable (Port unreachable)

A variety of other domain names are affected, not just voanews.com.
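The race in the trace above can be detected by comparing every reply that arrives for one query instead of stopping at the first. The following is an added example, not code from the original post: the function names are hypothetical, and it assumes the caller has already collected all UDP datagrams received for a single query during a fixed listening window.

```python
import ipaddress, struct

def build_response(txid, qname, addrs):  # builds constructed sample input only
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    msg = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0) + name + struct.pack("!2H", 1, 1)
    for a in addrs:  # 0xC00C is a compression pointer back to the question name
        msg += struct.pack("!3HIH", 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
    return msg

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # a pointer is two bytes and ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg):
    """Return (transaction id, frozenset of IPv4 addresses in the answer section)."""
    txid, _flags, qdcount, ancount = struct.unpack("!4H", msg[:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return txid, frozenset(addrs)

def detect_injection(txid, datagrams):
    """Compare every reply to one query; a single query should get one answer set."""
    answers = []
    for d in datagrams:
        try:
            rid, addrs = parse_a_records(d)
        except (struct.error, IndexError, ValueError):
            continue  # truncated or malformed datagram
        if rid == txid:
            answers.append(addrs)
    distinct = list(dict.fromkeys(answers))  # de-duplicate, keep arrival order
    first = sorted(distinct[0]) if distinct else []
    return {"replies": len(answers), "first": first, "conflicting": len(distinct) > 1}

# Constructed datagrams replaying the trace above: spoofed answers first, real one last.
SAMPLE = [build_response(0x1234, "voanews.com", [ip])
          for ip in ("72.14.205.99", "209.36.73.33", "128.11.143.113")]
```

`detect_injection(0x1234, SAMPLE)` reports three replies with conflicting answer sets, and `first` is the address a stub resolver would already have accepted. Conflicting replies are a signal to investigate rather than proof of tampering.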

Internet Filtering in India



India is not new to Internet filtering. Back in 2004 India’s Ministry of Communications & Information Technology ordered ISPs to start blocking web sites. The target was a particular Yahoo! Group, but the ISPs blocked access to the IP address (see Why Block by IP?) of the groups.yahoo.com domain, causing all Yahoo! Groups to be blocked and illustrating one of Internet filtering’s unintended consequences. India subsequently ordered the extremist HinduUnity site to be blocked as well (which caused additional “over-blocking”). There were variations in compliance, but large ISPs such as VSNL did comply.

So India’s new filtering is not surprising. Once again the Ministry ordered sites to be blocked, some of which are blogs hosted on Blogspot and Typepad. The ISPs blocked the IP addresses of the sites, causing all the blogs hosted on them to be blocked.

Spoof site shut down in Canada



Joe Volpe, a candidate in the Liberal leadership race accepted campaign donations from children as young as eleven in an apparent effort to stretch the campaign rules which limit contributions to $5400 per person. In one case, an entire family — mom, dad, and four kids — with connections to Canada’s largest generic drug manufacturer each donated $5400.

A spoof website, youthforvolpe.ca, was set up in response. The spoof site encouraged children to contribute to Volpe’s campaign using mommy and daddy’s credit card.

The website was quickly shut down. The domain name was cancelled after the registrar (Canadian Domain Name Services Inc.) was alerted by a Globe and Mail reporter that the contact phone number for the domain registrant was not valid. The Canadian Internet Registration Authority (CIRA) required valid information for domain registrations and after reviewing the information for youthforvolpe.ca the registrar concluded that the information was fabricated and canceled the domain name.

The domain and website now appear to be restored.

.kz domain



I just found this blog post concerning the .kz domain. The Government of Kazakhstan wants to restrict the geographic location of the .kz domain. The new rules would require that two DNS servers servicing the .kz domain as well as the webserver hosting the .kz domain be physically located in Kazakhstan. (An FAQ on nic.kz says one can register a domain and not be located in Kazakhstan; it doesn’t mention hosting though.) As the blog entry suggests, this could have consequences for sites that the government does not approve of.

Kazakhstan is the only country I’ve seen that filters (or has filtered) websites with its own ccTLD. (See http://www.blokada.org/en.php as well as RSF.) Starting back in 1999 Kazakh ISP began filtering websites, explaining that the websites were inaccessible for permanent “technical reasons”.

KazNIC currently operates the ccTLD and has specific rules and a dispute policy for revoking domains. In one case, KazNIC revoked the domain names of an opposition group after a court ruling. It appears to be a case about copyright infringement. (Interestingly, it seems that the domain was temporarily transferred to a new owner, but the domain is not (at least in WHOIS) back to its original owner.)