Posts tagged “DNS”

GoDaddy, .CN, Malware & Freedom of Expression



The domain registrar GoDaddy testified before the U.S. Congressional-Executive Commission on China and stated that they would “discontinue offering new .CN domain names” citing concerns over an “increase in China’s surveillance and monitoring of the Internet activities of its citizens” and the “chilling effect” that the retroactive application of new requirements on .CN domain names would have.

CNNIC, which regulates the .CN ccTLD, introduced new registration requirements in December 2009, which many in the security community welcomed: .CN domain names are often used for malicious purposes. McAfee has listed .CN as one of the riskiest ccTLDs. MalwareURL.com and MalwareDomainList.com (two amazing malware/security resources) have collected numerous .CN domain names used to distribute malware. The AV company Kaspersky noted:

Over the last 3–4 years, China has become the leading source of malware. Chinese cybercriminals have shown themselves to be capable of creating such huge volumes of malware that over the last two years, antivirus companies have, without exception, put most of their effort into combating Chinese malware.

However, much of the malware activity coming from China reflects Eastern European criminal networks that moved their operations and now abuse Chinese infrastructure: .CN domain names as well as Chinese IP address space.

Sophos noted that the regulations were having an effect: there was a decrease in spam, which Sophos attributed to the new CNNIC regulations. Symantec noted that .CN registrations used for spam were down and that .RU registrations had taken their place.

Others were unsure. StopBadWare noted that the five-day grace period would still leave enough time for malicious use of .CN domain names. Many, including Isaac Mao, also raised privacy and freedom of expression issues, arguing that this was a crackdown on freedom of expression.

GoDaddy is now framing their decision to “discontinue offering new .CN domain names” as a freedom of expression issue. Back in 2004 I wrote about GoDaddy’s practice of denying access to its services from certain countries. Others have also had issues with GoDaddy regarding freedom of expression. In other cases, GoDaddy (among other registrars) has been criticized for being too slow to act.

So in trying to get an understanding of what’s going on, I found portions of GoDaddy’s testimony quite interesting. In particular, I’m interested in the emphasis on “Chinese nationals.”

On February 3, 2010, CNNIC announced that it would reopen .CN domain name registrations to overseas registrars. However, the stringent new identification and documentation procedures would remain in effect. CNNIC also announced an audit of all .CN domain name registrations currently held by Chinese nationals. Domain name registrars, including Go Daddy, were then instructed to obtain photo identification, business identification, and physical signed registration forms from all existing .CN domain name registrants who are Chinese nationals, and to provide copies of those documents to CNNIC. We were advised that domain names of registrants who did not register as required would no longer resolve. In other words, their domain names would no longer work.

Now, what I am unclear on is how the requirements affect non-Chinese nationals who are registering malware domains, pushing rogue antivirus, sending spam and doing all sorts of nasty things. These regulations seem to largely target Chinese nationals, not the nationals of other countries who may be using .CN domains for malicious purposes. GoDaddy concluded:

The intent of the new procedures appeared, to us, to be based on a desire by the Chinese authorities to exercise increased control over the subject matter of domain name registrations by Chinese nationals.

We believe that many of the current abuses of the Internet originating in China are due to a lack of enforcement against criminal activities by the Chinese government. Our experience has been that China is focused on using the Internet to monitor and control the legitimate activities of its citizens, rather than penalizing those who commit Internet-related crimes.

I’m having trouble evaluating GoDaddy’s newfound (to me anyway) commitment to freedom of expression. I do welcome it and I hope they are serious about it and demonstrate their commitment by joining the Global Network Initiative. But I’m hoping that they don’t confine their interest in freedom of expression solely to China but rather evaluate and assess freedom of expression and privacy across their business operations.

UPDATE:

WP: In response to new rules, GoDaddy to stop registering domain names in China
Dancho Danchev: “With CN/RU requirement for scanned IDs in order to register a domain, underground services are already monetizing the Photoshop-ing process.”

Tor Website blocked at My Hotel




My hotel uses OpenDNS to block access to the Tor website. Google Translate is also blocked. They are categorized as “Proxy/anonymizer”. This is one of the most annoying things about filtering. I just wanted to quickly translate some text from Russian to English and then read the Tor blog and ….


Yes, in order to block the Tor Blog, which uses HTTPS, they are MITM’ing SSL. (If you accept the bad certificate, the Tor Blog is blocked.) It doesn’t look like they are MITM’ing *all* SSL but just connections to selected IP addresses.

It’s funny, because I often recommend OpenDNS to people in order to avoid filtering, but OpenDNS also has a filtering service.

Facebook and China



There have been some reports suggesting that Facebook may be blocked in China; however, Facebook is not blocked in China. In fact, I experienced Facebook outages myself, from Canada, on July 1 too. At the recent Global Voices Summit I gave a presentation on detecting Internet filtering. While it is sometimes easy to detect, sometimes it is not: often there are alternative explanations.

www.facebook.com (and zh-cn.facebook.com) resolves to a variety of IP addresses (69.63.176.140, 69.63.184.11, 69.63.178.12 and a few others). DNS servers in China are resolving www.facebook.com properly, and these IP addresses are reachable when accessed directly from China.

However, while Facebook is loading you have probably seen domains such as static.ak.fbcdn.net or static.ak.facebook.com flash by in your browser’s status bar. Domains such as these resolve to IP addresses assigned to Akamai. Akamai is a content delivery network with servers all over the world, so depending on where you are you will fetch the same content from a different server.

One scenario is that there was some temporary issue with Akamai.

Another is that China may have blocked one of Akamai’s IP addresses. (Pakistan, for example, once disrupted access to numerous sites because it blocked portions of the Akamai network. Apparently, they did not realize that in trying to block a few sites on Akamai they ended up blocking thousands of the world’s most popular sites.)

I tested a variety of Akamai IP addresses that Chinese DNS servers resolved the “static” Facebook domains to, and all were accessible from multiple points in the country.

Wikileaks



Wikileaks, the transparency web site that allows anyone to upload leaked materials, was shut down after a California Judge ordered its domain registrar to:

immediately clear and remove all DNS hosting records for the wikileaks.org domain name and prevent the domain name from resolving to the wikileaks.org website or any other website or server other than a blank park page, until further order of this Court.

The site is still available here: http://88.80.13.160/

The Citizen Media Law Project has the case documents and analysis and the story has now been picked up by the mass media. But what’s caught my attention is who is not talking about it. Glad to see the usual suspects raising the issue.

DNS tampering in China



So, I was doing some searching in Google and Baidu and noticed two sites (that appeared to be the same), voanews.cn and voanews.com.cn. Upon visiting voanews.com.cn I was surprised to find myself ending up at Google. voanews.com.cn, like voanews.cn, should resolve to 218.25.59.214, not to Google.

The other thing that stood out was that these sites did not appear to be the Voice of America. And they are not. You can look up the registration here. The Registrant Name is 慢速英语, which Babel translates as “Slow English”, which gave me a chuckle.

I did some more tweaking and found that voanews.com.cn is being subjected to a form of DNS tampering because it contains the string “voanews.com”. It looks like China is bringing back an improved version of their old DNS spoofing. Rather than tampering with individual DNS servers, China has implemented an in-path system which appears to operate like the RST/keyword filtering system: queries that match a keyword are answered with spoofed replies regardless of which server they were sent to (see this paper for technical details).

DNS lookups for voanews.com (or voanews.com.cn) will return one or more of the following four IPs:

voanews.com has address 213.169.251.35
voanews.com has address 209.36.73.33
voanews.com has address 72.14.205.99
voanews.com has address 72.14.205.104

The last two by the way are google IP addresses. Weird.

But if you sniff the connection you’ll see what actually happens: after the query is sent, four spoofed responses arrive, and only then does the genuine response arrive. By the time the genuine response is received, applications relying on the DNS lookup (e.g. a web browser) have already accepted the first spoofed answer, because a stub resolver takes the first response whose transaction ID matches and discards everything that follows.

ME	->	CN	DNS	Standard query ANY voanews.com
CN	->	ME	DNS	Standard query response A 72.14.205.99
...
CN	->	ME	DNS	Standard query response SOA auth00.ns.uu.net MX 20 ibb2.ibb.gov MX 30 ibb1.ibb.gov MX 10 voa2.voa.gov A 128.11.143.113 NS auth00.ns.uu.net NS auth100.ns.uu.net

Domain Name System (response)
        voanews.com: type SOA, class IN, mname auth00.ns.uu.net
        voanews.com: type MX, class IN, preference 20, mx ibb2.ibb.gov
        voanews.com: type MX, class IN, preference 30, mx ibb1.ibb.gov
        voanews.com: type MX, class IN, preference 10, mx voa2.voa.gov
        voanews.com: type A, class IN, addr 128.11.143.113
        voanews.com: type NS, class IN, ns auth00.ns.uu.net
        voanews.com: type NS, class IN, ns auth100.ns.uu.net

ME	->	CN	ICMP	Destination unreachable (Port unreachable)

A variety of other domain names are affected, not just voanews.com.
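The exchange above can be reproduced and checked offline. What follows is an added example written for this page, not the author’s tooling or any project’s code: a stdlib-only DNS wire-format builder and parser, a check that flags a transaction ID which received conflicting A answers (the injection signature the capture shows), and a probe that sends one ANY query and keeps every datagram that arrives in the window rather than the first one, which is exactly what a stub resolver does not do. The two sample packets are constructed here to mirror the capture (they are not the captured bytes); the function names, the transaction ID 0x1234 and the TTLs are this example’s own assumptions.

```python
import socket
import struct
from collections import defaultdict

# Assumed names and values (txid 0x1234, TTLs) are this example's own, not the post's.
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_MX, TYPE_ANY = 1, 2, 6, 15, 255

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_message(txid, flags, qname, qtype, answers=()):
    """Assemble a DNS message: header, one question, and RRs in the answer section."""
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(answers)

def build_rr(rtype, rdata, ttl=300):
    """One RR whose owner name is a compression pointer (0xc00c) to the question name."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def read_name(msg, off):
    """Decode a possibly-compressed name at off; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                        # resume after the pointer, not the target
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_message(msg):
    """Parse header, question and all RRs; A rdata is rendered dotted-quad, others kept raw."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                     # qtype + qclass
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_A and rdlen == 4:
                rdata = socket.inet_ntoa(rdata)
            rrs.append((name, rtype, rdata))
        sections[sec] = rrs
    return {"txid": txid, "flags": flags, "qname": qname, **sections}

def a_records(resp):
    return sorted(rd for _, t, rd in resp["answer"] if t == TYPE_A)

def detect_injection(responses):
    """Group parsed responses by transaction ID; report IDs that got conflicting A answers.
    Lists are in arrival order, so the first one is what a stub resolver would have used."""
    by_id = defaultdict(list)
    for r in responses:
        by_id[r["txid"]].append(a_records(r))
    return {tid: ans for tid, ans in by_id.items()
            if len(ans) > 1 and len({tuple(a) for a in ans}) > 1}

def probe(name, server_ip, timeout=2.0, txid=0x1234):
    """Send one ANY query and keep every datagram that arrives within the window.
    Network use only; the constructed packets below exercise the parser offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_message(txid, 0x0100, name, TYPE_ANY), (server_ip, 53))
    got = []
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            got.append(parse_message(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return got

# Constructed sample packets mirroring the capture in the post (not real captured bytes).
INJECTED = build_message(0x1234, 0x8180, "voanews.com", TYPE_ANY,
                         [build_rr(TYPE_A, socket.inet_aton("72.14.205.99"))])
GENUINE = build_message(0x1234, 0x8180, "voanews.com", TYPE_ANY, [
    build_rr(TYPE_MX, struct.pack("!H", 20) + encode_name("ibb2.ibb.gov")),
    build_rr(TYPE_A, socket.inet_aton("128.11.143.113")),
    build_rr(TYPE_NS, encode_name("auth00.ns.uu.net")),
])

if __name__ == "__main__":
    for tid, answers in detect_injection([parse_message(INJECTED), parse_message(GENUINE)]).items():
        print(f"txid {tid:#06x}: conflicting A answers in arrival order: {answers}")
```

The same comparison covers the hotel OpenDNS case earlier on this page: run probe() for one name against the filtering resolver and against a resolver you trust, using the same txid, and pass both result lists to detect_injection(); a block page shows up as a conflicting A answer for the same transaction ID. The offline packets put the MX and NS records in the answer section, as an ANY response does, and a_records() ignores them so that only the addresses a browser would connect to are compared.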

Internet Filtering in India



India is not new to Internet filtering. Back in 2004 India’s Ministry of Communications & Information Technology ordered ISPs to start blocking web sites. The target was a particular Yahoo! Group, but the ISPs blocked access to the IP address (see Why Block by IP?) of the groups.yahoo.com domain, causing all Yahoo! Groups to be blocked and illustrating one of Internet filtering’s unintended consequences. India subsequently ordered the extremist HinduUnity site to be blocked as well (which caused additional “over-blocking”). There were variations in compliance, but large ISPs such as VSNL did comply.

So India’s new filtering is not surprising. Once again the Ministry ordered sites to be blocked, some of which are blogs hosted on Blogspot and Typepad. The ISPs blocked the IP addresses of the sites, causing all the blogs hosted on them to be blocked.

Spoof site shut down in Canada



Joe Volpe, a candidate in the Liberal leadership race accepted campaign donations from children as young as eleven in an apparent effort to stretch the campaign rules which limit contributions to $5400 per person. In one case, an entire family — mom, dad, and four kids — with connections to Canada’s largest generic drug manufacturer each donated $5400.

A spoof website, youthforvolpe.ca, was set up in response. The spoof site encouraged children to contribute to Volpe’s campaign using mommy and daddy’s credit card.

The website was quickly shut down. The domain name was cancelled after the registrar (Canadian Domain Name Services Inc.) was alerted by a Globe and Mail reporter that the contact phone number for the domain registrant was not valid. The Canadian Internet Registration Authority (CIRA) requires valid information for domain registrations, and after reviewing the information for youthforvolpe.ca the registrar concluded that the information was fabricated and cancelled the domain name.

The domain and website now appear to be restored.

.kz domain



I just found this blog post concerning the .kz domain. The Government of Kazakhstan wants to restrict the geographic location of the .kz domain. The new rules would require that the two DNS servers serving a .kz domain, as well as the web server hosting it, be physically located in Kazakhstan. (An FAQ on nic.kz says one can register a domain without being located in Kazakhstan; it doesn’t mention hosting though.) As the blog entry suggests, this could have consequences for sites that the government does not approve of.

Kazakhstan is the only country I’ve seen that filters (or has filtered) websites within its own ccTLD. (See http://www.blokada.org/en.php as well as RSF.) Starting back in 1999, Kazakh ISPs began filtering websites, explaining that the websites were inaccessible for permanent “technical reasons”.

KazNIC currently operates the ccTLD and has specific rules and a dispute policy for revoking domains. In one case, KazNIC revoked the domain names of an opposition group after a court ruling. It appears to be a case about copyright infringement. (Interestingly, it seems that the domain was temporarily transferred to a new owner, but the domain is not (at least in WHOIS) back with its original owner.)