DNS tampering in China

So, I was doing some searching in google and baidu and noticed two sites (that appeared to be the same) voanews.cn and voanews.com.cn. Upon visiting voanews.com.cn I was surprised to find myself end up at google. voanews.com.cn, like voanews.cn should resolve to, not google.

The other thing that stood out was that these sites did not appear to be the Voice of America. And they are not. You can lookup the registrar here. The Registrant Name is 慢速英语 which babel translates as “Slow English” which gave me a chuckle.

I did some more tweaking and voanews.com.cn is being subjected to a form of DNS tampering because it has “voanews.com” in it. It looks like China is bringing back an improved version of their old DNS spoofing. Rather than messing around with individual DNS servers, China has implemented a system which appears to operate like the RST/Keyword filtering system (see this paper for technical details).

DNS lookups for voanews.com (or voanews.com.cn) will return one or more of the following 4 IP’s:

voanews.com has address
voanews.com has address
voanews.com has address
voanews.com has address

The last two by the way are google IP addresses. Weird.

But if you sniff the connection you’ll see that what happens is after the request is made 4 spoofed results are received although eventually the correct result is received. But by the time the true result is received applications relying on a dns lookup (e.g. a web browser) have already accepted the initial spoofed result.

ME	->	CN	DNS	Standard query ANY voanews.com
CN	->	ME	DNS	Standard query response A
CN	->	ME	DNS	Standard query response SOA auth00.ns.uu.net MX 20 ibb2.ibb.gov MX 30 ibb1.ibb.gov MX 10 voa2.voa.gov A NS auth00.ns.uu.net NS auth100.ns.uu.net

Domain Name System (response)
        voanews.com: type SOA, class IN, mname auth00.ns.uu.net
        voanews.com: type MX, class IN, preference 20, mx ibb2.ibb.gov
        voanews.com: type MX, class IN, preference 30, mx ibb1.ibb.gov
        voanews.com: type MX, class IN, preference 10, mx voa2.voa.gov
        voanews.com: type A, class IN, addr
        voanews.com: type NS, class IN, ns auth00.ns.uu.net
        voanews.com: type NS, class IN, ns auth100.ns.uu.net

ME	->	CN	ICMP	Destination unreachable (Port unreachable)

A variety of other domain names are affected, not just voanews.com.


  1. Free economies depend upon the freedom of expression, the ability of people to exchange ideas and test out new theories. The Soviet Union weakened itself for years by restricting the flow of information, by outlawing devices crucial to modern communications, such as computers and copying machines.

    And when you restricted free movement — even tourist travel — you prevented your own people from making the most of their talent. You cannot innovate if you cannot communicate.

    All Communist regimes to date have striven to maintain a complete monopoly on information. So is it any wonder why China exploits it’s own people, for cheap labor, censors, filters, blocks and monitors (police) the Internet?

    Clearly, the all-pervading aim of the Chinese regime is not the conversion of the PRC into a pluralistic political system with a free market economy modeled after, and integrated with, Western institutions. Rather, its purpose is to perpetuate the Communist Party’s rule.

  2. In order to perpetuate the Party’s rule China is moving towards a Western-oriented, free market economy. “Communist” China is an anachronism. Free communications and free markets do not inherently go hand in hand.

  3. فیلتر شکن بفرست متشکرم

  4. اين آدرسي كه فرستاديد سايت شما را باز نميكند و مخابرات نكبت بار جمهوري اسلامي ميگويد كه دسترسي به اين سايت امكانپذير نميباشد

  5. […] Meanwhile another more concrete piece of evidence has just emerged to link the Internet filtering initiative, or the Great Fire Wall of China, directly to a type of cyber-crime known as DNS (Domain Name System) hijacking.  DNS hijacking involves converting legitimate domain names of websites into IP addresses of malicious websites using a rogue DNS server.  So when a user of an infected computer visits a  certain legitimate domain name, he is sent to a bogus website instead.  An expatriate in Shanghai published a blog post a couple of weeks ago about how he accidentally discovered this criminal practice of the GFW.  Since then, another blogger has also come forward to share his findings. […]

Post a comment.