net4people / bbs

Forum for discussing Internet censorship circumvention

Some IP addresses used for DNS censorship in India #361

Open wkrp opened 1 month ago

wkrp commented 1 month ago

The CensorWatch paper measured DNS censorship, in part, by checking DNS responses from ISP resolvers against known-bad IP addresses. §4.3.1:

> To rule out these false positives, we compiled the most common IP address received in response to the DNS queries. This heuristic helps to identify the IP addresses which censorious DNS servers give to users. This approach is similar to Singh, et al [22], and we mark all measurements that encountered that IP address as symptomatic of censorship. We were able to confirm 89% of the suspected blocks in this way.

I wrote the authors to ask about the list of bad IP addresses, and they pointed me to confirm_DNS_blocks.R in the censorwatch repository, which has this list:

203.109.71.154
123.176.40.68
106.51.113.17
123.176.40.69
49.207.46.38
123.176.40.67
49.207.46.62
202.83.21.15
49.205.75.6
202.83.24.75
202.83.21.14
218.248.112.60
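
The heuristic quoted from §4.3.1 (take the modal answer a resolver returns across many unrelated domains, treat every measurement that received it as a suspected block, then confirm against a known list) is easy to reproduce offline. The following is an added example, not code from the CensorWatch paper or from confirm_DNS_blocks.R; the measurement records are constructed sample data, and the `min_repeat` threshold is an assumption of this example (the paper does not state one). The IP list is the one quoted above.

```python
from collections import Counter
from ipaddress import ip_address

# IP addresses from confirm_DNS_blocks.R in the censorwatch repository,
# as quoted earlier in this issue.
CENSORWATCH_BLOCK_IPS = frozenset({
    "203.109.71.154", "123.176.40.68", "106.51.113.17", "123.176.40.69",
    "49.207.46.38", "123.176.40.67", "49.207.46.62", "202.83.21.15",
    "49.205.75.6", "202.83.24.75", "202.83.21.14", "218.248.112.60",
})

# Constructed sample measurements (resolver, queried domain, A-record answer).
# These are illustrative only, not real data from any ISP.
SAMPLE = [
    ("isp-a", "example.org", "93.184.216.34"),
    ("isp-a", "blocked1.example", "49.207.46.38"),
    ("isp-a", "blocked2.example", "49.207.46.38"),
    ("isp-a", "blocked3.example", "49.207.46.38"),
    ("isp-a", "cdn.example", "151.101.1.1"),
    ("isp-b", "example.org", "93.184.216.34"),
    ("isp-b", "blocked1.example", "0.0.0.0"),
    ("isp-b", "blocked2.example", "0.0.0.0"),
    ("isp-b", "other.example", "104.16.0.1"),
]


def most_common_answer(measurements, resolver):
    """Return (ip, count) for the single most frequent answer from one resolver.

    A resolver that lies tends to reuse one sinkhole address for many
    unrelated domains, so the modal answer is a candidate censorship IP.
    Returns (None, 0) when the resolver has no measurements.
    """
    counts = Counter(ip for r, _, ip in measurements if r == resolver)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def flag_measurements(measurements, resolver, min_repeat=2):
    """Mark every measurement from `resolver` whose answer is the modal IP.

    `min_repeat` (an assumption of this example) keeps a resolver with no
    repeated answer from producing a spurious modal IP.  Each flagged record
    notes whether the answer is a non-global (reserved) address and whether
    it is in the CensorWatch list, which is the confirmation step the paper
    describes.  Note the false-positive risk the paper also mentions: a shared
    CDN front-end address can be modal for a legitimate reason, which is why
    the list check matters.
    """
    modal_ip, n = most_common_answer(measurements, resolver)
    if n < min_repeat:
        return []
    flagged = []
    for r, domain, ip in measurements:
        if r == resolver and ip == modal_ip:
            flagged.append({
                "domain": domain,
                "answer": ip,
                "answer_is_reserved": not ip_address(ip).is_global,
                "in_censorwatch_list": ip in CENSORWATCH_BLOCK_IPS,
            })
    return flagged


if __name__ == "__main__":
    for resolver in ("isp-a", "isp-b"):
        print(resolver, most_common_answer(SAMPLE, resolver))
        for rec in flag_measurements(SAMPLE, resolver):
            print("  ", rec)
```

Run against the constructed data, isp-a's modal answer is 49.207.46.38, a routable address that is on the CensorWatch list, while isp-b's modal answer is 0.0.0.0, which is reserved and therefore a block that this list would not confirm. That is the distinction the next comment in this thread raises.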

UjuiUjuMandan commented 1 month ago

What is the purpose of injecting real Indian IPs instead of a reserved IP like 0.0.0.0? It doesn't seem these IPs would return a block page; ports 80 and 443 are all closed.

mmmray commented 1 month ago

@UjuiUjuMandan I cannot find the research paper right now, but I remember one that studied DNS poisoning done by the Chinese GFW, and found that it also returns valid IPs (even foreign ones) while blocking. The authors speculated that it is done to make research of DNS poisoning harder, because in practice putting random IPs into the response achieves the same blocking effect. I can't remember if there was solid evidence of that being the underlying motivation though.

0x391F commented 1 month ago

> @UjuiUjuMandan I cannot find the research paper right now, but I remember one that studied DNS poisoning done by the Chinese GFW, and found that it also returns valid IPs (even foreign ones) while blocking. The authors speculated that it is done to make research of DNS poisoning harder, because in practice putting random IPs into the response achieves the same blocking effect. I can't remember if there was solid evidence of that being the underlying motivation though.

I think it's "Great Cannon" https://en.wikipedia.org/wiki/Great_Cannon in China