Open wkrp opened 2 years ago
There was an apparent temporary block of Google and Cloudflare DNS servers on 2021-09-08 from 18:00 to 19:00 (21:00 to 22:00 Moscow Time) in some Russian ISPs.
https://vc.ru/tech/291648-it-specialisty-zayavili-o-testirovanii-roskomnadzorom-massovoy-blokirovki-publichnyh-dns-servisov-google-i-cloudflare (archive)
Artyom Ionov, an IT specialist for Alexei Navalny's team, said that the blocking was carried out on September 8 from 9:00 to 10:00 p.m. on several major providers using technical means of countering threats (TSPU), which operators must install under the law on the "sovereign Runet".
The partial blocking of Google and Cloudflare DNS services was also reported on his Telegram channel by Mikhail Klimarev, an expert of the Internet Defense Society. He noted that the WireGuard VPN protocol was also completely blocked.
From what I can gather, the immediate cause of these blocks and threatened blocks of DNS may be a specific Smart Voting (Умное голосование) app and the legislative elections that will happen this weekend. According to discussion on NTC, the app hardcoded Google, Cloudflare, and OpenDNS DNS resolvers, which would explain why those specific resolvers are targeted, and not others. It is reported by TASS that Roskomnadzor wrote letters to foreign technology companies and DNS providers, naming Google, Cloudflare, and Cisco specifically, and warning not to permit access to the Smart Voting app and web site.
https://tass.ru/obschestvo/12345663 (archive)
"Roskomnadzor and the Public Communications Network Management Monitoring Center of the Russian Federation (CMU SSOP RF), on the basis of demands from the Central Election Commission and the Prosecutor General's Office of Russia, have sent letters to a number of foreign companies, including providers of DNS and CDN services, with demands to stop providing opportunities to circumvent access restrictions to the "Smart Voting" app and website in the Russian Federation," the press service said.
...
In addition, Roskomnadzor and the CMU SSOP RF found that more than 10 foreign providers located in the United States, Ukraine, Germany, France, Japan, the United Kingdom and other countries provide blocking circumvention tools. Legal requirements regarding the inadmissibility of providing technical means to bypass access restrictions are ignored by the Apple and Google app stores and by the DNS and CDN services of Google, Cisco, Cloudflare and a number of other companies. In order to prevent the spread of means of illegal campaigning, as well as to exclude the possibility of foreign interference in any form in the election campaign, access to the above-mentioned resources should be limited, the RKN stressed.
NTC users have posted a letter from Roskomnadzor (dated 2021-09-08) that prohibits configuring Google, Cloudflare, and OpenDNS resolvers for subscribers, and a news post from the ISP SkyNet (dated 2021-09-13) telling customers that if they have Internet problems, the first thing they should do is configure their DNS to a resolver other than 8.8.8.8 or 1.1.1.1.
The Roskomnadzor letter, and the earlier email screenshot, recommend the use of National Domain Name System resolvers:
195.208.6.1 195.208.7.1 2a0c:a9c7:a::1 2a0c:a9c7:b::1
Anyone who does DNS measurements, this could be an opportunity to test these resolvers and see what queries they resolve incorrectly.
We sent DNS queries to 195.208.6.1 and 195.208.7.1 from the outside of Russia. We haven't been able to observe any "incorrect" answers yet. Actually the resolvers responded no answer RR as they are non-recursive. The responses indeed include authority RRs and additional RRs though, which appears to be correct.
This is an example DNS query to 195.208.6.1:
```
dig +recurse @195.208.7.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24020
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30
d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30
e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30
f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30
g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30
h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30
i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30
j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30
k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30
l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30
m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30
;; SERVER: 195.208.7.1#53(195.208.7.1)
;; MSG SIZE rcvd: 839
```
@gfw-report
> We sent DNS queries to 195.208.6.1 and 195.208.7.1 from the outside of Russia. We haven't been able to observe any "incorrect" answers yet. Actually the resolvers responded no answer RR as they are non-recursive.
The resolvers actually used to work in the beginning of September, both from and outside of Russia. I don't know what has happened with them, and why.
> We sent DNS queries to 195.208.6.1 and 195.208.7.1 from the outside of Russia. We haven't been able to observe any "incorrect" answers yet. Actually the resolvers responded no answer RR as they are non-recursive. The responses indeed include authority RRs and additional RRs though, which appears to be correct.
Although it's not what we usually see, I suppose a non-recursive DNS resolver could equally be used for censorship. For a censored query, the resolver could return an empty or incorrect list of NS records. It could even be a deliberate design choice to reduce load and complexity at the censoring resolver, pushing the DNS traffic for non-censored queries onto third-party resolvers.
However, such an approach to censorship would not work if the downstream resolver practices QNAME minimization: in that case, of a query for www.example.com, the resolver would only see the com part and would not know whether to apply its censorship rules. But I'm guessing that clients do not minimize their queries when a resolver is configured as the immediate upstream recursive resolver (e.g. in /etc/resolv.conf).
This is a summary of information from an NTC thread, which was originally about the reported blocking of https://dns.google/, but which grew in scope as additional information became available.
Блокировка DoH сервера dns.google / Block of the dns.google DoH server
As far as I can tell, the email screenshots come from a post on Telegram: https://t.me/usher2/2106 https://t.me/usher2/2106?comment=9195. I don't really know how to use Telegram (it would be helpful if someone more adept can explore the channel and see if there is more information there), but I found an online viewer (archive) that shows the text of the main post:
Here are the screenshots themselves, followed by transcriptions and translations into English. Note that there must be more than one version of this email, since the overlapping parts of these pictures do not match exactly.