Open gfw-report opened 3 years ago
Thanks for doing this analysis. Good catch on the private IP addresses documented by Liu et al.
In some regions, Falun Gong websites are much more likely to be redirected to private addresses, sometimes by the ISP and sometimes by the GFW.
On September 4, 2021, @shell12345 reported that "the China Telecom will send '127.0.0.1' if request a sensitive domain name". In particular, cp.cloudflare.com was resolved to 127.0.0.1. Our investigation shows that this specific censorship event was likely to be implemented by the ISP (China Telecom), rather than the GFW of China.
This interesting censorship incident reveals an interesting phenomenon: in addition to the censorship by the GFW, Chinese users can also suffer from censorship by the ISP. While the GFW of China exclusively used public IP addresses as answers in forged DNS responses (see Section 5.1 of Hoang et al. and Section 3.2 of Anonymous et al.), the Chinese ISPs may inject private IP addresses in forged DNS responses (see Table 8 of Liu et al.).
Indirect evidence
The following three pieces of evidence (indirectly) support our conjecture that this specific censorship event was implemented by the ISP (China Telecom), rather than the GFW of China.
First, we have been monitoring the DNS censorship of Alexa Top 1 million domains on a bi-hourly basis since May 2019. 127.0.0.1 was not in any forged responses among the six million queries we sent in the last 24 hours.
Second, it appears that cp.cloudflare.com is not even on the DNS blacklist of the GFW. We randomly selected an IP address 14.121.1.0 which belongs to China Telecom (AS4134). We then made the following two queries from outside of China to the IP address:
Third, as shown in Table 8 of Liu et al., since as early as 2018, AS4134 (China Telecom) had been observed to inject DNS responses with private IP addresses 192.168.32.1 and 10.231.240.77 as answers.
Direct evidence (You can help!)
The three pieces of evidence above indirectly support the conjecture that the censorship was implemented by the ISP, not the GFW of China. Unfortunately, we couldn't take advantage of the bi-directional censorship of the GFW to test from outside of China. To get direct and concrete evidence, we encourage @shell12345 or any other China Telecom users to try the following test and to post their findings below:
First, choose an IP address outside of China, e.g. 216.58.195.0.
Second, open wireshark or run tcpdump to capture the traffic:
Third, open another terminal and run the following command to make sure that no DNS service is running on this IP address:
Fourth, send the sensitive query to the IP:
Fifth, open the captured dns.pcap with wireshark or tshark to observe the traffic:
Acknowledgement
We thank David Fifield for sharing this user report with us.
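As an added illustration of the heuristic used in this issue (not code from gfw-report or any of the cited papers), the following script parses a DNS response captured in the test above and flags A-record answers that fall in loopback or private space, which per the discussion points to ISP injection rather than the GFW. The packet bytes are a constructed sample modelled on the @shell12345 report, not a real capture.

```python
import struct
import ipaddress

# Constructed sample (not a real capture): a forged response answering
# cp.cloudflare.com with 127.0.0.1, as in the report quoted in this issue.
FORGED_RESPONSE = (
    b"\x12\x34"                           # transaction ID
    b"\x81\x80"                           # flags: standard response, RA set
    b"\x00\x01\x00\x01\x00\x00\x00\x00"   # QDCOUNT=1 ANCOUNT=1 NSCOUNT=0 ARCOUNT=0
    b"\x02cp\x0acloudflare\x03com\x00"    # QNAME cp.cloudflare.com
    b"\x00\x01\x00\x01"                   # QTYPE A, QCLASS IN
    b"\xc0\x0c"                           # answer NAME: pointer to offset 12
    b"\x00\x01\x00\x01"                   # TYPE A, CLASS IN
    b"\x00\x00\x00\x3c"                   # TTL 60
    b"\x00\x04"                           # RDLENGTH 4
    b"\x7f\x00\x00\x01"                   # RDATA 127.0.0.1
)

def read_name(buf, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # name ends after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def a_records(buf):
    """Return (owner name, IPv4 string) for every A record in the answer section."""
    _, _, qdcount, ancount = struct.unpack("!HHHH", buf[:8])
    off, out = 12, []
    for _ in range(qdcount):                            # skip the question section
        _, off = read_name(buf, off)
        off += 4                                        # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((name, str(ipaddress.IPv4Address(buf[off:off + 4]))))
        off += rdlen
    return out

def classify(addr):
    """Issue's heuristic: GFW forges public addresses; ISP injection has used private/loopback ones."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_private:
        return "private/loopback answer: consistent with ISP injection, not the GFW"
    return "public answer: consistent with GFW forgery"
```

Feeding it the bytes of a response received from an IP that runs no DNS service (step three above) tells you both that injection occurred and which of the two injectors the answer is consistent with.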