search

ooni / probe

OONI Probe network measurement tool for detecting internet censorship
https://ooni.org/install
BSD 3-Clause "New" or "Revised" License
760 stars 142 forks source link

Reduce DNS false positives with dns.google.com #1523

Open fortuna opened 6 years ago

fortuna commented 6 years ago

The OONI web_connectivity dns_consistency data has lots of false positives for geographically disperse sites.

The big issue there is that the control is queried from a completely different place in the world, so you get the result for a different region.

In order to counter that, we should talk directly to the recursive resolver, so the server can see the IP address of the client and return the right response. It should also be a resolver that can actually get regional results from the authoritatives.

Moreover, we need a safe way to talk to the server that is not visible by the censor and is not proxied (which changes the client IP).

I'd suggest using https://dns.google.com because:

I expect that will fix many of the DNS false positives, and will remove the extra complexity of tunneling DNS requests.

The API is described here: https://developers.google.com/speed/public-dns/docs/dns-over-https

As a middle ground, you could start using the EDNS Client Subnet parameter and request DNSSEC validation for whatever server you are using now.

fortuna commented 6 years ago

@willscott That idea may be useful to you as well.

fortuna commented 6 years ago

As a proof of concept, I used dns.google.com to lookup www.match.com (one of OONI's false positive) in different countries.

From the US and Brazil I got:

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "www.match.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.match.com.",
      "type": 5,
      "TTL": 794,
      "data": "www.match.com.akadns.net."
    },
    {
      "name": "www.match.com.akadns.net.",
      "type": 5,
      "TTL": 29,
      "data": "us.match.com.akadns.net."
    },
    {
      "name": "us.match.com.akadns.net.",
      "type": 1,
      "TTL": 29,
      "data": "208.83.240.23"
    }
  ]
}

From the UK and Germany I got:

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "www.match.com.",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.match.com.",
      "type": 5,
      "TTL": 417,
      "data": "www.match.com.akadns.net."
    },
    {
      "name": "www.match.com.akadns.net.",
      "type": 5,
      "TTL": 29,
      "data": "be.match.com."
    },
    {
      "name": "be.match.com.",
      "type": 5,
      "TTL": 539,
      "data": "be.europe.match.com."
    },
    {
      "name": "be.europe.match.com.",
      "type": 5,
      "TTL": 259,
      "data": "be-v6.meetic.com.akadns.net."
    },
    {
      "name": "be-v6.meetic.com.akadns.net.",
      "type": 1,
      "TTL": 29,
      "data": "62.23.26.24"
    }
  ]
}
willscott commented 6 years ago

My understanding is that google remains pretty much the only major geographically distributed property that honors the EDNS client subnet when used in that way.

Our control is doing an authoritative recursive lookup, which should be as good at the lying / safety / dnssec points.

The control is made by OONI bouncers, rather than the client directly, and the control request can already be made over tor / domain fronted to address the domain-front / censorship worry.

fortuna commented 6 years ago

Are you referring to you work, or OONI web_connectivity?

The problem with using the OONI bouncers is that the authoritative will think the probe is where the bouncer is, giving you geographical inconsistencies.

hellais commented 4 years ago

cc @bassosimone