DNS Interference

From wiki.measurementlab.net
Jump to: navigation, search

Interference Methods

  • False answers through deep packet inspection or man-in-the-middle of DNS:
  • Drop DNS requests for some domains,
  • DNS takedown
  • Inject a “not found” response for a DNS request (NX DOMAIN)
  • Blocking through incorrect DNS reply
    • bogons/non-routable
    • valid + ACL’ed IPs etc.
  • Configure a recursive resolver to return a “wrong” address
  • Create imposter service & degrade service for clients who connect
  • DNS force proxy
  • DHCP race condition to inject rogue default DNS resolver
  • DNS seizure

Detection

  • DNS Consistency: Comparison of responses from a good reputation DNS resolver on a random high port to the dns resolver of interest,
  • PTR Indications: PTR of the IP returned for local DNS and comparison of the results,
  • Injection Test: Take a foreign IP that does not have a resolver listening and compare results for spoofed responses by middle boxes;
  • Wait and See: Check for delayed or additional DNS replies that could have been triggered by in-path middleboxes;
  • Aggregated assessment helps,
  • GRC Approach: look up one domain that is not cached and tester is authoritative for to see where the request for subdomain comes from;
  • Is there some way of chaining these two experiments together -- simple to do dns injection test in cases of bad domains.

Problems

  • Relies on having a resolver in country AND on ISP if possible in order to control for geolocated results,
  • How do you know its a client or ISP dns -- can we be confident?

Implementations

OONI, DNSInjection Detects the presence of a censor that injects forged DNS replies when it detects an blacklisted domain name

References