Poisoning the Well – Exploring the Great Firewall’s Poisoned DNS Responses

Bibliographic Details
Main Authors: Farnan, O, Darer, A, Wright, J
Format: Conference item
Published: Association for Computing Machinery 2016
Description
Summary: One of the primary filtering methods that the Great Firewall of China (GFW) relies on is poisoning DNS responses for certain domains. When a DNS request is poisoned by the GFW, multiple DNS responses are received - both legitimate and poisoned responses. While most prior research into the GFW focuses on the poisoned responses, ours also considers the legitimate responses from the DNS servers themselves. We find that even when we ignored the immediate poisoned responses, the caches of the DNS servers themselves are also poisoned. We also find and discuss the IP addresses within the DNS responses we get; in particular 9 IP addresses that are returned as a result for many different poisoned domains. We present the argument that this type of attack may not be primarily targeted directly at users, but at the underlying DNS infrastructure within China.