One of the biggest problems experienced by companies doing business with countries with filtering mechanisms as strong as China's is knowing whether or not their website is affected by censorship. That is why in this article, we will explore the operation and behavior of DNS censorship used by the Great Firewall of China (GFW).
How DNS censorship works
Before going into the technical aspects of this article, it is important to define the term censorship. According to the Oxford reference, censorship is "a regulatory system for vetting, editing, and prohibiting particular forms of public expression, presided over by a censor: an official given a mandate by a governmental, legislative, or commercial body to review specific kinds of material according to pre-defined criteria."
According to this definition, there are three key concepts that will be repeated throughout this article.
- Regulatory system. In our case, devices sitting on the network path inspect DNS queries so that they can "prohibit particular forms of public expression." The best-known such system is the Great Firewall of China (GFW).
- Pre-defined criteria. In DNS censorship these are the blocklists and matching rules (domain names, keywords, patterns) that decide which queries are acted upon.
- Censor. As the definition explains, the censor establishes the criteria that the regulatory system applies. In the case of DNS censorship, the censor is usually a government agency.
According to the above, the general scheme of how DNS censorship works would be something like the following:
Censor → pre-defined criteria → regulatory system (firewall)
It is important to clarify that practically every government applies, in one way or another, some form of censorship to content circulating on the Internet. For the purpose of this article, the motivation for censorship is irrelevant, as we will focus on the mechanism used to carry it out. That said, given that the GFW is one of the most sophisticated systems in the world, the explanations of how DNS censorship works will revolve around it.
With censorship defined, it is time to talk about how DNS filtering works. In general terms, a simplified version of the GFW's behavior is as follows:
- The GFW inspects plaintext DNS queries as they pass between the user's client (or resolver) and the server that will answer them. Entering a URL in the browser or starting a search both trigger a DNS query, so both are enough to bring the GFW into play.
- At this point, the GFW decides what action to take based on the pre-defined criteria set by the regulatory body (keywords, blocklists, patterns, etc.).
- If the queried domain matches those criteria, the GFW injects a forged response containing a fake IP address. Because the forged response arrives before the genuine answer, the client accepts it and is never directed to the desired page.
In the following sections, we will detail each of the mechanisms used by the GFW.
How to identify a censored DNS response
Identifying a censored DNS response is not an easy task. Fortunately, what is currently known about how the GFW behaves (more on this shortly) lets us recognise injected packets by their characteristics. Specifically, one can send DNS queries for a given domain from a server outside China and from a comparable server inside China, and compare the results: the number of replies each query draws, the percentage of dropped packets, the IP TTL values of the replies, and whether their DF flag is set.
This type of measurement allows us to infer whether a specific website has been affected by censorship and act accordingly.
How GFW enforces, and how it behaves
Many countries use some form of DNS manipulation as a mechanism to enforce censorship. However, unlike most of them, the GFW does not redirect users to a page with a warning, nor does it answer with NXDOMAIN or with an address from reserved IP space. Given the unusual way in which the GFW does its work, it is worth studying its behavior in detail, especially since it would not be surprising if other countries copy its model in the future.
DNS injection behavior of the GFW
As mentioned before, when a queried domain is flagged as inappropriate, a device on the network path sends the user a "false response" that arrives before the genuine answer from the resolver, which prevents access to the desired content. Note that the resolver itself is not involved: the false response is a separate packet injected into the flow, which is why the technique is known as DNS injection. It is what we will explain next.
One of the unique aspects of GFW behavior is the injection of forged IP addresses in response to certain DNS requests. Measurements estimate that the GFW uses more than 3.6K unique forged IPv4 and IPv6 addresses to block censored domains.
Moreover, it is believed that the GFW divides the blocked domains into three groups: search engines, proxy avoidance, and a group that includes personal websites, pornography, gambling and IT. This strategy allows it to draw the forged addresses for each group from a specific pool of public IP addresses. The advantage of this method is that the GFW can manage the load according to the content to be censored. Currently, measurements indicate that most of the IP pools are dedicated to proxy avoidance, followed by search engines (basically Google), with the rest used for other censored sites.
Three distinct injectors
Another unique aspect of the GFW is that it runs three distinct injectors, each of which produces a forged response of its own. As a result, one DNS query can draw multiple DNS replies. The three injectors are distinguished by the following traits:
DNS authoritative answer (AA bit). The forged responses from this injector carry the AA flag in the DNS header, as if they came straight from the domain's authoritative name server, which is not what an answer relayed by a recursive resolver normally carries. It has been found that this injector filters mostly search engines and that it is observed together with the IP TTL injector in most cases.
Don't-Fragment (DF) flag. This trait comes from a basic networking principle, packet fragmentation. Usually, when a packet is larger than a link can carry, it is fragmented so that it can pass through the respective interface; this is what makes the Internet work across links of different capacities. The DF bit in the IP header forbids that: a packet that "must" be fragmented to pass through a given link is discarded instead. The forged responses from this injector have the DF bit set. Since a forged DNS reply is a single small datagram either way, the bit does not cause queries to fail; it is a fingerprint that distinguishes this injector's packets.
IP TTL. This injector is distinguished by the IP TTL of its forged responses, which echoes the TTL of the query packet rather than carrying a fixed initial value (see the next section). It has been observed in conjunction with the two previous injectors, so a single query may receive all three forged replies.
TTL echoing in injected packets
A curious aspect of GFW behavior is that the third injector echoes, or replicates, the TTL of the probe packet in its forged response. Together with TTL-limited probe queries, this makes it possible to locate network censors: sending the same query with increasing TTL values and noting the smallest TTL at which a forged reply still appears gives the hop distance to the injecting device.
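The following is an added example, not code from the original article, that works through both the identification step described earlier (comparing the replies a query draws against what an uncensored vantage point returned) and the injector traits just listed. It parses raw IPv4/UDP/DNS reply packets, flags the forged ones, fingerprints them by AA bit, DF bit and echoed TTL, and locates the injector by TTL-limited probing. Every packet is constructed for the example, the addresses come from documentation ranges, and the query ID, probe TTL and "reference answer" are assumptions.

```python
"""Fingerprint the replies one DNS query draws, using the traits the article lists
for the GFW's three injectors (AA bit, IP DF bit, echoed IP TTL), and locate the
injector with TTL-limited probes. Added example, not code from the original
article: every packet is constructed, addresses are documentation ranges, and the
query ID, probe TTL and "reference answer" are assumptions."""
import struct
from dataclasses import dataclass, field


@dataclass
class Response:
    ttl: int
    df: bool
    txid: int
    aa: bool
    answers: list = field(default_factory=list)   # IPv4 strings from A records

def _ip4(s):
    return bytes(int(o) for o in s.split("."))

def build_response(src, dst, ttl, df, txid, aa, qname, answer):
    """Minimal IPv4 + UDP + DNS A-record reply (checksums zeroed) for the sample capture."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    flags = 0x8180 | (0x0400 if aa else 0)               # QR, RD, RA, plus AA when asked
    dns = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + name + struct.pack("!HH", 1, 1)
    dns += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + _ip4(answer)  # name ptr to offset 12
    udp = struct.pack("!HHHH", 53, 33333, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0,
                     0x4000 if df else 0, ttl, 17, 0, _ip4(src), _ip4(dst))
    return ip + udp

def _skip_name(buf, off):
    """Advance past a DNS name, whether it is labels or a compression pointer."""
    while 0 < buf[off] < 0xC0:                            # label bytes are at most 63
        off += 1 + buf[off]
    return off + (2 if buf[off] >= 0xC0 else 1)

def parse_response(pkt):
    """Pull IP TTL, DF bit, DNS header bits and A answers out of a raw IPv4/UDP packet."""
    dns = pkt[(pkt[0] & 0x0F) * 4 + 8:]                   # past IP header and 8-byte UDP header
    txid, flags, qd, an = struct.unpack("!HHHH", dns[:8])
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    resp = Response(pkt[8], df, txid, bool(flags & 0x0400))
    off = 12
    for _ in range(qd):
        off = _skip_name(dns, off) + 4                    # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(dns, off)
        rtype, _cls, _rttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            resp.answers.append(".".join(str(b) for b in dns[off:off + 4]))
        off += rdlen
    return resp

def fingerprint(resp, probe_ttl):
    """Injector traits from the article. The sample assumes the echoed TTL arrives
    unchanged; on a real path compare against the TTL the probe had at the censor."""
    checks = (("AA", resp.aa), ("DF", resp.df), ("TTL-echo", resp.ttl == probe_ttl))
    return [name for name, hit in checks if hit]

def is_forged(resp, reference):
    """A reply whose answers disagree with what an uncensored vantage point returned."""
    return not set(resp.answers) <= set(reference)

def analyze(txid, packets, reference, probe_ttl):
    """Several replies to one query ID, or answers that differ from the reference,
    indicate injection; distinct (ttl, df, aa) tuples among them count injectors."""
    replies = [r for r in map(parse_response, packets) if r.txid == txid]
    forged = [r for r in replies if is_forged(r, reference)]
    return {"replies": len(replies), "forged": [r.answers[0] for r in forged],
            "traits": [fingerprint(r, probe_ttl) for r in forged],
            "injectors": len({(r.ttl, r.df, r.aa) for r in forged})}

def locate_injector(probes, reference):
    """TTL-limited probing: probes maps the TTL a query was sent with to the packets
    it drew. The smallest TTL that still draws a forged reply is the hop distance to
    the censor; probes that expire before reaching it draw nothing."""
    hits = [ttl for ttl, pkts in sorted(probes.items())
            if any(is_forged(parse_response(p), reference) for p in pkts)]
    return hits[0] if hits else None

# Constructed capture: query ID 0x1A2B for a placeholder name drew four replies, three
# forged (one per trait) ahead of the genuine one; all spoof the queried resolver as source.
RESOLVER, CLIENT, QNAME = "198.51.100.53", "192.0.2.10", "blocked.example"
CAPTURE = [
    build_response(RESOLVER, CLIENT, 57, False, 0x1A2B, True, QNAME, "203.0.113.7"),    # AA bit
    build_response(RESOLVER, CLIENT, 55, True, 0x1A2B, False, QNAME, "203.0.113.8"),    # DF bit
    build_response(RESOLVER, CLIENT, 64, False, 0x1A2B, False, QNAME, "203.0.113.9"),   # echoed TTL
    build_response(RESOLVER, CLIENT, 50, False, 0x1A2B, False, QNAME, "198.51.100.80"), # genuine
]
REFERENCE = ["198.51.100.80"]                          # uncensored vantage point's answer (assumed)
PROBES = {2: [], 3: [], 4: [CAPTURE[0]], 8: CAPTURE}   # replies drawn per probe TTL (constructed)

if __name__ == "__main__":
    print(analyze(0x1A2B, CAPTURE, REFERENCE, probe_ttl=64))
    print("injector at hop", locate_injector(PROBES, REFERENCE))
```

On the constructed capture, `analyze` reports four replies to the one query, three of them forged, with traits `AA`, `DF` and `TTL-echo` respectively and three distinct injector signatures; `locate_injector` reports the censor at hop 4, the smallest probe TTL that still drew a forged reply. The same functions can be pointed at a real capture (for instance one read with a pcap library) as long as the packets are handed over as raw IPv4 bytes.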
The GFW’s bidirectional DNS filtering behavior
In addition to the GFW's strong content filtering inside China, its particular censorship methods cause problems outside China as well. This is due to the bidirectional nature of the GFW's DNS filtering: it acts on queries crossing its path in either direction, so a query sent by a public DNS resolver outside China for a domain whose authoritative name server is located inside China also passes through the GFW and can receive a forged answer. The resolver caches that poisoned record and serves it to all of its clients, which is how poisoned DNS records can spread around the world. For this reason, operators of public DNS resolvers have to keep checking for and flushing poisoned entries from their caches.
This post has explored in detail how the Great Firewall of China uses DNS packet injection to censor Internet access. It has also explained methods to detect if a site has been affected (intentionally or unintentionally) by this censorship. At GoClick China, we specialize in comprehensive solutions that help your website be seen normally inside China. To learn more about succeeding in China, check out our other articles.
For a complete overview of the GFW, we suggest you read The complete guide to the Great Firewall of China (GFoC).