Poisoning the Well – Exploring the Great Firewall’s Poisoned DNS Responses

Conference item

One of the primary fltering methods that the Great Firewall of China (GFW) relies on is poisoning DNS responses for certain domains. When a DNS request is poisoned by the GFW, multiple DNS responses are received - both legitimate and poisoned responses. While most prior research into the GFW focuses on the poisoned responses, ours also considers the legitimate responses from the DNS servers themselves. We fnd that even when we ignored the immediate poisoned responses, the cache from the DNS servers themselves are also poisoned.We also fnd and discuss the IP addresses within the DNS responses we get; in particular 9 IP addresses that are returned as a result for many diferent poisoned domains. We present the argument that this type of attack may not be primarily targeted directly at users, but at the underlying DNS infrastructure within China.

Authors: Farnan, O; Darer, A; Wright, J

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: Association for Computing Machinery
• Host title: WPES '16: 2016 ACM on Workshop on Privacy in the Electronic Society
• Journal: WPES '16: 2016 ACM on Workshop on Privacy in the Electronic Society
• Publication date: 2016-10-24
• Acceptance date: 2016-09-06
• DOI: 10.1145/2994620.2994636
• ISBN: 9781450345699
• Keywords: DNS Poisoning; China; Great Firewall; Censorship; Internet Security