Total Pageviews

Thursday, 30 September 2021

如何有效避免 GFW 的 DNS poisoning

 看到有趣的 Paper How Great is the Great Firewall? Measuring China’s DNS Censorship ,透過在美國及中國的實驗找出 censored domains,進而實作出可以有效避免 GFW DNS poisoning 的方式。

GFW 如何運作?

GFW 是 on-path injector,並且不會丟棄或修改由 resolver 或是 authoritative name server 的回覆。因此只有在路徑上會經過 GFW 時才會觀察到此行為,例如日本客戶端透過中國 resolver 查詢 www.google.com 。

// 中國聯通的 DNS resolver 
// 解析 Google 網站回傳的 IP 地址卻指向 Microsoft 的網站
$ dig www.google.com @202.102.224.68 +short 173.244.217.42

如何知道一個域名可能被污染?

比較 client — resolver — authoritative name server 路徑經過與不經過 GFW 的回覆,例如:

// suspicious$ dig mentorproject.org @202.102.224.68 +short
203.161.230.171
// looks fine$ dig mentorproject.org @1.1.1.1 +short
23.236.62.147
$ dig mentorproject.org @8.8.8.8 +short
23.236.62.147
$ dig mentorproject.org @168.95.1.1 +short
23.236.62.147

所以,如何預防?

因為 GFW 不會丟棄或修改由 resolver 或是 authoritative name server 的回覆,我們只要 讓客戶端等待足夠長的時間 ,確保所有的回覆都收到再採用即可。

實驗時間

中國聯通跟 Cloudflare resolver 給了不同的答案:

$ dig mentorproject.org @202.102.224.68 +short
64.33.88.161
$ dig mentorproject.org @1.1.1.1 +short
23.236.62.147
$ sudo tshark -i any -f 'port 53' -n// 中國聯通  1 0.000000000 172.31.37.101 -> 202.102.224.68 DNS 90 Standard query 0x89c6  A mentorproject.org
2 0.154465529 202.102.224.68 -> 172.31.37.101 DNS 95 Standard query response 0x89c6 A 64.33.88.161
3 0.154511590 202.102.224.68 -> 172.31.37.101 DNS 95 Standard query response 0x89c6 A 203.161.230.171
// Cloudflare 4 12.710885026 172.31.37.101 -> 1.1.1.1 DNS 90 Standard query 0x9e3d A mentorproject.org
5 12.886210394 1.1.1.1 -> 172.31.37.101 DNS 106 Standard query response 0x9e3d A 23.236.62.147

How Great is the Great Firewall? Measuring China's DNS Censorship


The DNS filtering apparatus of China's Great Firewall (GFW) has evolved considerably over the past two decades. However, most prior studies of China's DNS filtering were performed over short time periods, leading to unnoticed changes in the GFW's behavior. In this study, we introduce GFWatch, a large-scale, longitudinal measurement platform capable of testing hundreds of millions of domains daily, enabling continuous monitoring of the GFW's DNS filtering behavior.
We present the results of running GFWatch over a nine-month period, during which we tested an average of 411M domains per day and detected a total of 311K domains censored by GFW's DNS filter. To the best of our knowledge, this is the largest number of domains tested and censored domains discovered in the literature. We further reverse engineer regular expressions used by the GFW and find 41K innocuous domains that match these filters, resulting in overblocking of their content. We also observe bogus IPv6 and globally routable IPv4 addresses injected by the GFW, including addresses owned by US companies, such as Facebook, Dropbox, and Twitter.
Using data from GFWatch, we studied the impact of GFW blocking on the global DNS system. We found 77K censored domains with DNS resource records polluted in popular public DNS resolvers, such as Google and Cloudflare. Finally, we propose strategies to detect poisoned responses that can (1) sanitize poisoned DNS records from the cache of public DNS resolvers, and (2) assist in the development of circumvention tools to bypass the GFW's DNS censorship.

from https://arxiv.org/abs/2106.02167
(https://github.com/Yangxiamao/GFW_paper_summary/blob/main/sec21-hoang.pdf)
(https://github.com/Yangxiamao/GFW_paper_summary/raw/main/sec21-hoang.pdf)

No comments:

Post a Comment