
DNS Tamper

What it detects

  • Malicious or cache-poisoned DNS servers which return false IP addresses for a domain name.

Inputs

  • The list of domain names to be tested.
  • The list of IP addresses of the DNS servers to be tested
  • The IP address of a DNS server to be used as the control

Experiment

Takes a list of domain names and a list of DNS servers to be tested, and it resolves each domain name for each DNS server.

For example, given the domain name list ['google.com', 'ooni.nu', 'torproject.org'] and the DNS server list ['208.67.222.222', '156.154.70.1'], ooniprobe would try the following DNS resolves:

Source   Destination     Protocol  Info
1.2.3.4  208.67.222.222  DNS       STANDARD query A google.com
1.2.3.4  208.67.222.222  DNS       STANDARD query A ooni.nu
1.2.3.4  208.67.222.222  DNS       STANDARD query A torproject.org
1.2.3.4  156.154.70.1    DNS       STANDARD query A google.com
1.2.3.4  156.154.70.1    DNS       STANDARD query A ooni.nu
1.2.3.4  156.154.70.1    DNS       STANDARD query A torproject.org

Control

Next, the test resolves the same domain name list with a known good server (set to Google's main DNS server, 8.8.8.8, by default), and compares the returned IP addresses with those obtained from the test DNS servers. If there are any IP addresses which match in both results, the test reports that the user's DNS has not been tampered with for that domain name.

Output

  • Whether or not censorship was detected, and, if so, what caused the result to be flagged as censorship.

Questions

Many high-usage online services use GeoIP load balancing to reduce resource consumption on servers. This results in a DNS server in one geographic region pointing to one set of IP addresses, and a DNS server in a different region pointing to others. The DNSLookup test mistakenly interprets these conflicting results as an act of DNS tampering. To attempt to decrease false positives resulting from GeoIP load balancing, DNSLookup can try to complete a reverse DNS resolve for both sets of resultant IP addresses, and then compare the reverse DNS results for matches. This only works sometimes, but enabling it does not diminish the validity of test results that would otherwise have been obtained.
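The comparison rule described in the Control and Questions sections (any IP address shared between the test and control answers means no tampering, with the optional reverse DNS fallback for GeoIP load balancing), as an added Python example that is not ooniprobe's own code. The resolver answers, PTR names and verdict labels are constructed for the example so it runs offline.

```python
# Added example (not OONI's own ooniprobe code): the comparison rule of the
# DNS Tamper test, run offline over constructed resolver answers.
from typing import Callable, Optional

# Constructed answers for the page's example servers. Addresses come from the
# reserved documentation ranges (TEST-NET), not from real services.
CONTROL = "8.8.8.8"
FAKE_A = {
    (CONTROL, "google.com"):              ["192.0.2.10", "192.0.2.11"],
    ("208.67.222.222", "google.com"):     ["198.51.100.10"],  # GeoIP: other pool
    (CONTROL, "ooni.nu"):                 ["192.0.2.20"],
    ("208.67.222.222", "ooni.nu"):        ["192.0.2.20", "192.0.2.21"],
    (CONTROL, "torproject.org"):          ["192.0.2.30"],
    ("208.67.222.222", "torproject.org"): ["203.0.113.99"],  # bogus answer
}
FAKE_PTR = {
    "192.0.2.10": "fra.lb.example.net", "192.0.2.11": "fra.lb.example.net",
    "198.51.100.10": "fra.lb.example.net",  # same PTR name as the control's pool
    "192.0.2.20": "ooni.nu", "192.0.2.21": "ooni.nu", "192.0.2.30": "torproject.org",
}

def fake_resolve(server: str, domain: str) -> list:
    """Stand-in for a real A query against `server`."""
    return FAKE_A.get((server, domain), [])

def fake_reverse(ip: str) -> Optional[str]:
    """Stand-in for a PTR lookup; None when the IP has no reverse record."""
    return FAKE_PTR.get(ip)

def check_domain(test_ips, control_ips, reverse: Optional[Callable] = None) -> str:
    """Page rule: any IP common to both answers means 'not tampered'. With a
    reverse lookup, also accept matching PTR names (GeoIP load-balancing fix)."""
    if set(test_ips) & set(control_ips):
        return "ok"
    if reverse is not None:
        test_names = {reverse(ip) for ip in test_ips} - {None}
        ctrl_names = {reverse(ip) for ip in control_ips} - {None}
        if test_names & ctrl_names:
            return "ok-by-reverse-dns"
    return "tampered?"

def run(domains, test_servers, resolve, control=CONTROL, reverse=None) -> dict:
    """Resolve every domain on every test server and compare with the control."""
    report = {}
    for server in test_servers:
        for domain in domains:
            report[(server, domain)] = check_domain(
                resolve(server, domain), resolve(control, domain), reverse)
    return report
```

Without the reverse lookup the google.com case above is reported as tampering, which is exactly the GeoIP false positive the paragraph describes.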

When censors inject faked DNS replies by inspecting the link, the prober can NOT get the right answer even from the good DNS resolver. This happens in China, because of the Great Firewall of China. This situation should be treated as a separate test, such as DNS_Injection_Test.

Last modified on Sep 25, 2012, 8:16:01 AM