[ boxxter @ 25.03.2010. 13:57 ] @
China censorship leaks outside Great Firewall via root server


On Wednesday, someone from the Chilean domain registry .cl noticed that one of the DNS root servers was responding in a very strange way to queries for domain names like facebook.com, youtube.com, and twitter.com. Normally, root servers only provide a pointer to the correct set of Top Level Domain servers—in this case, the .com servers operated by Verisign. But here, the "I" root server responded with (apparently fake) addresses.

It turns out that these queries were answered by a root server residing in China, and China has been applying this type of creativity to DNS queries since at least 2002. So this is just your basic Internet censoring, nothing to see here, move along. (Can we interest you in some DNS security)

In this case, however, the ways in which the network of root servers is operated and the DNS protocol works interact in a way that can create problems outside China. The problem with the root servers is that they're "anycasted." The number of root servers is limited to not much more than the current 13 (A through M) because more wouldn't fit into a single DNS packet without additional measures. So rather than add more root servers with their own addresses, most root server addresses are actually used by multiple servers around the world. The routing system delivers queries to the nearest server so answers come back quickly, and attackers only get to send packets to root servers in their own region, limiting the scope of any attacks. This means that if the routing system considers an instance of a root server in China close by, routers will send the request to China. Regular users have very little control over these routing decisions.

To add insult to injury, the queries to root servers contain the full DNS name that the user is looking for, even though root servers by their nature only respond to the .com, .net, .fr, or .cl part of a DNS name. It's a bit like putting your income on the outside of the envelope containing your tax return and trusting the postal service to ignore it.

http://arstechnica.com/tech-po...t-firewall-via-root-server.ars
[ boxxter @ 25.03.2010. 22:54 ] @
Go Daddy Cuts Off Chinese Domain-Name Registration


Concerned about new Chinese data collection policies, Go Daddy announced Wednesday that it will no longer allow customers to sign up for new .CN domain names.

The domain registrar will continue to manage existing .CN domain names.

"There appears to be a recent increase in China's surveillance and monitoring of the Internet activities of its citizens," Christine Jones, general counsel for Go Daddy, told the Congressional-Executive Commission on China (CECC), a committee comprised of nine senators and nine House members that monitors Chinese human rights.


http://www.pcmag.com/article2/0,2817,2361779,00.asp