DNS Poisoning

dns hijacking
dns cache poisoning

DNS poisoning is also called “DNS cache poisoning”; sometimes it is also called “DNS pollution”.

DNS poisoning plays a big role in China’s GFW, which uses it to block the parts of the outside internet they don’t want you to see. It is worth a close look at how it works and how to get yourself out of the poisoning.

1. What is DNS

DNS is the acronym of domain name server. A domain name server plays a pivotal role in the architecture of the worldwide web: it essentially translates a domain name into a set of IP addresses. For example, when I open my console and type in the command “nslookup facebook.com”, I get the following result:

Addresses: 2a03:2880:f10e:83:face:b00c:0:25de //this is facebook.com’s IPv6 address
31.13.80.36 //this is facebook.com’s IPv4 address

You can type the IP address (the easier one is the IPv4 address 31.13.80.36) into the browser’s address bar, and you reach facebook.com. It is just not intuitive for humans: you have to remember that number. If you have no problem remembering it, how about visiting google.com, or youtube.com, or twitter.com, or … you will quickly be swamped by the immense amount of numbers you have to keep in mind, which is, practically, impossible.

You can think of DNS as a computer that hosts a gigantic list of domain names (billions). When you type a name into the browser address bar, the DNS receives your request, translates it into the cold IP address associated with that domain, and your computer connects you to the computer that hosts that website.

Domain name servers are connected with each other. If one server doesn’t have the name in its cache (a local copy of part of the list), it sends a query to another domain name server, and so on down the chain, until an answer is returned and passed on to your computer. Only after you get the correct answer can you access the authentic website you intend to visit.

Most internet users do not realize the existence of domain name servers, as DNS works in the background. They don’t know where the servers are, how to connect to a DNS they want, or how to change to another DNS if they don’t like the existing one. By default, the internet service provider automatically provides its own DNS for you to connect to. The ISP therefore controls quite a big part of your online surfing; some people dislike this, so they point their DNS to other providers that they like or trust.

Are there any differences between these DNS providers? The answer is yes. The web is full of surprises and shady things, so some providers offer a special version of DNS: they do store a gigantic list of websites, but they intentionally block the bad domains, i.e. domains that host malicious software, false information, illegal content, etc. They offer a “clean” version of the domain names, or a “safe” version, or a “fast” version. They provide value to the users who look for it: some want to protect their computers from malware, some want to protect their children from visiting bad sites, some want faster speed…

2. What is DNS poisoning

Now we come to DNS poisoning. If a malicious ISP doesn’t want you to visit a site, what would they do? Can you guess?

You guessed it right! They will serve a “censorship” version of the DNS record that sends the request for a legitimate domain such as google.com to some dead IP pool of their own, or worse, to a phishing website of their own that looks very much like the legitimate domain.

Don’t think this is Alice in Wonderland! Between 2011 and 2013 there were multiple reports that China’s GFW was directing gmail.com to a phishing site that looked exactly like gmail.com, collecting Gmail accounts and passwords from millions of users. Who has the power to revise a state-level DNS record?

Another black-humor kind of incident happened around 2010, when a US DNS provider mistakenly configured its DNS to cache DNS records from a Chinese DNS server. As a result, when requesting Google, Facebook, Twitter etc., thousands and thousands of American users had the chance to enjoy the “bad request” blank page served by the Chinese state ISP.

The Chinese state-level ISP has a huge list of domains (definitely many thousands, if not millions) that it doesn’t want its users to visit. These include the most informative domains: Google, YouTube, Twitter, Facebook, DuckDuckGo… It is the information these domains host or index that the regime makes every effort to prevent its citizens from viewing.
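One practical way to notice the poisoning described above is to ask two resolvers (for example your ISP’s and 8.8.8.8) the same question and compare the addresses they return. The script below is an added example, not part of the original post: it builds a raw DNS A query, parses the answer section of a response, and flags the case where the two answer sets share no address. The sample responses are constructed inline (the facebook.com address shown earlier, and a made-up address from the 203.0.113.0/24 documentation range) so the parser can be exercised without a network; query_resolver is the only part that needs one.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
def parse_a_records(resp):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                 # step over the echoed question(s)
        off = skip_name(resp, off) + 4  # +4 skips QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs
def query_resolver(resolver_ip, name, timeout=3):
    """Ask `resolver_ip` over UDP/53 for the A records of `name` (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        resp, _ = s.recvfrom(512)
    return parse_a_records(resp)
def answers_disagree(a, b):
    """True when two resolvers share no address for the same name: a poisoning indicator."""
    return not (set(a) & set(b))
def make_response(name, ip, txid=0x1234):
    """Constructed sample response with one A record, so the parser can run offline."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    ans = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return hdr + build_query(name, txid)[12:] + ans
# Constructed samples: the facebook.com address shown above, and a diverging one.
GOOD = make_response("facebook.com", "31.13.80.36")
SUSPECT = make_response("facebook.com", "203.0.113.9")
```

With network access, answers_disagree(query_resolver("<your ISP resolver>", "facebook.com"), query_resolver("8.8.8.8", "facebook.com")) performs the live comparison; large sites legitimately return different addresses per region, so treat a disagreement as a prompt to look closer, not as proof.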

3. How to get out of DNS poisoning

Okay, enough revealing of DNS poisoning; what can you do about it? How do you avoid getting poisoned?

First of all, if you feel your ISP is shady, you should try not to use the default DNS server assigned to you. Go to your router configuration, find the DNS setting and change it. You can use Google’s DNS:

Google DNS IPv4 address:

8.8.8.8
8.8.4.4

Google DNS IPV6 address:

2001:4860:4860::8888
2001:4860:4860::8844

Some devices require all 8 fields of the IPv6 address format; in this case you should enter:

2001:4860:4860:0:0:0:0:8888
2001:4860:4860:0:0:0:0:8844

See Google’s detailed instructions. They provide instructions for setting DNS on routers, Windows, Mac OS X, Linux, iOS and Android (for mobile phones).

Second, in case Google DNS is blocked, you can find a DNS from this page.

Remember to set ALL your devices to use trustworthy DNS.

That’s it. You are free of GFW’s number 1 weapon in the arsenal – DNS poisoning.
