3/28/2010

中国DNS污染通过根服务器影响全世界

Ars Technica报道,据IETF DNS operations邮件列表的讨论, 一位来自智利域名注册商的技术人员周三称,他们在DNS根服务器“i.root-servers.net”的一个节点上观察到了奇怪的响应行为,当用户查 询facebook.com、youtube.com和 twitter.com等域名时,返回的是虚假的IP地址,没有转到.com。正常情况下,DNS根服务器只会提供一个正确的顶级域名服务器指示,在此例 中用户查询的.com顶级域名服务器由美国弗吉尼亚州的VeriSign公司运行。他们根据路由追踪发现这个节点位于中国。i.root- servers.net的一位工作人员表示正对此展开调查。很多人指出中国根服务器DNS污染已经发生过多次,而一位自称管理根服务器中国镜像的 ICANN机构的人员声明,ICANN与此事无关。

On Wednesday, someone from the Chilean domain registry .cl noticed that one of the DNS root servers was responding in a very strange way to queries for domain names like facebook.com, youtube.com, and twitter.com. Normally, root servers only provide a pointer to the correct set of Top Level Domain servers—in this case, the .com servers operated by Verisign. But here, the "I" root server responded with (apparently fake) addresses.
It turns out that these queries were answered by a root server residing in China, and China has been applying this type of creativity to DNS queries since at least 2002. So this is just your basic Internet censoring, nothing to see here, move along. (Can we interest you in some DNS security?)
In this case, however, the ways in which the network of root servers is operated and the DNS protocol works interact in a way that can create problems outside China. The problem with the root servers is that they're "anycasted." The number of root servers is limited to not much more than the current 13 (A through M) because more wouldn't fit into a single DNS packet without additional measures. So rather than add more root servers with their own addresses, most root server addresses are actually used by multiple servers around the world. The routing system delivers queries to the nearest server so answers come back quickly, and attackers only get to send packets to root servers in their own region, limiting the scope of any attacks. This means that if the routing system considers an instance of a root server in China close by, routers will send the request to China. Regular users have very little control over these routing decisions.
To add insult to injury, the queries to root servers contain the full DNS name that the user is looking for, even though root servers by their nature only respond to the .com, .net, .fr, or .cl part of a DNS name. It's a bit like putting your income on the outside of the envelope containing your tax return and trusting the postal service to ignore it.
Very likely, ISPs will soon start blocking routing updates announcing reachability to anycasted root servers coming from China, so DNS requests will be forwarded to non-Chinese instances of root servers. Note however, that these spoofed results are unlikely to create much trouble, even for users who consistently receive them. And this is unlikely for anyone outside China, because only a few root server instances are deployed in the People's Republic. In any event, normally, the pointers to the .com servers will already be cached by a local DNS server, so the query is sent directly to a .com server rather than to a root server first.

0 评论:

免责声明

1、本人是文盲,以上内容文字均不认识,也看不懂是什么意思(包括但不限于对所以上之内容的识别、阅读、理解、分析、记忆等);

2、本人过去、现在以及将来都不认识本文中提及当事人,且自古以来与该相对人无利益关系;

3、本人昨天、今天以及明天都没有或者不准备去本文所述地点。本文表述之事与本人无关。

4、本人在此发文(包括但不限于汉字、拼音、拉丁字母、斯拉夫字母、日语假名、阿拉伯字母、单词、句子、图片、影像、录音、以及前述之各种任意组合等等)均为随意敲击键盘所出,用于检验本人电脑键盘录入、屏幕显示的机械、光电性能,并不代表本人局部或全部同意、支持或者反对文中观点。如需要详查请直接与键盘发明者及生产厂商法人代表联系;

5、人生有风险,上网需谨慎。本文不暗示、鼓励、支持或映射读者作出生活方式、工作态度、婚姻交友、股票债券买卖、子女教育的积极或消极判断。未成年人请在监护人陪同下阅读本文。无完全民事行为能力者,请立即关闭网页,并用20%高锰酸钾+75%乙醇对键盘、硬盘、电压插座、显示器、鼠标、cpu进行灌溉消毒;

6、如本人留言违反国家有关法律,请网络管理员及时删除本文,本人保留继续发文的权利;

7、因删贴不及时所产生的任何法律(包括宪法、加法、减法、乘法、除法、剑法、拳法、脚法、指法、民法、刑法、书法、公检法、基本法、劳动法、婚姻法、输入法、没办法、国际法、今日说法、吸星大法及文中涉及或可能涉及以及未涉及之法,各地治安管理条例)纠纷或责任本人概不负责;

8、本人谢绝任何跨省(包括但不限于跨国、跨洲、跨星球、跨星系)追捕行为。确因不抓不足以平民愤,或不抓就领不到薪水养家户口的公职人员,建议携带工作证、身份证、结婚证/离婚证、独生子女证、健康证、暂住证、毕业证、边防证、县以上政府机关出具的介绍信温情操作。抓捕按照以下排序倒序:作者、原作者以及网络管理员以及网络运行商、电信运营商、电力供应商、电脑生产销售商.