Hijacking of public DNS servers in Turkey, through routing
First publication of this article on 29 March 2014
Last update on of 30 March 2014
A new step in the fight between the Turkish government and the Internet occurred recently when the access providers in Turkey started, not only to install lying DNS resolvers, but also to hijack the IP addresses of some popular open DNS resolvers, like Google Public DNS.
The first attempt of censorship by the Turkish government was to
request (around 20 March) the IAP (Internet Access Providers), who typically provide a
recursive DNS service to their users, to configure these recursors to
lie, providing false answers when queried about censored names like
twitter.com. This is a very common censorship
technique, which is used sometimes for business reasons (lying about
non-existing domain names, to direct the user to an advertisement page)
and sometimes for plain censorship (this was done in France, Bulgaria,
Ireland,
etc).
An obvious workaround to this technique is to use other resolvers
than the IAP's ones. Hence the calls on the walls of many Turkish
cities to use a service like Google Public DNS,
with the IP addresses of its resolvers 
Now, the Turkish governement, replying to the reply, went
apparently further. Before discussing what they have done, let's see
the facts. We will use the network of RIPE Atlas probes to query Google
Public DNS from various places, in the world and in Turkey, since the
excellent RIPE Atlas interface allows you to select probes based on
many criteria, including the country. The probe can resolve names
(like twitter.com, the first censored name) with
its local DNS resolver (typically configured by a
DHCP reply when the probe starts) but we won't
use this possibility, we already know the the IAP's DNS resolvers in
Turkey lie. We will instead instruct the Atlas probes to query Google
Public DNS, at its IP address 8.8.4.4 (it is less
known than 8.8.8.8 but Atlas have an automatic rate-limiter
and, since so many people are currently investigating Turkish
censorship, Atlas does not accept queries to
8.8.8.8.)
First, to see the ground truth, let's ask a hundred probes
worldwide to resolve twitter.com. The
measurement ID is #1605067 for those who want to check (most Atlas
measurements are public, anyone can download the results as a big
JSON file and analyze them by
themselves). Since Twitter is implemented by
many machines, the IP addresses vary and it's normal. Here is an
excerpt:
... [199.59.148.10 199.59.149.198 199.59.150.7] : 2 occurrences [199.16.156.38 199.16.156.6 199.16.156.70] : 8 occurrences [199.59.149.230 199.59.150.39 199.59.150.7] : 5 occurrences ...
All IP addresses do belong to Twitter (checked with whois), which makes sense. Now, let's query only Turkish probes. There are ten available Atlas probes in Turkey. This is measurement #1605068. Here is the full result:
10 probes reported, 10 successes [199.16.156.230 199.16.156.6 199.16.156.70] : 1 occurrences [195.175.254.2] : 8 occurrences [199.16.156.198 199.16.156.230 199.16.156.70] : 1 occurrences Test done at 2014-03-29T16:57:38Z
Two probes give normal results, with three IP addresses, all in
Twitter space. The majority of probes, eight, give an IP address at a
Turkish provider (Turk Telekomunikasyon Anonim
Sirketi alias ttnet.com.tr). So, there
is clearly something fishy: even when you request
specifically Google Public DNS, you get a lie.
We can measure with another censored name,
youtube.com and we get similar
results. In Turkey, measurement #1606453 reports:
10 probes reported, 10 successes [173.194.34.160 173.194.34.161 173.194.34.162 173.194.34.163 173.194.34.164 173.194.34.165 173.194.34.166 173.194.34.167 173.194.34.168 173.194.34.169 173.194.34.174] : 1 occurrences [195.175.254.2] : 8 occurrences [195.22.207.20 195.22.207.24 195.22.207.25 195.22.207.29 195.22.207.30 195.22.207.34 195.22.207.35 195.22.207.39 195.22.207.40 195.22.207.44 195.22.207.45 195.22.207.49 195.22.207.50 195.22.207.54 195.22.207.55 195.22.207.59] : 1 occurrences Test done at 2014-03-30T15:16:22Z
The same IP address is obtained, and of course it is not possible that the real Twitter and the real YouTube are hosted at the same place.
[All measurements show that two Atlas probes in Turkey do not see the hijacking. Why are they spared? According to the manager of one of these probes, his entire network was tunneled to a foreign server, to escape filtering, which explains why the probe on the network saw normal DNS replies.]
If you try another well-known DNS resolver, such as OpenDNS, you'll get the same problem: a liar responds instead.
So, someone replies, masquerading as the real Google Public DNS resolver. Is it done by a network equipment on the path, as it is common in China where you get DNS responses even from IP addresses where no name server runs? It seems instead it was a trick with routing: the IAP announced a route to the IP addresses of Google, redirecting the users to an IAP's own impersonation of Google Public DNS, a lying DNS resolver. Many IAP already hijack Google Public DNS in such a way, typically for business reasons (gathering data about the users, spying on them). You can see the routing hijack on erdems' Twitter feed, using Turkish Telecom looking glass: the routes are no normal BGP routes, with a list of AS numbers, they are injected locally, via the IGP (so, you won't see it in remote BGP looking glasses, unless someone in Turkey does the same mistake that Pakistan Telecom did with YouTube in 2008). Test yourself:
u*>? 8.8.4.4/32 100 None 212.156.250.157 None - No As-Path
while a normal route wil look like:
u*>i 74.82.42.0/24 100 1 212.156.100.1 None - 6939 *i 74.82.42.0/24 100 1 212.156.100.1 None - 6939
(6939 being the origin AS of the remote route, here a foreign one,
while 8.8.4.4/32 is local)
Another indication that the hijacking is not done by a man in the middle mangling any DNS reply (as it is done in China) is that, if you try a little-known open DNS resolver, there is no problem, even from Turkey, you get correct results (measurement #1605104).
Also, a traceroute to Google Public DNS shows the user is going to Turkish servers, unrelated to the Californian corporation (see this example). RIPE Atlas probes can do traceroutes, too, but for the probes I used, the traceroute gets lost in the network of TTNET Turk Telekomunikasyon Anonim Sirketi, the lying DNS resolver, unlike the real Google Public DNS, does not reply to UDP traceroutes :
From: 212.58.13.159 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR Source address: 212.58.13.159 Probe ID: 3506 1 212.58.13.253 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR [3.98, 3.235, 3.101] 2 82.151.154.193 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR [3.15, 3.044, 3.11] 3 212.156.133.117 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [4.146, 4.807, 4.157] 4 [u'*', u'*', 'late', u'*'] 5 81.212.204.205 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [11.185, 10.657, 10.67] 6 81.212.204.149 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [10.864, 11.007, 10.685] 7 ['late', u'*', 'late', u'*', u'*'] 8 [u'*', u'*', u'*'] 9 [u'*', u'*', u'*'] 10 [u'*', u'*', u'*'] 11 [u'*', u'*', u'*'] 255 [u'*', u'*', u'*']
But RIPE Atlas probes are able to do traceroute with ICMP and, this time, it works:
From: 212.58.13.159 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR Source address: 212.58.13.159 Probe ID: 3506 1 212.58.13.253 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR [3.866, 3.13, 3.132] 2 82.151.154.193 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR [3.316, 3.012, 3.176] 3 212.156.133.117 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [4.362, 5.976, 4.394] 4 [u'*', u'*', 'late', u'*'] 5 81.212.204.205 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [13.922, 13.574, 13.753] 6 81.212.204.149 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [13.933, 17.873, 13.571] 7 8.8.4.4 15169 GOOGLE - Google Inc.,US [11.689, 11.761, 11.897]
Is the lying resolver a full standalone resolver or does it just
proxy requests to the real servers, after censoring some names? To be
sure, we ask the Atlas probes to query Google Public DNS with the name
whoami.akamai.net, which is delegated to special
Akamai servers in order to reply with the IP
address of their DNS client (thanks to Alexander Neilson for the
idea). Measurement #1606450 shows:
10 probes reported, 10 successes [74.125.18.80] : 2 occurrences [195.175.255.66] : 8 occurrences Test done at 2014-03-30T14:49:39Z
We learn with whois that 74.125.18.80 is Google, 195.175.255.66 Turkish Telecom. So, no, Google
Public DNS is not proxied but replaced by an impostor which is a full
recursor.
There is no other easy way to be sure we talk to the real Google Public DNS or not: Google's servers, unfortunately, do not support the NSID identification system and, anyway, even if they did, it is easy to forge. The only real solution to be sure is the resolver you use, is cryptography. OpenDNS implements DNScrypt but Google DNS has nothing.
Of course, DNSSEC would solve the problem, if and only if validation were done on the user's local machine, something that most users don't do today.
About censoring with DNS, I recommend the comprehensive report of AFNIC Scientific Council. Thanks to Sedat Kapanoğlu for his measurements. Some other articles on this issue:
- My talk at the RIPE meeting in Warsaw in may: the slides (also hosted at RIPE), and the video (Flash unfortunately required),
- At BGPmon,
- At Google,
- At Renesys,
- At RIPE Labs (with a new proof of the hijacking, based on the latency),
- At the Internet Society, with an emphasis on the possible solutions (I disagree with the emphasis they put on BGP security since this hijacking was not done with BGP).
On the political side, see the good statement by Internet Society (the previous one was technical).
Version PDF de cette page (mais vous pouvez aussi imprimer depuis votre navigateur, il y a une feuille de style prévue pour cela)
Source XML de cette page (cette page est distribuée sous les termes de la licence GFDL)