February 27, 2004 - DIT warns about "Verisign's Proposed Deployment of Root DNS Server Will Expand China's Nationwide DNS Hijacking Capability"
WASHINGTON, DC, February 27, 2004 - Dynamic Internet Technology, Inc. (DIT) warned that China will be able to expand its current capability of nationwide DNS hijacking. This warning was issued after VeriSign, Inc. announced it will deploy the proposed "new global Domain Name Service (DNS) Internet constellation site" later in 2004.
China has been hijacking blacklisted domains and returning bogus IP addresses all over China since October 2002. (http://www.dit-inc.us/report/hj.htm) This new root DNS server in China will enhance the performance and extend the capability of China's DNS hijacking system. Moreover, countries close to China will become subject to China's DNS hijacking as well.
DIT has identified 29 blacklisted strings and a robust algorithm to verify the blacklist from anywhere outside of China. Any website whose domain name contains one of these strings in a certain way will be hijacked in China and become inaccessible. For example, www.3dweb.com will have trouble with DNS resolution in China since "dweb" is blacklisted.
This blacklist contains the following strings:
Group 1: dtnet, dtwang, dweb, qingzhou, dtw
Group 2: anonymizer.com, bignews.org, democracy.org.hk, epochtimes.com, rfa.org
Group 3: cjb.net, d2g.com, dns2go.com, dyndns.org, homeip.net, hopto.org, mine.nu, myip.org, no-ip.com, no-ip.org
This list can be separated into three categories:
Group 1: Strings of subdomains that host uncensored information or information leading to access of uncensored information. The first generation of DIT's DynaWeb uses various domains that contain dtw/dtnet/dwang/dweb, like http://dweb.blogspot.com/, and allows Chinese users to access any website freely. The string "qingzhou" is related to http://qingzhou.sytes.net/, a website that provides various uncensored information.
Group 2: Media organizations, human rights organizations and sites that will lead to access of uncensored information.
Group 3: Free domain name providers and various groups/individuals used to host uncensored information.
This short list in effect hijacked more than 2,400 domains. More detailed analysis will be published on www.dit-inc.us in early March.
"We urge VeriSign to evaluate the consequences. Either China should stop the DNS hijacking or the root server shouldn't be deployed in China," said Bill Dong, spokesman for Dynamic Internet Technology, Inc.
Media contact: email@example.com
VeriSign, Inc press release: http://www.verisign.com/corporate/news/2004/pr_20040219.html
1. China's human rights violation related to the Internet:
2. Quick demonstration of China's DNS hijacking
3. About Dynamic Internet Technology Inc. (DIT)
1. China's human rights violation related to the Internet:
According to the recently released annual "Country Reports on Human Rights Practices" by the U.S. Department of State's Bureau of Democracy, "During the year, the Government blocked many websites, increased regulations on Internet cafes, and pressured Internet companies to pledge to censor objectionable content. NGOs reported that 39 journalists were imprisoned at year's end and that 48 persons had been imprisoned by the Government for their Internet writing during China's brief history of Internet use." (http://www.state.gov/g/drl/rls/hrrpt/2003/27768.htm)
2. Quick demonstration of China's DNS hijacking from a computer outside of China
Instead of putting a blacklist of banned websites or domains on all the DNS servers in China, as one might first guess, the DNS hijacking system is deployed around China's national-level backbone routers. All Internet traffic that visits foreign websites will pass through some of those routers. Any DNS query from outside of China to any computer inside China will also pass through that network. When the traffic carries a DNS query for a blacklisted website or domain, a bogus answer will be generated by the DNS hijacking system. This system will make countries near China subject to China's DNS hijacking after deployment of the root DNS server.
To make an analogy, a DNS server is like an operator at a phone company. When one visits a website, the browser first needs to ask a DNS server for the IP address and then connects to that IP address, just as one asks an operator for a person's phone number. If the operator lies or gives a wrong number, one will not be able to call the person one wants to reach. So when a bogus IP address is received, users won't be able to visit the websites they want.
The DNS hijacking can easily be demonstrated like this:
You will get one of two bogus IP numbers: 10.1.1.1 or 18.104.22.168. (You may have to try a few times since the hijacking system does not work well right now. It will work better when China has the root DNS server. This test only works if you are NOT in China.)
Since www.163.com is a web server and does not have DNS service, it shouldn't answer your DNS query. The answer actually comes from the DNS hijacking system located around China's national-level backbone routers, and is out of the control of 163.com. The same thing is true for any IP/computer in China, including the proposed root DNS server.
Therefore, after the root DNS server is deployed in China, anybody who happens to pick this server to query epochtimes.com will get the hijacked result. This will happen mostly to countries around China. If China makes further modifications (hacks) to its network, this would affect even more countries.
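The reasoning above can be turned into a check on a captured DNS reply. The following is an added example, not part of the original release or DIT's own code: it parses a reply offline and reports the signs of an injected answer described in this section. The function names, the constructed sample replies and the private-address heuristic are assumptions made for illustration.

```python
import ipaddress
import struct

BOGUS_IPS = {"10.1.1.1", "18.104.22.168"}  # the two bogus answers named in the text

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name, txid):
    # Header (id, RD flag, one question), then QNAME, QTYPE=A, QCLASS=IN.
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!2H", 1, 1)

def constructed_response(query, ip):
    # Constructed sample reply: same id and question, one A record whose name points to offset 12.
    header = query[:2] + struct.pack("!5H", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:] + rr

def skip_name(msg, off):
    while msg[off] != 0:                 # walk labels until the root label
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def a_records(msg):
    qdcount, ancount = struct.unpack("!2H", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return ips

def injection_signs(reply, server_runs_dns):
    ips = a_records(reply)
    checks = [
        (bool(ips) and not server_runs_dns, "answer from a host that runs no DNS service"),
        (any(ip in BOGUS_IPS for ip in ips), "bogus address listed in the text"),
        # Added heuristic, not from the page: a public name should not map to private space.
        (any(ipaddress.ip_address(ip).is_private for ip in ips), "private address for a public name"),
    ]
    return [label for hit, label in checks if hit]
```

An injected reply copies the query's id and question, so those fields cannot distinguish it from a genuine answer; the signs checked here are the ones the text relies on.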
3. About Dynamic Internet Technology, Inc. (DIT)
DIT, Inc. has been monitoring the development of China's Internet censorship. DIT does research on how China actually implements the censorship, and develops technologies that can defeat the censorship and make DynaWeb immune to the censorship. DynaWeb is DIT's secure proxy network for Chinese users who want to access blocked websites. DIT plans to release a detailed and updated analysis of how China implements DNS hijacking in early March.