Chinese Root Server Shut Down After DNS Problem

timothy posted more than 4 years ago | from the need-a-new-source-of-ginseng dept.

Censorship 91

itwbennett writes "After a networking error first reported on Wednesday last week caused computers in Chile and the US to come under the control of a system that censors the Internet in China, the 'root DNS server associated with the networking problems has been disconnected from the Internet,' writes Robert McMillan. The server's operator, Netnod, has 'withdrawn route announcements' made by the server, according to company CEO Kurt Lindqvist."

91 comments

The great firewall of China (1)

FishTankX (1539069) | more than 4 years ago | (#31646318)

For a moment, it stretched around the world. Or, at least to the Americas.

Re:The great firewall of China (0)

Anonymous Coward | more than 4 years ago | (#31649134)

Our firewall is so big everything is behind it!111!!!!LOLZORS!!1!!
We are L33T!!!!

Even more reason (1)

Finallyjoined!!! (1158431) | more than 4 years ago | (#31646320)

To fully implement dnssec.

Re:Even more reason (1)

rvw (755107) | more than 4 years ago | (#31646444)

Can somebody explain what this all means? What does this root server do, who depends on this, what is the effect of disconnecting it, how will the rest of the world be affected by this?

Re:Even more reason (1)

erroneus (253617) | more than 4 years ago | (#31646490)

I would. But I just finished watching an old Mitch Hedberg special. Now, everything I read, is in, the voice, of, Mitch Hedberg. Damn. Him.

Re:Even more reason (1)

wrencherd (865833) | more than 4 years ago | (#31647488)

I think if you concentrate very hard you could easily substitute Roy Mallard, for higher entertainment value.

Re:Even more reason (0)

Anonymous Coward | more than 4 years ago | (#31646670)

Disconnecting it will have no impact really (maybe slightly higher latency to people in China, but still).

There are an awful lot of root servers hiding behind the 12 official hosts.

What is interesting is that the Chinese system provides the filtering by redirecting DNS through its own systems, so DNSSEC would definitely help here as it would mean they couldn't 'inject' the responses that redirected you to their servers.

As it stands, injecting their own chain of DNS servers means they control the name resolution (and can therefore make sites simply cease to exist) but can also perform a man in the middle attack and put a proxy in the way of all communications - thereby allowing them to filter individual search queries and urls in addition to entire sites.

What concerns me is that the connectivity between the server in question and the rest of the Internet was subject to this filtering, surely the ISP hosting the server should make sure that there's no way ANYONE can interfere, government or not?

Re:Even more reason (0, Troll)

djdevon3 (947872) | more than 4 years ago | (#31647694)

Seriously? RTFA. You don't know what a root DNS server does? Your posting privileges should be revoked. I'll give you the benefit of the doubt since most young people don't know how the original internet was hosted. There are these boxes called servers see, and they do these routy switchy things, which is how god was created, then light, then the internet, then porn, in that order.

Re:Even more reason (1)

DeadChobi (740395) | more than 4 years ago | (#31647882)

I have a lower UID than you and I don't know what a root DNS server does. I do probably know way more physics, mathematics, and philosophy than you so can it. Especially if you're not going to explain.

Re:Even more reason (0)

dgatwood (11270) | more than 4 years ago | (#31648176)

Simply put, a root DNS server serves one or more root zones such as .com, .org, .cn, etc.

DNS is hierarchical. When you look up a hostname such as "www.google.com", your computer goes to a DNS server. If it happens to know the IP number for that hostname, it returns it. Otherwise, it asks a root server.

The root server, in turn, looks for "google.com" in a giant file (well, I think it's actually a database now) called a root zone and figures out which servers know how to return IP information for that domain. It then returns something along the lines of "ask ns1.google.com". Next, your local DNS server (the one your computer asked) recursively asks ns1.google.com for the IP number of "www.google.com". The ns1.google.com server could theoretically tell you to "ask ns1.www.google.com", but usually it will simply respond with an IP number.

Re:Even more reason (4, Informative)

PhrstBrn (751463) | more than 4 years ago | (#31648338)

One small correction:

When you ask the root servers (such as a.root-servers.net) for "what is IP for www.google.com", it will respond "go ask a.gtld-servers.net". (each domain has a different server, for instance www.google.co.uk will send you to ns1.nic.uk). Asking a.gtld-servers.net will respond "go ask ns1.google.com", which will then respond with the IP of the domain, which is your answer. The chain could go further if you had "some.very.long.string.of.dots.google.com" and if each one of those nested subdomains were delegated to another DNS server (and were not contained in the zone file for "google.com").

If the answer is already cached by the DNS server and it is still within the TTL, it will just respond with the IP.

This is how a DNS caching resolver does it; your workstation is going to be configured with one of these caching resolvers. When you ask a caching resolver, it will do all these things in the background on these servers, and just return the client the final answer.
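The lookup chain and TTL cache described in the comment above, as an added example that is not part of the original thread. The zone contents, TTLs and addresses are constructed (documentation ranges), and the `in_transit` hook is a hypothetical stand-in for a reply altered on the network path.

```python
# Added illustration, not code from the thread. Zone contents, TTLs and the
# 192.0.2.x / 198.51.100.x addresses are constructed (documentation ranges).
SERVERS = {
    "a.root-servers.net": {
        "com.": ("NS", "a.gtld-servers.net", 172800),
        "uk.": ("NS", "ns1.nic.uk", 172800),
    },
    "a.gtld-servers.net": {"google.com.": ("NS", "ns1.google.com", 172800)},
    "ns1.nic.uk": {"google.co.uk.": ("NS", "ns1.google.com", 172800)},
    "ns1.google.com": {
        "www.google.com.": ("A", "192.0.2.10", 300),
        "www.google.co.uk.": ("A", "192.0.2.20", 300),
    },
}


def ask(server, qname):
    """One non-recursive query: the server returns its closest match for
    qname, either a referral (NS) or the final address (A)."""
    zone = SERVERS[server]
    labels = qname.split(".")        # "www.google.com." -> www, google, com, ""
    for i in range(len(labels) - 1):
        owner = ".".join(labels[i:])
        if owner in zone:
            return zone[owner]       # (kind, value, ttl)
    raise LookupError(f"{server} has no data for {qname}")


class CachingResolver:
    """The resolver a workstation points at: walks the chain, caches the answer."""

    def __init__(self, root="a.root-servers.net"):
        self.root = root
        self.cache = {}              # qname -> (address, expiry time)
        self.trace = []              # every upstream server contacted

    def resolve(self, qname, now, in_transit=None):
        """Return the address for qname at time `now` (seconds).

        in_transit is a hypothetical hook modelling a reply that was altered
        on the path between the server and this resolver."""
        cached = self.cache.get(qname)
        if cached and now < cached[1]:
            return cached[0]         # still within TTL: no upstream traffic
        server = self.root
        for _ in range(8):           # bound the referral chain
            self.trace.append(server)
            kind, value, ttl = ask(server, qname)
            if in_transit:
                kind, value, ttl = in_transit(server, kind, value, ttl)
            if kind == "A":
                self.cache[qname] = (value, now + ttl)
                return value
            server = value           # referral: ask the named server next
        raise LookupError(f"referral chain too long for {qname}")


def demo():
    r = CachingResolver()
    first = r.resolve("www.google.com.", now=0)
    chain = list(r.trace)
    r.resolve("www.google.com.", now=100)          # cache hit
    cached_queries = len(r.trace) - len(chain)
    r.resolve("www.google.co.uk.", now=100)
    uk_chain = r.trace[len(chain):]

    # A reply rewritten on the path is cached like any other and keeps being
    # served from cache until its TTL runs out, even once the path is clean.
    def altered(server, kind, value, ttl):
        if server == "a.root-servers.net":
            return ("A", "198.51.100.66", 86400)
        return (kind, value, ttl)

    victim = CachingResolver()
    bad = victim.resolve("www.google.com.", now=0, in_transit=altered)
    still_bad = victim.resolve("www.google.com.", now=3600)    # path now clean
    recovered = victim.resolve("www.google.com.", now=86400)   # TTL expired
    return first, chain, cached_queries, uk_chain, bad, still_bad, recovered
```

The last three values show why withdrawing the affected node does not clear resolvers at once: the altered answer stays in cache for its full TTL.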

Re:Even more reason (1)

dgatwood (11270) | more than 4 years ago | (#31653056)

Right. Sorry, forgot that they stopped serving COM. That only changed a few years ago.

*does Google search*

Yikes. Ten years ago. I'm suddenly feeling very old. :-D

Re:Even more reason (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31648392)

mod parent down for a very poor description of how DNS works.

The root servers haven't served ".com", etc for years. These days they only serve "." - the root zone.

Re:Even more reason (1)

gbutler69 (910166) | more than 4 years ago | (#31649262)

Next, your local DNS server (the one your computer asked) recursively asks ns1.google.com for the IP number of "www.google.com".

Please don't misuse "recursively" like this. It makes the rest of your otherwise intelligent post sound stupid. I think you meant "iteratively" rather than "recursively". A recursive DNS query goes like this: 1) You ask your local DNS, 2) Your local DNS asks another root (or possibly non-root) DNS, 3) the other DNS asks another 4) the "another" asks "another" 5) Finally, somewhere in the chain, it returns an answer "recursively" through the chain of requests from DNS server to another to you. Normally, DNS lookup works the way you describe, "iteratively". The "recursive" way is special and requires a DNS server to be configured for "recursive resolution".

Re:Even more reason (1)

dgatwood (11270) | more than 4 years ago | (#31653032)

The request your DNS server sends to "ns1.google.com" may be iterative relative to the request to the root server, but it is still recursive relative to the original request. Thus, my original statement was completely correct. You just misread it.

Re:Even more reason (1)

dgatwood (11270) | more than 4 years ago | (#31653118)

Also, maybe in some mega ISPs or some insanely complex intranet environment, you might have a DNS server that queries something other than the root server, but I suspect you could count all such installations worldwide on one hand if you used base 2. In practice, the only servers that support recursion are client-facing servers at ISPs.

And the root servers never recurse. They didn't even recurse back in the mid 1990s when I was first learning this stuff. As best I could determine, the last root server had its recursion turned off way back in 1995, five years before they moved COM to the GTLD fleet, which AFAIK have never supported recursion.

Re:Even more reason (1)

gbutler69 (910166) | more than 4 years ago | (#31712760)

I never said the root server did answer recursive queries. I just defined what it would be like if they did.

Re:Even more reason (1)

Finallyjoined!!! (1158431) | more than 4 years ago | (#31649422)

I have a higher UID than you, though I do know what a root DNS server is. I also bet that I was using a computer before your Father kissed your Mother for the first time. I also probably know way more physics & maths than you. Philosophy is for girls, so you win on that one.

Yes, the OP should have RTFA, but your point is what, precisely?

Re:Even more reason (0)

Anonymous Coward | more than 4 years ago | (#31650250)

"I'm beginning to feel the caress of time and need to assert my dominance in intellectual matters to resist the notion I underachieved or misspent the years of my life."

Re:Even more reason (1)

evilviper (135110) | more than 4 years ago | (#31650106)

I don't know what a root DNS server does. I do probably know way more physics, mathematics, and philosophy than you

That would be wonderful if you were on a "Philosophy news" website... /. is (or at least used-to-be) fairly tolerant of noobs with gaps in their knowledge, but if you don't have a decent background in tech, I don't see why you're here.

Re:Even more reason (0)

Anonymous Coward | more than 4 years ago | (#31650310)

so we've come to this, 6 digits id bragging about their lowness

sigh. can you please return to digg where you belong?

Maths (0)

Anonymous Coward | more than 4 years ago | (#31652410)

Why is this surprising? There are more 6 digit UIDs than 5-,4-,3-,2-,and 1-digit UIDs combined.

The gap between their UIDs is the same as CmdrTaco telling user #200000 how 1337 he is. You only see a difference between the two situations because you fail at maths.

Re:Even more reason (1)

budgenator (254554) | more than 4 years ago | (#31650354)

A root server serves the DNS queries for a global domain such as .com. How it works is when your computer asks for the addresses for slashdot.org, your ISP probably knows the address because someone else has asked; if not, your ISP asks the next higher level, which is more likely to know because it answers more queries. Eventually it gets to the root server if the intermediate steps fail. As the answering server gets farther up, the longer it takes for you to get the answer. Each query answered has a TTL, time to live, to it so an answer might be good for 24 hours. When a root server is borked, it means that even when they fix it or use a different root server it can take hours or days for all the bad answers to clear out of the DNS system.

Google Fights Back (4, Funny)

JackieBrown (987087) | more than 4 years ago | (#31646332)

It had to happen sooner or later...

Re:Google Fights Back (1)

SpzToid (869795) | more than 4 years ago | (#31646500)

So... "like a great many voices cried out in terror before being suddenly silenced."

But who is Alderaan here, exactly? Isn't China supposed to be The Empire, that just wants its Order? I thought GOOG was the eViL global empire awhile ago but now the rebels control the Death Star? This is all so very confusing.

Re:Google Fights Back (0)

Anonymous Coward | more than 4 years ago | (#31647002)

I think Google is the Ewoks - they act fierce and all, but their fighting is mostly ineffective and proves mainly a distraction. China, of course, is run by the Sith lord who doesn't want to export rare earths, but loves to export lead and melamine. The rebel alliance hasn't really formed up yet as they can't seem to find information on the muster point due to some force blocking their internet connections. The Falun Gong (Jedi knights) haven't been able to find out who the Sith lord is because even Google.hk won't seem to admit that there is such a person. Alderaan was awhile back - see Tiananmen Square (if you aren't in China).

Re:Google Fights Back (1)

NotBornYesterday (1093817) | more than 4 years ago | (#31647140)

"doesn't want to export rare earths, but loves to export lead and melamine"

Maybe it's time to try some reverse psychology. If we can somehow convince them that we need lead and melamine for our latest high-tech products, but would prefer they keep all that awful neodymium to themselves, I'm sure we can fix the imbalance.

Re:Google Fights Back (1)

genner (694963) | more than 4 years ago | (#31650262)

So... "like a great many voices cried out in terror before being suddenly silenced."

But who is Alderaan here, exactly? Isn't China supposed to be The Empire, that just wants its Order? I thought GOOG was the eViL global empire awhile ago but now the rebels control the Death Star? This is all so very confusing.

It's confusing because you didn't make a car analogy.

Re:Google Fights Back (1)

SpzToid (869795) | more than 4 years ago | (#31650330)

Where is BadAnalogyGuy [slashdot.org] when you really need him?

Re:Google Fights Back (0)

Anonymous Coward | more than 4 years ago | (#31646534)

All they did was to direct every search for "Scarlett Johansson nude" to the Chinese servers.

route announcements? (1)

bl8n8r (649187) | more than 4 years ago | (#31646362)

So... the Chinese DNS server was using BGP? Sorry, not much of a BIND geek. Is this a reference to the Anycast protocol?

Re:route announcements? (1)

cjcela (1539859) | more than 4 years ago | (#31646492)

From www.bgp4.as [bgp4.as] : The Border Gateway Protocol (BGP) is the routing protocol used to exchange routing information across the Internet. It makes it possible for ISPs to connect to each other and for end-users to connect to more than one ISP. BGP is the only protocol that is designed to deal with a network of the Internet's size, and the only protocol that can deal well with having multiple connections to unrelated routing domains.

Re:route announcements? (5, Informative)

pv2b (231846) | more than 4 years ago | (#31646906)

Here's a graph of the network structure as seen by BGP. [robtex.com]

AS29216 at the right is the AS which I.ROOT-SERVERS.NET is located in. As we can see, it is only reachable through AS8674 (NETNOD-IX).

Which in turn is reachable directly from a few different AS:es, including AS24151 (CNNIC-CRITICAL-AP).

My guess is that Netnod simply started filtering out the routes to AS29216 via AS8674 on the BGP session to AS24151.

The DNS server itself might have been using BGP, it might not have. But in the end every system on the Internet is reachable with some kind of BGP route somewhere.

Re:route announcements? (0)

Anonymous Coward | more than 4 years ago | (#31659090)

But in the end every system on the Internet is reachable with some kind of BGP route somewhere.

Hooray for trivializing complex things!

I'm wagering you've recently learned about BGP and might even work with it on some paltry level. As a traffic engineer at a major carrier, I am always amused by how quick people are to say BGP in a discussion to make themselves look smarter than they are.

Re:route announcements? (0)

Anonymous Coward | more than 4 years ago | (#31646926)

Please turn in your nerd card at the gate. Myspace or Friendster is more your mark.

Chinese tweets (1)

vrmlguy (120854) | more than 4 years ago | (#31646380)

The article includes a sample of Twitter tweets, all in Chinese. Unfortunately, just entering the Twitter search URL into Google translator doesn't seem to work, as the "Realtime results for Netnod" (http://twitter.com/search?q=Netnod [twitter.com] ) are apparently served via JSON or something. Anyone got any ideas?

Re:Chinese tweets (1)

lobsterturd (620980) | more than 4 years ago | (#31646406)

They're in Japanese, and all they're really saying is a summary of the article.

Re:Chinese tweets (1)

bipbop (1144919) | more than 4 years ago | (#31646918)

As of this moment, the Japanese tweets are after the "More" link, and all the tweets on the first page of results are Chinese.

Re:Chinese tweets (0)

Anonymous Coward | more than 4 years ago | (#31646486)

The article includes a sample of Twitter tweets, all in Chinese. Unfortunately, just entering the Twitter search URL into Google translator doesn't seem to work, as the "Realtime results for Netnod" (http://twitter.com/search?q=Netnod [twitter.com] ) are apparently served via JSON or something. Anyone got any ideas?

It's called select, copy, and paste.

And you go to Slashdot for news?

Re:Chinese tweets (0)

Anonymous Coward | more than 4 years ago | (#31646524)

It's called select, copy, and paste.

And you go to Slashdot for news?

My browser is showing that he posted at 7:12 am. He probably hasn't had his coffee yet.

BRB. Need . . . caffeine . . . sustenance . . .

Heads should roll (1, Insightful)

bguiz (1627491) | more than 4 years ago | (#31646398)

Who knows, in the few days that the Great Firewall of China crossed the Pacific, the kind of damage that could have been done, or perhaps even already been done?

This should never have been allowed to happen in the first place, and when it had, it shouldn't have been allowed to persist for a few days before being made public and taking action.

Re:Heads should roll (0)

Anonymous Coward | more than 4 years ago | (#31646446)

What kind of damage, exactly...?

Re:Heads should roll (1)

mysticalreaper (93971) | more than 4 years ago | (#31647420)

Lookups for things like 'www.facebook.com' were returning false answers. Youtube.com and others were affected too.

So if you got the bad answer from DNS (because you happened to query the Beijing root server), some of your favourite websites would be unreachable.

Re:Heads should roll (1)

budgenator (254554) | more than 4 years ago | (#31650450)

Dude, if you're that addicted, just hand edit your Hosts file for slashdot, Youtube and facebook or roll your own bind server.

Re:Heads should roll (0)

Anonymous Coward | more than 4 years ago | (#31654614)

Ok. I get that. My question was about damage. Inconvenience, yadda yadda, sure. But what damage was there?

Re:Heads should roll (0)

Anonymous Coward | more than 4 years ago | (#31646506)

Chillax, it's a firewall, not a deathray.

Re:Heads should roll (1, Funny)

Anonymous Coward | more than 4 years ago | (#31646558)

Chillax, it's a firewall, not a deathray.

But it would be COOL if it were a death ray.

Re:Heads should roll (0)

Anonymous Coward | more than 4 years ago | (#31646850)

If you can inspect the packets, you can change the packets.

Re:Heads should roll (3, Insightful)

mysticalreaper (93971) | more than 4 years ago | (#31647468)

This should never have been allowed to happen in the first place, and when it had, it shouldn't have been allowed to persist for a few days before being made public and taking action.

Well, I think this is unreasonably harsh. No one had ever seen the great firewall of China affect DNS traffic like this in the past. So no one (not even you) was suggesting that when they set up a root DNS server in Beijing, that it would effectively send out false answers.

Now, anyone who controls a part of the network you rely on can launch a man-in-the-middle attack, which is what happened here. So to suggest that this should never have been allowed to happen, you would have to be using strong cryptography in some way. DNS has never had that mechanism--but it will soon, 'cause DNSSEC is coming along. The root servers are deploying it right now, and so are the other Top-level-domains.

Also, as soon as the I-root server operators realized this problem was occurring, and was outside of their control, they disabled the server. Why do you think that they sat on this problem for a few days, doing nothing about it?

Re:Heads should roll (1)

jafiwam (310805) | more than 4 years ago | (#31647598)

The Chinese should simply be cut off from the internet.

Anchor-drag their shit and pull up a couple hundred miles of fiber.

Then keep doing it as they repair stuff.

"Most favored" seems to be ineffective nowadays as far as holding their crap back. Maybe it's time to cut them off at their short little knees economically before their expansionist military catches up with their ability to make lead-laden rubber dog crap.

Re:Heads should roll (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31648178)

I really don't understand where this china-hate is coming from. What did they ever do to you? Let's cut 1.3 billion people off the internet because someone IN ANOTHER COUNTRY WHO IS NOT CHINESE misconfigured a server. Yeah that makes total sense.

You're a fucking retard.

Re:Heads should roll (1)

Pteraspidomorphi (1651293) | more than 4 years ago | (#31648624)

I think his point is that if China did not modify the responses in first place, this kind of problem would have had absolutely no negative consequences for users until being fixed (since all the servers should return consistent data). I don't hate China myself, but it isn't incorrect to resent those who are intentionally breaking the DNS rather than those who simply made a mistake (or ill-advised decision).

Re:Heads should roll (1)

jon3k (691256) | more than 4 years ago | (#31650868)

I know it's easy to have the "nuke them from space" policy but honestly the Chinese government is just so fucked up they don't have the appropriate law enforcement or policies to police it. Then you've also probably got some level of government that's involved in a lot of the nasty shit going on. Yes, I realize most spam comes from the US. I don't know about you but the several thousand failed login attempts I see a day aren't coming from ARIN address space. It's all APNIC address space. And it's Chinese, specifically, on every single attempt. Now either the Chinese are totally incompetent at managing hackers living there, they turn a blind eye, or it's flat out state sponsored -- but it's largely irrelevant because none of those are acceptable.

Half of me would rather be wrong than naive, just cut them off and say "screw you" but the other half of me considers the probably billion or so Chinese people that use the Internet legitimately just like you and me.

So really, I'm on the fence.

Re:Heads should roll (0)

Anonymous Coward | more than 4 years ago | (#31654682)

I don't know about you but the several thousand failed login attempts I see a day aren't coming from ARIN address space. It's all APNIC address space. And it's Chinese, specifically, on every single attempt

Ya, I noticed a Chinese hacker try to break into my system the other day. I knew he was Chinese because his IP address had almond-shaped eyes and a yellowish hue to its skin, and the packets all had a big red star logo on them, not to mention that all of the "l's" had been replaced by "r's".

Now either the Chinese are totally incompetent at managing hackers living there, they turn a blind eye, or it's flat out state sponsored -- but it's largely irrelevant because none of those are acceptable.

Because everybody knows that if an IP says it comes from a country, that there is no way to spoof it, ever. And that the only person who could possibly be using such an IP HAS to be a citizen of that country, and there is NO possibility at all that the traffic might just be relayed through that box. No, obviously IP's never lie and are never used to hide traffic. Proxy servers, jumpboxes, and compromised PC's don't exist, it's all just a myth perpetuated by those dirty commies!!

Re:Heads should roll (0)

Anonymous Coward | more than 4 years ago | (#31665802)

It's Microsoft's fault to be honest.

A few hundred million Windows computers in China, pretty much all running in various botnets as infection rates here are in the 40-50% for offices, 90% for homes.
(Figures off top of my head from experience as IT vendor here)

90% run pirated software. If only Microsoft didn't turn a blind eye to IP infringement, so it could get market share, then they'd all be running Linux or Mac for the most part.

I say, we put Bill Gates in jail instead for allowing all that to happen.

Re:Heads should roll (0)

Anonymous Coward | more than 4 years ago | (#31647914)

Did you read the mail group thread? This is an ongoing DNS problem since 2002.

Re:Heads should roll (1)

Plekto (1018050) | more than 4 years ago | (#31648382)

A better solution would be to just block that root server. If China doesn't want to play along nicely, well, they can turn into their own mega-LAN all they want.

In fact, I'd do one better: take ALL of their internet access outside of China offline for them - just flat out cut the connection so that their entire country is in the dark. No news, no information, no business, no nothing. Not even their government and military has any information (aside from maybe a modem or two or satellite news feeds I guess)

I'd give them about two months before the people in power weren't any more.

Re:Heads should roll (0)

Anonymous Coward | more than 4 years ago | (#31649716)

You're Ignored!

Calling it now (0)

Anonymous Coward | more than 4 years ago | (#31646408)

WWIII will be a cyberwar stemming from the fallout of the seemingly rising tension between China and Other web-present nations.

Re:Calling it now (4, Funny)

TheDarAve (513675) | more than 4 years ago | (#31646458)

Instead of Germany annexing countries to start a world war, we have China firewalling them? That'd just be an odd way to start a war... "Ha ha! Now you must go through our internet filter!"

Re:Calling it now (1)

Bacon Bits (926911) | more than 4 years ago | (#31646642)

I should think a lot of people would be very upset by the lack of porn.

Re:Calling it now (0)

Anonymous Coward | more than 4 years ago | (#31647038)

You're prophecy is as profound as your

A lack of freedom Side Effect ... (0, Redundant)

viraltus (1102365) | more than 4 years ago | (#31646420)

That's why efforts and actions like Google's stand in front of Fascist China deserve big Kudos!

So I guess you could say... (5, Funny)

Anonymous Coward | more than 4 years ago | (#31646454)

They got to the "Root" of the problem.

[ducks]

Re:So I guess you could say... (2)

VanessaE (970834) | more than 4 years ago | (#31649920)

Yes, but they had to...ahem...route around for a solution.

tr07l (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31646466)

What happened? (2, Interesting)

jbb999 (758019) | more than 4 years ago | (#31646518)

All of the articles I've read about this seem to confuse DNS and BGP. My guess is that the IP of one of the root DNS servers was being "hijacked" by the Chinese by announcing a route to it and that route was being picked up externally so some people thinking they were using the real DNS root were being diverted to a Chinese root server giving out different IP addresses for lookups on these domains. Does that make sense?

Re:What happened? (1, Informative)

Anonymous Coward | more than 4 years ago | (#31646638)

No, my understanding is that BGP is used to advertise the IP of the server - they removed the route advertisement to shut the server off from the Internet but BGP wasn't actually causing the problem or compromised.

It sounds like traffic OUT of the server was being modified in some way, I would doubt the data stored on the server had been modified as that probably flows over a secure connection but actual responses are public communications and the Chinese systems are likely filtering/modifying those so that when you try to visit twitter (or somesuch) it redirects you to a "sorry this page does not exist" site.

Re:What happened? (1)

Stephen Samuel (106962) | more than 4 years ago | (#31647292)

Something like that .. Netnod apparently claims that the data on their server is accurate, so either China was hijacking the connection generally, or they were filtering the results being returned. This wasn't a problem until the server (and its hacked data stream) started being accessed by machines outside of China due to a (silly but otherwise benign) routing change.

Re:What happened? (5, Informative)

mysticalreaper (93971) | more than 4 years ago | (#31647522)

Your suggestion makes sense, but that's not what happened.

Something like this

I.root-servers.net (beijing) -> chinese networks -> Chile networks

So, the real I root server sent correct answers to the querying computer in Chile. But, as the DNS packet travelled across the Chinese network, it was modified, and so the packet received by the Chilean network was false, returning a fake IP address for some domains, like 'facebook.com'.

This is called a 'man-in-the-middle attack'. The Chinese network, in the middle, is modifying packets.

Once the I root server operators realized this was happening, they stopped the BGP route announcement from the I root server node in Beijing, so that queries to i.root-servers.net would not be answered in Beijing, but instead by the other i-root nodes. There are 34 currently, so no problems with load would occur shutting off one node.

Hopefully that makes sense.

P.S. www.root-servers.org [root-servers.org]
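One way to spot the kind of altered reply described in the comment above, as an added example that is not part of the original thread: a root server only hands out referrals for names below a TLD, so a reply from a root address that carries an address record for such a name did not come from the root unmodified. The sample messages, the documentation address and the heuristic in `check_root_reply` are constructed for this illustration.

```python
import ipaddress
import struct

TYPE_A, TYPE_NS = 1, 2


def encode_name(name):
    """Encode a domain name as uncompressed DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_reply(qname, answers=(), authority=()):
    """Build a constructed sample reply: answers (name, ipv4), authority (zone, ns)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for name, ip in answers:
        msg += encode_name(name) + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
        msg += ipaddress.IPv4Address(ip).packed
    for zone, ns in authority:
        rdata = encode_name(ns)
        msg += encode_name(zone) + struct.pack("!HHIH", TYPE_NS, 1, 172800, len(rdata))
        msg += rdata
    return msg


def read_name(msg, pos):
    """Decode the name at pos, following compression pointers; return (name, next_pos)."""
    labels, after, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                # 2-byte compression pointer
            if after is None:
                after = pos + 2
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels) + ".", (pos if after is None else after)


def parse_reply(msg):
    """Return (question name, answer records, authority records)."""
    _id, _flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, qname = 12, None
    for _ in range(qd):
        qname, pos = read_name(msg, pos)
        pos += 4                                 # skip QTYPE and QCLASS
    sections = []
    for count in (an, ns):
        records = []
        for _ in range(count):
            owner, pos = read_name(msg, pos)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            if rtype == TYPE_A and rdlen == 4:
                value = str(ipaddress.IPv4Address(msg[pos:pos + 4]))
            elif rtype == TYPE_NS:
                value, _ = read_name(msg, pos)
            else:
                value = msg[pos:pos + rdlen].hex()
            pos += rdlen
            records.append((owner, rtype, value))
        sections.append(records)
    return qname, sections[0], sections[1]


def check_root_reply(msg):
    """Findings for a reply that arrived from a root-server address.

    Heuristic (an assumption of this example): for a name below a TLD the root
    only delegates, so the answer section must be empty and the authority
    section must name the TLD's servers."""
    qname, answers, authority = parse_reply(msg)
    findings = []
    if qname.count(".") >= 2 and not qname.endswith(".root-servers.net."):
        for owner, _rtype, value in answers:
            findings.append(f"unexpected answer from root: {owner} -> {value}")
        tld = qname.split(".")[-2] + "."
        if not any(t == TYPE_NS and o == tld for o, t, _ in authority):
            findings.append(f"no delegation for {tld} in authority section")
    return findings


# Constructed samples: a referral as a root server sends it, and a reply to
# the same question carrying an address record instead.
REFERRAL = build_reply("www.facebook.com", authority=[("com", "a.gtld-servers.net")])
ALTERED = build_reply("www.facebook.com", answers=[("www.facebook.com", "203.0.113.7")])
```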

Re:What happened? (1)

LifesABeach (234436) | more than 4 years ago | (#31647834)

What amazes me about Chinese censorship is that rather than show that the opposite is true, the Chinese government causes those that disagree to not be heard; so much for those in command whose culture values wisdom and patience. It's like watching Sarah Palin [youtube.com] read her notes on her hand on topics that my 14 year old daughter could debate either Pro or Con while trying desperately not to look too bored.

Re:What happened? (1)

radtea (464814) | more than 4 years ago | (#31649352)

so much for those in command whose culture values wisdom and patience.

Chinese culture values wisdom and patience the way Canadian culture values lacrosse. If you didn't know anything about what Canadians actually do, but just read the official literature, you'd think lacrosse was a big deal. It's our national sport! Officially.

If instead you behaved like a scientist, and looked at the empirical reality of what we do, you'd find this other game called hockey... And then there's this "curling" stuff...

If you look at actual Chinese history, including recent history, you'll find a culture that values violence, genocide, class hatred, race hatred, torture, imperialism and oppression on a scale that puts it well up with the historical realities of the United States, England and Spain. The difference is that while those other countries have somewhat toned down their bad behaviour in the past fifty years, China is ramping up.

Australia impacted too, not just Chile (0)

Anonymous Coward | more than 4 years ago | (#31646742)

Check out Optus resolving for twitter and facebook as far back as March 11th

Re:Australia impacted too, not just Chile (2, Informative)

fremean (1189177) | more than 4 years ago | (#31646948)

Actually, that does explain a lot of things - all through March I was having issues with Twitter on my Virgin connection yet I could ssh home to my Internode connection and twidge to my heart's content... I complained but they couldn't see a problem (they probably weren't using their own DNS servers)

Re:Australia impacted too, not just Chile (1)

datapharmer (1099455) | more than 4 years ago | (#31647148)

Why didn't you just change your dns servers? You can set priority to strict you know.

Thailand affected, too (1)

Daengbo (523424) | more than 4 years ago | (#31647308)

My Internet connection in Thailand has had hundreds of 404s for well known sites this week. Waiting a few minutes or forcing a refresh seems to work 70% of the time.

Denial of DNS service for evil Chinese? (0)

dragisha (788) | more than 4 years ago | (#31646802)

I remember reading on slashdot how problem was not in Chinese root server, but in ISP's who misconfigured...

Now I read about that root server being shut down.

Next posting will be some YRO but of course not about right of biggest Internet nation in the world to operate its own DNS root server.

Someone, during all this mess, decided - everyone can have some rights, except China.

And slashdot is in concert with that someone.

But, it's nothing new, of course. History repeats. Amplitude varies, period is shorter.

Next week: Commizon's of the world are experiencing unexpected problems on fiber routes to China, all seventeen of them.

Re:Denial of DNS service for evil Chinese? (1)

Daengbo (523424) | more than 4 years ago | (#31647318)

It's the Chinese citizens who apparently don't have any rights. The government is doing whatever it wants.

From Thailand (also censored, though not as badly).

productivity went up! (0)

Anonymous Coward | more than 4 years ago | (#31647104)

for that brief period when the great FW stretched to other places, people were not able to connect to facebook and twitter, and as a result, productivity went up! /s

Re:productivity went up! (1, Funny)

Anonymous Coward | more than 4 years ago | (#31647618)

If you measure productivity in F5 presses, yes.

I blame American ISP's (3, Insightful)

ironicsky (569792) | more than 4 years ago | (#31647108)

I blame American and Chile ISP's.
Why on earth would you query the root server on the other side of the world, especially in an ass backwards country like China when there are plenty of good servers here?
Shouldn't you query the closest available server, not the furthest?

Re:I blame American ISP's (3, Insightful)

mysticalreaper (93971) | more than 4 years ago | (#31647614)

Basically, your ideas are right. The idea is to query the closest server, for best performance. DNS data is very small, so there's not much financial concern about transmitting data across the world (which happens all the time on the internet).

Anyway, the logical routing of the internet doesn't always match the physical world. This is routine, and not a problem until DNS traffic crosses the great firewall of China, and is modified, which is what happened here.

Since this, route announcements have changed, and the Beijing server is not being queried.

But you are also correct about ISPs. ISPs can control (if they are good) which root servers are going to be queried from their network.

My overall point is that everything was operating routinely and correctly, until a new kind of DNS problem, not observed in the wild ever before, started happening. It's hard to expect the ISPs to prevent a problem they never knew would occur.

Re:I blame American ISP's (0)

Anonymous Coward | more than 4 years ago | (#31649666)

The default "root-cache" file (which basically everyone uses) gives your nameserver a list of ALL of the root servers.

In fact, you can't even really pick which ones to use because there are only 11 IPs -- in order to scale the number of servers without making the root-cache huge (and forcing every nameserver on the internet to keep it up-to-date) BGP anycast is used. So you end up seeing the 11 servers who are "close" to you in BGP. This means that they travel through the fewest ASes (Autonomous Systems; basically different network providers). This doesn't mean that they're geographically close but hopefully having the fewest networks in between means they'll be reliable.

There's an interesting map at root-servers.org [root-servers.org]. Basically, the "rogue" nameserver in Beijing is only one of 34 machines known as i.root-servers.net (aka 192.36.148.17). Through the magic of BGP anycast there are 33 other machines throughout the world with that exact IP address. Again, when your American ISP queries that IP address it doesn't have direct control over which country gets to answer the request.
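Added example, not part of any comment in this thread: since a resolver cannot choose which anycast instance answers, one check it can make is on the reply itself. For an ordinary name below a TLD, a root server returns a referral (NS records in the authority section), so an address record in the answer section indicates a reply altered in transit. The function names and both sample replies below are constructed for illustration.

```python
import struct

A, NS, AAAA = 1, 2, 28  # DNS record type codes

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):  # offset just past the (possibly compressed) name at off
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:             # root label terminates the name
            return off + 1
        off += 1 + n

def classify_root_reply(msg):
    """Classify a reply to a query sent to a root server for a name below a TLD."""
    try:
        _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
        if not flags & 0x8000:          # QR bit clear: a query, not a reply
            return "other"
        off, types = 12, []
        for _ in range(qd):             # skip question: name + type + class
            off = skip_name(msg, off) + 4
        for _ in range(an + ns):        # walk answer, then authority records
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            types.append(rtype)
            off += 10 + rdlen
    except (IndexError, struct.error):  # truncated or malformed message
        return "other"
    if any(t in (A, AAAA) for t in types[:an]):
        return "unexpected-answer"      # a root should refer, not hand out addresses
    if flags & 0xF == 0 and an == 0 and ns and all(t == NS for t in types):
        return "referral"
    return "other"

# Constructed sample data below; records are (owner, type, rdata) tuples.
def make_reply(qname, answers, authority):
    msg = struct.pack("!6H", 0x1234, 0x8000, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", A, 1)
    for owner, rtype, rdata in answers + authority:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

REFERRAL = make_reply("www.example.com", [], [("com", NS, encode_name("a.gtld-servers.net"))])
FORGED = make_reply("www.example.com", [("www.example.com", A, bytes([192, 0, 2, 1]))], [])
```

`classify_root_reply(REFERRAL)` gives `"referral"` and `classify_root_reply(FORGED)` gives `"unexpected-answer"`; the check does not apply to names the root servers themselves serve.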

Re:I blame American ISP's (1)

russotto (537200) | more than 4 years ago | (#31650054)

Shouldn't you query the closest available server, not the furthest?

A host is a host/From coast to coast/And no one will talk to a host that's close/unless the host (that isn't close)/is busy, hung, or dead!
(From the .signature file of one David Lesher...)

Re:I blame American ISP's (1)

jon3k (691256) | more than 4 years ago | (#31650946)

I agree completely. It's very simple to go into your DNS server root hints file and remove DNS servers you don't want to query. Pick your favorites, specifically ones near you, using anycast ideally, delete the rest -- problem solved.

Bigger News (0)

Anonymous Coward | more than 4 years ago | (#31647218)

I know we're all concerned with China's web censorship (I certainly am; I live in China).
But the ChinaDaily is reporting that the Chinese are *controlling the weather!*
http://www.chinadaily.cn/china/2010-03/28/content_9652977.htm (Sorry, I don't know how to make links in this dialog).

Re:Bigger News (1)

jon3k (691256) | more than 4 years ago | (#31650954)

They are. Every modernized country does research in this area in anything from cloud seeding [wikipedia.org] to haarp [alaska.edu].

Can we? (0)

Anonymous Coward | more than 4 years ago | (#31648224)

Can we just disconnect China? 90% of the spam, malware and port scans against systems I support all seem to originate from China. I've already blocked quite a few IP ranges, but it's just not very effective.

Kurt Lindqvist is a dragon slayer! (0)

Anonymous Coward | more than 4 years ago | (#31648640)

um.... isn't kurt lindqvist the legendary dragon slayer in tom holt's comic fantasy books??

Netnod's comment (0)

klindqvist (753095) | more than 4 years ago | (#31654674)

All, as this topic has drawn quite some interest I would like to reiterate some of our other public comments. At Netnod/Autonomica we are completely dedicated to serving the IANA root zone as we receive it. We do not intercept, interfere, rewrite or otherwise alter either queries, responses or the content of the zone itself. The events that occurred are still being investigated and as soon as we deemed we had collected enough data we withdrew the announcements from one of our anycast nodes that serve i.root-servers.net. I can't guarantee that me or any of our staff monitors this thread, but we do try and communicate to the community as much as we can without adding further speculations.

Best regards,

- kurtis -

---
Kurt Erik Lindqvist, CEO
kurtis@netnod.se, Direct: +46-8-562 860 11, Switch: +46-8-562 860 00
Please note our new address: Franzéngatan 5 | SE-112 51 Stockholm | Sweden