Chinese DNS Tampering a Real Threat To Outsiders

Soulskill posted more than 3 years ago | from the let's-hijack-their-hijack dept.

Government 181

Trailrunner7 writes "China has long used the Internet's Domain Name Service to censor Web sites and information that the ruling Communist Party deems threatening. But now security experts warn that the government's censorship is in danger of spilling over China's borders, suppressing the ability of those living outside of China to find information online. An estimated 57% of all networks on Earth passed DNS requests through a Chinese DNS rootserver at some point in 2010, according to data from security firm Renesys. Tampering by the Communist Party there poses a danger to Internet security and freedom. In fact, DNS tampering may be a bigger threat than techniques like BGP (Border Gateway Protocol) hijacking, which is believed to be responsible for an unexpected shift in Internet routing in April that has recently been the subject of mainstream media reports in the US. There is already evidence that China's efforts to tamper with DNS have bled outside the country's borders. The same report to Congress from the US-China Economic and Security Review Commission that called attention to the BGP hijacking incident from April, 2010 also mentions a March, 2010 incident in which Internet users in the US and Chile attempted to connect to social networking websites banned by the Chinese government. However, their DNS requests were handled by a Beijing-based Domain Name Server, which responded with incorrect DNS information that directed the surfers to incorrect servers, the report says."

So, which is worse? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34376742)

So, is it better to have China fucking around with the internet, or the US?

Quite frankly, I don't think either of them should be able to do it.

Fuck the both of them.

Re:So, which is worse? (0)

Anonymous Coward | more than 3 years ago | (#34377128)

So just leave it up to Comcast to fuck with your internet then? :)

Probably what you are actually saying is that you would like to see governmental regulation of internet, but only if it is non-nationalistic and enormously democratic. In other words, you want the Metagovernment [metagovernment.org]

Maybe a bit of chicken-and-egg there, though, since Metagovernment is internet-based government.

Re:So, which is worse? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34377254)

Probably what you are actually saying is that you would like to see governmental regulation of internet, but only if it is non-nationalistic and enormously democratic.

Don't be a fucking idiot ... I'm saying that both China and the US are asshats who should keep their fucking hands off the internet, because it doesn't fucking belong to them, and they're not the ones who get to call the shots. This sense of entitlement the US likes to spread around is getting fucking old.

I don't think any government should be "regulating" the internet.

Not all of us are Americans ... go fuck yourself, and go fuck your mother. Your country is already fucking you and everybody else.

Re:So, which is worse? (2, Funny)

MightyMartian (840721) | more than 3 years ago | (#34377636)

Comparing the US and China as far as the Internet goes kind of indicates who the asshat is here.

Re:So, which is worse? (0)

Anonymous Coward | more than 3 years ago | (#34377864)

Countries in different states of development may need to consider different solutions. Recently, looking back on the past 50 years, it has become quite commonplace for China's decision making to be praised in contrast to that of India, including even the low-points during Mao's time as it did lay a foundation for progress. From a traditional western perspective.. yes it's wrong, it's impossible, it's horrendous, it's a miracle.. and yet there it is. If you want to judge things in black and white and apply the same solutions to all situations, it is you who is the asshat.

Porn! (1)

toastar (573882) | more than 3 years ago | (#34377364)

NOO!!!

I don't want some red china man stealing all my porn!
They might start Blurring it on the fly!!!

Re:Porn! (1)

xnpu (963139) | more than 3 years ago | (#34378248)

Eh. Many porn sites were unblocked months ago and still are. I don't notice any blurring here.

Re:So, which is worse? (0)

Anonymous Coward | more than 3 years ago | (#34377690)

I'm glad there are some dissenting views on slashdot this time, since when stories about China come up I usually end up feeling like we're living in a new McCarthy era.

The status quo is that the US has very disproportionate influence on the internet technically and otherwise, and (especially for non-Americans) it's far from clear that this is a good thing for the world. Of course the abuse by the US doesn't make it okay for other countries to meddle with the internet to adverse effect.. but we have to keep things in perspective rather than get silly (e.g. the people here who say we should "boot China out", and other jingoistic nonsense).

In Soviet China... (2, Funny)

Marthis (1949724) | more than 3 years ago | (#34376758)

...DNS routes you! Oh, wait...

Re:In Soviet China... (1)

Qlither (1614211) | more than 3 years ago | (#34376838)

While in China, DNS....Page cannot be found....

frist prost (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34376770)

frist prost

GWB the prophet (1)

DigiShaman (671371) | more than 3 years ago | (#34376806)

"I hear there's rumors on the Internets that we're going to have a draft."

He knows something we don't? Hmmmm

Re:GWB the prophet (1)

mcgrew (92797) | more than 3 years ago | (#34377670)

As he was US President for eight years, it's a certainty that he knows a LOT of stuff that we won't ever hear about.

Root servers? (4, Insightful)

just_another_sean (919159) | more than 3 years ago | (#34376808)

I understand the need for mass replication of the DNS root servers and appreciate both the cultural and technical needs to spread them fairly evenly throughout the world but is it really necessary for China to replicate F, I and J at the root level? Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level? Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?

Re:Root servers? (1)

metamatic (202216) | more than 3 years ago | (#34376952)

Yeah, why does anyone trust any root server located in China? (They can set up servers that claim to be root servers all they like, but that doesn't mean the rest of the root servers have to trust them, so why do they?)

Re:Root servers? (2, Insightful)

kindbud (90044) | more than 3 years ago | (#34377548)

Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.

Re:Root servers? (0)

Anonymous Coward | more than 3 years ago | (#34377726)

Really? My DNS Servers I can configure quite easily to ignore update requests from any host except from a couple of selected ones. But perhaps everybody is using something different than my very obscure and commonly unknown software by the name of bind.

Re:Root servers? (1)

gclef (96311) | more than 3 years ago | (#34378178)

That's not the point...the update requests you get from the "selected" ones: how do you know those are right? You don't. You're choosing to trust that select few. In this case, also, F, I, and J.root-servers.net are anycast...meaning that the IP you're trusting actually appears in multiple places at the same time, one of which is in China.

Better question: How do you know that the i.root-servers.net system that you're talking to is not the one in China?
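One way to approach the question above of which anycast instance is answering, as an added example that is not part of the original comment: name servers commonly answer a CHAOS-class TXT query for `id.server` (RFC 4892) or the older `hostname.bind` with an identifier for the responding instance. The instance name and the sample response below are constructed, and the identifier is unauthenticated, so it shows where your route lands rather than proving that the answers are honest.

```python
import os
import socket
import struct

TYPE_TXT, CLASS_CH = 16, 3  # TXT record type, CHAOS class


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname="id.server", txid=0x1234):
    """Build a CH TXT query; RD is clear because we ask the server about itself."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer is two bytes long
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length


def decode_txt(rdata):
    """Join the length-prefixed character-strings of a TXT RDATA."""
    parts, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        chunk = rdata[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated TXT string")
        parts.append(chunk)
        i += 1 + n
    return b"".join(parts).decode("ascii", "replace")


def parse_instance_ids(msg, txid):
    """Return the instance identifiers carried in a response to build_query()."""
    if len(msg) < 12:
        raise ValueError("short message")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    ids = []
    for _ in range(an):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        off += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            ids.append(decode_txt(rdata))
    return ids


def query_instance(server_ip, qname="id.server", timeout=3.0):
    """Live use (needs network): ask one server address which instance answers."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_instance_ids(data, txid)


def constructed_response(query, instance):
    """Build a sample response offline; the instance name is made up."""
    txt = instance.encode("ascii")
    rdata = bytes([len(txt)]) + txt
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)  # QR + AA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("id.server", 0x1234)
    print(parse_instance_ids(constructed_response(q, "node1.constructed.example"), 0x1234))
```

Logging the identifier over time from a fixed vantage point shows when routing moves you to a different instance of the same anycast address.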

Re:Root servers? (1)

mysticalreaper (93971) | more than 3 years ago | (#34377910)

DNSSEC *does* prevent against this man-in-the-middle attack, that's in fact its main feature.

You say that a cache receiving the root glue (data about the root servers) has 'no way' to validate that the glue is legitimate. That's totally not true. There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.

Re:Root servers? (0)

Anonymous Coward | more than 3 years ago | (#34378284)

There are 'behind the back' measures to accomplish validation, but I believe his point is they aren't 'built-in' to DNS or even DNSSEC at a fundamental level.

Re:Root servers? (2, Interesting)

xnpu (963139) | more than 3 years ago | (#34378264)

Because your ISP hired a lazy ass admin, that's why. Run your own DNS, remove the Chinese root servers from it. Problem solved.

Re:Root servers? (0)

Anonymous Coward | more than 3 years ago | (#34378328)

Why do you focus on the Chinese? DNS tampering is a world-wide habit. Some countries have laws compelling ISPs to manipulate DNS. Commercial DNS manipulation is almost the norm, not the exception. DNSSEC is going to solve both of these problems (and more).

Re:Root servers? (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34377096)

Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level?

I think it would. I wouldn't be surprised if China happens to hold some control over the network (if it exists much) in North Korea, and doing something like that might cause even more tensions in what is already a difficult situation.

Re:Root servers? (1, Interesting)

guruevi (827432) | more than 3 years ago | (#34377116)

Why should you trust the US with anything? China has so far not been tampering with the worldwide independent organization of either DNS or ICANN. Something the US can't really say anymore.

It would be similar to saying, should we give control to Hitler, Stalin or Mussolini.

Wow! (0, Offtopic)

Slutticus (1237534) | more than 3 years ago | (#34377200)

This post went from "Interesting" to "Flamebait" in 3.5 seconds!

Re:Wow! (0, Offtopic)

Monkeedude1212 (1560403) | more than 3 years ago | (#34377220)

Those are pretty weird DNS names - and that's some serious latency. How many hops did it have to go through?

Re:Wow! (1)

mcgrew (92797) | more than 3 years ago | (#34377740)

Looks to me like a bad mod was corrected in 3.5 seconds. I didn't like Bush and I don't care much for Obama, but comparing them to Godwin's Ghosts is indeed flamebait.

Had he omitted that last line, it would have been interesting.

I'm confused (0)

Anonymous Coward | more than 3 years ago | (#34377152)

I thought "The Internet sees censorship as damage and routes around it."

Is that not true anymore?

Re:Root servers? (1)

AdamThor (995520) | more than 3 years ago | (#34377570)

Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?

NOOOOO! We must rebuild the entire interweb! Tiered service plans with CIA backdoors and automatic killswitches for stolen intellectual property!

It's the ONLY WAY to stop the China from routing your traffic!

We have a way to address this (at least, mostly) (3, Insightful)

autocracy (192714) | more than 3 years ago | (#34376810)

DNSSEC. Get on it.

Re:We have a way to address this (at least, mostly (5, Informative)

Kamamura (235695) | more than 3 years ago | (#34377008)

Since Chinese control 3 of the root DNS servers, I bet they are given the root zone KSKs.. and with them, you can spoof any record.

Re:We have a way to address this (at least, mostly (1)

PiSkyHi (1049584) | more than 3 years ago | (#34377304)

Not only that, but they intercept requests made to external DNSs as well - altering the results before arriving at your PC in China.

Re:We have a way to address this (at least, mostly (1)

TheRaven64 (641858) | more than 3 years ago | (#34377650)

Why would they be given the keys? Surely they'd just be given the signed root zone file - it's not like it changes very often.

Re:We have a way to address this (at least, mostly (1)

Anonymous Coward | more than 3 years ago | (#34377702)

Actually, no, the Root server operators do not need access to the private key used for key-signing. They only get a copy of the root zones, all signed ahead of time.

DNSSEC would solve this from a mis-information stand-point. It doesn't stop it from a DoS attack (just not answering, or even answering with bogus DNSSEC replies, which the DNS resolver will discard, but the end result is that you don't get your query answered).

No. (1, Informative)

Anonymous Coward | more than 3 years ago | (#34377852)

The root zone is distributed already signed to everybody. It is signed using special hardware in the US. Look up on the key signing ceremony to see the details.

Agreed on DNSSEC, but until then? (0)

Anonymous Coward | more than 3 years ago | (#34377236)

I use a "hard-coded" HOSTS file entry for my "fav" websites (like this one for example) that allows me to reach what ping'd off as "legit" @ the start of the year here, and remains so today (which is how I validate it, against the TLD that does nothing but resolve IP addresses to their correct domainname/hostname).

Additionally: This allows me to also reach them faster by not making DNS requests for them, which involves turn around response times from DNS servers, which this technique avoids said "lag"...

(Especially since 200 of my favs. are done thus in my HOSTS file, and I block out KNOWN bad sites/servers in it as well to avoid "sucking in" malscripted or other types of exploits via malevolent people)

This practice also allows me to be less "trackable" (sure, I'm still trackable by ISP/BSP, but not as easily) since I am NOT showing up on DNS request logs for my favs (where I spend a GOOD 95% of my time online each day anyhow).

Lastly, this practice also allows me to reach said sites IF my DNS servers I do use "go down" or are "misdirected" via the Kaminsky 'hack' (since they're hardcoded)... I do so, because I can't do the entire net in my HOSTS file as "hard-codes"!

Now, IF a site I like & hardcode "turns up bad" or "infected"? I get notification via the sources listed below ... and it gets blocked, even if temporarily only (& if they clean themselves up, it shows in the removal lists those sources provide too, & those sources also have "validation" screens where you can check if a site is currently "a plague ship" too - can't beat that!).

As far as DNS servers though?

Well, I use either ScrubIT DNS or OpenDNS (both are good & fast + per many DNS flaws, OpenDNS is KNOWN to "patch right away" if possible + they DO pay attention to blocking out various forms of "questionable" or "threatening" material). I also "alternate them", periodically, between those 2 (for avoiding tracking a BIT better, yes, & even from they, via DNS requests logs).

APK

P.S.=> What I do know though, is that it makes me FASTER online & SAFER TOO, by far!

My friends + family & even customers, plus others in forums I have "turned on" to this very old technique (that nowadays seems forgotten) also note it!

E.G.-> My best pal says "my online speed has DOUBLED using HOSTS files" & he used to get 200++ infestations a month (no joke) & he's down to MAYBE 2 a yr. now using HOSTS alone! We even setup his system for 8++ months without a firewall, on older Windows 2000 unpatched, & no firewall... he still had a much lower infection rate!

I also block out adbanners (sorry webmasters - I pay for my online time out of my own pocket)

I want ALL the speed I pay for, & I get a "no commercials/HBO internet" this way, much faster & safer too (since adbanners have been found w/ malicious script content in them many times the past 4-5 yrs. now no less),

This also protects myself vs. the "Kaminsky security crack" in DNS, noted above!

I also protect users & myself via HOSTS files, vs. KNOWN bad sites, via these reputable sources (others too, but here are the "bulk" of them I use to populate my HOSTS file for these purposes):

http://ddanchev.blogspot.com/ [blogspot.com]
http://www.malwareurl.com/listing-urls.php?page=1&urls=off&rp= [malwareurl.com]
http://www.malware.com.br/lists.shtml [malware.com.br]
http://securitylabs.websense.com/content/alerts.aspx [websense.com]
http://www.stopbadware.org/ [stopbadware.org]
http://blog.fireeye.com/ [fireeye.com]
http://mtc.sri.com/ [sri.com]
http://www.scansafe.com/threat_center/threat_alerts [scansafe.com]
http://news.netcraft.com/ [netcraft.com]
http://www.shadowserver.org/ [shadowserver.org]
https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]

Alongside security articles from this site (well, the source articles, IF detailed (many are), do list botnet C&C servers or known infected sites too), and "Spybot 'Search & Destroy'" via its IMMUNIZE feature (which fortifies a HOSTS file vs. known bad sites/servers).

Yes, it's a "wee bit of work" for me to do everyday, takes about 1-2 hours, depending on the volume of material input & filtered/trimmed/alphabetized/deduplicated, but I wrote a program to do it for me here (in the fastest string & math processing language I know of - Delphi 7), so it saves time (& I also found that instead of doing the entire MILLION++ lines of entries "enmasse/all @ once", splitting the data into 8 parts does it in only 20 minutes time!)... however, others get the "benefit" of ME doing the work, I only email them copies as they ask for them! Saves them time, gains them speed, & gains them SECURITY!

To quote Tony Stark of IRON MAN fame, as regards the "Arc Reactor"? Well -> "IT WORKS!"... and, in many ways, for "the good"... apk

Re:Agreed on DNSSEC, but until then? (1)

X0563511 (793323) | more than 3 years ago | (#34377330)

The only problem with that is when IPs change. For major sites, it doesn't happen often, but when it does it may toss you through a loop.

You might find it easier (and more efficient) to just build yourself a caching nameserver and set the TTLs high (hell you can do this on the workstation itself). Couple this with your existing method if you wish, there's no reason they can't work together.
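The trade-off raised above (pinned HOSTS entries go stale when a site's address changes), as an added example that is not part of the original comments: an audit that compares each pinned entry with the answers several resolvers give, separating a pin that every resolver contradicts from a name on which the resolvers disagree. The hosts text, resolver labels and addresses are constructed, and the resolver answers are passed in as data rather than looked up.

```python
import ipaddress


def norm(ip):
    """Canonical text form so that equivalent spellings compare equal."""
    return str(ipaddress.ip_address(ip))


def parse_hosts(text):
    """Return {hostname: {ip, ...}} for pinned entries in hosts-file text.

    Loopback and 0.0.0.0 lines are skipped: in a hosts file they are
    localhost or blocklist entries, not pins to a real address.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in fields[1:]:                   # one address, many aliases
            pins.setdefault(name.lower(), set()).add(str(ip))
    return pins


def audit(pins, answers):
    """Compare pins with {resolver_label: {hostname: [ip, ...]}}.

    Verdicts per hostname:
      ok                     every resolver returns a pinned address
      stale-pin              no resolver returns a pinned address
      resolver-disagreement  some do and some do not
      unchecked              no resolver answers were supplied
    CDN-hosted names can legitimately differ per resolver, so a
    disagreement is a prompt to investigate, not proof of tampering.
    """
    report = {}
    for host, pinned in pins.items():
        views = {
            label: {norm(ip) for ip in table.get(host, ())}
            for label, table in answers.items()
        }
        agreeing = [label for label, ips in views.items() if ips & pinned]
        dissent = sorted(label for label in views if label not in agreeing)
        if not views:
            verdict = "unchecked"
        elif not dissent:
            verdict = "ok"
        elif not agreeing:
            verdict = "stale-pin"
        else:
            verdict = "resolver-disagreement"
        report[host] = (verdict, dissent)
    return report


# Constructed sample input (documentation address ranges and example domains).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
0.0.0.0       ads.example.net      # blocklist entry, not a pin
192.0.2.10    www.example.org example.org
198.51.100.7  forum.example.com    # pinned at the start of the year
2001:db8::5   v6.example.org
"""

SAMPLE_ANSWERS = {
    "resolver-a": {
        "www.example.org": ["192.0.2.10"],
        "example.org": ["192.0.2.10"],
        "forum.example.com": ["203.0.113.9"],
        "v6.example.org": ["2001:db8::5"],
    },
    "resolver-b": {
        "www.example.org": ["192.0.2.10"],
        "example.org": ["192.0.2.10"],
        "forum.example.com": ["203.0.113.9"],
        "v6.example.org": ["2001:0db8::bad"],
    },
}

if __name__ == "__main__":
    for host, (verdict, dissent) in sorted(audit(parse_hosts(SAMPLE_HOSTS), SAMPLE_ANSWERS).items()):
        print(host, verdict, dissent)
```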

You skimmed (I do a PING validate)... apk (0)

Anonymous Coward | more than 3 years ago | (#34378254)

A quote from the VERY START of my init. post here on HOSTS files you replied to:

I use a "hard-coded" HOSTS file entry for my "fav" websites (like this one for example) that allows me to reach what ping'd off as "legit" @ the start of the year here, and remains so today (which is how I validate it, against the TLD that does nothing but resolve IP addresses to their correct domainname/hostname).

(NOTE THE BOLDED PART & MY SUBJECT LINE PLEASE, thanks!)

Ping? It's your friend!

APK

P.S.=> You're not trolling though, I think you just 'skimmed' & missed the PING part (as well as the DNS servers I use, especially OpenDNS - it was "THE FIRST" to make patches for which Dan Kaminsky found errors in DNS servers for in fact):

"You might find it easier (and more efficient) to just build yourself a caching nameserver and set the TTLs high (hell you can do this on the workstation itself). Couple this with your existing method if you wish, there's no reason they can't work together." - by X0563511 (793323) on Monday November 29, @01:52PM (#34377330) Homepage

I think that due to Dan Kaminsky's findings on DNS servers being exploitable (easily & by anyone via port 53 "enmasse sends" of incorrect info. for domain/host name resolves to IP addresses being 'spoofable') should be reason WHY I don't use one... too easy to "redirect"...

In fact, even SECUNIA.COM got "hit" that way this week -> http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

The problem? YOU GUESSED IT - the "Kaminsky FLAW" in DNS! Being exploited right there, this week!

(And those guys? They're SECURITY PROS - there is no real defense vs. that weakness in DNS servers... especially if set into "recursive mode")

Additionally - not only are DNS servers "weak", but they eat up CPU cycles I don't need to be using up on something I truly do NOT need!

However, since HOSTS files are the 1st thing your system looks to for resolving IP-hostname/domainname resolutions? Yes, you can have HOSTS & DNS work together, even locally, just fine! It's just a waste of resources to me is all... this isn't a server I am using here, nor do I use AD (heavy dependency on DNS in ANY directory services system pretty much is why)...apk

Re:Agreed on DNSSEC, but until then? (1)

metrix007 (200091) | more than 3 years ago | (#34377556)

I just don't get what APK's deal is. He is clearly ignorant/misinformed and surely knows better...but I don't think I have ever seen a more dedicated troll than WillyonWheels. I mean..., he has been posting this same shit for years now, slightly customizing it for each story. It must be nice to have that much free time.

You're off topic & trolling (step inside)... a (0)

Anonymous Coward | more than 3 years ago | (#34378092)

TL:DR metrix007 for Off topic trolling.

"It must be nice to have that much free time." - by metrix007 (200091) on Monday November 29, @02:08PM (#34377556)

I post what works, point-blank man. As to free time? I have as much as the next guy does (and my home, car, & all else is FULLY paid up/I am the "clear-title" owner also, so, I am fortunate enough to not have to work 2-3 jobs to make ends meet is all - I wonder, can YOU say the same?).

---

"I just don't get what APK's deal is." - by metrix007 (200091) on Monday November 29, @02:08PM (#34377556)

We know what yours is, because you don't even SAY what you feel it is I am "doing wrong", first of all.

Secondly? Well, you can read my 1st post, and get an idea (as far as how I use HOSTS files), provided you can read (but it's pretty clear you are just trolling).

---

"He is clearly ignorant/misinformed" - by metrix007 (200091) on Monday November 29, @02:08PM (#34377556)

Well, to that? I can only say, the day you've done more & better (& earlier) than I have in the field of computing:

---

"My Name is Ozymandias: King of Kings - Look upon my works, ye mighty, & DESPAIR..."

----

Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61

(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).

WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

PC-WELT FEB 1998 - page 84, again, my work is featured there

WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there

PC-WELT FEB 1999 - page 83, again, my work is featured there

CHIP Magazine 7/99 - page 100, my work is there

GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it

HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!

Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...

Being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com/forums/showthread.php?s=ee926d913b81bf6d63c3c7372fd2a24c&t=28430&page=3 [xtremepccentral.com]

Lastly, lately (this year)?

It's also been myself helping out the folks at the UltraDefrag64 project (a 64-bit defragger for Windows), in showing them how to do Process Priority Control @ the GUI usermode/ring 3/rpl 3 level in their program (good one too), & being credited for it by their lead dev & his team... see here -> http://ultradefrag.sourceforge.net/handbook/Credits.html [sourceforge.net]

----

What do I have to say about that much above? I can't say it any better, than this was stated already (from the greatest book of all time, the "tech manual for life" imo):

"But by the grace of God I am what I am: and his grace which was bestowed upon me was not in vain; but I labored more abundantly than they all: yet not I, but the grace of God which was with me." - Corinthians Chapter 10, Verse 10

(And, because I got LUCKY to have been exposed to some really GREAT classmates, professors, & colleagues on the job over time as well)

---

Again: The day you can show you've done more of respected note as I have & earlier? That is the day you can talk calling me IGNORANT etc. (because anyone can "talk a good game", but it's QUITE ANOTHER THING to have done said game, professionally, and with good reviews by peers in publications).

Also, prove anything I state about HOSTS files is technically incorrect then.

That's better than trolling me, and might prove you know a thing or two yourself (good luck - I've had the "best & brightest" trolls here try it and lose everytime - I post a factoid here about 10 points in favor of HOSTS files, vs. Adblock or DNS servers here regularly, & I have YET to see anyone disprove any of those points in fact, & that's as you said - FOR YEARS NOW! I've thought it all out, too bad my naysayers haven't!).

It's why reputable sites like mvps.org have a HOSTS file too - it just works, and for added layered security, AND speed!

---

"and surely knows better" - by metrix007 (200091) on Monday November 29, @02:08PM (#34377556)

Well, like I said? See the list above... "drink it in & digest it", and rinse, lather, repeat - but, above all else?? Show us YOU'VE done more & better than I have & earlier (up to the present day no less on my part, in the eyes of others on MANY grounds in computing).

That's all - pretty simple, & I'll be waiting...

---

"but I don't think I have ever seen a more dedicated troll than WillyonWheels." - by metrix007 (200091) on Monday November 29, @02:08PM (#34377556)

Funny, my posts on HOSTS have been up modded here quite a few times... I didn't realize troll posts get modded up... would you like a sample of one? Ok:

http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]

(That's ONLY 1 of quite a few on HOSTS, and it's also where I spotted a "design error" on the part of Microsoft (to which Foredecker, senior mgr. of "Windows Performance Client Division" who posts here on /. even CONCEDES I AM CORRECT ON no less as far as HOST files go)).

Would you like another? I can produce more up mods from this site from my posts here on HOSTS files & their benefits to the end user.

---

"I mean..., he has been posting this same shit for years now" - by metrix007 (200091) on Monday November 29, @02:08PM (#34377556)

It gets up modded here, because others realize the value of HOSTS files as an addition to layered security and as a way to gain speed.

(Anyone in the know that is about them, unlike yourself, clearly (However, I do suspect you know about them, & you're just another "disgruntled malware maker" or webmaster "losing adbanner hits" because of them)).

---

"slightly customizing it for each story." - by metrix007 (200091) on Monday November 29, @02:08PM (#34377556)

Of course: When it applies about HOSTS files, I have to modify the content, the file is SO versatile, it's amazing... just as it can be used to speed you up & protect you here vs. all I noted in my init. reply you replied to!

APK

P.S.=> Above all else though - put down what you think is "WRONG", technically wrong, with my points on HOSTS files, and I will tear you apart, point-by-point (because you WON'T be the first I have done so to here)... apk

Re:Agreed on DNSSEC, but until then? (1)

marcello_dl (667940) | more than 3 years ago | (#34377866)

a hosts file in a git distributed repo would be a nice idea for small organizations, provides a way to safely add/update entries.

Re:Agreed on DNSSEC, but until then? (1)

icebraining (1313345) | more than 3 years ago | (#34378188)

Or they could just install a DNS caching server, it's not that hard. And besides the static hosts information, it would also share the DNS cache between all the clients, so if two of them accessed the same sites, it would be faster for the second client.

Debian comes with a few an aptitude install away.

Wikileaks... (1)

orphiuchus (1146483) | more than 3 years ago | (#34376834)

Isn't this a more deserving target than the US? Oh wait, they would immediately assassinate you if you leaked any of their information. Better keep going after the guys who don't fight back.

Re:Wikileaks... (0)

Anonymous Coward | more than 3 years ago | (#34378132)

The Chinese have largely had cynical resignation and morbid sense of humor about their government for millennia. Most of them just aren't driven to do such things, or even feel that it has any lasting positive impact in the end.. since there are always winners and losers and winners need losers. (paraphrasing, this is a core concept of Confucianism, and of older indigenous beliefs)

Regarding Wikileaks.. If they get it, they'll publish it. They are not a spy agency. They solicit leaks from outsiders and use what they get.

Re:Wikileaks... (1)

xnpu (963139) | more than 3 years ago | (#34378232)

Wikileaks is a government operation. China is well aware of that. Just like (if you did read Wikileaks) the US was well aware of China's attack on Google but chose not to tell anyone. China and US are on much better foot than you think, the theater is just for the populace.

And ? (4, Insightful)

unity100 (970058) | more than 3 years ago | (#34376840)

u.s. just grabbed 12 domain names, on the whim of some private interests inside usa. not only that they dropped a 'for other purposes' clause, in the bill/whatever that is going to allow them to do more.

'for other purposes'. you can even put 'daydreaming' in it, and legally grab domains that help people daydream.

Re:And ? (2, Interesting)

nbossett (1835098) | more than 3 years ago | (#34377178)

There's a difference between:
having a legal fight over who owns abc.com
and
deliberately misleading people and pretending to be/own abc.com

There can be abuses of either system, but rerouting traffic on the sly is potentially more dangerous to users than openly seizing a domain name.

so ? (1)

unity100 (970058) | more than 3 years ago | (#34378022)

difference ? chinese pretend to be abc com for their own aims, usa 'legally' grabs domains pretending to anyone worldwide, for their own aims. not to mention that, it makes the law that legalizes it.

United States DNS Tampering a Realer Threat (4, Informative)

Anonymous Coward | more than 3 years ago | (#34376854)

The United States government has already stolen domain names without due process. They don't even have jurisdiction over some of them.

http://yro.slashdot.org/story/10/11/27/1910232/DHS-Seizes-75-Domain-Names [slashdot.org]

Re:United States DNS Tampering a Realer Threat (1)

jbonomi (1839286) | more than 3 years ago | (#34377608)

They have jurisdiction over all of those, actually. Not necessarily the server/data, but certainly the .com and .net domains.

peter's wolf... (2, Interesting)

X0563511 (793323) | more than 3 years ago | (#34376870)

At what point are we going to get sick enough of this garbage to just completely segregate China from the rest of the internet?

Re:peter's wolf... (1)

mr_lizard13 (882373) | more than 3 years ago | (#34376930)

Who is "we"?

You're speaking on behalf of a western nation I assume?

Re:peter's wolf... (1)

X0563511 (793323) | more than 3 years ago | (#34377272)

No, I'm speaking on behalf of everyone that isn't China.

You should read what I wrote, not the words that you assume are between the lines.

Re:peter's wolf... (0, Troll)

Anonymous Coward | more than 3 years ago | (#34377166)

Same time we get tired of the US pulling the same shit [slashdot.org] : apparently, never.

Re:peter's wolf... (1)

shoehornjob (1632387) | more than 3 years ago | (#34377798)

Well that would certainly deter them from hacking our computers and stealing state and industrial secrets.

Made in China (0)

Anonymous Coward | more than 3 years ago | (#34376876)

...I noticed a lot of DNS responses had these black-on-gold Made in China stickers on them!

right now.. (1)

Anonymous Coward | more than 3 years ago | (#34376892)

China almost looks free compared to the nazi regime USA is trying to have on the web, randomly yanking domains (70+ recently) because american business interests were supposedly suffering. ..

DNSSec? (2)

Kamamura (235695) | more than 3 years ago | (#34376918)

Why do we have it then? AFAIK root zone was signed in May, so just don't send those super secret root zone KSKs to red commies and every validating resolver is safe!

Hooray for advanced protocol beating the red threat back!

Re:DNSSec? (1)

just_another_sean (919159) | more than 3 years ago | (#34377658)

If China has the legitimate* right to host three replicas of the root servers they would need the KSKs, no?

Which in my mind would lead to more potential for abuse as even the technical among us think "It's OK, I'm using DNSSEC!".

* which according to TFA they do now...

Definitive/Caching/Chinese (1)

RichMan (8097) | more than 3 years ago | (#34376936)

So do we need a new way of describing DNS servers ?
We probably also need a new way of describing DNS entries so you can tell the difference between an actual DNS for a site and a DNS for an edge caching site.

Re:Definitive/Caching/Chinese (1)

ADRA (37398) | more than 3 years ago | (#34377296)

How? How many clients will actually work their way up the chain to resolve against the hosted DNS server? That makes any initial engagement with raw (or cache expired) domains much slower. For a web site that is looking for drive-by service, this would be less appealing than say going to a Google derived alternative which is always well buried in cache. If what you really want is a way of verifying that the upstream data source isn't tampered with, and I'm sorry but that's not going to happen, at least not on a root server level.

After reading the article, it's still entirely unclear. There's a person referred only as Zmijewski who is never given context at all in the story. Their talk points are half the story and you don't even have the wit to say who the person is.

Going back to the original US document, it seems the Chinese root server was erroneously sending censored responses to non-Chinese IP blocks and was for a while pulled of its authority until the problem was resolved. As bad as national censorship can be, I suppose it's acceptable to be able to pull the cord on issues of the sort. After all the news of having the US seize domains, is it really worth noting a bug in the great firewall's DNS processing that was fixed months ago?

Re:Definitive/Caching/Chinese (1)

Todd Knarr (15451) | more than 3 years ago | (#34377298)

DNSSEC. If the root-zone keys are distributed through an independent channel (ie. downloaded from ICANN and loaded into the local resolver/server software configuration), then even running a root DNS server won't let you forge responses for any part of the DNS tree you don't actually control (ie. have the private keys to generate new signatures for).

I am safe... (1)

Kamamura (235695) | more than 3 years ago | (#34376978)

... I use the fantastic, free OpenDNS, and I have set resolv.conf to ns1.opendns.ch and ns2.opendns.ch years ago... crap! John, tear the wire from the wall, fast!

Re:I am safe... (1)

psyclone (187154) | more than 3 years ago | (#34378098)

No, you are not safe. It is trivial for someone between you and ns*.opendns.ch to intercept the DNS response and modify it.

Only DNSSEC can save you here.

Re:I am safe... (1)

Thinine (869482) | more than 3 years ago | (#34378280)

Actually, OpenDNS is supporting a DNSSEC alternative, DNSCurve, which gives many of the same benefits, including the prevention of MitM attacks.

US DNS Tampering a Real Threat To Outsiders (3, Interesting)

mlawrence (1094477) | more than 3 years ago | (#34376980)

Just this past week the US government seized 75+ domains without any notice. Is this any different?

Re:US DNS Tampering a Real Threat To Outsiders (0)

Anonymous Coward | more than 3 years ago | (#34377028)

The US took domains under US law. Chinese DNS poisoning is afflicting unrelated parties.

Re:US DNS Tampering a Real Threat To Outsiders (1)

Anonymous Coward | more than 3 years ago | (#34377134)

Same thing.
The US disabled domains under US law, the Chinese disable domains under Chinese law.
What is your point exactly?

Or are you somewhat delusional to think that the US is the center of the universe I wonder...
What the US did affects unrelated parties, namely THE REST OF THE WORLD!

Re:US DNS Tampering a Real Threat To Outsiders (0)

Anonymous Coward | more than 3 years ago | (#34377262)

that sites operated by US citizens, hosted on servers located on US soil are subject to US law.

If the Chinese tamper with DNS requests there is the very real, very illegal possibility of a computer outside of Chinese jurisdiction requesting the address of a server which is also outside of Chinese jurisdiction getting redirected. see the difference?

Re:US DNS Tampering a Real Threat To Outsiders (0)

Anonymous Coward | more than 3 years ago | (#34377776)

Good point. I did not think of that. I generally don't think of websites as tied to a specific jurisdiction. Guess I want to live in denial when it comes to regulating the internet:).

My only worry is that this is a test case to possibly drive an alternate agenda.
I notice that one of the sites was a torrent link portal, hidden in between the fake Prada bag store domains and what not.

It will be interesting to see where this goes over the next couple of months.

Re:US DNS Tampering a Real Threat To Outsiders (4, Interesting)

Antisyzygy (1495469) | more than 3 years ago | (#34377064)

It's quite a bit different. China is attempting to control the internet, most likely for use as propaganda and as leverage in a cyber conflict. The DHS is being used by special interest groups to enforce IP law.

Re:US DNS Tampering a Real Threat To Outsiders (0)

Anonymous Coward | more than 3 years ago | (#34377186)

It's quite a bit different. China is attempting to control the internet, most likely for use as propaganda and as leverage in a cyber conflict. The DHS is being used by special interest groups to enforce IP law.

Please explain the difference between propaganda and intellectual property.

Re:US DNS Tampering a Real Threat To Outsiders (1)

jbonomi (1839286) | more than 3 years ago | (#34377876)

Please explain the difference between makeup and cinnamon rolls.

Re:US DNS Tampering a Real Threat To Outsiders (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34377270)

Okay - then which is worse?

I mean I am not condoning everything the Chinese do but nationalism isn't always a bad thing and there wouldn't BE a cyber conflict without the US. Essentially what you've got is 1 country attacking another country and you've got 1 country attacking its own citizens. Which is which and which is worse?

Re:US DNS Tampering a Real Threat To Outsiders (5, Insightful)

Antisyzygy (1495469) | more than 3 years ago | (#34377456)

Both are bad, but neither excuses the other.

Re:US DNS Tampering a Real Threat To Outsiders (1)

yuhong (1378501) | more than 3 years ago | (#34377930)

And the US is just trying to suppress illegal content, while China is actually trying to censor criticism. The latter is IMO much worse.

Re:US DNS Tampering a Real Threat To Outsiders (2, Funny)

0123456 (636235) | more than 3 years ago | (#34378020)

And the US is just trying to suppress illegal content, while China is actually trying to censor criticism. The latter is IMO much worse.

But, uh, criticism _is_ 'illegal content' in China.

Re:US DNS Tampering a Real Threat To Outsiders (1)

Husgaard (858362) | more than 3 years ago | (#34378082)

IMHO a fine example of the difference between communism and fascism.

Re:US DNS Tampering a Real Threat To Outsiders (2, Informative)

Anonymous Coward | more than 3 years ago | (#34377094)

That was at the .com level not at the . level. The US has not redirected .com somewhere else....

Re:US DNS Tampering a Real Threat To Outsiders (1)

X0563511 (793323) | more than 3 years ago | (#34377366)

SOMEONE has a fucking clue!?!?

(go figure it's an AC)

Re:US DNS Tampering a Real Threat To Outsiders (1)

metrix007 (200091) | more than 3 years ago | (#34377592)

What has being an AC got to do with anything?

Mod server down (3, Interesting)

jbeaupre (752124) | more than 3 years ago | (#34377026)

If only you could mod servers up or down, giving them some sort of reputation history. Then your OS could determine a trusted anchor based on a server's "karma" and your requirements*. A system parallel to DNSSEC for apportioning, updating, and validating trust.

* yeah, I'm borrowing Slashdot terminology. But what the heck, it kind of works.

Re:Mod server down (1)

arachnoprobe (945081) | more than 3 years ago | (#34377710)

* yeah, I'm borrowing Slashdot terminology. But what the heck, it kind of works.

No. I saw your comment.

Secure BGP (1)

Monkius (3888) | more than 3 years ago | (#34377056)

I know of folks working currently on secure BGP. I would imagine that's part of the solution.

Re:Secure BGP (1)

xnpu (963139) | more than 3 years ago | (#34378120)

BGP knows filters and communities. It's just that those need to be set up by admins, which often don't feel like doing the work and will tell you it's too complex to deal with such a large dynamic network as theirs.

Red vs effing Blue (2, Funny)

MRe_nl (306212) | more than 3 years ago | (#34377112)

(tl;dr version)
Big Threat Internet Security
China censor Web sites and information ruling Communist Party threatening security experts warn government's censorship danger spilling China's suppressing China Chinese Tampering Communist Party danger security and freedom tampering bigger threat hijacking unexpected China's tamper bled
U.S.-China Economic and Security Review Commission hijacking incident incident.

(And when I count to three you will awaken and be VERY AFRAID).

WTF happened this weekend? (1)

GPLDAN (732269) | more than 3 years ago | (#34377288)

To Comcast?

http://news.cnet.com/8301-1023_3-20023949-93.html [cnet.com]


Because I can damn well tell you that spilled over into other New England area networks, including the SAVVIS and Cogent networks in Boston area. Comcast says their DNS system failed, so how the fuck does a DNS attack knock out all the peering/routing/IP transport up there?

That whole thing smells bad, and I wonder if anyone knows the truth about wtf happened.

Re:WTF happened this weekend? (0)

Anonymous Coward | more than 3 years ago | (#34377680)

From my previous experience with Comcast, sounds like typical service level. I don't see anything sinister, just typical Comcast service quality.

They had improved in the past year or so, but it used to happen at least twice a year.

Whitelisting (1)

iamsolidsnk (862065) | more than 3 years ago | (#34377610)

Wouldn't whitelisting known good IPs of frequent internet destinations within your hosts.conf (or equivalent) file provide at least moderate protection against IP hijacking?

Thanks to Cisco.. (1)

formfeed (703859) | more than 3 years ago | (#34377616)

..for providing the technology that makes it possible to censor, track, and imprison.

Re:Thanks to Cisco.. (1)

xnpu (963139) | more than 3 years ago | (#34378030)

Thanks to the American people for allowing their government and corporations to participate in these deals. Did you call your ISP and complain about their use of a company that actively participates in subjecting over a billion people to heavy censorship? I didn't think so.

DNS shall not be abridged (1)

snsh (968808) | more than 3 years ago | (#34377618)

In the USA, DNS needs to be woven into the first amendment as one of those things the government shall not fuck with, but I doubt the Roberts court will see it that way.

Solution: de-root them (1)

theNAM666 (179776) | more than 3 years ago | (#34377698)

Someone's already said this too, but it seems obvious. Don't trust the Politburo. Simple. Don't trust a root server run by the Politburo. Then implement DNSSec. :)

Re:Solution: de-root them (1)

xnpu (963139) | more than 3 years ago | (#34378068)

De-root is a useless measure. You don't trust China, someone else doesn't trust some other country hosting a root. DNSSec is the only acceptable solution currently available.

Also it's a little naive to think that Chinese cyberspace ends at its physical borders. China's telcos have controlling stakes in many foreign communications companies as well. Not to mention lots of western ISPs are installing Huawei equipment, etc, etc.

Remove the ability of countries to censor the web (1)

jack2000 (1178961) | more than 3 years ago | (#34377842)

Tell me, why is it still possible for private parties to change things like this on a whim?
There needs to be a system where if the domain record returned from a DNS server differs from the ones returned by say 4 others, it is discarded and the record returned by the 4 DNS servers is used.

Re:Remove the ability of countries to censor the w (1)

0123456 (636235) | more than 3 years ago | (#34378048)

Tell me, why is it still possible for private parties to change things like this on a whim?

Uh, this isn't a 'private party', it's the Chinese government. DNS generally worked fine when it was controlled by 'private parties' and governments weren't meddling with it.

Re:Remove the ability of countries to censor the w (1)

xnpu (963139) | more than 3 years ago | (#34378096)

Nice idea, but this doesn't help one bit if the censorship is done close to home. E.g. on "my" network I intercept DNS and have my name server send the reply. It doesn't matter if the users are talking to Google DNS, OpenDNS or some other service, it's always my DNS server that replies. DNS is extremely easy to intercept and spoof.
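The voting scheme proposed in this sub-thread, and the objection raised in the reply to it, as an added example that is not part of any comment: resolver labels and addresses are constructed (documentation address ranges), and the function name and `min_agree` threshold are assumptions.

```python
from collections import Counter

def quorum_answer(responses, min_agree=4):
    """Vote on the A-record set returned for one name.

    responses maps a resolver label to the set of addresses it returned
    (None or an empty set means no answer). Returns (rrset, dissenters);
    rrset is None when fewer than min_agree resolvers agree.
    """
    votes = Counter(frozenset(r) for r in responses.values() if r)
    if not votes:
        return None, sorted(responses)
    best, count = votes.most_common(1)[0]
    if count < min_agree:
        return None, sorted(responses)  # no quorum: trust nobody
    dissenters = sorted(name for name, r in responses.items()
                        if not r or frozenset(r) != best)
    return set(best), dissenters

# Constructed sample data (documentation address ranges, made-up labels).
GOOD = {"192.0.2.10"}
FORGED = {"203.0.113.66"}

# Case 1: one of five resolvers returns a tampered record.
ONE_TAMPERED = {"r1": GOOD, "r2": GOOD, "r3": FORGED, "r4": GOOD, "r5": GOOD}

# Case 2: an on-path box answers every query itself, whichever resolver
# the client addressed, so all five "independent" answers are the forgery.
ALL_INTERCEPTED = {name: FORGED for name in ONE_TAMPERED}

# Case 3: answers split and one resolver is silent, so nothing reaches quorum.
SPLIT = {"r1": GOOD, "r2": GOOD, "r3": FORGED, "r4": FORGED, "r5": None}

if __name__ == "__main__":
    for label, case in [("one tampered", ONE_TAMPERED),
                        ("all intercepted", ALL_INTERCEPTED),
                        ("split", SPLIT)]:
        print(label, quorum_answer(case))
```

Case 2 is accepted with no dissenters, which is the limit the reply describes. Names served from geographically distributed caches can also legitimately differ between resolvers and would fail the vote.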

This is just about lazy admins. (1)

xnpu (963139) | more than 3 years ago | (#34377984)

Since when are you obligated to use the Chinese root servers? And have you heard of DNSSEC? This is really just an issue of lazy admins. Same story with the root SSL certificates browsers ship with that include a lot of questionable organizations and governments. You are free to remove them, and no, it's not hard. The BGP hijack was no different. Carriers that have their shit organized have their filters configured and would not participate in the hijack.

Cut China off (1)

kheldan (1460303) | more than 3 years ago | (#34378172)

If you were found to be tampering with DNS, at the very least you'd have your internet service cut off, at worst you'd be arrested. The equivalent of "arresting" China would be called "World War III" and that's not going to happen (yet). We can, however, cut them off from the rest of the internet, can't we? Why haven't we? They refuse to behave, they don't own the internet (nobody does and everybody does, really), they don't have the right to do this. Cut them off until they learn to behave. Besides, to hear them talk, they'd probably prefer being cut off from the rest of the world so they can literally force their citizens to use only the sites the State wants them to.