As explained in RFC 7754, "Technical Considerations for Internet Service
Blocking and Filtering", it is tempting for a censor to attack not the
traffic or the servers directly, but the rendezvous systems, the most
obvious one being the DNS.
In Europe, but also in other places, several countries have implemented
DNS-based censorship systems, requiring ISPs to configure their DNS
resolvers to lie (to give answers other than those the authoritative
name server would have given).
I will explain the various choices and possibilities of DNS-based
censorship, as well as the workarounds. Of course, switching to a
non-lying resolver looks easy. But we'll see that it is not so easy, and
that it is only the start of an arms race, especially given the fact that
"alternative" resolvers are often not secured, and can therefore be
hijacked.
I will show examples and statistics on the actual deployment, both
of the censorship and of the workarounds. This will mostly be done with
RIPE Atlas probes. They make it possible to perform detailed measurements
of DNS data, even in countries where you've never been.
Note: this will be the continuation of this article:
https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes/
and this talk: https://ripe68.ripe.net/presentations/158-bortzmeyer-google-dns-turkey.pdf
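
An added example, not from the original abstract or from RIPE Atlas: one
way to turn per-probe DNS answers into a per-country count of lying
resolvers, by comparing each answer with the set the authoritative servers
return. The record format, country codes and addresses are constructed,
and it assumes a name with a stable authoritative answer set (a CDN-hosted
name would produce false positives).

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed reference: what the authoritative servers return for the test name.
AUTHORITATIVE = {"198.51.100.10", "198.51.100.11"}

# Constructed observations: (probe country, rcode from the probe's resolver, A records).
# This is a simplified format for illustration, not the RIPE Atlas result schema.
OBSERVATIONS = [
    ("AA", "NOERROR", ["198.51.100.10"]),
    ("AA", "NOERROR", ["203.0.113.80"]),      # answer rewritten to another host
    ("AA", "NXDOMAIN", []),                   # resolver denies the name exists
    ("BB", "NOERROR", ["198.51.100.11", "198.51.100.10"]),
    ("BB", "NOERROR", ["127.0.0.1"]),         # answer rewritten to loopback
    ("BB", "SERVFAIL", []),                   # failure: not evidence of a lie
    ("BB", "NOERROR", []),                    # empty answer for an existing record
]

def classify(rcode, answers, reference):
    """Compare one resolver answer with the authoritative answer set."""
    if rcode == "NXDOMAIN":
        return "lie:nxdomain"
    if rcode != "NOERROR":
        return "error"                        # timeouts, SERVFAIL: excluded from rates
    if not answers:
        return "lie:nodata"
    seen = {ipaddress.ip_address(a) for a in answers}
    ref = {ipaddress.ip_address(a) for a in reference}
    if seen <= ref:
        return "truthful"                     # a subset is fine: resolvers may truncate
    if any(a.is_loopback or a.is_unspecified for a in seen - ref):
        return "lie:local-address"
    return "lie:other-address"

def lie_rate_by_country(observations, reference):
    """Return {country: (lying answers, usable answers)}; errors are not usable."""
    tally = defaultdict(Counter)
    for country, rcode, answers in observations:
        tally[country][classify(rcode, answers, reference)] += 1
    rates = {}
    for country, counts in tally.items():
        lies = sum(n for verdict, n in counts.items() if verdict.startswith("lie:"))
        usable = sum(n for verdict, n in counts.items() if verdict != "error")
        rates[country] = (lies, usable)
    return rates

if __name__ == "__main__":
    for country, (lies, usable) in sorted(lie_rate_by_country(OBSERVATIONS, AUTHORITATIVE).items()):
        print(f"{country}: {lies}/{usable} resolvers returned a forged answer")
```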