A new step in the fight between the Turkish government and the
Internet occurred recently when the access providers in Turkey
started, not only to install lying
The first attempt at censorship by the Turkish government was to
ask (around 20 March) the IAPs (Internet Access Providers), who typically provide a
recursive DNS service to their users, to configure these recursors to
lie, providing false answers when queried about censored names like
An obvious workaround to this technique is to use resolvers other
than the IAP's. Hence the calls on the walls of many Turkish
cities to use a service like
Now, the Turkish government, replying to the reply, apparently
went further. Before discussing what they have done, let's see
the facts. We will use the network of RIPE Atlas probes to query Google
Public DNS from various places, in the world and in Turkey, since the
excellent RIPE Atlas interface allows you to select probes based on
many criteria, including the country. The probe can resolve names
(like
First, to see the ground truth, let's ask a hundred probes
worldwide to resolve
...
[199.59.148.10 199.59.149.198 199.59.150.7] : 2 occurrences
[199.16.156.38 199.16.156.6 199.16.156.70] : 8 occurrences
[199.59.149.230 199.59.150.39 199.59.150.7] : 5 occurrences
...
All IP addresses do belong to Twitter (checked with
10 probes reported, 10 successes
[199.16.156.230 199.16.156.6 199.16.156.70] : 1 occurrences
[195.175.254.2] : 8 occurrences
[199.16.156.198 199.16.156.230 199.16.156.70] : 1 occurrences
Test done at 2014-03-29T16:57:38Z
Two probes give normal results, with three IP addresses, all in
Twitter space. The majority of probes, eight, give an IP address at a
Turkish provider (
We can measure with another censored name,
10 probes reported, 10 successes
[173.194.34.160 173.194.34.161 173.194.34.162 173.194.34.163 173.194.34.164 173.194.34.165 173.194.34.166 173.194.34.167 173.194.34.168 173.194.34.169 173.194.34.174] : 1 occurrences
[195.175.254.2] : 8 occurrences
[195.22.207.20 195.22.207.24 195.22.207.25 195.22.207.29 195.22.207.30 195.22.207.34 195.22.207.35 195.22.207.39 195.22.207.40 195.22.207.44 195.22.207.45 195.22.207.49 195.22.207.50 195.22.207.54 195.22.207.55 195.22.207.59] : 1 occurrences
Test done at 2014-03-30T15:16:22Z
The same IP address is obtained, and of course it is not possible that
the real Twitter and the real YouTube are hosted at the same place.
[All measurements show that two Atlas probes in Turkey do not see the hijacking. Why are they spared? According to the manager of one of these probes, his entire network was tunneled to a foreign server, to escape filtering, which explains why the probe on the network saw normal DNS replies.]
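The comparison made above, as an added example (not code from the original article): it parses the occurrence summaries in the format shown and reports any address that was returned for both names. The labels "twitter" and "youtube" and the function names are assumptions of this example; the data lines are copied from the two Turkish measurements above.

```python
import re
from collections import defaultdict

# Summaries copied from the measurements above (probes in Turkey, Google Public DNS).
TWITTER = """\
[199.16.156.230 199.16.156.6 199.16.156.70] : 1 occurrences
[195.175.254.2] : 8 occurrences
[199.16.156.198 199.16.156.230 199.16.156.70] : 1 occurrences
"""
YOUTUBE = """\
[173.194.34.160 173.194.34.161 173.194.34.162 173.194.34.163 173.194.34.164 173.194.34.165 173.194.34.166 173.194.34.167 173.194.34.168 173.194.34.169 173.194.34.174] : 1 occurrences
[195.175.254.2] : 8 occurrences
[195.22.207.20 195.22.207.24 195.22.207.25 195.22.207.29 195.22.207.30 195.22.207.34 195.22.207.35 195.22.207.39 195.22.207.40 195.22.207.44 195.22.207.45 195.22.207.49 195.22.207.50 195.22.207.54 195.22.207.55 195.22.207.59] : 1 occurrences
"""

# One summary line: "[addr addr ...] : N occurrences"
LINE = re.compile(r"^\[([0-9a-fA-F.: ]+)\]\s*:\s*(\d+) occurrences?$")

def parse_summary(text):
    """Map each answer set (frozenset of addresses) to the number of probes that saw it."""
    answers = defaultdict(int)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # header and "Test done at" lines do not match and are skipped
            answers[frozenset(m.group(1).split())] += int(m.group(2))
    return dict(answers)

def shared_addresses(summaries):
    """Return {address: {label: probes}} for addresses answered for two or more names."""
    seen = defaultdict(dict)
    for label, text in summaries.items():
        for ips, count in parse_summary(text).items():
            for ip in ips:
                seen[ip][label] = seen[ip].get(label, 0) + count
    return {ip: labels for ip, labels in seen.items() if len(labels) > 1}

def report(summaries):
    for ip, labels in sorted(shared_addresses(summaries).items()):
        detail = ", ".join(f"{n}: {c} probes" for n, c in sorted(labels.items()))
        print(f"{ip} returned for unrelated names ({detail})")

if __name__ == "__main__":
    report({"twitter": TWITTER, "youtube": YOUTUBE})
```

An address shared by two unrelated services is a signal worth investigating, not proof on its own, since shared hosting and CDNs can legitimately produce it; here the whois check on the address settles the question.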
If you try another well-known DNS resolver, such as
So, someone replies, masquerading as the real Google Public DNS
resolver. Is it done by network equipment on the path, as is
common in China where you get DNS responses even from IP addresses
where no name server runs? It seems instead it was a trick with
u*>? 8.8.4.4/32 100 None
212.156.250.157 None -
No As-Path
while a normal route will look like:
u*>i 74.82.42.0/24 100 1
212.156.100.1 None -
6939
*i 74.82.42.0/24 100 1
212.156.100.1 None -
6939
(6939 being the origin AS of the remote route, here a foreign one,
while
Another indication that the hijacking is not done by a man in the middle mangling any DNS reply (as is done in China) is that, if you try a little-known open DNS resolver, there is no problem: even from Turkey, you get correct results (measurement #1605104).
Also, a
From: 212.58.13.159 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR
Source address: 212.58.13.159
Probe ID: 3506
1 212.58.13.253 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR [3.98, 3.235, 3.101]
2 82.151.154.193 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR [3.15, 3.044, 3.11]
3 212.156.133.117 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [4.146, 4.807, 4.157]
4 [u'*', u'*', 'late', u'*']
5 81.212.204.205 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [11.185, 10.657, 10.67]
6 81.212.204.149 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [10.864, 11.007, 10.685]
7 ['late', u'*', 'late', u'*', u'*']
8 [u'*', u'*', u'*']
9 [u'*', u'*', u'*']
10 [u'*', u'*', u'*']
11 [u'*', u'*', u'*']
255 [u'*', u'*', u'*']
But RIPE Atlas probes are able to do traceroute with
From: 212.58.13.159 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR
Source address: 212.58.13.159
Probe ID: 3506
1 212.58.13.253 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR [3.866, 3.13, 3.132]
2 82.151.154.193 8685 DORUKNET Doruk Iletisim ve Otomasyon Sanayi ve Ticaret A.S.,TR [3.316, 3.012, 3.176]
3 212.156.133.117 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [4.362, 5.976, 4.394]
4 [u'*', u'*', 'late', u'*']
5 81.212.204.205 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [13.922, 13.574, 13.753]
6 81.212.204.149 9121 TTNET Turk Telekomunikasyon Anonim Sirketi,TR [13.933, 17.873, 13.571]
7 8.8.4.4 15169 GOOGLE - Google Inc.,US [11.689, 11.761, 11.897]
Is the lying resolver a full standalone resolver or does it just
proxy requests to the real servers, after censoring some names? To be
sure, we ask the Atlas probes to query Google Public DNS with the name
10 probes reported, 10 successes
[74.125.18.80] : 2 occurrences
[195.175.255.66] : 8 occurrences
Test done at 2014-03-30T14:49:39Z
We learn with whois that
There is no other easy way to be sure whether we are talking to the real Google
Public DNS: Google's servers, unfortunately, do not support
the NSID identification system and, anyway, even if they did, it is
easy to forge. The only real solution to be sure is the resolver you
use, is
Of course,
On censorship with the DNS, I recommend the comprehensive
report of the AFNIC Scientific Council. Thanks to Sedat
Kapanoğlu for his measurements. Some other articles on this issue: