Triplet Censors: Demystifying Great Firewall's DNS Censorship Behavior (FOCI 2020) about bbs HOT 8 OPEN

The IP addresses making up the total pool are not random—most of them belong to US-based organizations like Facebook, Dropbox, and Twitter

Ah, this is interesting. This could explain more and more reports that access to websites encounters certificate errors instead of timeout. Certificate errors appear legitimately caused by misconfiguration instead of censorship as certificate misconfiguration is very common in China, thus the grievance is no longer directed at the GFW.

There is more than one DNS injector

I think these could be independently developed projects with different design goals. Maybe some of these are outsourced to contractors. Being independent allows them not fail simultaneously.

from bbs.

This could explain more and more reports that access to websites encounters certificate errors instead of timeout.

Thank you for sharing such an interesting hypothesis; however, it seems these certificate errors may not mainly because the clients were directed to some Facebook/Dropbox/Twitter servers. This is because clients in China could not even complete a TCP handshake to the port 443 of these injected IPs in the first place.

As mentioned in Section 3.2, we test the reachability of the 216 injected IPs from our VPS in China and the United States by initiating TCP handshakes on port 80 and port 443. Specifically, we perform this experiment daily for 7 days (from April 17, 2020 to April 23, 2020) and each days results looked similar.

The result, summarized in Figure 3, shows only 0.4% of these IP-port pairs were ever observed to be reachable from China.

You may find the following code and data helpful:

• Injected IPs before and after November 19, 2020
• Original code and data for reachability test

from bbs.

OK, these reports may come users with partial circumvention where they can reach the injected IPs but nonetheless are affected by DNS pollution for some reasons. As is quantified in your data, this should be an uncommon case.

from bbs.

There is more than one DNS injector

I think these could be independently developed projects with different design goals. Maybe some of these are outsourced to contractors.

This is a very reasonable hypothesis.

Being independent allows them not fail simultaneously.

It makes sense that the censor tries to avoid single point failure. One evidence that supports your hypothesis is that we indeed observed some injectors were halting for a short period of time, but we never observed all three injectors halted at the same time.

Specifically, as introduced in the Halting interval of injectors paragraph, we discover that while Injector 2 has been working consecutively, Injector 1 and Injector 3 occasionally stopped working for a few hours. All of these occasionally happened halts lasted less than 6 hours and most of them happened during work hours in China.

from bbs.

OK, these reports may come users with partial circumvention where they can reach the injected IPs but nonetheless are affected by DNS pollution for some reasons.

Oh, it definitely makes sense then! These cases are not uncommon in many circumvention scenarios.

from bbs.

we discover that while Injector 2 has been working consecutively, Injector 1 and Injector 3 occasionally stopped working for a few hours. All of these occasionally happened halts lasted less than 6 hours and most of them happened during work hours in China.

This is a more vivid picture. I imagine the three injectors are maintained by three different contractors independently and this allows they to rotate shifts and improve reliability at the project management level.

from bbs.

Sorry, to add one more. Certificate errors are very common in this sense: A common setup uses domain-based traffic routing to improve performance so domestic traffic is direct and not routed through circumvention. Facebook, Twitter, et al are always in the circumvention routing lists. And whenever a domain (especially CDN domains) is blocked but not updated to the routing list, it will be resolved directly and incorrectly to Facebook's IPs and then have certificate errors via circumvention, which are confusing because users will perceive this as errors on the CDN side.

from bbs.

And whenever a domain (especially CDN domains) is blocked but not updated to the routing list,

Yes, we agreed this could happen quiet often, especially nowadays when one of the most popular routing list is less actively maintained.

from bbs.