MA: Breaching Digital Borders: Analysis and Circumvention of DNS Censorship

Abstract:

Internet censorship in countries such as China has become more sophisticated over the last few years. It is used to restrict access to public information or to shape a country's culture. One way to censor internet traffic is to manipulate DNS messages; analyzing and circumventing this manipulation is an integral part of internet censorship research. DNS messages are normally transmitted in cleartext, so the requested domain is leaked. This allows states to monitor requested domains and to manipulate the response or inject forged responses. In this thesis, we analyze and evaluate possible circumvention techniques for DNS censorship in China. From these results, we implemented a command-line tool called DNSCensorBreaker, which automatically bypasses DNS censorship in China. Further, we analyze DNS censorship in Iran, Russia, and Indonesia: we manually analyze the censorship and automatically scan one million domains for DNS manipulation. Additionally, we evaluate whether encrypted DNS is a viable countermeasure in these countries.

We evaluated four working circumvention techniques that bypass the DNS censorship of the Great Firewall of China (GFW); three of them are implemented in DNSCensorBreaker. The first method, proposed by Hoang et al. in 2021, detects and discards injected responses [31]. The second uses encrypted DNS to prevent monitoring of the requested domain. The third fragments the DNS query at the TCP layer, which prevents inspection of the packet. The last sends the DNS query over a port other than the standard port 53. To the best of our knowledge, we found a new censorship behavior in Iran: it injects IP addresses that belong to the domain but are fixed across all related domains. Further, we could fingerprint and identify Iran's censorship behavior, which normally injects two IPs that lead to a block page. Our scan shows that Iran most often blocks websites related to pornography, gambling, and provocative attire. Unfortunately, we could not confirm DNS censorship from our vantage point in Russia: we detected no DNS manipulation either at the vantage point itself or at any DNS resolver located in Russia. In Indonesia, we identified DNS censorship on two DNS resolvers and confirmed that it is implemented on the resolvers rather than at the ISP level. The domain is censored with a CNAME record pointing to a block page. Like Iran, Indonesia most often blocks pornographic and gambling-related websites. Overall, DNS censorship is widely implemented, but with significant differences between countries; encrypted DNS, however, proved effective everywhere we tested. These findings are only a snapshot of the current implementations and should be monitored in the future.
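The two manipulation fingerprints the abstract describes (a forged response that injects fixed IP addresses alongside the legitimate one, and a resolver that answers with a CNAME pointing to a block page) can be recognized by inspecting the DNS responses collected for one query. The following Python script is an added example, not code from the thesis or from DNSCensorBreaker: it parses raw DNS response messages with the standard library, then applies an assumed detection heuristic (answer IP in a constructed list of known-forged addresses, CNAME to a constructed block-page host, and more than one response per transaction ID). The forged IPs, the block-page hostname and all sample messages are constructed for the demo.

```python
"""Detect injection fingerprints in DNS responses (added example, not thesis code)."""
import struct
from dataclasses import dataclass, field

A, CNAME = 1, 5                                   # record types handled below
KNOWN_FORGED_IPS = {"203.0.113.7", "203.0.113.8"}  # constructed list (TEST-NET-3)
BLOCK_PAGE_HOSTS = {"blockpage.example"}           # constructed placeholder host


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # RFC 1035 compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


@dataclass
class Response:
    tid: int
    qname: str
    answers: list = field(default_factory=list)   # (name, type, ttl, rdata)


def build_response(tid, qname, answers):
    """Construct a DNS response on the wire (used only to make sample data)."""
    hdr = struct.pack("!HHHHHH", tid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", A, 1)     # question: A IN
    for name, rtype, ttl, rdata in answers:
        rd = encode_name(rdata) if rtype == CNAME else bytes(int(x) for x in rdata.split("."))
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return hdr + body


def parse_response(msg: bytes) -> Response:
    """Parse header, skip the question, and collect A/CNAME answers."""
    tid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                       # QTYPE + QCLASS
    resp = Response(tid, qname)
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == CNAME:
            rdata, _ = decode_name(msg, off)
        else:
            rdata = msg[off:off + rdlen].hex()
        off += rdlen
        resp.answers.append((name, rtype, ttl, rdata))
    return resp


def classify(responses):
    """Split responses into kept and discarded (with reasons); also report
    transaction IDs that received more than one response, a signal in itself."""
    kept, discarded, by_tid = [], [], {}
    for r in responses:
        by_tid.setdefault(r.tid, []).append(r)
        reasons = []
        for _name, rtype, _ttl, rdata in r.answers:
            if rtype == A and rdata in KNOWN_FORGED_IPS:
                reasons.append(f"forged-ip:{rdata}")
            if rtype == CNAME and rdata in BLOCK_PAGE_HOSTS:
                reasons.append(f"block-page-cname:{rdata}")
        (discarded if reasons else kept).append((r, reasons) if reasons else r)
    duplicates = {tid: len(rs) for tid, rs in by_tid.items() if len(rs) > 1}
    return kept, discarded, duplicates


def demo():
    """Constructed sample: forged and legitimate replies to query 0x1234, and a
    resolver-side CNAME block for query 0x5678 (all values made up)."""
    wire = [
        build_response(0x1234, "example.com", [("example.com", A, 60, "203.0.113.7")]),
        build_response(0x1234, "example.com", [("example.com", A, 300, "198.51.100.10")]),
        build_response(0x5678, "example.net", [("example.net", CNAME, 300, "blockpage.example"),
                                               ("blockpage.example", A, 300, "192.0.2.1")]),
    ]
    return classify([parse_response(m) for m in wire])


if __name__ == "__main__":
    kept, discarded, dup = demo()
    print("kept:", [(r.qname, r.answers) for r in kept])
    print("discarded:", [(r.qname, why) for r, why in discarded])
    print("multiple responses per query id:", dup)
```

Run it directly to see the legitimate `example.com` answer kept, the two manipulated responses discarded with their reasons, and transaction `0x1234` reported as having received two responses. In a measurement setup the wire messages would come from a socket that keeps reading after the first reply, since the abstract's point is that an injected response can arrive alongside, not instead of, the legitimate one.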