[Dnsmasq-discuss] Ignore certain returned DNS response?

Nicholas Weaver nweaver at gmail.com
Thu Oct 9 16:28:26 BST 2014

On Oct 9, 2014, at 7:48 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:

> On 08/10/14 13:13, Glen Huang wrote:
>> Is it possible to ask dnsmasq to ignore DNS responses whose records
>> match a certain list of ip, and keep waiting for another response?
>> The rational behind this is that in China, when querying a domain
>> like youtube.com or twitter.com, a fake ip is quickly returned,
>> fooling dnsmasq to discard the genuine response that comes after it.
>> Luckily the returned fake ips are of a limited set. So it’s
>> relatively easy to distinguish such bogus responses.

People have been doing this in small numbers in other systems for a while: All you want to know (and then some) about the Great Firewall's DNS injector is here:


"Towards a Comprehensive Picture of the Great Firewall’s DNS Censorship", by Anonymous.

> Sigh. Now if Twitter and Youtube did DNSSEC signatures, such silly games
> would no longer be possible.

Unfortunately not true in many cases:  In order for DNSSEC to handle packet injection, the resolver MUST keep accepting replies until it gets one which validates DNSSEC completely, which can get rather messy rather quickly.

And its not like this actually stops the censor if it gets widely deployed: the censor can instead recognize the TLS certificates for Facebook, Youtube, etc, and packet inject a RST on those connections.

Nicholas Weaver                  it is a tale, told by an idiot,
nweaver at icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20141009/7a82aa8d/attachment.sig>

More information about the Dnsmasq-discuss mailing list