China propose running their own root domain servers


Postby borgs8472 » Mon Jun 18, 2012 12:57 am

https://tools.ietf.org/html/draft-diao-aip-dns-00 via reddit - "Chinese draft RFC proposes hilariously bad DNS extension for nationally split Internet name resolution"

I believe the proposal is akin to split horizon DNS, but rather than having custom resolution for inside your company, you have custom resolution for inside your country.

Obviously China realises that the US and other countries who control the root domain servers are in the privileged position of typically wanting to actually serve up root domain data, rather than presumably how China'd do it, with traffic analysis and censorship.

To take a UK example, if the UK ran its own root domain controllers, all UK domain controllers, e.g. controlled by ISPs, could be affected by UK DNS blocks against the pirate bay, without actually having to actively engage with said UK ISPs like they have to currently.

Now the Americans haven't abused their use of the root DNS servers yet - or have they? Could the amount of queries through to questionable-jihadist-site.com or anti-capitalist-discussion.net statistics be shared with the US government to gauge the activity of websites otherwise outside of their control? The more I think about it, I suspect this is happening.

Let's face it, DNS is getting political. I then read an interesting comment:

Peroxyde wrote: I think the best thing for Internet freedom would be to have root servers in international territory, perhaps governed by the UN. Unfortunately that's pie in the sky thinking, I have my doubts that the Yankees will cede control of the root servers any time soon.

I wonder if an international body would actually be better than the US government? Thoughts please!
borgs8472
Space Pirate
Posts: 1960
Joined: Mon Aug 31, 2009 7:34 pm
Location: London

Re: China propose running their own root domain servers

Postby M2Ys4U » Mon Jun 18, 2012 1:37 am

A lot of the root DNS servers are - physically and operationally - outside of the US.

[Image]

If the US wanted to change the root DNS zone, the people who host the anycast servers could fork the root and there's not much the US could do aside from screw around with the routing system (this isn't as hard as it sounds; Pakistan null routed YouTube for a lot of people around the world not too long ago). However, if they were to do that then it would be pretty obvious. I don't think they could do it on the sly.

Then again, the people in control of the servers could be in a conspiracy with the US.


In addition, the root DNS servers don't actually serve much, if everything is configured correctly.
When you perform a DNS lookup, this is what happens.

; <<>> DiG 9.7.3 <<>> pirateparty.org.uk +trace
;; global options: +cmd
. 381981 IN NS b.root-servers.net.
. 381981 IN NS d.root-servers.net.
. 381981 IN NS g.root-servers.net.
. 381981 IN NS a.root-servers.net.
. 381981 IN NS k.root-servers.net.
. 381981 IN NS f.root-servers.net.
. 381981 IN NS l.root-servers.net.
. 381981 IN NS i.root-servers.net.
. 381981 IN NS m.root-servers.net.
. 381981 IN NS e.root-servers.net.
. 381981 IN NS j.root-servers.net.
. 381981 IN NS c.root-servers.net.
. 381981 IN NS h.root-servers.net.
;; Received 504 bytes from 87.117.198.200#53(87.117.198.200) in 1 ms

uk. 172800 IN NS ns2.nic.uk.
uk. 172800 IN NS ns1.nic.uk.
uk. 172800 IN NS ns7.nic.uk.
uk. 172800 IN NS nsd.nic.uk.
uk. 172800 IN NS nsb.nic.uk.
uk. 172800 IN NS ns6.nic.uk.
uk. 172800 IN NS ns3.nic.uk.
uk. 172800 IN NS ns5.nic.uk.
uk. 172800 IN NS nsa.nic.uk.
uk. 172800 IN NS nsc.nic.uk.
uk. 172800 IN NS ns4.nic.uk.
;; Received 498 bytes from 128.8.10.90#53(d.root-servers.net) in 78 ms

pirateparty.org.uk. 172800 IN NS ns0-vh.tagadab.com.
pirateparty.org.uk. 172800 IN NS ns2-vh.tagadab.com.
pirateparty.org.uk. 172800 IN NS ns1-vh.tagadab.com.
;; Received 110 bytes from 156.154.102.3#53(nsc.nic.uk) in 215 ms

pirateparty.org.uk. 86400 IN A 95.172.29.90
;; Received 52 bytes from 195.8.69.53#53(ns2-vh.tagadab.com) in 2 ms


Basically, your browser contacts a DNS server which - if it has an empty cache - will contact a root server to get the information for the nameservers for the .uk zone. Then it asks one of the servers in the .uk zone what the nameservers are for pirateparty.org.uk. Then it asks one of the nameservers for the domain what IP address the domain resolves to.

So, collecting statistics from the root servers is pointless, all you'll get is statistics for TLDs.

Now, you could then spy on the TLD nameservers, but good DNS resolvers will cache responses from them rendering the numbers off at best and meaningless at worst.
Jack Allnutt - Deputy Campaigns Officer, Member of the Board of Governors and former RAO for North-West England
M2Ys4U
Deputy Campaigns Officer
Posts: 600
Joined: Fri Aug 21, 2009 5:12 am
Location: Manchester
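The following is an added example, not code from the thread or the Pirate Party: it parses a dig +trace transcript in the format quoted above into its referral chain (which server answered, which zone it delegated), and shows what query name each server on the path receives under classic full-QNAME iteration versus QNAME minimisation (RFC 7816), which is the detail the statistics argument depends on. SAMPLE_TRACE is a constructed, abridged copy of the trace in the post.

```python
"""Parse a `dig +trace` transcript into its referral chain."""
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the trace format shown in the post.
SAMPLE_TRACE = """\
; <<>> DiG 9.7.3 <<>> pirateparty.org.uk +trace
;; global options: +cmd
. 381981 IN NS b.root-servers.net.
. 381981 IN NS d.root-servers.net.
;; Received 504 bytes from 87.117.198.200#53(87.117.198.200) in 1 ms

uk. 172800 IN NS ns2.nic.uk.
uk. 172800 IN NS nsc.nic.uk.
;; Received 498 bytes from 128.8.10.90#53(d.root-servers.net) in 78 ms

pirateparty.org.uk. 172800 IN NS ns0-vh.tagadab.com.
;; Received 110 bytes from 156.154.102.3#53(nsc.nic.uk) in 215 ms

pirateparty.org.uk. 86400 IN A 95.172.29.90
;; Received 52 bytes from 195.8.69.53#53(ns2-vh.tagadab.com) in 2 ms
"""

# Footer dig prints after each step: which server (IP and name) answered.
RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\) in \d+ ms$")

@dataclass
class Step:
    owner: str    # zone cut the records describe, or the final name
    rrtype: str   # NS for a referral, A (etc.) for the final answer
    server: str   # host that answered this step
    ip: str
    rdata: list = field(default_factory=list)

def parse_trace(text):
    steps, records = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RECEIVED.match(line)
        if m and records:
            steps.append(Step(records[0][0], records[0][1], m.group(2),
                              m.group(1), [r[2] for r in records]))
            records = []
        elif line and not line.startswith(";"):
            owner, _ttl, _cls, rrtype, rdata = line.split()
            records.append((owner, rrtype, rdata))
    return steps

def qname_seen(steps, full_qname):
    """(server, classic QNAME, minimised QNAME) per step. Classic iteration
    sends the full name to every server; RFC 7816 minimisation sends only
    the next zone cut. Step 0 is dig's priming query (". NS") to the resolver."""
    return [(s.server, "." if s.owner == "." and s.rrtype == "NS" else full_qname,
             s.owner) for s in steps]
```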

Re: China propose running their own root domain servers

Postby borgs8472 » Mon Jun 18, 2012 10:18 am

Hey there

I would have expected you would have known I was aware of all of those points so I'm not sure why you listed them.

First of all, the picture you posted backs up my point about root name servers being located in 'western' countries, effectively putting most of them under the control of the same political alliance - I take the RFC as implying China has a problem with this.

I am fully aware how ISP level caching works so let me demonstrate how you could data mine even correctly configured systems.

Let's say questionable-jihadist-site.sa (Saudi Arabia) is registered in the Saudi TLD. For the sake of this example let's say the 'Q' zone is hosted in a US/western controlled region.

Normal intelligence detects there is a new site on the scene and the powers that be want to know how widespread its use is. They could requisition the logs for the hosts of the 'Q' zone and find out:
* How many unique calls for that 'Q' zone there have been since registration
* The geographical locations of those IPs

They could then use that information to profile whether the site is more likely to be used by would-be jihadists in western countries, vs being used by middle eastern users only.

If they detected western ISPs pulling the DNS zone, they could request further data from those ISPs to the users who had done so and so forth.

Running through this thought experiment, because it can be done, I believe it likely is being done.
borgs8472
Space Pirate
Posts: 1960
Joined: Mon Aug 31, 2009 7:34 pm
Location: London

Re: China propose running their own root domain servers

Postby borgs8472 » Mon Jun 18, 2012 9:00 pm

I missed the fact that the TLD name servers are the ones where new domain traffic can actually be mined, not the root name servers - oh well!
borgs8472
Space Pirate
Posts: 1960
Joined: Mon Aug 31, 2009 7:34 pm
Location: London
