中国DNS污染通过根服务器影响全世界

Ars Technica报道，据IETF DNS operations邮件列表的讨论， 一位来自智利域名注册商的技术人员周三称，他们在DNS根服务器“i.root-servers.net”的一个节点上观察到了奇怪的响应行为，当用户查 询facebook.com、youtube.com和 twitter.com等域名时，返回的是虚假的IP地址，没有转到.com。正常情况下，DNS根服务器只会提供一个正确的顶级域名服务器指示，在此例 中用户查询的.com顶级域名服务器由美国弗吉尼亚州的VeriSign公司运行。他们根据路由追踪发现这个节点位于中国。i.root- servers.net的一位工作人员表示正对此展开调查。很多人指出中国根服务器DNS污染已经发生过多次，而一位自称管理根服务器中国镜像的 ICANN机构的人员声明，ICANN与此事无关。

On Wednesday, someone from the Chilean domain registry .cl noticed that one of the DNS root servers was responding in a very strange way to queries for domain names like facebook.com, youtube.com, and twitter.com. Normally, root servers only provide a pointer to the correct set of Top Level Domain servers—in this case, the .com servers operated by Verisign. But here, the "I" root server responded with (apparently fake) addresses.
It turns out that these queries were answered by a root server residing in China, and China has been applying this type of creativity to DNS queries since at least 2002. So this is just your basic Internet censoring, nothing to see here, move along. (Can we interest you in some DNS security?)
In this case, however, the ways in which the network of root servers is operated and the DNS protocol works interact in a way that can create problems outside China. The problem with the root servers is that they're "anycasted." The number of root servers is limited to not much more than the current 13 (A through M) because more wouldn't fit into a single DNS packet without additional measures. So rather than add more root servers with their own addresses, most root server addresses are actually used by multiple servers around the world. The routing system delivers queries to the nearest server so answers come back quickly, and attackers only get to send packets to root servers in their own region, limiting the scope of any attacks. This means that if the routing system considers an instance of a root server in China close by, routers will send the request to China. Regular users have very little control over these routing decisions.
To add insult to injury, the queries to root servers contain the full DNS name that the user is looking for, even though root servers by their nature only respond to the .com, .net, .fr, or .cl part of a DNS name. It's a bit like putting your income on the outside of the envelope containing your tax return and trusting the postal service to ignore it.
Very likely, ISPs will soon start blocking routing updates announcing reachability to anycasted root servers coming from China, so DNS requests will be forwarded to non-Chinese instances of root servers. Note however, that these spoofed results are unlikely to create much trouble, even for users who consistently receive them. And this is unlikely for anyone outside China, because only a few root server instances are deployed in the People's Republic. In any event, normally, the pointers to the .com servers will already be cached by a local DNS server, so the query is sent directly to a .com server rather than to a root server first.