Turkish ISPs Intercepting Google Public DNS
by Karl Bode 04:29PM Monday Mar 31 2014
As we've been discussing, the Turkish government has been attempting to block numerous social media websites, both to paint these services as negative outside influences that erode family values (read: political brownie points) and to stifle discussion and debate. In response, most Internet users in Turkey have turned to alternative DNS providers to circumvent some of the bans (though some are based on IP ranges).

According to a Google blog post, Turkish ISPs are battling this by intercepting Google's own DNS services:
quote:
We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers)...imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service.


PhoenixDown
FIOS is Awesome
Premium
join:2003-06-08
Fresh Meadows, NY
kudos:1

1 recommendation

That's why the US should cede control of the Internet to the UN...

... or perhaps not.

Ano

@comcast.net

Doesn't that go against the rules for being allowed to have IP's?

I am too lazy to go read into it more but doesn't part of ISP's being provided public addresses from ARIN, which are required to get online, is them agreeing to only use addresses to which they are authorized/assigned to?

The only way they could intercept Google DNS request (because they are IP specific) is if they are spoofing or actually assigning the Google DNS server IP's on the ISP network for other devices, which would thus violate ARIN (or whatever version of Arin in said countries).

Otherwise ISP's would just have a mess etc.

It's funny. The web should be open and free.
If people don't like what they see don't look at it.
Next countries and government will restrict how much air we are allowed to have in a day...

The internet is always going to exist and continue to grow, as you can tell you can try but you can't stop people going around it. The only way to do that is remove any connections to the rest of the world, at which point, you are no longer the internet but basically a big Intranet.

I hope the people of the country use OpenDNS with DNSCrypt or other providers that support DNSCrypt. They can't just intercept that because certificate/keys are used not to mention it's encrypted. hah

»dnscrypt.org/

whiteyonenh

join:2004-08-09
Keene, NH

2 edits

Re: Doesn't that go against the rules for being allowed to have IP's?

said by Ano :

...The only way they could intercept Google DNS request (because they are IP specific) is if they are spoofing or actually assigning the Google DNS server IP's on the ISP network for other devices, which would thus violate ARIN (or whatever version of Arin in said countries).

Not necessarily, just about any Linux-based router can do this with dnsmasq; intercepting port 53 on UDP is trivial to do, and many public wifi hotspots already do this. The fact that it's being used by Turkish ISPs/government for censorship is also not surprising.

Edit: The part about dnscrypt, *may* work, as long as they haven't explicitly blocked any/all known publicly available dnscrypt servers.

Edit2: If you think you're safe on public wifi because you're "using https", you'd be wrong »www.thoughtcrime.org/software/sslstrip/ (Always, ALWAYS VPN WHEN POSSIBLE, to an endpoint that YOU or SOMEONE YOU TRUST controls, or don't use public wifi.)

battleop

join:2005-09-28
00000

Re: Doesn't that go against the rules for being allowed to have IP's?

The ISP can pretty much pull anything off they want with ease using the same methods a hacker would except they would not have to break into anything to do it. They could easily bring up their own DNS servers and announce 8.8.8.0/24 into their routing table and point 8.8.8.8 to that DNS server they control.

There are dozens of ways to implement this. When you control the network you can easily do what you want.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.
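
A check for the "wrong phone number" behaviour described in the article and in the two posts above, as an added example that is not part of the thread: parse the A records from a plain UDP answer and compare them with a reference answer. It assumes the reference was fetched over an authenticated channel (DNSCrypt or a VPN, as the thread mentions); the name and addresses are constructed.

```python
import socket
import struct

def make_response(name, ips, txid=0x1A2B):
    """Build a constructed DNS response with A records (sample data only)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = qname + b"\x00" + struct.pack(">HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + question + answers

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:   # compression pointer: 2 bytes, ends name
            return off + 2
        if length == 0:               # root label terminates the name
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """Extract the set of IPv4 addresses from the answer section."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def compare(name, plain_msg, reference_msg):
    """Flag a name whose plain-UDP answer shares nothing with the reference."""
    plain, ref = parse_a_records(plain_msg), parse_a_records(reference_msg)
    return {"name": name, "plain": sorted(plain), "reference": sorted(ref),
            "suspect": bool(ref) and plain.isdisjoint(ref)}

# Constructed samples (documentation addresses, hypothetical name).
REFERENCE = make_response("blocked.example", ["192.0.2.10", "192.0.2.11"])
PLAIN_OK = make_response("blocked.example", ["192.0.2.11"])
PLAIN_BAD = make_response("blocked.example", ["198.51.100.53"])
```

Disjoint answers are a signal, not proof: CDNs legitimately return different addresses per vantage point, so check several names before concluding the resolver is being impersonated.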

battleop

join:2005-09-28
00000
The internet is rather fragile when it comes to this kind of stuff. I've not suffered this on my network but I know that something like a rouge BGP announcement can cause a lot of collateral damage.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC

Re: Doesn't that go against the rules for being allowed to have IP's?

said by battleop:

I know that something like a rouge BGP announcement can cause a lot of collateral damage.

The best way to control a rouge BGP announcement is to write the operator a blanc cheque!
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

pclover

join:2008-08-02
Santa Cruz, CA
A rouge BGP announcement shouldn't happen but it does.

Look at the YouTube BGP incident in 2008.

Your peers should have proper filters that filter bad stuff out, such as advertising a prefix that you don't own.

battleop

join:2005-09-28
00000

Re: Doesn't that go against the rules for being allowed to have IP's?

It seems that once you get outside of the 1st world networks proper filtering seems to be overrated.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

pclover

join:2008-08-02
Santa Cruz, CA

1 recommendation

FWIW ARIN is the RIR for North America.

AFAIK Turkey falls under RIPE NCC.

Anonymous_
Anonymous
Premium
join:2004-06-21
127.0.0.1
kudos:2
Reviews:
·Time Warner Cable

1 recommendation

said by Ano :

I am too lazy to go read into it more but doesn't part of ISP's being provided public addresses from ARIN, which are required to get online, is them agreeing to only use addresses to which they are authorized/assigned to?

The only way they could intercept Google DNS request (because they are IP specific) is if they are spoofing or actually assigning the Google DNS server IP's on the ISP network for other devices, which would thus violate ARIN (or whatever version of Arin in said countries).

Otherwise ISP's would just have a mess etc.

It's funny. The web should be open and free.
If people don't like what they see don't look at it.
Next countries and government will restrict how much air we are allowed to have in a day...

The internet is always going to exist and continue to grow, as you can tell you can try but you can't stop people going around it. The only way to do that is remove any connections to the rest of the world, at which point, you are no longer the internet but basically a big Intranet.

I hope the people of the country use OpenDNS with DNSCrypt or other providers that support DNSCrypt. They can't just intercept that because certificate/keys are used not to mention it's encrypted. hah

»dnscrypt.org/

yes we should just ban countries from the internet that overly censor it and send them back to the stone age
--
Live Free or Die Hard...

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4

1 recommendation

Google should drop Turkey in retaliation


Just wipe Turkey off the internet search map..... hotels, businesses, airlines, exporters......

openbox9
Premium
join:2004-01-26
Germany
kudos:2

1 recommendation

Re: Google should drop Turkey in retaliation

Do no evil? Two wrongs do not make a right.

Chubbysumo

join:2009-12-01
Superior, WI

Re: Google should drop Turkey in retaliation

no, but three rights make a left!

kaila

join:2000-10-11
Lincolnshire, IL

Let them try.....

The internet was created to route around damage. As much as they try, those bits are going to find a way in/out.