[dns-operations] Interesting DNS blunder in France this morning

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Oct 17 20:37:55 UTC 2016


The French ISPs are bound by law ("décret n° 2015-125 du 5 février
2015"
<https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000030195477&dateTexte=&categorieLien=id>)
to filter out some domain names, the list being prepared by the police
(without judicial check) and sent to the main ISPs. (The list is not
public.) Then, they configure it in their DNS resolvers.

This morning, Orange, the biggest ISP in France, added to the
list... Google and Wikipedia (and a few others).

On the Orange network:

% dig A +short @192.168.10.1 www.google.fr
90.85.16.52

Using another resolver:

% dig A +short @8.8.8.8 www.google.fr
172.217.20.35

The Web site listening at 90.85.16.52 posts a warning that you were
trying to see a terrorist Web site (they test the Host: header so, use
<http://interieur2.eu.org/> to see the message). Luckily, for most
users, the site was overwhelmed by Google+Wikipedia traffic and went
down.

The error was fixed after one hour but the caches of all the home
routers kept it for six hours (the TTL).

Such a mistake already happened in Denmark
<http://www.computerworld.dk/art/214431/koks-hos-dansk-politi-spaerrer-for-8-000-websites>

Here is an example as seen by the RIPE Atlas probes. Some probes live
on a network which is using an alternative DNS resolver but the
majority see the lie:

% atlas-resolve --as 3215 -r 100 www.google.fr
[74.125.24.94] : 1 occurrences
[216.58.208.195] : 2 occurrences
[74.125.206.94] : 2 occurrences
[216.58.210.35] : 2 occurrences
[216.58.210.227] : 3 occurrences
[216.58.211.67] : 3 occurrences
[172.217.16.67] : 2 occurrences
[216.58.213.35] : 1 occurrences
[216.58.211.99] : 2 occurrences
[172.217.18.227] : 2 occurrences
[216.58.204.3] : 1 occurrences
[90.85.16.52] : 75 occurrences
[216.58.208.227] : 2 occurrences
Test #6886264 done at 2016-10-17T08:06:14Z
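
The tally above can be measured rather than eyeballed. The following is an added example, not part of the original message and not code from the atlas-resolve tool: it parses the quoted output and reports what share of probe results contained the block-page address. The function names and the assumption that multiple addresses inside one bracket are space-separated are mine.

```python
import re
from collections import Counter

# Output copied from the atlas-resolve run quoted in the message above.
ATLAS_OUTPUT = """\
[74.125.24.94] : 1 occurrences
[216.58.208.195] : 2 occurrences
[74.125.206.94] : 2 occurrences
[216.58.210.35] : 2 occurrences
[216.58.210.227] : 3 occurrences
[216.58.211.67] : 3 occurrences
[172.217.16.67] : 2 occurrences
[216.58.213.35] : 1 occurrences
[216.58.211.99] : 2 occurrences
[172.217.18.227] : 2 occurrences
[216.58.204.3] : 1 occurrences
[90.85.16.52] : 75 occurrences
[216.58.208.227] : 2 occurrences
"""

# One tally line: "[answer ...] : N occurrences"
LINE = re.compile(r"^\[(?P<answers>[^\]]*)\]\s*:\s*(?P<n>\d+)\s+occurrences?$")

def parse_tally(text):
    """Map each answer set (sorted tuple of strings) to its probe count."""
    tally = Counter()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skips blank lines and the trailing "Test #... done" line
            answers = tuple(sorted(m.group("answers").split()))
            tally[answers] += int(m.group("n"))
    return tally

def share_seeing(tally, address):
    """Fraction of probe results whose answer set contains `address`."""
    total = sum(tally.values())
    hits = sum(n for answers, n in tally.items() if address in answers)
    return hits / total if total else 0.0

def dominant_answers(tally, threshold=0.5):
    """Answer sets returned by more than `threshold` of the results.
    Heuristic only: a name served from one address would also dominate."""
    total = sum(tally.values())
    return [a for a, n in tally.items() if total and n / total > threshold]

if __name__ == "__main__":
    t = parse_tally(ATLAS_OUTPUT)
    print(f"{sum(t.values())} results, "
          f"{share_seeing(t, '90.85.16.52'):.1%} saw 90.85.16.52")
```

Comparing each probe's answer to the single address returned by 8.8.8.8 would not work here: none of the probes that escaped the filter got 172.217.20.35 either, because the legitimate answers vary by location.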