[dns-operations] Google DNS in mainland .cn

[Matthäus Wander]

John Kristoff wrote on 2017-01-21 21:30:
> I'm interested in the current state of access (DNS client queries)
> to Google DNS resolvers (8.8.8.8, 8.8.4.4 and IPv6 equivalent) from
> within mainland China.  Particularly availability and trustworthiness.
> Keyword triggering by the GFW is not a big concern, but the just idea
> that something may be tampered with is not reassuring.

Current practice of the GFW is (was?) to let all DNS queries pass, and
to inject additional spoofed responses for blacklisted domain names.
Spoofed responses race with genuine responses, but will arrive first
because the GFW is topologically closer to the query sender than the
authoritative server. To my knowledge, DNS messages are neither dropped
nor altered.

> I'm considering whether it would be OK to utilize a traditional
> resolv.conf that points to Google DNS for some systems or if I should
> just start getting used to implementing something like dnscrypt or DNS
> over TLS to try avoid potential problems.

If keyword triggering is not a concern, Google DNS is an option. Even
better: set up a local validating resolver, as this beats the GFW at
least for signed domains.

However, expect that the GFW technology will change in the future, if it
hasn't already (my knowledge is based on experiments from 2013/2014). It
might be wise to set up a monitoring system to warn about future outages.

The GFW aims to censor the masses of mainlanders. Tunneling solutions
should work in general, if they aren't advertised within China as
censorship circumvention tools. Tor IP addresses are probably blocked,
but TLS or VPN to your home university should be fine.

Regards,
Matt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5523 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170122/1d6e3df5/attachment.bin>