[dns-operations] K-root in CN leaking outside of CN

Magnus Sandberg mem at fallback.netnod.se
Tue Nov 9 08:31:58 UTC 2021

Hi all,

This comment is my personal view and has nothing to do with Netnod or 

My take is that the Great Firewall is a complex thing that acts 
differently depending on the situation or protocol in use.

For DNS/port 53 I see the GFW more as an IDS (Intrusion Detection 
System) listening on traffic and acting in ways we only see the result 
of from time to time. The IDS thing can be anywhere in the network, at 
the borders (probably not), at core locations at ISP networks or close 
to the eyeballs.

For other protocols, like SSH or your favorite VPN, the GFW probably 
acts more as a classic "brick" firewall with an inside and outside 

If the GFW does things with BGP, I don't know.

So, I don't see the Great Firewall as a firewall in the way the word leads us to think. 
I see it as a complex system made of many different parts and sometimes 
we notice it when the "impersonation" affects the wrong "audience".

Because of this complexity (both at the general network level and in the GFW), I 
don't think of local DNS root instances in a way where an instance can 
be "country local".
I don't see Internet routing and BGP as a binary thing at network level. 
Of course the routing decision in a single router has to be "binary" to 
select the next hop, but on a larger scale you can't predict exactly what will 
happen with your outgoing packets, as Liman wrote.

// mem

On 2021-11-09 at 08:23, Davey Song wrote:
> AFAIK, the root server instances in China are not expected to serve queries
> outside of China. They are called local Root instances when they are
> introduced.
> It is true as Liman said no one wishes to inflict problems on clients
> outside China.
> There must be a network error, I think, which allows resolvers outside of
> China to reach it.
> Network errors always happen, so the old issues will happen again. Sad.
> Davey
> On Mon, 8 Nov 2021 at 16:15, Anand Buddhdev <anandb at ripe.net> wrote:
>> Hi Davey, Manu,
>> The server we operate in Guangzhou was indeed reachable from outside
>> China. This is not the intention, of course. On Saturday, when we got
>> notification about this, we withdrew the prefix from the server, and we
>> are communicating with the host to solve this.
>> Many people have already said this, but I'd like to make it clear that
>> the K-root server was NOT emitting false responses for Facebook and
>> WhatsApp. The responses were being modified by something between the
>> server and its clients.
>> Regards,
>> Anand Buddhdev
>> On 08/11/2021 08:45, Davey Song wrote:
>>> If it is urgent, I suggest the K root operator withdraw the route of the
>>> instance in Guangzhou immediately.

