CAFAI Liens en Vrac 06/02/2015
This is well-known, for many years, that the chinese governement censors the Internet via several means, including DNS lies. For a long time, these DNS lies have been generated by the netwok itself: when a DNS query for a censored name is seen, an active censorship device generates a lie and sends a reply with the wrong IP address. A few weeks ago, there have been a change in this system: the IP addresses returned by the Great FireWall are more often actual addresses used by real machines, which suddently have to sustain a big traffic from China.

This technique have been studied and documented in several papers such as "The Great DNS Wall of China" or "Source code to identify the fake DNS packets from China". Basically, every DNS request in a chinese network, whatever the destination IP address, is examined and, if the qname (Query Name) in it matches a predefined list of censored domains, a fake reply is generated and sent to the requester. The bad consequences of this technique outside of China have been described in articles like "Accidentally Importing Censorship or "China censorship leaks outside Great Firewall via root server": since the censorship system acts whatever the destination IP address is, if one of your DNS packets happen to goes through China, you will be subjected to chinese censorship.
(Permalink)