sensitivexvideos..com

GlobalMeasurementofDNSManipulationPaulPearceBenJonesFrankLiRoyaEnsaNickFeamsterNickWeaverVernPaxsonUniversityofCalifornia,BerkeleyPrincetonUniversityInternationalComputerScienceInstitute{pearce,frankli,vern}@cs.
berkeley.
edu{bj6,rensa,feamster}@cs.
princeton.
edunweaver@icsi.
berkeley.
eduAbstractDespitethepervasivenatureofInternetcensorshipandthecontinuousevolutionofhowandwherecensorshipisapplied,measurementsofcensorshipremaincompara-tivelysparse.
Understandingthescope,scale,andevo-lutionofInternetcensorshiprequiresglobalmeasure-ments,performedatregularintervals.
Unfortunately,thestateoftheartreliesontechniquesthat,byandlarge,requireuserstodirectlyparticipateingatheringthesemeasurements,drasticallylimitingtheircoverageandin-hibitingregulardatacollection.
Tofacilitatelarge-scalemeasurementsthatcanllthisgapinunderstanding,wedevelopIris,ascalable,accurate,andethicalmethodtomeasureglobalmanipulationofDNSresolutions.
IrisrevealswidespreadDNSmanipulationofmanydomainnames;ourndingsbothconrmanecdotalorlimitedre-sultsfrompreviousworkandrevealnewpatternsinDNSmanipulation.
1IntroductionAnecdotesandreportsindicatethatInternetcensorshipiswidespread,affectingatleast60countries[29,39].
Despiteitspervasivenature,empiricalInternetmeasure-mentsrevealingthescopeandevolutionofInternetcen-sorshipremainrelativelysparse.
Amorecompleteun-derstandingofInternetcensorshiparoundtheworldre-quiresdiversemeasurementsfromawiderangeofgeo-graphicregionsandISPs,notonlyacrosscountriesbutalsowithinregionsofasinglecountry.
Diversityisim-portantevenwithincountries,becausepoliticaldynam-icscanvaryinternally,andbecausedifferentISPsmayimplementlteringpoliciesdifferently.
Unfortunately,mostmechanismsformeasuringIn-ternetcensorshipcurrentlyrelyonvolunteerswhorunmeasurementsoftwaredeployedontheirownInternet-connecteddevices(e.
g.
,laptops,phones,tablets)[43,49].
Becausethesetoolsrelyonpeopletoinstallsoft-wareandperformmeasurements,itisunlikelythattheycaneverachievethescalerequiredtogathercontinu-ousanddiversemeasurementsaboutInternetcensorship.
PerformingmeasurementsofthescaleandfrequencynecessarytounderstandthescopeandevolutionofIn-ternetcensorshipcallsforfundamentallynewtechniquesthatdonotrequirehumaninvolvementorintervention.
Weaimtodeveloptechniquesthatcanperformwidespread,longitudinalmeasurementsofglobalInter-netmanipulationwithoutrequiringtheparticipationofindividualusersinthecountriesofinterest.
Organiza-tionsmayimplementcensorshipatmanylayersoftheIn-ternetprotocolstack;theymight,forexample,blocktraf-cbasedonIPaddress,ortheymightblockindividualwebrequestsbasedonkeywords.
Recentworkhasde-velopedtechniquestocontinuouslymeasurewidespreadmanipulationatthetransport[23,42]andHTTP[45]lay-ers,yetasignicantgapremainsinourunderstandingofglobalinformationcontrolconcerningthemanipulationoftheInternet'sDomainNameSystem(DNS).
Towardsthisgoal,wedevelopanddeployamethodandsystemtodetect,measure,andcharacterizethemanipulationofDNSresponsesincountriesacrosstheentireworld.
DevelopingatechniquetoaccuratelydetectDNSma-nipulationposesmajorchallenges.
AlthoughpreviousworkhasstudiedinconsistentorotherwiseanomalousDNSresponses[32,34],thesemethodshavefocusedmainlyonidentifyingDNSresponsesthatcouldreectavarietyofunderlyingcauses,includingmiscongura-tions.
Incontrast,ourworkaimstodevelopmethodsforaccuratelyidentifyingDNSmanipulationindicativeofanintenttorestrictuseraccesstocontent.
Toachievehighdetectionaccuracy,werelyonacollectionofmet-ricsthatwebaseontheunderlyingpropertiesofDNSdomains,resolutions,andinfrastructure.
Onesetofdetectionmetricsfocusesonconsistency—intuitively,whenwequeryadomainfromdifferentlo-cations,theIPaddressescontainedinDNSresponsesshouldreecthostingfromeitheracommonserver(i.
e.
,thesameIPaddress)orthesameautonomoussystem.
Anothersetofdetectionmetricsfocusesonindependentveriability,bycomparisontoindependentinformationsuchastheidentityintheTLScerticatefortheweb-sitecorrespondingtothedomain.
Eachofthesemetricsnaturallylendsitselftoexceptions:forexample,queriesfromdifferentlocationsutilizingacontentdistributionnetwork(CDN)willoftenreceivedifferentIPaddresses(andsometimesevendifferentCDNs).
However,wecanuseviolationsofallofthemetricsasastrongindicatorofDNSmanipulation.
Inadditiontoachievingaccurateresults,anothersig-nicantdesignchallengeconcernsethics.
Incontrasttosystemsthatexplicitlyinvolvevolunteersincollectingmeasurements,methodsthatsendDNSqueriesthroughopenDNSresolversdeployedacrosstheInternetraisetheissueofpotentiallyimplicatingthirdpartieswhodidnotinfactagreetoparticipateinthemeasurement.
Using"openresolvers"ispotentiallyproblematic,asmostofthesearenotactualresolversbutinsteadDNSforwardersinhomeroutersandotherdevices[46].
Acensormaymisattributerequestsfromtheseresourcesasindividualcitizensattemptingtoaccesscensoredresources.
Reasoningabouttherisksofimplicatingindividualcitizensrequiresdetailedknowledgeofhowcensorsindifferentcountriesmonitoraccesstocensoredmaterialandhowtheypenalizesuchactions.
Thesepoliciesandbehaviorsmaybecomplex,varyingacrosstime,region,individualsinvolved,andthenatureofthecensoredcon-tent;suchrisksarelikelyintractabletoaccuratelyde-duce.
Tothisend,ourdesigntakesstepstoensurethat,totheextentpossible,weonlyqueryopenDNSresolvershostedinInternetinfrastructure(e.
g.
,withinInternetser-viceprovidersorcloudhostingproviders),inanattempttoeliminateanyuseofresolversorforwardersinthehomenetworksofindividualusers.
ThisstepreducesthesetofDNSresolversthatwecanuseforourmea-surementsfromtensofmillionstoonlyafewthousand.
However,wendthattheresultingcoveragestillsufcestoachieveaglobalviewofDNSmanipulation,and—importantly—inasaferwaythanpreviousstudiesthatexploitopenDNSresolvers.
Ourworkmakesthefollowingcontributions.
First,wedesign,implement,anddeployIris,ascalable,eth-icalsystemformeasuringDNSmanipulation.
Second,wedevelopanalysismetricsfordisambiguatingnaturalvariationinDNSresponsesforadomainfromnefariousmanipulation.
Third,weperformaglobalmeasurementstudythathighlightstheheterogeneityofDNSmanip-ulation,acrosscountries,resolvers,anddomains.
WendthatmanipulationvariesacrossDNSresolversevenwithinasinglecountry.
2RelatedWorkCountry-speciccensorshipstudies.
Inrecentyearsmanyresearchershaveinvestigatedthewhats,hows,andwhysofcensorshipinparticularcountries.
Thesestud-iesoftenspanashortperiodoftimeandreectasinglevantagepointwithinatargetcountry,suchasbyrentingvirtualprivateservers.
Forexample,studieshavespecif-icallyfocusedoncensorshippracticesinChina[55],Iran[7],Pakistan[38],Syria[12],andEgypt[8].
Stud-ieshavealsoexploredtheemploymentofvariouscensor-shipmethods,e.
g.
,injectionoffakeDNSreplies[5,36],blockingofTCP/IPconnections[54],andapplication-levelblocking[19,33,41].
Anumberofstudiessuggestthatcountriessometimeschangetheirblockingpoliciesandmethodsintimessurroundingpoliticalevents.
Forexample,FreedomHousereports15instancesofInter-netshutdowns—wherethegovernmentcutoffaccesstoInternetentirely—in2016alone[29].
Mostofthesewereapparentlyintendedtopreventcitizensfromreachingso-cialmediatospreadunwantedinformation.
Otherstudieshavedemonstratedthatgovernmentcen-sorshipcoversabroadvarietyofservicesandtop-ics,includingvideoportals(e.
g.
,youtube.
com)[51],blogs(e.
g.
,livejournal.
com)[3],andnewssites(e.
g.
,bbc.
com)[9].
Censorsalsotargetcircumventionandanonymitytools;mostfamously,theGreatFirewallofChinahasengagedinadecade-longcat-and-mousegamewithTor[24,53].
Althoughthesestudiesprovideimportantdatapoints,eachreectsasnapshotatasinglepointintimeandthuscannotcaptureongoingtrendsandvariationsincensorshippractices.
Globalcensorshipmeasurementtools.
Severalre-searcheffortsdevelopedplatformstomeasurecensorshipbyrunningexperimentsfromdiversevantagepoints.
Forinstance,CensMon[48]usedPlanetLabnodesindiffer-entcountries,andUBICA[1]aimedtoincreasevantagepointsbyrunningcensorshipmeasurementsoftwareonhomegatewaydevicesanduserdesktops.
Inpractice,asfarasweknow,neitheroftheseframeworksarestillde-ployedandcollectingdata.
TheOpenNetInitiative[39]hasuseditspublicproletorecruitvolunteersaroundtheworldwhohaveperformedone-offmeasurementsfromhomenetworkseachyearforthepasttenyears.
OONI[49]andICLab[30],twoongoingdatacollectionprojects,usevolunteerstorunbothcustomsoftwareandcustomembeddeddevices(suchasRaspberryPis[26]).
Althougheachoftheseframeworkscanperformaex-tensivesetoftests,theyrelyonvolunteerswhorunmea-surementsoftwareontheirInternet-connecteddevices.
Thesehumaninvolvementsmakeitmorechallenging—ifnotimpossible—togathercontinuousanddiversemea-surements.
Pearceetal.
recentlydevelopedAugur,amethodtoperformlongitudinalglobalmeasurementusingTCP/IPsidechannels[42].
AlthoughAugurexaminesasimilarsetofdomainsandcountriesasIris,itfocusesonidenti-fyingIP-baseddisruptionratherthanDNS-basedmanip-ulation.
MeasuringDNSmanipulation.
TheDNSprotocol'slackofauthenticationandintegritycheckingmakesitaprimetargetforattacks.
Jonesetal.
presentedtech-niquesfordetectingunauthorizedDNSrootservers,thoughfoundlittlesuchmanipulationinpractice[32].
Jiangetal.
identiedavulnerabilityinDNScacheup-datepoliciesthatallowsmaliciousdomainstostayinthecacheevenifremovedfromthezonele[31].
SeveralprojectshaveexploredDNSmanipulationus-ingalimitednumberofvantagepoints.
Weaveretal.
ex-ploredDNSmanipulationwithrespecttoDNSredirec-tionforadvertisementpurposes[52].
TheauthorsalsoobservedincidentsinwhichDNSresolversredirectedendhoststomalwaredownloadpages.
Therearemanycountry-specicstudiesthatshowhowdifferentcoun-triesuseavarietyofDNSmanipulationtechniquestoex-erciseInternetcensorship.
Forexample,inIranthegov-ernmentexpectsISPstoconguretheirDNSresolverstoredirectcontentiousdomainstoacensorshippage[7].
InPakistan,ISPsreturnNXDOMAINresponses[38].
InChina,theGreatFirewallinjectsforgedDNSpacketswithseeminglyarbitraryIPaddresses[5].
Thesestudieshoweveralldrewuponasmallorgeographicallylimitedsetofvantagepoints,andforshortperiodsoftime.
Usingopenresolvers.
Anumberofstudieshaveex-ploredDNSmanipulationatalargerscalebyprob-ingtheIPv4addressspacetondopenresolvers.
In2008,Dagonetal.
foundcorruptDNSresolversbyrun-ningmeasurementsusing200,000openresolvers[18];theydonotanalyzetheresultsforpotentialcensor-ship.
Asimilarscanbyanonymousauthors[4]in2012showedevidenceofChineseDNScensorshipaffectingnon-Chinesesystems.
Follow-onworkin2015byK¨uhreretal.
tackledamuchlargerscope:billionsoflookupsfor155domainnamesbymillionsofopenresolvers[34].
Thestudyexaminedabroadrangeofpotentiallytamperedresults,whichinadditiontocensorshipincludedmalware,phish-ing,domainparking,adinjection,captiveportals,searchredirection,andemaildelivery.
TheydetectedDNSma-nipulationbycomparingDNSresponsesfromopenre-solverswithgroundtruthresolutionsgatheredbyquery-ingcontrolresolvers.
Theythenidentiedlegitimateun-manipulatedanswersusinganumberofheuristiclter-ingstages,suchastreatingadifferingresponseaslegit-imateifitsreturnedIPaddresslieswithinthesameASthegroundtruthIPaddress.
Wetriedtousetheirmethodforconductingglobalmeasurementsspecicallyfordetectingcensorship.
However,censorshipdetectionwasnotafocusoftheirwork,andthepaperdoesnotexplicitlydescribethede-tailsofitsdetectionprocess.
Inparticular,otherthanexaminingHTTPpagesfor"blockedbytheorderof.
.
.
"phrasing,thepaperdoesnotpresentadecisionpro-cessfordeterminingwhetheragiveninstanceofappar-entmanipulationreectscensorshiporsomeotherphe-nomenon.
Inaddition,theirmeasurementsleverageopenresolversenmasse,whichraisesethicalconcernsforenduserswhomaybewronglyimplicatedforattemptingtoaccessbannedcontent.
Incontrast,weframeanexplicit,reproduciblemethodforgloballymeasuringDNS-basedmanipulationinanethicallyresponsiblemanner.
In2016,Scottetal.
introducedSatellite[47],asys-temwhichleveragesopenresolverstoidentifyCDNdeploymentsandnetworkinterferenceusingcollectedresolutions.
GivenabipartitegraphlinkingdomainsqueriedwithIPaddressanswerscollectedfromtheopenresolvers,Satelliteidentiesstronglyconnectedcom-ponents,whichrepresentdomainshostedbythesameservers.
UsingmetricsfordomainsimilaritybasedontheoverlapinIPaddressesobservedfortwodomains,SatellitedistinguishesCDNsfromnetworkinterferenceascomponentswithhighlysimilardomains(addition-ally,otherheuristicshelprenethisclassication).
3MethodInthissectionwedescribeIris,ascalable,lightweightsystemtodetectDNSmanipulation.
Webeginbyscop-ingtheproblemspace,identifyingthecapabilitiesandlimitationsofvariousmeasurementbuildingblocks,andstatingourassumptionsaboutthethreatmodel.
Weex-plaintheprocessbywhichweselect(1)whichdomainnamestomeasure,and(2)thevantagepointstomeasurethemfrom,takingintoconsiderationquestionsofethicsandscalability.
Wethendescribe,givenasetofmea-surementvantagepointsandDNSdomainnames,howwecharacterizetheresultsofourmeasurementsandusethemtodrawconclusionsaboutwhetherDNSmanipu-lationistakingplace,basedoneithertheconsistencyortheindependentveriabilityoftheresponsesthatwere-ceive.
Next,weconsiderourtechnicalapproachinlightofexistingethicalnormsandguidelines,andexplainhowvariousdesigndecisionshelpusadheretothoseprinci-plesasmuchaspossible.
Finally,wediscusstheimplicitandtechnicallimitationsofIris.
3.
1OverviewWeaimtoidentifyDNSmanipulation,whichwedeneastheinstanceofaDNSresponseboth(1)havingat-tributes(e.
g.
,IPaddresses,autonomoussystems,webcontent)thatarenotconsistentwithrespecttoawell-denedcontrolset;and(2)returninginformationthatisdemonstrablyincorrectwhencomparedagainstindepen-dentinformationsources(e.
g.
,TLScerticates).
Approach.
DetectingDNSmanipulationisconceptu-allysimple:Atahigh-level,theideaentailsperformingDNSqueriesthroughgeographicallydistributedDNSre-solversandanalyzingtheresponsesforactivitythatsug-geststhattheresponsesforaDNSdomainmightbema-nipulated.
Despiteitsapparentsimplicity,however,real-izingasystemtoscalablycollectDNSdataandanalyzeitformanipulationposesbothethicalandtechnicalchal-lenges.
TheethicalchallengesconcernselectingDNSresolversthatdonotimplicateinnocentcitizens,aswellasensuringthatIrisdoesnotinduceundueloadontheDNSresolutioninfrastructure;§3.
2explainstheethicalguidelinesweusetoreasonaboutdesignchoices.
§3.
3describeshowIrisselectsa"safe"setofopenDNSre-solvers;Thetechnicalchallengescenterarounddevelop-ingsoundmethodsfordetectingmanipulation,whichwedescribein§3.
4and§3.
5.
IdentifyingDNSnamestoquery.
IrisqueriesalistofsensitiveURLscompiledbyCitizenLab[14].
WecallthislisttheCitizenLabBlockList(CLBL).
ThislistofURLsiscompiledbyexpertsbasedonknowncensor-shiparoundtheworld,dividedbycategory.
WedistilltheURLsdowntodomainnamesandusethislistasthebasisofourdataset.
WethensupplementthislistbyaddingadditionaldomainnamesselectedatrandomfromtheAlexaTop10,000[2].
TheseadditionaldomainnameshelpaddressgeographicorcontentbiasesinthetheCLBLwhilenotdrasticallyincreasingthetotalnum-berofqueries.
Assumptionsandfocus.
First,IrisaimstoidentifywidespreadmanipulationatthescaleofInternetserviceprovidersandcountries.
Wecannotidentifymanipu-lationthatistargetedatspecicindividualsorpopula-tionsormanipulationactivitiesthatexploithigh-valueresourcessuchasvalidbutstolencerticates.
Second,wefocusonmanipulationtacticsthatdonotrelyonstealth;weassumethatadversarieswilluseDNSre-solverstomanipulatetheresponsestoDNSqueries.
WeassumethatadversariesdonotreturnIPaddressesthatareincorrectbutwithinthesameIPprexasacorrectanswer[5,7,38].
Finally,whenattributingDNSma-nipulationtoaparticularcountryordependentterritory,werelyonthecountryinformationavailablefromCen-sys[21]supplementedwithMaxMind's[37]datasettomaparesolvertoaspeciccountry(ordependentterri-tory).
3.
2EthicsThedesignofIrisincorporatesmanyconsiderationsre-gardingethics.
OurprimaryethicalconcernistherisksassociatedwiththemeasurementsthatIrisconducts,asissuingDNSqueriesforpotentiallycensoredormanipu-latedDNSdomainsthroughresolversthatwedonotowncouldpotentiallyimplicateotherwiseinnocentusers.
AsecondconcerniswhethertheDNSqueriesthatwegen-erateintroduceunduequeryloadonauthoritativeDNSnameserversfordomainsthatwedonotown.
Withtheseconcernsinmind,weconsidertheethicsofperformingmeasurementswithIris,usingtheethicalguidelinesoftheBelmontReport[10]andMenloReport[20]toframeourdiscussion.
Oneimportantethicalprincipleisrespectforpersons;essentially,thisprinciplestatesthatanexperimentshouldrespecttherightsofhumansasautonomousdecision-makers.
Sometimesthisprincipleismisconstruedasarequirementforinformedconsentforallexperiments.
Inmanycases,however,informedconsentisneitherprac-ticalnornecessary;accordingly,Salganik[44]charac-terizesthisprincipleinsteadas"someconsentformostthings".
InthecaseofIris,obtainingtheconsentofallopenDNSresolveroperatorsisimpractical.
Inlieuofattemptingtoobtaininformedconsent,weturntotheprincipleofbenecence,whichweighsthebenetsofconductinganexperimentagainsttherisksassociatedwiththeexperiment.
Notethatthegoalofbenecenceisnottoeliminaterisk,butmerelytore-duceittotheextentpossible.
Iris'sdesignreliesheavilyonthisprinciple:Specically,wenotethatthebenetofissuingDNSqueriesthroughtensofmillionsofre-solvershasrapidlydiminishingreturns,andthatusingonlyopenresolversthatwecandetermineareunlikelytocorrespondtoindividualusersgreatlyreducestherisktoanyindividualwithoutdramaticallyreducingtheben-etsofourexperiment.
Wenotethatourconsiderationofethicsinthisregardisasignicantdeparturefrompre-viousworkthathasissuedqueriesthroughopenDNSresolverinfrastructurebuthasnotconsideredethics.
Theprincipleofjusticestatesthatthebeneciariesofanexperimentshouldbethesamepopulationthatbearstheriskofthatexperiment.
Onthisfront,weenvi-sionthatthebeneciariesofthekindsofmeasurementsthatwecollectusingIriswillbewide-ranging:design-ersofcircumventiontools,aswellaspolicymakers,re-searchers,andactivistswhoareimprovingcommunica-tionsandconnectivityforcitizensinoppressiveregimesallneedbetterdataabouttheextentandscopeofInternetcensorship.
Inshort,evenintheeventthatsomeentityinacountrythathostsanopenDNSresolvermightbearsomeriskasaresultofthemeasurementsweconduct,weenvisionthatthosesameentitiesmayultimatelybenetfromtheresearch,policy-making,andtooldevelopmentthatIrisfacilitates.
Analguidelineconcernsrespectforlawandpublicinterest,whichessentiallyextendstheprincipleofbenef-icencetoallrelevantstakeholders,notonlytheexperi-mentparticipants.
ThisprincipleisusefulforreasoningabouttheexternalitiesthatourDNSqueriescreatebyin-creasingDNSqueryloadonthenameserversforvariousDNSdomains.
Toabidebythisprinciple,werate-limitourDNSqueriesforeachDNSdomaintoensurethattheownersofthesedomainsdonotfacelargeexpensesasaresultofthequeriesthatweissue.
ThisratelimitisnecessarybecausesomeDNSserviceproviderschargebasedonthepeakornearpeakqueryrate.
3.
3OpenDNSResolversToobtainawiderangeofmeasurementvantagepoints,weuseopenDNSresolversdeployedaroundtheworld;suchresolverswillresolvequeriesforanyclient.
MeasurementusingopenDNSresolversisanethicallycomplexissue.
Previousworkhasidentiedtensofmil-lionsoftheseresolversaroundtheworld[34].
Giventheirprevalenceandglobaldiversity,openresolversareacompellingresource,providingresearcherswithconsid-erablevolumeandreach.
Unfortunately,openresolversalsoposearisknotonlytotheInternetbuttoindividualusers.
Openresolverscanbetheresultofcongurationerrors,frequentlyonend-userdevicessuchashomerouters[34].
Usingthesedevicesformeasurementcanincurmonetarycost,andifthemeasurementinvolvessensitivecontentorhosts,canexposetheownertoharm.
Furthermore,openresolversarealsoacommontoolinvariousonlineattackssuchasDistributedDenial-of-Service(DDoS)amplicationattacks[35].
Despiteef-fortstoreduceboththeprevalenceofopenresolversandtheirpotentialimpact[40],theyremaincommonplace.
Duetotheseandtheethicsconsiderationsthatwedis-cussedin§3.
2,werestrictthesetofopenresolversthatweusetothefewthousandresolversthatwearereason-ablycertainarepartoftheInternetinfrastructure(e.
g.
,belongingtoInternetserviceproviders,onlinecloudhostingproviders),asopposedtoattributabletoanysin-gleindividual.
Figure1illustratestheprocessbywhichIrisndssafeopenDNSresolvers.
Wenowexplainthisprocessinmoredetail.
Conceptually,theprocesscom-prisestwosteps:(1)scanningtheInternetforopenDNSresolvers;or(2)pruningthelistofopenDNSresolversthatweidentifytolimittheresolverstoasetthatwecanreasonablyattributetoInternetinfrastructure.
ByusingDNSresolverswedonotcontrol,wecannotdifferentiatebetweencountry-wideorstate-mandatedcensorshipandlocalizedmanipulation(e.
g.
,captivepor-tals,malware[34])atindividualresolvers.
ThereforeFigure1:OverviewofIris'sDNSresolveridenticationandselectionpipeline.
IrisbeginswithaglobalscanoftheentireIPv4addressspace,followedbyreverseDNSPTRlookupsforallopenresolvers,andnallylteringresolverstoonlyincludeDNSinfrastructure.
wemustaggregateandanalyzeresultsatISPorcoun-tryscale.
Step1:ScanningtheInternet'sIPv4spaceforopenDNSresolvers.
ScanningtheIPv4addressspacepro-videsuswithaglobalperspectiveonallopenresolvers.
Todoso,wedevelopedanextensiontotheZMap[22]networkscannertoenableInternet-wideDNSresolu-tions1.
Thismodulequeriesport53ofallIPv4addresseswitharecursiveDNSArecordquery.
Weuseapurpose-registereddomainnamewecontrolforthesequeriestoensurethereisaknowncorrectanswer.
WeconductmeasurementsandscansfromIPaddresseshavingaPTRrecordidentifyingthemachineasa"researchscanner.
"TheseIPaddressesalsohostawebpageidentifyingouracademicinstitutionandofferingtheabilitytoopt-outofscans.
Fromthesescans,weselectallIPaddressesthatreturnthecorrectanswertothisqueryandclassifythemasopenresolvers.
In§4.
1,weexplorethepopulationofopenDNSresolversthatweuseforourstudy.
Step2:IdentifyingInfrastructureDNSResolvers.
GivenalistofallopenDNSresolversontheInternet,weprunethislisttoincludeonlyDNSresolversthatcanlikelybeattributedtoInternetinfrastructure.
Todoso,weaimtoidentifyopenDNSresolversthatap-peartobeauthoritativenameserversforagivenDNSdomain.
IrisperformsreverseDNSPTRlookupsforallopenresolversandretainsonlytheresolversthathaveavalidPTRrecordbeginningwiththesubdomainns[0-9]+ornameserver[0-9]*.
Thislteringstepreducesthenumberofusableopenresolvers—frommil-lionstothousands—yeteventheremainingsetofopenDNSresolversprovidesbroadcountry-andnetwork-levelcoverage(characterizedfurtherin§4.
1).
UsingPTRrecordstoidentifyinfrastructurecanhave1OurextensionhasbeenacceptedintotheopensourceprojectandtheresultsofourscansareavailableaspartoftheCensys[21]system.
bothfalsenegativesandfalsepositives.
Notallinfras-tructureresolverswillhaveavalidPTRrecord,norwilltheyallbeauthoritativenameservers.
Thesefalsenega-tiveslimitthescopeandscaleofourmeasurement,butarenecessarytoreducerisk.
Similarly,ifauseroper-atedtheirownauthoritativenameserverontheirhomeIPorifaPTRrecordmatchedournamingcriteriabutwasnotauthoritative,ourmethodwouldidentifythatIPasinfrastructure(falsepositives).
3.
4PerformingtheMeasurementsGivenalistofDNSdomainnamestoqueryandaglobalsetofopenDNSresolversfromwhichwecanissuequeries,weneedamechanismthatissuesqueriesforthesedomainstothesetofresolversthatwehaveatourdisposal.
Figure2showsanoverviewofthemeasure-mentprocess.
Atahighlevel,IrisresolveseachDNSdomainusingtheglobalvantagepointsaffordedbytheopenDNSresolvers,annotatestheresponseIPaddresseswithinformationfrombothoutsidedatasetsaswellasadditionalactiveprobing,andusesconsistencyandinde-pendentveriabilitymetricstoidentifymanipulatedre-sponses.
Therestofthissectionoutlinesthismeasure-mentprocessindetail,while§3.
5describeshowweusetheresultsofthesemeasurementstoultimatelyidentifymanipulation.
Step1:PerformingglobalDNSqueries.
IristakesasinputalistofsuitableopenDNSresolvers,aswellasthecombinedCLBLandAlexadomainnames.
Inaddi-tiontotheDNSdomainsthatweareinterestedintesting,weinclude3DNSdomainsthatareunderourcontroltohelpuscomputeourconsistencymetricswhenidentify-ingmanipulation.
QueryingtensofthousandsofdomainsacrosstensofthousandsofresolversrequiredthedevelopmentofanewDNSquerytool,becausenoexistingDNSmeasurementtoolsupportsthisscale.
WeimplementedthistoolinGo[27].
Thetooltakesasinputasetofdomainsandresolvers,andcoordinatesrandomqueryingofeachdo-mainacrosseachresolver.
Thetoolsupportsavarietyofquerytypes,multipleofwhichcanbespeciedperrun,includingA,AAAA,MX,andANY.
Foreach(domain,re-solver)pair,thetoolcraftsarecursiveDNSrequestandsendsittotheresolver.
Therecursivequeryrequeststhattheresolverresolvethedomainandreturntheultimateanswer,loggingallresponses,includingtimeouts.
ThetoolfollowsthesetofresponsestoresolveeachdomaintoanIPaddress.
Forexample,ifaresolverreturnsaCNAME,thetoolthenqueriestheresolverforresolutionofthatCNAME.
Toensureresolversarenotoverloaded,thetoolin-cludesacongurablerate-limit.
Forourexperiments,welimitedqueriestoresolverstoanupperboundof5persecond.
Inpractice,thisratetendstobemuchlowerduetonetworklatencyinbothreachingtheresolver,aswellasthetimeittakestheresolvertoperformthere-cursiveresponse.
Tocopewithspecicresolversthatareunstableortimeoutfrequently,thetoolprovidesacon-gurablefailurethresholdthathaltsaspecicresolver'ssetofmeasurementsshouldtoomanyqueriesfail.
Toensurethedomainswequeryarenotoverloaded,thetoolrandomizestheorderofdomainsandlimitsthenumberofresolversqueriedinparallelsuchthatintheworstcasenodomainexperiencesmorethan1querypersecond,inexpectation.
Step2:AnnotatingDNSresponseswithauxiliaryin-formation.
Ouranalysisultimatelyreliesoncharacter-izingboththeconsistencyandindependentveriabilityoftheDNSresponsesthatwereceive.
ToenablethisclassicationwerstmustgatheradditionaldetailsabouttheIPaddressesthatarereturnedineachoftheDNSre-sponses.
IrisannotateseachIPaddressreturnedinthesetofDNSresponseswithadditionalinformationabouteachIPaddress'sgeolocation,autonomoussystem(AS),port80HTTPresponses,andport443HTTPSX.
509cer-ticates.
WerelyontheCensys[21]datasetforthisaux-iliaryinformation;Censysprovidesdailysnapshotsofthisinformation.
ThisdatasetdoesnotcontaineveryIPaddress;forexample,thedatasetdoesnotincludeIPad-dressesthathavenoopenports,oradversariesmayin-tentionallyreturnIPaddressesthatreturnerrorpagesorareotherwiseunresponsive.
Inthesecases,weannotateallIPaddressesinourdatasetwithASandgeolocationinformationfromtheMaxmindservice[37].
AdditionalPTRandTLSscanning.
ForeachIPad-dress,weperformaDNSPTRlookuptoassistwithsomeofoursubsequentconsistencycharacterization(aprocesswedetailin§3.
5).
Anothercomplicationintheannota-tionexerciserelatestothefactthatinpracticeasingleIPaddressmighthostmanywebsitesviaHTTPorHTTPS(i.
e.
,virtualhosting).
Asaresult,whenCensysretrievescerticatesviaport443(HTTPS)acrosstheentireIPv4addressspace,thecerticatethatCensysretrievesmightdifferfromthecerticatethattheserverwouldreturninresponsetoaqueryviaTLS'sServerNameIndication(SNI)extension.
SuchadiscrepancymightleadIristomischaracterizevirtualhostingasDNSinconsistency.
Tomitigatethiseffect,foreachresultingIPaddressweper-formanadditionalactiveHTTPSconnectionusingSNI,specifyingthenameoriginallyqueried.
Weannotateallresponseswiththisinformation,whichweuseforanswerclassication(examinedfurtherin§5.
1).
3.
5IdentifyingDNSManipulationTodeterminewhetheraDNSresponseismanipulated,Irisreliesontwotypesofmetrics:consistencymetricsFigure2:OverviewofDNSresolution,annotation,ltering,andclassication.
IrisinputsasetofdomainsandDNSresolversandoutputsresultsindicatingmanipulatedDNSresponses.
andindependentveriabilitymetrics.
Wesaythatare-sponseiscorrectifitsatisesanyconsistencyorinde-pendentveriablemetric;otherwise,weclassifythere-sponseasmanipulated.
Inthissection,weoutlineeachclassofmetricsaswellasthespecicfeatureswede-veloptoclassifyanswers.
Therestofthissectiondenesthesemetrics;§5.
1explorestheefcacyofeachofthem.
3.
5.
1ConsistencyAccesstoadomainshouldhavesomeformofconsis-tency,evenwhenaccessedfromvariousglobalvantagepoints.
Thisconsistencymaytaketheformofnetworkproperties,infrastructureattributes,orevencontent.
Weleveragetheseattributes,bothinrelationtocontroldataaswellasacrossthedatasetitself,toclassifyDNSre-sponses.
ConsistencyBaseline:ControlDomainsandRe-solvers.
Centraltoournotionofconsistencyishavingasetofgeographicallydiverseresolverswecontrolthatare(presumably)notsubjecttomanipulation.
Thesecon-trolsgiveusasetofhigh-condencecorrectanswerswecanusetoidentifyconsistencyacrossarangeofIPad-dressproperties.
Geographicdiversityhelpsensurethatarea-specicdeploymentsdonotcausefalse-positives.
Forexample,severaldomainsinourdatasetusediffer-entcontentdistributionnetwork(CDN)hostinginfras-tructureoutsideNorthAmerica.
Aspartofourmeasure-mentsweinsertdomainnameswecontrol,withknowncorrectanswers.
Weusethesedomainstoensureare-solverreliablyreturnsunmanipulatedresultsfornon-sensitivecontent(e.
g.
,notacaptiveportal).
Foreachdomainname,wecreateasetofcon-sistencymetricsbytakingtheunionofeachmetricacrossallofourcontrolresolvers.
Forexample,ifControlAreturnstheanswer192.
168.
0.
10and192.
168.
0.
11andControlBreturns192.
168.
0.
12,wecreateasetofconsistentIPsetof(192.
168.
0.
10,192.
168.
0.
11,192.
168.
0.
12).
Wesaytheansweris"correct"(i.
e.
,notmanip-ulated)if,foreachmetric,theanswerisanon-emptysubsetofthecontrols.
ReturningtoourIPexample,ifaglobalresolverreturnstheanswer(192.
168.
0.
10,192.
168.
0.
12),itisidentiedascorrect.
Whenarequestreturnsmultiplerecords,wecheckallrecordsandconsiderthereplygoodifanyresponsepassestheappropriatetests.
Additionally,unmanipulatedpassiveDNS[6]datacollectedsimultaneouslywithourexperimentsacrossageographicallydiversesetofcountriescouldenhance(orreplace)ourconsistencymetrics.
Unfortunatelywearenotawareofsuchadatasetbeingavailablepublicly.
IPAddress.
ThesimplestconsistencymetricistheIPaddressorIPaddressesthataDNSresponsecontains.
AutonomousSystem/Organization.
Inthecaseofge-ographicallydistributedsitesandservices,suchasthosehostedonCDNs,asingledomainnamemayreturndif-ferentIPaddressesaspartofnormaloperation.
Toat-tempttoaccountforthesediscrepancies,wealsocheckwhetherdifferentIPaddressesforadomainmaptothesameASweseewhenissuingqueriesforthedomainnamethroughourcontrolresolvers.
BecauseasingleASmayhavemultipleASnumbers(ASNs),weconsidertwoIPaddresseswitheitherthesameASNorASorganiza-tionnameasbeingfromthesameAS.
AlthoughmanyresponseswillexhibitASconsistencyevenifindividualIPaddressesdiffer,evendomainswhosequeriesarenotmanipulatedwillsometimesreturninconsistentAS-levelandorganizationalinformationaswell.
Thisinconsis-tencyisespeciallycommonforlargeserviceproviderswhoseinfrastructurespansmultipleregionsandconti-nentsandisoftentheresultofacquisitions.
Toaccountfortheseinconsistencies,weneedadditionalconsistencymetricsathigherlayersoftheprotocolstack(specicallyHTTPandHTTPS),describednext.
HTTPContent.
IfanIPaddressisrunningawebserveronport80,weincludeahashofthecontentreturnedasanadditionalconsistencymetric.
Thesecontenthashescomefromaport80IPaddressCensyscrawl.
Thismetriceffectivelyidentiessiteswithlimiteddynamiccontent.
Asdiscussedin§5.
1,thismetricisalsouse-fulinidentifyingsiteswithdynamiccontentbutsharedinfrastructure.
Forexample,asthesehashesarebasedonHTTPGETfetchesusinganIPaddressastheHostintheheader,thisfetchuniquelyngerprintsandcate-gorizesCDNfailuresordefaulthostpages.
Inanotherexample,muchofGoogle'swebhostinginfrastructurewillreturnthebyte-wiseidenticalredirectionpagetohttp://www.
google.
com/forHTTPGETswithoutavalidGooglehostheader.
TheseidenticalpagesallowustoidentifyGoogleresolutionsascorrectevenforIPaddressesactingasaPoint-of-Presence.
HTTPSCerticate.
WelabelaresponseascorrectifthehashoftheHTTPScerticatepresenteduponconnec-tionmatchesthatofanIPreturnedviaourcontrols.
Notethisisnotanindependentveriabilitymetric,asthecer-ticatesmayormaynotbetrusted,andmaynotevenbecorrectforthedomain.
PTRsforCDNs.
Fromourcontroldata,weclassifydo-mainsashostedonparticularCDNsbasedonPTR,AS,andcerticateinformation.
Weconsideranon-controlresponseasconsistentifthePTRrecordforthatresponsepointstothesameCDN.
3.
5.
2IndependentVeriabilityInadditiontoconsistencymetrics,wealsodeneasetofmetricsthatwecanindependentlyverifyusingexternaldatasources,suchastheHTTPScerticateinfrastruc-ture.
Wedescribethesemethodsbelow.
HTTPSCerticate.
WeconsideraDNSresponsetobecorrect,independentofcontrols,iftheIPaddresspresentsavalid,browser-trustedcerticateforthecor-rectdomainnamewhenqueriedwithoutSNI.
Wefurtherextendthismetrictoallowforcommoncongurationer-rors,suchasreturningcerticatesfor*.
example.
comwhenrequestingexample.
com.
HTTPSCerticatewithSNI.
Weaddanadditionalmetricthatcheckswhetherthecerticatereturnedfromourfollow-upSNI-enabledscansreturnsavalid,browser-trustedcerticateforthecorrectIPaddress.
3.
6LimitationsTofacilitateglobalcoverageinourmeasurements,ourmethodhaslimitationsthatimpactourscopeandlimitourresults.
LocalizedManipulation.
SinceIrisreliesentirelyonopeninfrastructureresolversthatwedonotcontrol,inregionswithfewresolvers,wecannotdifferentiatebe-tweenlocalizedmanipulationbytheresolver'sopera-torandISPorcountry-widemanipulation.
AnalysisofincorrectresultsfocusingonconsistencyacrossISPorcountry,orexaminationofwebpagecontent,couldaidinidentifyinglocalizedmanipulation.
DomainBias.
Fromoursetofinfrastructureresolvers,wemeasuremanipulationoftheCLBLandasubsetofAlexatopsites.
AlthoughtheCLBLisacommunity-basedefforttoidentifysensitivecontentglobally,byitsverynatureitisnotcomplete.
URLsanddomainsaremissing,andsensitivecontentmaychangefasterthanthelistisupdated.
Similarly,thelistmayexhibitgeographicbiasbasedonthelanguageoftheprojectandwhocon-tributestoit.
ThisbiascouldaffecttherelativevolumeandscopeofmanipulationthatIriscandetect.
Evasion.
AlthoughwefocusonmanipulationatISPorcountryscale,anactiveadversarycanstillattempttoevadeourmeasurements.
UpstreamresolverscoulduseEDNSClientSubnet[16]toonlymanipulateresultsforcertaintargetIPranges,orISPresolverscouldchoosetomanipulateonlytheirowncustomers.
Country-widerewallsthatperforminjectioncouldidentifyourscan-ningIPaddressesandeithernotinjectresultsorblockourcommunicationentirely.
AnadversarycouldalsoexploitourconsistencymetricsandinjectincorrectIPaddresseswithinthesameASasthetargets.
GeolocationError.
WerelyonCensys[21]andMax-mind[37]forgeolocationandASlabelingofinfras-tructureresolverstoperformcountryorISP-levelaggre-gation.
Incorrectlabelingwouldidentifycountry-widemanipulationasincomplete(falsenegatives),oridentifymanipulationincountrieswhereitisnotpresent(falsepositives).
4DatasetInthissection,wecharacterizethedatacollectedandhowweprocessedittoobtaintheresultsusedinouranal-ysis.
4.
1OpenResolverSelectionWeinitiallyidentiedalargepoolofopenDNSresolversthroughanInternet-wideZMapscanusingourDNSex-tensiontoZMapinJanuary2017.
Intotal,4.
2millionopenresolversrespondedwithacorrectanswertoourscanqueries.
ThisnumberexcludesresolversthatrepliedwithvalidDNSresponsesbuthadeitheramissingorin-correctIPresolutionforourscan'squerydomain.
ResolverDatasetsTotalResolversNumberCountriesMedian/CountryAllUsable4,197,543232659.
5EthicallyUsable6,5641576.
0ExperimentSet6,0201516.
0Table1:DNSresolverdatasets.
Weidentifyallcorrectlyfunc-tioningopenresolversareacrosstheIPv4addressspace.
Theexperimentsetconsistsofresolversthatpassedadditionalfunc-tionaltestsbeyondourbasicscan.
Notethatthenumberofcountriesincludesdependentterritories.
ResolverDatasetAFASEUNAOCSAAllUsable554952412114EthicallyUsable29424225811ExperimentSet26414124811Table2:Numberofcountries(anddependentterritories)con-tainingusableresolversbycontinent.
AF=Africa,AS=Asia,EU=Europe,NA=NorthAmerica,OC=Oceana/Australia,SA=SouthAmerica.
ThedegreetowhichwecaninvestigateDNSma-nipulationacrossvariouscountriesdependsonthege-ographicdistributionoftheselectedDNSresolvers.
BygeolocatingthisinitialsetofresolversusingCensys[21]andMaxMind[37],weobservedthattheseresolversre-sidein232countriesanddependentterritories2,withamedianof659resolverspercountry.
Duetotheethi-calconsiderationsweoutlinedin§3.
2,werestrictthissetofresolversto6,564infrastructureresolvers,in157countries,againwithamedianof6resolverspercountry.
Finally,weremoveunstableorotherwiseanomalousre-solvers;§4.
3describesthisprocessinmoredetail.
Thislteringreducesthesetofusableresolversto6,020in151countries,withamedianof6resolversineach.
Ta-ble1summarizestheresultingpopulationofresolvers;Table2showsthebreakdownacrosscontinents.
Wealsouse4geographicallydiverseresolversforcontrolledex-periments;the2GooglePublicDNSservers[28],aGer-manopenresolverhostedonAmazonAWS,andare-solverthatwemanageattheUniversityofCalifornia,Berkeley.
4.
2DomainSelectionWeinvestigateDNSmanipulationforbothdomainsknowntobecensoredanddomainsforpopularwebsites.
WebeganwiththeCitizenLabBlockList(CLBL)[14],consistingof1,376sensitivedomains.
Weaugmentthislistwith1,000domainsrandomlyselectedfromtheAlexaTop10,000,aswellas3controldomainsweman-2CountriesanddependentterritoriesaredenedbytheISO3166-1alpha-2codes,thegranularityofMaxmind'scountrygeolocation.
ResponseDatasetsTotalResponsesNumberResolversNumberDomainsAllResponses14,539,1986,5642,330AfterFiltering13,594,6836,0202,303Table3:DNSresponsedatasetbeforeandafterlteringprob-lematicresolvers,domains,andfailedqueries.
agethatshouldnotbemanipulated.
Duetooverlapbe-tweenthetwodomainsets,ourcombineddatasetcon-sistsof2,330domains.
Weexcluded27problematicdo-mainsthatweidentiedthroughourdatacollectionpro-cess,resultinginournalpopulationof2,303domains.
4.
3ResponseFilteringWeissued14.
5millionDNSArecordqueriesforour2,330pre-ltereddomains,across6,564infrastructureandcontrolopenresolversduringa2dayperiodinJan-uary2017.
Weobservedvariouserroneousbehaviorthatrequiredfurtherltering.
Excludingthesedegeneratecasesreducedourdatasetcollectionto13.
5millionre-sponsesacross2,303domainsand6,020resolvers,assummarizedinTable3.
Therestofthissectiondetailsthislteringprocess.
Resolvers.
Wedetectedthat341resolversstoppedre-spondingtoourqueriesduringourexperiment.
Anad-ditional202resolversincorrectlyresolvedourcontroldomainnames,despitepreviouslyansweringcorrectlyduringourInternet-widescans.
Thecommoncauseofthisbehaviorwasratelimiting,asourInternet-widescansqueriedresolversonlyonce,whereasourexperi-mentsnecessitatedrepeatedqueries.
Weidentiedan-otherproblematicresolverthatexhibitedaqueryfail-urerateabove70%duetoaggressiveratelimiting.
Weeliminatedtheseresolversandtheirassociatedqueryre-sponsesfromourdataset,reducingthenumberofvalidresponsesby510K.
Domains.
OurcontrolDNSresolverscouldnotresolve15domainnames.
Weexcludedtheseandtheirasso-ciated90Kqueryresponsesfromourdataset.
Were-movedanother12domainsandtheir72KcorrespondingqueryresponsesastheirDNSresolutionsfailedanauto-matedsanitycheck;resolversacrossnumerouscountriesprovidedthesameincorrectDNSresolutionforeachofthesedomains,andtheIPaddressreturnedwasuniqueperdomain(i.
e.
,notablockpageorlteringappliance).
Wedidnotexpectcensorstoexhibitthisbehavior;asin-glecensorisnotlikelytooperateacrossmultiplecoun-triesorgeographicregions,andmanipulationssuchasblockpagesthatuseasingleIPaddressacrosscountriesshouldalsobespreadacrossmultipledomains.
ThesedomainsdonotsupportHTTPS,andexhibitgeograph-icallyspecicdeployments.
WithincreasedgeographicdiversityofcontrolresolversordeploymentofHTTPSbythesesites,ourconsistencyorveriabilitymetricswouldaccountforthesedomains.
Queries.
Welteredanother256Kqueriesthatreturnedfailureerrorcodes;93.
7%ofallerrorsweretimeoutsandserverfailures.
Timeoutsdenoteconnectionswheretheresolverdidnotrespondtoourquerywithin15seconds.
Serverfailuresindicatewhenaresolvercouldnotrecur-sivelyresolveadomainwithinitsownpre-conguredtimeallotment(10secondsbydefaultinBIND).
Table4providesadetailedbreakdownoferrorresponses.
FailureTypeCount%ofResponsesTimeout140,5510.
97%ServerFail107,8260.
74%ConnRefused7,8230.
05%ConnError3,6860.
03%Truncated3,4510.
02%NXDOMAIN1,7130.
01%Table4:Breakdownofthe265,050DNSresponsesthatre-turnedanon-successerrorcode.
ReturninganNXDOMAINresponsecode[38],whichinformsaclientthatadomaindoesnotexist,isanob-viouspotentialDNScensorshipmechanism.
Unfortu-nately,someCDNsreturnthiserrorinnormalopera-tions,presumablyduetoratelimitingorclientcongu-rationsettings.
WefoundthatthemostprevalentNXbe-havioroccurredinthecountriesofTongaandPakistan;bothcountriesexhibitedcensorshipofmultiplecontenttypes,includingadultandLGBT.
PreviousstudieshaveobservedNXDOMAINblockinginPakistan[38].
TheseinstancescompriseasmallpercentageofoverallNX-DOMAINresponses.
Giventhemanynon-censorshipNXDOMAINresponsesandtherelativeinfrequencyoftheiruseforcensorship,weexcludethesefromouranal-ysis.
Another72KresponseshadaSUCCESSresponsecode,butcontainednoIPaddressintheresponse.
ThisfailuremodefrequentlycoincidewithCNAMEresponsesthatcouldnotberesolvedfurther.
Weexcludedthesequeries.
Table5providesageographicbreakdownofNXDOMAINresponses.
Afterremovingproblematicresolvers,domains,andfailedqueries,thedatasetcomprisesof13,594,683DNSresponses.
Byapplyingourconsistencyandindepen-dentveriabilitymetrics,weidentify41,778responses(0.
31%)asmanipulated,spreadacross58countries(anddependentterritories)and1,408domains.
Country%NXDOMAINTonga2.
93%Pakistan0.
37%Bosnia/Herzegovina0.
12%IsleofMan0.
04%CapeVerde0.
04%Table5:Thetop5countries/dependentterritoriesbytheper-centofqueriesthatrespondedwithNXDOMAIN.
Figure3:Theabilityofeachcorrectnessmetrictoclassifyre-sponsesascorrect.
Tableisordered(toptobottom,lefttoright)bythelinesonthegraph(lefttoright).
5ResultsWenowevaluatetheeffectivenessofourDNSmanipula-tionmetricsandexploremanipulatedDNSresponsesinthecontextofInternetcensorship.
5.
1EvaluatingManipulationMetricsToassesstheeffectivenessoftheconsistencyandinde-pendentveriabilitymetrics,wequantifytheabilityofeachmetrictoidentifyunmanipulatedresponses(toex-cludefromfurtherinvestigation).
Figure3showseachmetric'sefcacy.
Thehorizontalaxisrepresentsthefrac-tionofresponsesfromaparticularresolverthatareclas-siedascorrectbyagivenmetric.
Theverticalaxisindi-catesthenumberofresolversthatexhibitthatsamefrac-tionofcorrectresponses(againunderthegivenmetric).
Forexample,almost6,000resolvershadroughly8%oftheirresponsesidentiedascorrectunderthe"SameCDN"metric.
Anarrowbandindicatesthatmanyre-solversexhibitsimilarfractionsofcorrectresponsesun-derthatmetric(i.
e.
,itismorestable).
Thecloserthecen-termassofahistogramliesto1.
0,themoreeffectiveitscorrespondingmetric,sincealargerfractionofresponsesareclassiedascorrect(i.
e.
,notmanipulation)usingthatmetric.
Figure4:Thefractionofresponsesmanipulated,perresolver.
For89%ofresolvers,weobservednomanipulation.
TheASconsistencymetric("SameAS")isthemosteffective:itclassied90%oftheDNSresponsesascon-sistent.
Similarly,identifyingmatchingIPaddressesbe-tweenresponsesfromourcontrolresolversandourex-perimentresolversaggedabout80%ofresponsesascorrectacrossmostresolvers.
"SameHTTPPage"isalsorelativelyeffective,asmanygeographicallydistributeddeploymentsofthesamesite(suchaswithPoints-of-Presence)haveeitheridenticalcontentorinfrastructureerrorcharacteristics(see§3.
5.
1).
Thisgurealsoillus-tratestheimportanceofSNI,increasingtheeffective-nessofcorrectandvalidHTTPScerticatesfrom38%to55%.
ThesameHTTPScerticate("SameCert")metricturnsouttobemoreeffectivethansimplyhavingacor-rectcerticate("CorrectCert"),becausesomanysitesincorrectlydeployHTTPS.
5.
2ManipulatedDNSResponsesWedetectnearly42,000manipulatedDNSresponses;wenowinvestigatethedistributionoftheseresponsesacrossresolvers,domains,andcountries.
Manipulatedresponsesbyresolver.
Figure4showsthecumulativefractionofresultsthatreturnatleastacer-tainfractionofmanipulatedresponses:88%ofresolversexhibitednomanipulation;for96%ofresolvers,weob-servemanipulationforfewerthan5%ofresponses.
ThemodesintheCDFhighlightdifferencesbetweenresolversubpopulations,whichuponfurtherinvestigationwedis-coveredreecteddifferingmanipulationpracticesacrosscountries.
Additionally,62%ofdomainsaremanipu-latedbyatleastoneresolver,whichisexpectedgiventhatmorethanhalfofourselecteddomainsaresensitivesitesontheCLBL.
Weexplorethesevariationsinmoredetaillaterinthissection.
Country(#Res.
)MedianMeanMaxMinIran(122)6.
02%5.
99%22.
41%0.
00%China(62)5.
22%4.
59%8.
40%0.
00%Indonesia(80)0.
63%2.
81%9.
95%0.
00%Greece(26)0.
28%0.
40%0.
83%0.
00%Mongolia(6)0.
17%0.
18%0.
36%0.
00%Iraq(7)0.
09%1.
67%5.
79%0.
00%Bermuda(2)0.
04%0.
04%0.
09%0.
00%Kazakhstan(14)0.
04%0.
30%3.
90%0.
00%Belarus(18)0.
04%0.
07%0.
30%0.
00%Table6:Top10countriesbymedianpercentofmanipulatedresponsesperresolver.
Weadditionallyprovidethemean,max-imum,andminimumpercentforresolversineachcountry.
Thenumberofresolverspercountryislistedwiththecountryname.
Manipulatedresponsesbycountry.
Previousworkhasobservedthatsomecountriesdeploynation-wideDNScensorshiptechnology[5];therefore,weexpectedtoseegroupsofresolversinthesamecountry,eachmanipu-latingasimilarsetofdomains.
Table6liststhepercentofmanipulatedresponsesperresolver,aggregatedacrossresolversineachcountry.
ResolversinIranexhibitedthehighestdegreeofmanipulation,withamedianof6.
02%manipulatedresponsesperIranianresolver;Chinafol-lowswithamedianvalueof5.
22%.
Theserankingsde-pendonthedomainsinourdomainlist,andmaymerelyreectthattheCLBLcontainedmoredomainsthatarecensoredinthesecountries.
Thetop10countriesshowninTable6allhaveatleastoneresolverthatdoesnotmanipulateanydomains;IPaddressgeolocationinaccuracymaypartiallyexplainthissurprisingnding.
Forexample,uncensoredresolversinHongKongmaybeincorrectlylabeledasChinese.
Ad-ditionally,forcountriesthatdonotdirectlyimplementthetechnicalmanipulationmechanismsbutratherrelyonindividualISPstodoso,theactualmanifestationofma-nipulationmayvaryacrossISPswithinasinglecountry.
Localizedmanipulationbyresolveroperatorsincoun-trieswithfewresolverscouldalsoinuencetheseresults.
§5.
3investigatesthesefactorsfurther.
Figure5showstherepresentationofresponsesinourdatasetbycountry.
Forexample,theleftmostpairofbarsshowsthat,whilelessthan5%ofallresponsesinourdatasetcamefromIranianresolvers,theresponsesthatwereceivedaccountedfornearly40%ofmanipulatedre-sponsesinthedataset.
Similarly,Chineseresolversrep-resented1%ofresponsesinthedatabutcontributedto15%ofthemanipulatedresponses.
Incontrast,30%ofourDNSresponsescamefromresolversintheUnitedStates,butaccountedforonly5%ofcensoredresponses.
Table7showsthebreakdownofthetopmanipulatedFigure5:Thefractionofallresponsesinourdatasetfromeachcountry(blue),andthefractionofallmanipulatedresponsesinourdatasetfromthecorrespondingcountry(red).
responses,bytheIPaddressthatappearsinthemanipu-latedanswer.
Thetoptwospecial-purpose(i.
e.
,private)IPaddressesappearinthemajorityofresponseswithinIran.
ThethirdmostcommonresponseisanOpenDNS(aDNSlteringandsecurityproduct[13])blockpageindicatingadultcontent.
Thefourthmostfrequentre-sponseisanIPaddresshostinganHTTPerrorpageknowntobeusedinTurkeyDNSmanipulation[11].
Privateandspecial-purposeIPv4addressesinma-nipulatedDNSresponses.
Oftheroughly42,000ma-nipulatedDNSresponses,17,806correspondtospecial-purposeIPv4addressesasdenedbyRFC6890[17];theremaining23,972responsescorrespondedtoaddressesinthepublicIPaddressspace.
Table8showstheex-tenttowhichcountriesreturnprivateIPaddressesinresponses,forthetop10countriesrankedbytherela-tiveamountofDNSmanipulationcomparedtothetotalnumberofresultsfromthatcountry.
Forexample,weobservedmoremanipulatedresponsesfromTurkeythanIraq,butIrisusedmoreopenDNSresolversinTurkey,soobservedfrequenciesrequirenormalization.
Here,wenoticethatcountriesthatmanipulateDNStendtoeitherreturnonlyspecial-purposeIPaddressesinmanipulatedresponses(asinthecaseofIran,Iraq,andKuwait)oronlypublicIPaddresses(China).
Figure6presentsthedistributionofobservedpub-licIPaddressesacrossmanipulatedresponsesinourdataset.
ThemostfrequentlyreturnedpublicIPaddress,anOpenDNSblockpage,constitutedalmost15%ofallmanipulatedresponsescontainingpublicIPaddresses.
ThetoptenpublicIPaddressesaccountedfornearly60%ofresponses.
ManyIPanswershavebeenobservedinpreviousstud-iesonChineseDNScensorship[5,25].
TheseaddressesAnswerResultsNamesCategory10.
10.
34.
3612,144140Private10.
10.
34.
344,566776Private146.
112.
61.
1063,495801OpenDNSAdult195.
175.
254.
23,137129HTTPErrorPage93.
46.
8.
891,57188China*118.
97.
116.
271,212155Safe/Filtering243.
185.
187.
391,16788China*127.
0.
0.
1876267Private95.
53.
248.
254566566Resolver'sOwnIP95.
53.
248.
254565565Resolver'sOwnIP8.
7.
198.
4541175China*202.
169.
44.
80379113Safe/Filtering212.
47.
252.
200371371Resolver'sOwnIP212.
47.
254.
200370370Resolver'sOwnIP213.
177.
28.
9035222GamblingBlockpg208.
91.
112.
55349320Blockpg180.
131.
146.
7312145Safe/Filtering203.
98.
7.
6530378China*202.
182.
48.
245302100AdultBlockpg93.
158.
134.
25025886Safe/FilteringTable7:Mostcommonmanipulatedresponsesbyvolume,withmanualclassicationforpublic,non-resolverIPaddresses.
Thecategory"China*"areIPaddressespreviouslyobservedbyFarnanetal.
in2016[25].
areseeminglyarbitrary;theyhostnoservices,notevenafundamentalwebpage.
The10mostfrequentChineseresponsesconstitutedalmost75%ofChineseresponses.
Theremaining25%arespreadoveralongtailofnearly1,000seeminglyarbitrarynon-ChineseIPaddresses.
5.
3ManipulationWithinCountriesFigure7showstheDNSmanipulationofeachdomainbythefractionofresolverswithinacountry,forthe10coun-trieswiththemostnormalizedamountofmanipulation.
Eachpointrepresentsadomain;theverticalaxisrepre-sentsthefractionofresolversinthatcountrythatmanip-ulateit.
Shadingshowsthedensityofpointsforthatpartofthedistribution.
Theplotrevealsseveralinterestingphenomena.
Onegroupofdomainsismanipulatedbyabout80%ofresolversinIran,andanothergroupisma-nipulatedbyfewerthan10%ofresolvers.
Thissecondgroupofdomainsismanipulatedbyasmallerfractionofresolvers,alsoreturningnon-publicIPaddresses.
TheseeffectsareconsistentwithpreviouslynotedblackholingemployedbyDNSmanipulationinfrastructure[7];thisphenomenondeservesfurtherinvestigation.
Similarly,onesetofdomainsinChinaexperiencesmanipulationbyapproximately80%ofresolvers,andanothersetexperiencesmanipulationonlyhalfthetime.
Incontrast,manipulationinGreeceandKuwaitismorehomogeneousacrossresolvers.
Country(#Res.
)%Incor.
%Pub.
Iran(122)6.
02%0.
01%China(62)4.
52%99.
46%Indonesia(80)2.
74%95.
08%Iraq(7)1.
68%1.
49%NewZealand(16)1.
59%100.
00%Turkey(192)0.
84%99.
81%Romania(45)0.
77%100.
00%Kuwait(10)0.
61%0.
00%Greece(26)0.
41%100.
00%Cyprus(5)0.
40%100.
00%Table8:PercentofpublicIPaddressesinmanipulatedre-sponses,bycountry.
Countriesaresortedbyoverallfrequencyofmanipulation.
Figure6:ManipulatedbutpublicIPaddressesinourdataset.
ThehorizontalaxisissortedbythemostcommonIP.
Heterogeneityacrossacountrymaysuggestasitua-tionwheredifferentISPsimplementlteringwithdiffer-entblocklists;itmightalsoindicatevariabilityacrossgeographicregionwithinacountry.
Thefactthatma-nipulationratesvaryevenamongresolversinacertaingroupwithinacountrymayindicateeitherprobabilisticmanipulation,ortheinjectionofmanipulatedresponses(aphenomenonthathasbeendocumentedbefore[5]).
Othermorebenignexplanationsexist,suchascorporaterewalls(whicharecommonintheUnitedStates),orlo-calizedmanipulationbyresolveroperators.
Ceilingsonthepercentofresolverswithinacountryperformingmanipulation,suchasnodomaininChinaexperiencingmanipulationacrossmorethanapproxi-mately85%ofresolvers,suggestIPgeolocationerrorsarecommon.
Figure7:Thefractionofresolverswithinacountrythatma-nipulateeachdomain.
Figure8:Thenumberofcountries(ordependentterritories)thatblockeachdomainwithobservedmanipulatedresponses,sortedbymanipulationprevalence.
5.
4CommonlyManipulatedDomainsCommonlymanipulateddomainsacrosscountries.
Manydomainsexperiencedmanipulationacrossarangeofcountries.
Figure8showsaCDFofthenumberofcountries(ordependentterritories)forwhichatleastoneresolvermanipulatedeachdomain.
30%ofdomainsweremanipulatedinonlyasinglecountry,while70%weremanipulatedin5orfewercountries.
Nodomainwasmanipulatedinmorethan19countries.
Table9highlightsdomainsthatexperiencemanipula-tioninmanycountries(ordependentterritories).
The2mostmanipulateddomainsarebothgamblingwebsites,eachexperiencingcensorshipacross19differentcoun-tries.
DNSresolutionsforpornographicwebsitesaresimilarlymanipulated,accountingforthenext3mostcommonlyaffecteddomains.
Peer-to-peerlesharingRankDomainNameCategory#Cn#Res1*pokerstars.
comGambling192512betway.
comGambling192343pornhub.
comPornography192224youporn.
comPornography191925xvideos.
comPornography191746thepiratebay.
orgP2Psharing182367thepiratebay.
seP2Psharing182178xhamster.
comPornography182009*partypoker.
comGambling1722610beeg.
comPornography1718380torproject.
orgAnon.
&cen.
12159181twitter.
comTwitter9160250*youtube.
comGoogle8165495*citizenlab.
orgFreedomexpr.
4148606www.
google.
comGoogle3561086google.
comGoogle15Table9:Domainnamesmanipulatedinthemostcountries(ordependentterritories),orderedbynumberofcountrieswithmanipulatedresponses.
Domainsbeginningwith*beginwith"www.
".
sitesarealsocommonlytargeted,particularlyThePi-rateBay.
TheTorProject[50]DNSdomainisthemostwidelyinterferedwithdomainamongstanonymityandcensorshiptools,manipulatedacross12countries.
Cit-izenLab[15]alsoexperiencedmanipulationacross4countries.
Wenotethatwww.
google.
comisimpactedacrossmorecountriesthangoogle.
com,unsurprisingsinceallHTTPandHTTPSqueriestogoogle.
comim-mediatelyredirecttowww.
google.
com;forexample,Chinamanipulateswww.
google.
comqueriesbutdisre-gardsthoseforgoogle.
com.
Thisresultunderscorestheneedfordomaindatasetsthatcontaincompletedo-mainsandsubdomains,ratherthansimplysecond-leveldomains.
WealsonotethatcommonlymeasuredsitessuchasTheTorProject,Google,andTwitter,experiencema-nipulationacrosssignicantlyfewercountriesthansomesites.
Suchdisparitypointstotheneedforadiversedo-maindataset.
ChinafocusesitsDNSmanipulationnotjustonadultcontentbutalsomajorEnglishnewsoutlets,suchasnytimes.
com,online.
wsj.
com,andwww.
reuters.
com.
ChinaistheonlycountryobservedtomanipulatetheDNSresponsesforthesedomains;italsocensoredtheChineselanguageWikipediadomain.
Commonlymanipulatedcategories.
Table10showstheprevalenceofmanipulationbyCLBLcategories.
Weconsideracategoryasmanipulatedwithinacountryifanyresolverwithinthatcountrymanipulatesadomainofthatcategory.
DomainsintheAlexaTop10Kexpe-RankDomainCategory#Cn.
#Resolv.
1AlexaTop10k364422Freedomofexpr.
353843P2Plesharing343944Humanrights312885Gambling293776Pornography293427Alcoholanddrugs282748Anon.
&censor.
243039Hatespeech2215810Multimediasharing2129320Google1623434Facebook1017538Twitter9160Table10:Top10domaincategories,orderedbynumberofcountries(ordependentterritories)withmanipulatedanswers.
riencedthemostmanipulation;thesedomainsdidnotappearintheCLBL,whichhighlightstheimportanceofmeasuringbothcuratedlistsfromdomainexpertsaswellasbroadsamplesofpopularwebsites.
Althoughnosingledomainexperiencesmanipulationinmorethan19countries,severalcategoriesexperiencemanipulationinmorethan30countries,indicatingthatwhilebroadcat-egoriesappeartobecommonlytargeted,thespecicdo-mainsmayvarycountrytocountry.
Tostudyhowmanipulatedcategoriesvaryacrosscountries,weanalyzedthefractionofresolverswithineachcountrythatmanipulateaparticularcategory.
Thetopcategoriesvaryextensivelyacrosscountries.
Ta-ble11showsthemostfrequentlymanipulatedcategoriesforthetop10countriesbynormalizedamountsofma-nipulation.
ThetopcategoryofmanipulatedcontentinIran,"provocativeattire,"isnotacategoryacrossanyoftheothertop10countries.
Manipulationofdo-mainsrandomlyselectedfromAlexabutnotintheCLBL("AlexaTop10k")isprevalentacrossnumerouscoun-tries,againreinforcingtheneedfordiversedomaindatasets.
Anonymityandcensorshiptoolsaremanipu-latedextensivelyacross85%ofresolversinChina,butnotacrosstherestofthetop10.
Pornographyandgam-blingsitesaremanipulatedthroughout.
6SummaryInternetcensorshipiswidespread,dynamic,andcontin-uallyevolving;understandingthenatureofcensorshipthusrequirestechniquestoperformcontinuous,large-scalemeasurement.
Unfortunately,thestate-of-the-arttechniquesformeasuringmanipulation—acommoncen-sorshiptechnique—relyonhumanvolunteers,limitingthescaleandfrequencyofmeasurements.
Thisworkin-troducesamethodformeasuringDNSmanipulationonCountryDomainCategory%ofResolv.
IRProvocativeattire90.
98%AlexaTop10k90.
16%Freedomofexpr.
90.
16%CNAlexaTop10k85.
48%Freedomofexpr.
85.
48%Anon.
&censor.
85.
48%IDPornography57.
50%AlexaTop10k56.
25%P2Plesharing52.
50%IQPoliticalBlog57.
14%AlexaTop10k28.
57%Freedomofexpr.
28.
57%NZAlexaTop10k12.
50%Freedomofexpr.
12.
50%P2Plesharing12.
50%TRAlexaTop10k18.
23%Freedomofexpr.
17.
71%Pornography16.
67%ROAlexaTop10k37.
78%Gambling37.
78%Freedomofexpr.
2.
22%KWAlexaTop10k10.
00%Freedomofexpr.
10.
00%P2Plesharing10.
00%GRGambling50.
00%AlexaTop10k46.
15%CYAlexaTop10k40.
00%Gambling40.
00%Table11:Breakdownofthetop3domaincategoriesexperi-encingmanipulation,percountry.
Countriesareorderedbytherelativeamountofmanipulatedresponsesforthatcountry.
BothGreece(GR)andCyprus(CY)onlyexperiencemanipu-latedresponsesacross2categories.
aglobalscalebyusingasvantagepointsopenDNSre-solversthatformpartoftheInternet'sinfrastructure.
Themajorcontributionsofourworkare:(1)Iris:ascalable,ethicalsystemformeasuringDNSmanipula-tion;(2)ananalysistechniquefordisambiguatingnatu-ralvariationinDNSresponses(e.
g.
,duetoCDNs)frommorenefarioustypesofmanipulation;and(3)alarge-scalemeasurementstudythathighlightstheheterogene-ityofDNSmanipulation,acrosscountries,resolvers,anddomains.
Notably,wendthatmanipulationishet-erogeneousacrossDNSresolversevenwithinasinglecountry.
Irissupportsregular,continuousmeasurement,whichwillultimatelyfacilitatetrackingDNSmanipula-tiontrendsastheyevolveovertime;ournextstepistooperationalizesuchmeasurementstofacilitatelongitudi-nalanalysis.
AcknowledgementsTheauthorsaregratefulfortheassistanceandsupportofManosAntonakakis,RandyBush,JedCrandall,ZakirDurumeric,andDavidField.
ThisworkwassupportedinpartbyNationalScienceFoundationAwardsCNS-1237265,CNS-1406041,CNS-1518878,CNS-1518918CNS-1540066andCNS-1602399.
References[1]G.
Aceto,A.
Botta,A.
Pescap`e,N.
Feamster,M.
F.
Awan,T.
Ahmad,andS.
Qaisar.
Monitor-ingInternetCensorshipwithUBICA.
InInterna-tionalWorkshoponTrafcMonitoringandAnaly-sis(TMA),2015.
[2]AlexaTopSites.
http://www.
alexa.
com/topsites.
[3]C.
Anderson,P.
Winter,andRoya.
GlobalNet-workInterferenceDetectionOvertheRIPEAtlasNetwork.
InUSENIXWorkshoponFreeandOpenCommunicationsontheInternet(FOCI),2014.
[4]Anonymous.
TheCollateralDamageofInternetCensorshipbyDNSInjection.
SIGCOMMCom-puterCommunicationReview,42(3):21–27,June2012.
[5]Anonymous.
TowardsaComprehensivePictureoftheGreatFirewall'sDNSCensorship.
InUSENIXWorkshoponFreeandOpenCommunicationsontheInternet(FOCI),2014.
[6]M.
Antonakakis,R.
Perdisci,D.
Dagon,W.
Lee,andN.
Feamster.
BuildingaDynamicReputationSystemforDNS.
InUSENIXSecuritySymposium,2010.
[7]S.
Aryan,H.
Aryan,andJ.
A.
Halderman.
Inter-netCensorshipinIran:AFirstLook.
InUSENIXWorkshoponFreeandOpenCommunicationsontheInternet(FOCI),2013.
[8]M.
BaileyandC.
Labovitz.
CensorshipandCo-optionoftheInternetInfrastructure.
TechnicalRe-portCSE-TR-572-11,UniversityofMichigan,AnnArbor,MI,USA,July2011.
[9]BBC.
BBC'sWebsiteisbeingBlockedacrossChina.
http://www.
bbc.
com/news/world-asia-china-29628356,October2014.
[10]TheBelmontReport-EthicalPrinciplesandGuidelinesfortheProtectionofHumanSub-jectsofResearch.
http://ohsr.
od.
nih.
gov/guidelines/belmont.
html.
[11]S.
Bortzmeyer.
Hijackingthroughroutinginturkey.
https://ripe68.
ripe.
net/presentations/158-bortzmeyer-google-dns-turkey.
pdf.
[12]A.
Chaabane,T.
Chen,M.
Cunche,E.
D.
Cristo-faro,A.
Friedman,andM.
A.
Kaafar.
CensorshipintheWild:AnalyzingInternetFilteringinSyria.
InACMInternetMeasurementConference(IMC),2014.
[13]CiscoOpenDNS.
https://www.
opendns.
com/.
[14]CitizenLab.
BlockTestList.
https://github.
com/citizenlab/test-lists.
[15]CitizenLab.
https://citizenlab.
org.
[16]C.
Contavalli,W.
vanderGaast,D.
C.
Lawrence,andW.
Kumari.
ClientSubnetinDNSQueries.
RFC7871.
[17]M.
Cotton,L.
Vegoda,R.
Bonica,andB.
Haber-man.
Special-PurposeIPAddressRegistries.
RFC6890.
[18]D.
Dagon,N.
Provos,C.
P.
Lee,andW.
Lee.
Cor-ruptedDNSResolutionPaths:TheRiseofaMa-liciousResolutionAuthority.
InNetwork&Dis-tributedSystemSecuritySymposium(NDSS),2008.
[19]J.
Dalek,B.
Haselton,H.
Noman,A.
Senft,M.
Crete-Nishihata,P.
Gill,andR.
J.
Deibert.
AMethodforIdentifyingandConrmingtheUseofURLFilteringProductsforCensorship.
InACMInternetMeasurementConference(IMC),2013.
[20]D.
DittrichandE.
Kenneally.
TheMenloReport:EthicalPrinciplesGuidingInformationandCom-municationTechnologyResearch.
Technicalre-port,U.
S.
DepartmentofHomelandSecurity,Aug2012.
[21]Z.
Durumeric,D.
Adrian,A.
Mirian,M.
Bailey,andJ.
A.
Halderman.
ASearchEngineBackedbyInternet-WideScanning.
InACMConferenceonComputerandCommunicationsSecurity(CCS),2015.
[22]Z.
Durumeric,E.
Wustrow,andJ.
A.
Halderman.
ZMap:FastInternet-WideScanninganditsSecu-rityApplications.
InUSENIXSecuritySymposium,2013.
[23]R.
Ensa,J.
Knockel,G.
Alexander,andJ.
R.
Cran-dall.
DetectingIntentionalPacketDropsontheIn-ternetviaTCP/IPSideChannels.
InPassiveandActiveMeasurementsConference(PAM),2014.
[24]R.
Ensa,P.
Winter,A.
Mueen,andJ.
R.
Crandall.
AnalyzingtheGreatFirewallofChinaOverSpaceandTime.
PrivacyEnhancingTechnologiesSym-posium(PETS),1(1),2015.
[25]O.
Farnan,A.
Darer,andJ.
Wright.
PoisoningtheWell–ExploringtheGreatFirewall'sPoisonedDNSResponses.
InACMWorkshoponPrivacyintheElectronicSociety(WPES),2016.
[26]A.
Filast`oandJ.
Appelbaum.
OONI:OpenObser-vatoryofNetworkInterference.
InUSENIXWork-shoponFreeandOpenCommunicationsontheIn-ternet(FOCI),2012.
[27]TheGoProgrammingLanguage.
https://golang.
org/.
[28]GooglePublicDNS.
https://developers.
google.
com/speed/public-dns/.
[29]F.
House.
FreedomontheNet.
2016.
[30]ICLab.
ICLab:aCensorshipMeasurementPlat-form.
https://iclab.
org/.
[31]J.
Jiang,J.
Liang,K.
Li,J.
Li,H.
Duan,andJ.
Wu.
GhostDomainName:RevokedyetStillResolv-able.
InNetwork&DistributedSystemSecuritySymposium(NDSS),2012.
[32]B.
Jones,N.
Feamster,V.
Paxson,N.
Weaver,andM.
Allman.
DetectingDNSRootManipulation.
InPassiveandActiveMeasurement(PAM),2016.
[33]B.
Jones,T.
-W.
Lee,N.
Feamster,andP.
Gill.
Auto-matedDetectionandFingerprintingofCensorshipBlockPages.
InACMInternetMeasurementCon-ference(IMC),2014.
[34]M.
K¨uhrer,T.
Hupperich,J.
Bushart,C.
Rossow,andT.
Holz.
GoingWild:Large-ScaleClassi-cationofOpenDNSResolvers.
InACMInternetMeasurementConference(IMC),2015.
[35]M.
K¨uhrer,T.
Hupperich,C.
Rossow,andT.
Holz.
ExitfromHellReducingtheImpactofAmpli-cationDDoSAttacks.
InUSENIXSecuritySympo-sium,2014.
[36]G.
Lowe,P.
Winters,andM.
L.
Marcus.
TheGreatDNSWallofChina.
Technicalreport,NewYorkUniversity,2007.
[37]MaxMind.
https://www.
maxmind.
com/.
[38]Z.
Nabi.
TheAnatomyofWebCensorshipinPak-istan.
InUSENIXWorkshoponFreeandOpenCommunicationsontheInternet(FOCI),2013.
[39]OpenNetInitiative.
https://opennet.
net/.
[40]OpenResolverProject.
http://openresolverproject.
org/.
[41]J.
C.
ParkandJ.
R.
Crandall.
EmpiricalStudyofaNational-ScaleDistributedIntrusionDetectionSystem:Backbone-LevelFilteringofHTMLRe-sponsesinChina.
InIEEEInternationalConfer-enceonDistributedComputingSystems(ICDCS),2010.
[42]P.
Pearce,R.
Ensa,F.
Li,N.
Feamster,andV.
Pax-son.
Augur:Internet-WideDetectionofConnec-tivityDisruptions.
InIEEESymposiumonSecurityandPrivacy(S&P),2017.
[43]A.
Razaghpanah,A.
Li,A.
Filast`o,R.
Nithyanand,V.
Ververis,W.
Scott,andP.
Gill.
ExploringtheDe-signSpaceofLongitudinalCensorshipMeasure-mentPlatforms.
TechnicalReport1606.
01979,ArXivCoRR,2016.
[44]M.
Salganik.
BitbyBit:SocialResearchfortheDigitalAge,2016.
http://www.
bitbybitbook.
com/.
[45]SamBurnettandNickFeamster.
Encore:LightweightMeasurementofWebCensorshipwithCross-OriginRequests.
InACMSIGCOMM,2015.
[46]K.
Schomp,T.
Callahan,M.
Rabinovich,andM.
Allman.
OnMeasuringtheClient-SideDNSInfrastructure.
InACMInternetMeasurementCon-ference(IMC),2013.
[47]W.
Scott,T.
Anderson,T.
Kohno,andA.
Krish-namurthy.
Satellite:JointAnalysisofCDNsandNetwork-LevelInterference.
InUSENIXAnnualTechnicalConference(ATC),2016.
[48]A.
Sfakianakis,E.
Athanasopoulos,andS.
Ioanni-dis.
CensMon:AWebCensorshipMonitor.
InUSENIXWorkshoponFreeandOpenCommuni-cationsontheInternet(FOCI),2011.
[49]TheTorProject.
OONI:Openobservatoryofnet-workinterference.
https://ooni.
torproject.
org/.
[50]TheTorProject.
https://www.
torproject.
org/.
[51]G.
TuysuzandI.
Watson.
TurkeyBlocksYouTubeDaysafterTwitterCrackdown.
http://www.
cnn.
com/2014/03/27/world/europe/turkey-youtube-blocked/,Mar.
2014.
[52]N.
Weaver,C.
Kreibich,andV.
Paxson.
Redirect-ingDNSforAdsandProt.
InUSENIXWorkshoponFreeandOpenCommunicationsontheInternet(FOCI),2011.
[53]P.
Winter.
ThePhilippinesareblockingTorTorTracticket,June2012.
https://bugs.
torproject.
org/6258.
[54]P.
WinterandS.
Lindskog.
HowtheGreatFirewallofChinaisBlockingTor.
InUSENIXWorkshoponFreeandOpenCommunicationsontheInternet(FOCI),2012.
[55]X.
Xu,Z.
M.
Mao,andJ.
A.
Halderman.
Inter-netCensorshipinChina:WhereDoestheFilteringOccurInPassiveandActiveMeasurementCon-ference(PAM),2011.