reports an unprecedented number of domain name hi-jackings in China.
Washington, D.C., October 1, 2002 -
Dynamic Internet Technology Inc. (DIT Inc.) today reported test results that indicate an unprecedented number of domain name hi-jackings all over China.
This development is the latest turn in an ongoing struggle. China wants to use the internet to help promote economic growth, but at the same time prevent its people from having unfettered use of the internet. Independent news agencies and dissident groups wish to use the internet for the purpose it was originally intended, to bring everyone everywhere unfiltered access to information. At stake in this struggle is whether the government's control of all information flow in China can be successfully challenged by the internet, or whether China will pioneer ways that defeat the internet's original liberating promise, along the way setting a precedent for a central government successfully controlling information and showing other repressive governments how to subdue this powerful technology.
How China Does It
The new success China is enjoying in blocking unwanted internet sites depends on using a new technique.
Bill Dong, a Spokesman for DIT Inc. (http://www.dit-inc.us/), a company providing technical services to Voice of America's Chinese-language Web site explained,
"This is the largest web site hijacking activity in history. Since late last week, visitors to the most popular forbidden sites are re-directed to a single IP address, which is already blocked in China at the international gateway level. This is performed by spoofing DNS records on name servers all over China."
The technique works by falsifying the records in Domain Name Servers (DNS) throughout China. Domain Name Servers are computers that work to tell each computer the I.P. address for any web site. If someone types in the domain name for a site, such as www.voanews.com , then the DNS will tell the computer of the person trying to log onto the site what the address for the site is. Once the computer has the address, it is routed to the web site, and the connection is made.
In the case of forbidden web sites, technicians for the Ministry for Public Security change the records of the DNS so that it will give a false I.P. address. The address the Chinese have chosen to provide for the forbidden web sites is 64.33.88.161. This is the address for http://falundafa.ca - a Canadian registered non-profit organization aimed at promoting the practice of Falun Gong. The Chinese have chosen this address because it is already blocked at the gateway that all traffic must go through to reach users in China. Thus, anyone trying to log onto a forbidden site will be routed to falundafa.ca, and also be blocked.
Why the Government Developed this Technique
The advantage for the Chinese of this technique is that it defeats one of the main ways that web sites have evaded attempts to block them in the past. If the Chinese blocked the I.P. address of a web site, then, from time to time, the web site would simply change its I.P. address. This technique of faking the DNS records ends this cat and mouse game. No matter how often a web site changes its I.P. address, would-be users will still be referred to the blocked I.P. address for falundafa.ca.
At the end of August the government blocked the I.P. address for the internet search engine Google, just as it had blocked I.P. addresses for many forbidden web sites. Analysts speculated that this block was put in place because Google was a popular way for people in China to search for information on Falun Gong. There was an immediate international outcry at what the government did, and within a few days, the government lifted the block on Google's I.P. address. Then the government for the first time used fake DNS records to block a site. The government attempted to frustrate users who wished to use Google by referring them to other domestic search engines that are far less effective. But this was still a form of blockade, and did not satisfy China's critics.
The government then adopted a different approach. Rather than block Google, the government decided to use computers to filter how it might be used. These content filters would cause searches by Google users in China for forbidden words to come up empty. Thus, if someone types in the words "Falun Gong," Google in China finds nothing.
The block on Google was an international scandal because it demonstrated so clearly the threat to international internet commerce of the Chinese government's attempts to censor the internet for political purposes. At the same time, this method of blocking Google violated international protocols for the use of the internet.
The episode with Google demonstrates the limitations of the technique of hijacking web sites with faked DNS records. Such an obvious blockade cannot withstand international scrutiny when what is blocked is an important commercial asset, and a less visible means of control had to be found. Content filters were appropriate from the government's point of view because they allowed Google to function within the limits set by the government's censors.
However, one may doubt that the web sites China has blocked in this recent massive effort will have the clout to get the block on them reversed as Google's was reversed, and their content is such that the more stealthy method of using content filters could never satisfy the government. These forbidden sites are in themselves thought to be objectionable.
Who Is Blocked?
DynaWeb is DIT Inc.'s secure proxy network for Chinese users to access blacklisted URLs. In July, DIT Inc. published a list of Top Ten Forbidden Websites that are visited through Dynaweb:
All ten of these sites currently resolve to the IP address for falundafa.ca. In addition, DynaWeb itself is also pointed to this same address all over China.
This internet blockade has not been restrained by the principle of "one nation two systems." The hi-jackings appear to be nationwide within mainland China (.cn). In Hong Kong (.hk) the hi-jackings are less extensive, but several DNSs have been blocked. The effect on Macau (.mo) is not yet clear.
The government is still working out the bugs in its technique. The official site dailynews.sina.com.cn was found to be pointed to the falundafa.ca address. This error on the part of the technicians at the Ministry for Public Security appears to be due to the huge scale of the government's effort.
Around 50 DNSs for different local Individual Service Providers (ISPs) all over China were checked and all found to be part of this hijacking. We can infer that all ISPs in China are affected. With so many DNSs and ISPs throughout China, mistakenly blocking one authorized web site's domain name should not be surprising.
A webpage is available that will allow a user to test if a domain is resolved to the right IP address in China at http://www.dit-inc.us/dnsspoofing.asp . A detailed analysis will be published at www.dit-inc.us/hj-09-02.html soon.
Media contact: Bill Dong: bill@dit-inc.us.