2012-sparks-collateral
findings extracted from this paper
-
DNSSEC validation naturally prevents DNS injection collateral damage: both .de and .kr sign their results, allowing a validating resolver to reject the unsigned injected reply while awaiting the legitimate signed response. The paper identifies DNSSEC deployment at the TLD level as the most robust structural defense against injection-based collateral damage.
-
Probing 43,842 open recursive resolvers across 173 countries found 26.41% (11,579) suffer some collateral damage from Chinese DNS injection, distributed across 109 countries. The top-affected regions are Iran (88.20%), Malaysia (85.34%), South Korea (79.20%), Hong Kong (74.63%), and Taiwan (66.13%).
-
DNS injection collateral damage arises from three structural properties of DNS: iterative resolution (full queries sent to root and TLD authorities), anycast routing (two resolvers may reach different physical servers via different paths), and dynamic routing through censored transit ASes. A single domain lookup may generate many queries at multiple levels, any of which can be intercepted by a censored transit AS even when both the originating resolver and the authoritative server are outside the censored network.
-
TraceQuery probing identified 3,120 router IPs performing DNS injection belonging to exactly 39 Chinese ASes. AS4134 (Chinanet) alone accounts for 1,952 router IPs (62.6% of injecting routers); the top 5 ASes account for over 77% of all identified injecting routers.
-
TLD-level paths are the primary collateral-damage vector: 11,573 resolvers (26.40%) suffered collateral damage via censored transit to TLD authorities, while only 1 resolver (0.002%) was affected via paths to root servers. The .de ccTLD was most affected because a large fraction of US-to-Germany transit traverses Chinese networks.