2022-cheng-in-depth
findings extracted from this paper
-
Among 18,199 stable open DNS resolvers discovered in Shanghai's IPv4 space, 136 were completely immune to GFW DNS filtering and correctly resolved all 83 blocked domains. On average, each blocked domain had more than 436 open resolvers with ACR ≥ 0.5 capable of returning its correct IP address.
-
Chinese public (pDNS) and ISP (iDNS) DNS resolvers exhibit highly variable filtering bypass rates: some resolvers return correct IPs for specific blocked domains with ACR > 0.6 (e.g., wsj.com, vpnintouch.com), while the same resolver queried from a different ISP or region may have ACR < 0.1. The paper identifies three factors that determine effective bypass: DNS resolver identity, client vantage-point location, and the specific blocked domain.
-
The authors implement a system that identifies correct IP addresses of blocked domains inside a censored network by exploiting the predictable characteristics of forged IPs returned by GFW DNS filtering devices. The system achieves 100% accuracy in identifying valid IPs within a short time period, using 1.7 billion DNS records collected over 40 days across 86,876 resolvers.
-
GFW DNS filtering effectiveness shows diurnal variation: correct response rates are lowest in the early morning hours (before 6:00 a.m.) and rise throughout the day, suggesting filtering devices fail to process all DNS queries during peak traffic periods. However, the overall variance across time is small — maximum standard deviation of 0.03 — indicating the filtering mechanism is broadly stable over the 40-day measurement window.
-
Queries from inside China to non-Chinese public DNS resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1) that pass through GFW DNS filtering devices yield an Absolute Correct Rate (ACR) of less than 1% for blocked domain lookups, regardless of the client's region or ISP. Even a self-built US resolver (45.63.86.214) was affected by the national-level DNS filtering mechanism.