CERTainty: Detecting DNS Manipulation at Scale using TLS Certificates

CERTainty identifies DNS manipulation by attempting a full TLS handshake with the IP returned by a remote resolver and inspecting whether the resulting certificate belongs to the legitimate origin or to an injected blockpage destination. This certificate-based ground truth substantially reduces false positives compared to prior DNS measurement systems that could not distinguish intentional manipulation from CDN geo-DNS or captive portals.

Abstract / §1 evaluation dns-poisoningmeasurement-platform cnirru

Prior DNS-manipulation measurement systems suffered from high false-positive rates because DNS anomalies are also produced by benign infrastructure (CDNs, geo-DNS, captive portals). CERTainty's TLS certificate inspection step disambiguates these cases, establishing that certificate validation is a necessary complement to DNS-response comparison for reliable censor classification.

Abstract / §3 detection dns-poisoningmeasurement-platform generic

CERTainty measured DNS manipulation across thousands of resolvers in 102 countries, identifying state-level censorship in China, Iran, and Russia, among others. The breadth of coverage — both resolver count and country count — demonstrates that TLS certificate validation scales to Internet-wide vantage-point studies.

Abstract / §5 evaluation dns-poisoningmeasurement-platform cnirru

CERTainty demonstrates that state-level DNS censorship in China, Iran, and Russia operates through resolver-level injection: queries sent to in-country resolvers return IPs whose TLS certificates do not correspond to the queried domain, revealing blockpage or sinkhole destinations. This pattern is distinguishable from CDN or geographic DNS behavior precisely because blockpage servers cannot present a valid certificate for the censored hostname.

Abstract / §5–6 evaluation dns-poisoningip-blocking cnirru