Myanmar junta keeps expanding the secret block list


– Understanding DNS blocking in Myanmar

In August 2020, Qurium released the report “Internet blocking in Myanmar – secret block list and no means to appeal”, describing how the Myanmar authorities are forcing all operators to silently block a large number of news websites without informing the targeted organizations about the blocking order or providing them a way to appeal the decision. The report focused on Telenor and MPT, which were both using DNS tampering to block connections to the blacklisted sites.

Since the military coup in February 2021, we have seen more and more independent media being added to the non-public block list. People’s Spring is a news media outlet collaboratively founded by young veteran journalists from Burma. While it sprang up along with the Burmese Spring Revolution after the 2021 coup, People’s Spring is a free, independent, and non-partisan news media outlet. Since its creation in April 2021, People’s Spring has been hosted with Qurium. On April 14th, the traffic from Burma to their website suddenly dropped. Qurium could quickly rule out the option of a fiber cut, and it became obvious that they had been added to the infamous block list.

“Our website was banned by the military junta so that the audience inside Myanmar can no longer access our news at the time it is reaching its highest ever local audience. Banning the People’s Spring website is the latest act of the military junta’s crackdown on media, from forcefully rescinding media licenses of local news outlets, arresting journalists, raiding newsrooms, to blocking people from reading independent news online”, says the Managing Editor of People’s Spring.

The traffic to People’s Spring’s website was blocked on April 14, 2022.

How is the blocking implemented?

In collaboration with People’s Spring, Qurium has investigated the blocking methods implemented by three operators, of which MPT is state-owned:

  • Myanma Posts and Telecommunications (MPT)
  • Ooredoo
  • Telenor Myanmar (M1 Group)

Qurium’s findings show that all three operators block websites using DNS tampering, just like they did back in 2020. Hence, no more advanced technology has been procured by these operators to strengthen the blocking. DNS tampering is seen as a fairly “weak” method to block websites, as it can easily be circumvented by changing the DNS lookup service in use.

Detailed findings for each operator are provided below and are based on in-country traffic recordings between the operators and the blocked domains ludunwayoo.com, karennews.org and dvb.no.

How to bypass DNS tampering?

  1. Laptop/desktop: Change your DNS resolver to any of the publicly available ones (like Google’s 8.8.8.8).
  2. Smartphone – Wi-Fi connection: Modern smartphones allow you to select a “private DNS” for your Wi-Fi connections. Google provides a guide for both Android (version 9 and later) and iPhone.
  3. Smartphone – data connection: Changing the DNS resolver for a data connection is not possible. For this scenario, we recommend that you use Tor Browser.

Qurium has deployed a Bifrost mirror for People’s Spring to provide a simple means for users with any type of device to access the website. Bifrost is a circumvention solution that is resilient to any kind of blocking, and does not require the end user to install any software or make any modifications to their devices.

The Bifrost mirror of People’s Spring is available at: https://storage.googleapis.com/qurium/ludunwayoo.com/index.html

Myanma Posts and Telecommunications (MPT)

The state-owned operator MPT has opted to send a DNS response with the error code “Refused”, DNS Code 5 (0101).

172.20.10.6.55230 > 172.20.10.1.53: 18251+ A? www.ludunwayoo.com. (36)
172.20.10.1.53 > 172.20.10.6.55230: 18251 Refused 0/0/0 (36)

Ooredoo

Ooredoo has opted to send a DNS response with the error code “No such name”, DNS Code 3 (0011). What is interesting is that they have also opted to add an additional DNS record of type SOA with the name “Blacklist”. They also include the mail address postmaster [@] no.email.please in the response.

192.168.130.207.58111 > 192.168.130.216.53: [udp sum ok] 2+ A? karennews.org. (31)
192.168.130.216.53 > 192.168.130.207.58111: [udp sum ok] 2 NXDomain q: A? karennews.org. 0/0/1 ar: Blacklist. [1h] SOA gidnszya101.ooredoo.mm. postmaster.no.email.please. 671218064 3600 600 2592000 3600 (124)

Telenor / M1 Group

Six months after the military coup in February 2021, Telenor Myanmar announced that they would sell the company to the Lebanese M1 Group. “Telenor has to leave Myanmar to be able to adhere to our own values on human rights and responsible business, and because local laws in Myanmar conflict with European laws,” said Sigve Brekke, President and CEO of Telenor Group. The sales deal was finally approved by the Myanmar authorities in April 2022. The business will continue to operate under the brand name Telenor Myanmar until August 2022.

Telenor/M1 Group implements by far the most “creative” way to perform the DNS blocking. The company still uses Telenor’s former mechanisms to perform the DNS blocking. Telenor/M1 opted to provide a DNS response (CNAME) pointing to the domain redirect-host[.]telenor.com.mm.xyz that only resolves inside of their network.

192.168.43.27.63851 > 192.168.43.1.53: 38049+ A? www.ludunwayoo.com. (36)
192.168.43.1.53 > 192.168.43.27.63851: 38049 2/0/0 www.ludunwayoo.com. CNAME redirect-host.telenor.com.mm.xyz., redirect-host.telenor.com.mm.xyz. A 167.172.4.60 (98)
telenor.com.mm[.]xyz resolving to 167.172.4[.]60 inside of their network

The redirection shows a website with the text:

တောင်းပန်ပါသည်။ ဤ URLမှာ မြန်မာနိုင်ငံတွင် ကြည့်ရှု၍ မရနိုင်ပါ။ ဥပဒေနှင့် အညီ တားမြစ်ထားပါသည်။
Sorry, this URL is not available from Myanmar. It has been blocked due to obligation under law.

Telenor keeps using a VPS in Digital Ocean to host the captive page of blocked websites. In the past the IP address was used to redirect to the domain urlblocked[.]pw.

It is puzzling to see how Telenor is hijacking the domain telenor[.]com.xyz to implement the DNS redirection, forcing readers to visit a website hosted abroad in Digital Ocean.
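
The three response signatures described above (Refused, NXDomain with a “Blacklist” SOA record, and a CNAME to the block page host) can be checked for mechanically when reviewing a capture. The following is an added example, not Qurium’s code: it classifies tcpdump DNS response lines, using the response lines from this page as input. The last sample line, the function names and the verdict labels are assumptions made for illustration.

```python
import re

# First three lines are the responses shown on this page; the fourth is a
# constructed untampered answer (192.0.2.0/24 is a documentation range).
SAMPLE = """\
172.20.10.1.53 > 172.20.10.6.55230: 18251 Refused 0/0/0 (36)
192.168.130.216.53 > 192.168.130.207.58111: [udp sum ok] 2 NXDomain q: A? karennews.org. 0/0/1 ar: Blacklist. [1h] SOA gidnszya101.ooredoo.mm. postmaster.no.email.please. 671218064 3600 600 2592000 3600 (124)
192.168.43.1.53 > 192.168.43.27.63851: 38049 2/0/0 www.ludunwayoo.com. CNAME redirect-host.telenor.com.mm.xyz., redirect-host.telenor.com.mm.xyz. A 167.172.4.60 (98)
192.0.2.1.53 > 192.0.2.7.40000: 7 1/0/0 example.org. A 192.0.2.10 (45)
"""

# tcpdump response line: "<resolver>.53 > <client>.<port>: [opts] <id><flags> <rest>"
RESPONSE = re.compile(r"^(\S+)\.53 > \S+: (?:\[[^\]]*\] )?(\d+)[*\-|$]* (.*)$")


def classify(line):
    """Return (resolver_ip, txid, verdict) for a DNS response line, else None."""
    m = RESPONSE.match(line.strip())
    if not m:
        return None  # a query (source port is not 53) or a non-DNS line
    resolver, txid, rest = m.group(1), int(m.group(2)), m.group(3)
    counts = re.search(r"\b(\d+)/(\d+)/(\d+)\b", rest)  # answer/authority/additional
    answers = int(counts.group(1)) if counts else 0
    if rest.startswith("Refused") and answers == 0:
        verdict = "refused"             # RCODE 5 with no records: the MPT pattern
    elif rest.startswith("NXDomain") and re.search(r"ar: Blacklist\. .*SOA", rest):
        verdict = "nxdomain-blacklist"  # RCODE 3 plus "Blacklist" SOA: the Ooredoo pattern
    elif re.search(r"CNAME redirect-host\.telenor\.com\.mm\.xyz\.", rest):
        verdict = "cname-redirect"      # CNAME to the block page host: the Telenor pattern
    elif rest.startswith("NXDomain"):
        verdict = "nxdomain"            # could be a genuinely non-existent name
    else:
        verdict = "no-signature"
    return resolver, txid, verdict


def scan(text):
    """Classify every response line in a block of tcpdump output."""
    return [r for r in map(classify, text.splitlines()) if r]


if __name__ == "__main__":
    for resolver, txid, verdict in scan(SAMPLE):
        print(f"{resolver:16} id={txid:<6} {verdict}")
```

A bare Refused or NXDomain can also occur for legitimate reasons, so a verdict is only meaningful when the same name resolves normally through a resolver outside the operator’s network.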