DNS tampering in Vietnam


June 12, 2018

Internet blocking of site luatkhoa.org in Vietnam

The following report presents our findings on the current Internet blocking of the site luatkhoa.org inside Vietnam.

Methodology

During late May 2018, we conducted tests in ten different autonomous systems inside Vietnam, against more than a hundred different name servers.

Results

The main mechanism to block the website is DNS tampering at each of the providers’ infrastructure.

In summary the tampering works as follows:

  • The customers of a given Internet Provider receive a set of predetermined nameservers offered by the provider.
  • This information is pushed to the customer in the configuration of their connection (DHCP, PPPoE…).
  • When the customer connects to the site luatkhoa.org, a DNS request arrives at the predefined name servers.
  • The provider then blocks the connection by sending bogus responses to the customer for that domain name.

During our research we found three different types of bogus responses:

  1. The domain name resolves to 127.0.0.1
  2. The domain name does NOT resolve and times out after 10 seconds.
  3. A fake authoritative name server is provided.

Example of Viettel

In the following example, we see that Viettel provides the DNS servers 203.113.188.1 and 203.113.131.3 as part of the PPPoE authentication in their infrastructure. The customer uses the modem TP-Link TL-WR841N.

 

 

The blocking takes place through DNS tampering at the upstream provider. The provider pushes two DNS servers to its customers, namely 203.113.188.1 and 203.113.133.3.

When placing requests for the domain luatkhoa.org, the company resolvers respond after 10 seconds with a SERVFAIL (timeout).

An interesting behavior of the DNS tampering at this provider is that, for domains that do not resolve, the resolvers spoof a response pointing to the IP:

125.235.4.59 viettelmobile.com.vn

In that IP address we can find the webpage:

<!DOCTYPE html> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Viettel Telecom</title> </head> <body> <div class="wrapper"> <div class="box_line">
<div align="center" style="color: red;font-weight: normal;display:block"> 
<b>Thông báo: Địa chỉ website không tồn tại!<br/> </b> </div> </div> </div> </body> </html>

Info: Website address does not exist!

 

Summary of DNS tampering in different providers

The following section summarizes the DNS tampering techniques and lists the providers in which we found each of the three fake responses.

noerror : 127.0.0.1

This tampering resolves the blocked domain with the IP address 127.0.0.1. We found the NOERROR behavior in the following providers:

AS45903 CMC Telecom Infrastructure Company
AS7602 Saigon Postel Corporation

Their DNS servers also forge the SOA record as follows:

luatkhoa.org. 86400 IN SOA hni.ns1.cmcti.vn. thanhnn.cmcti.vn. 2010912201 10800 15 604800 10800
luatkhoa.org. 86400 IN SOA hcmc.saigonnet.vn. root.saigonnet.vn. 2014040201 28800 7200 1209600 86400

servfail: timeout error

This second form of tampering returns a SERVFAIL response after 10 seconds. This is a sign that the provider’s name server is trying to reach the name servers of the domain luatkhoa.org (ns1.c29494.sgvps.net and ns2.c29494.sgvps.net), but the response does not reach the provider’s name server.

We found the SERVFAIL behavior in the following providers:

AS131427 AOHOAVIET
AS18403 The Corporation for Financing & Promoting Technology
AS24066 Vietnam Internet Network Information Center
AS38731 CHT Compamy Ltd
AS45899 VNPT Corp
AS63734 365 Online technology joint stock company
AS7552 Viettel Corporation

bar: bogus authoritative response

In this type of tampering, the provider’s DNS response names a bogus authoritative DNS server. An example of this type of response is:

luatkhoa.org. 850 IN SOA vdc-hn01.vnn.vn. postmaster.vnn.vn. 2005010501 10800 3600 604800 86400
luatkhoa.org: type A, class IN
Name: luatkhoa.org
[Name Length: 12]
[Label Count: 2]
Type: A (Host Address) (1)
Class: IN (0x0001)
Authoritative nameservers
luatkhoa.org: type SOA, class IN, mname vdc-hn01.vnn.vn
Name: luatkhoa.org
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Time to live: 474
Data length: 50
Primary name server: vdc-hn01.vnn.vn
Responsible authority's mailbox: postmaster.vnn.vn
Serial Number: 2005010501
Refresh Interval: 10800 (3 hours)
Retry Interval: 3600 (1 hour)
Expire limit: 604800 (7 days)
Minimum TTL: 86400 (1 day)

We have seen this behavior in the provider:

AS7643 Vietnam Posts and Telecommunications (VNPT)
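
The three response types summarized above can be told apart mechanically once the response code, timing, A records and SOA line of each query have been recorded. The following is an added example, not code from the original report: the Observation record, the 9-second tolerance, the resolver addresses in 192.0.2.0/24 and the control answer are assumptions constructed for illustration, while the SOA lines and 203.113.188.1 are taken from the report.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Name servers the report gives for luatkhoa.org (assumed to include the real SOA MNAME).
REAL_NS = {"ns1.c29494.sgvps.net", "ns2.c29494.sgvps.net"}
SLOW_SERVFAIL_S = 9.0  # assumed tolerance around the 10 s the report observed

@dataclass
class Observation:  # hypothetical record of one query sent to one resolver
    resolver: str
    rcode: str
    elapsed_s: float
    a_records: list = field(default_factory=list)
    soa_line: str = ""  # SOA in dig/zone-file text form, if one was returned

def soa_mname(soa_line):
    """Extract the primary name server (MNAME) from a dig-style SOA line."""
    parts = soa_line.split()
    if "SOA" not in parts or parts.index("SOA") + 1 >= len(parts):
        return None
    return parts[parts.index("SOA") + 1].rstrip(".").lower()

def classify(obs):
    mname = soa_mname(obs.soa_line)
    forged_soa = mname is not None and mname not in REAL_NS
    if obs.rcode == "NOERROR" and any(ip_address(a).is_loopback for a in obs.a_records):
        return "noerror-loopback"       # type 1: resolves to 127.0.0.1
    if obs.rcode == "SERVFAIL" and obs.elapsed_s >= SLOW_SERVFAIL_S:
        return "servfail-timeout"       # type 2: SERVFAIL after ~10 s
    if forged_soa and not obs.a_records:
        return "bogus-authority"        # type 3: provider's own SOA, no answer
    if obs.rcode == "NOERROR" and obs.a_records and not forged_soa:
        return "no-tampering-observed"
    return "inconclusive"               # e.g. a fast SERVFAIL

# Constructed observations: SOA lines and 203.113.188.1 come from the report;
# the other resolver addresses, timings and the control answer are made up.
SAMPLES = [
    Observation("192.0.2.1", "NOERROR", 0.03, ["127.0.0.1"],
                "luatkhoa.org. 86400 IN SOA hni.ns1.cmcti.vn. thanhnn.cmcti.vn. 2010912201 10800 15 604800 10800"),
    Observation("203.113.188.1", "SERVFAIL", 10.0),
    Observation("192.0.2.2", "NOERROR", 0.04, [],
                "luatkhoa.org. 850 IN SOA vdc-hn01.vnn.vn. postmaster.vnn.vn. 2005010501 10800 3600 604800 86400"),
    Observation("192.0.2.3", "NOERROR", 0.20, ["198.51.100.10"]),
    Observation("192.0.2.4", "SERVFAIL", 0.05),
]

def classify_all(samples=SAMPLES):
    return {o.resolver: classify(o) for o in samples}
```

A single slow SERVFAIL can also be an ordinary upstream outage, so a verdict is only meaningful when the same query through a resolver outside the provider returns a normal answer at the same time.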

Conclusions

The website luatkhoa.org is blocked in Vietnam by means of DNS tampering. The DNS tampering is implemented by at least three different techniques. DNS tampering can be bypassed by changing the predefined name servers provided by the providers and using alternative ones (open resolvers).

A list of open resolvers is available here: