June 12, 2018
The following report presents our findings on the current Internet blocking of the site luatkhoa.org inside Vietnam.
During late May 2018, we conducted tests in ten different autonomous systems inside Vietnam, across more than a hundred different name servers.
The main mechanism to block the website is DNS tampering at each of the providers’ infrastructure.
In summary the tampering works as follows:
- The customers of a given Internet Provider receive a set of predetermined nameservers offered by the provider.
- This information is pushed to the customer in the configuration of their connection (DHCP, PPPoE…)
- When the customer tries to connect to the site luatkhoa.org, a DNS request is sent to the predefined name servers.
- The provider then blocks the connection by sending bogus responses to the customer for that domain name.
During our research we have found three different types of bogus responses:
- The domain name resolves to 127.0.0.1
- The domain name does NOT resolve and times out after 10 seconds.
- A fake authoritative name server is provided.
Example of Viettel
In the following example, we see that Viettel provides the DNS servers 220.127.116.11 and 18.104.22.168 as part of the PPPoE authentication in their infrastructure. The customer uses the modem TP-Link TL-WR841N.
The blocking is taking place by DNS tampering in the upstream provider. The provider pushes two DNS servers to its customers, namely 22.214.171.124 and 126.96.36.199.
When placing requests for the domain luatkhoa.org, the company resolvers respond after 10 seconds with a SERVFAIL (timeout).
An interesting behavior of DNS tampering in this provider is that for domains that do not resolve they spoof a response to the IP:
In that IP address we can find the webpage:
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <title>Viettel Telecom</title>
</head>
<body>
  <div class="wrapper">
    <div class="box_line">
      <div align="center" style="color: red;font-weight: normal;display:block">
        <b>Thông báo: Địa chỉ website không tồn tại!<br/> </b>
      </div>
    </div>
  </div>
</body>
</html>
Info: Website address does not exist!
Summary of DNS tampering in different providers
The following section provides a summary of the DNS tampering techniques and in which providers we found the three fake responses.
noerror: 127.0.0.1
This tampering resolves the blocked domain with the IP address 127.0.0.1. We found the NOERROR behavior in the following providers:
- AS45903 CMC Telecom Infrastructure Company
- AS7602 Saigon Postel Corporation
Their DNS servers also forge the SOA record as follows:
luatkhoa.org. 86400 IN SOA hni.ns1.cmcti.vn. thanhnn.cmcti.vn. 2010912201 10800 15 604800 10800
luatkhoa.org. 86400 IN SOA hcmc.saigonnet.vn. root.saigonnet.vn. 2014040201 28800 7200 1209600 86400
servfail: timeout error
This second form of tampering returns a SERVFAIL response after 10 seconds. This is a sign that the provider’s name server is trying to reach the name servers of the domain luatkhoa.org (ns1.c29494.sgvps.net and ns2.c29494.sgvps.net), but the response does not reach the provider’s name server.
We found the SERVFAIL behavior in the following providers:
- AS131427 AOHOAVIET
- AS18403 The Corporation for Financing & Promoting Technology
- AS24066 Vietnam Internet Network Information Center
- AS38731 CHT Compamy Ltd
- AS45899 VNPT Corp
- AS63734 365 Online technology joint stock company
- AS7552 Viettel Corporation
bar: bogus authoritative response
In this type of tampered response the provider’s DNS response provides a bogus authoritative DNS server. An example of this type of response is:
luatkhoa.org. 850 IN SOA vdc-hn01.vnn.vn. postmaster.vnn.vn. 2005010501 10800 3600 604800 86400
luatkhoa.org: type A, class IN
    Name: luatkhoa.org
    [Name Length: 12]
    [Label Count: 2]
    Type: A (Host Address) (1)
    Class: IN (0x0001)
Authoritative nameservers
    luatkhoa.org: type SOA, class IN, mname vdc-hn01.vnn.vn
        Name: luatkhoa.org
        Type: SOA (Start Of a zone of Authority) (6)
        Class: IN (0x0001)
        Time to live: 474
        Data length: 50
        Primary name server: vdc-hn01.vnn.vn
        Responsible authority's mailbox: postmaster.vnn.vn
        Serial Number: 2005010501
        Refresh Interval: 10800 (3 hours)
        Retry Interval: 3600 (1 hour)
        Expire limit: 604800 (7 days)
        Minimum TTL: 86400 (1 day)
We have seen this behavior in the provider:
AS7643 Vietnam Posts and Telecommunications (VNPT)
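The three response types summarized above can be told apart mechanically from a resolver's reply. The following classifier is an added example, not the tooling used for this report; the function names, the 9-second tolerance and the rule that a genuine SOA names one of the domain's two listed name servers are assumptions, and the sample observations are constructed around the SOA records quoted above.

```python
# Added example; names and thresholds below are assumptions, not the report's tooling.
# Name servers the report gives for luatkhoa.org.
REAL_NS = {"ns1.c29494.sgvps.net", "ns2.c29494.sgvps.net"}
SLOW_S = 9.0  # assumption: tolerance around the ~10 s delay the report observed

def soa_mname(record):
    """Return the MNAME (primary name server) of a presentation-format SOA line."""
    f = record.split()
    if len(f) >= 5 and f[2].upper() == "IN" and f[3].upper() == "SOA":
        return f[4].rstrip(".").lower()
    return None

def classify(rcode, answers=(), authority=(), elapsed=0.0):
    """Map one resolver response for the tested domain to a tampering type.

    rcode: DNS response code; answers: A-record addresses;
    authority: SOA lines from the authority section; elapsed: seconds waited.
    """
    # Checked first: the report notes these resolvers forge the SOA as well.
    if rcode == "NOERROR" and any(ip.startswith("127.") for ip in answers):
        return "noerror-loopback"
    if rcode == "SERVFAIL":
        return "servfail-timeout" if elapsed >= SLOW_S else "servfail-other"
    # Assumption: the genuine zone's SOA names one of REAL_NS as MNAME.
    if any(m and m not in REAL_NS for m in map(soa_mname, authority)):
        return "bogus-authority"
    return "no-tampering-observed"

# SOA lines are copied from the report; rcodes, timings and the last row are constructed.
SAMPLES = {
    "AS45903": ("NOERROR", ["127.0.0.1"], ["luatkhoa.org. 86400 IN SOA hni.ns1.cmcti.vn. "
                "thanhnn.cmcti.vn. 2010912201 10800 15 604800 10800"], 0.05),
    "AS7552": ("SERVFAIL", [], [], 10.0),
    "AS7643": ("NOERROR", [], ["luatkhoa.org. 850 IN SOA vdc-hn01.vnn.vn. "
               "postmaster.vnn.vn. 2005010501 10800 3600 604800 86400"], 0.04),
    "open-resolver": ("NOERROR", ["203.0.113.10"], [], 0.03),
}

def run_samples():
    return {name: classify(*obs) for name, obs in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} {verdict}")
```

The loopback check runs before the SOA check because the resolvers that answer 127.0.0.1 also return a forged SOA, so the order decides which label such a response receives.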
The website luatkhoa.org is blocked in Vietnam by means of DNS tampering. The DNS tampering is implemented by at least three different techniques. DNS tampering can be bypassed by changing the predefined name servers provided by the providers and using alternative ones (open resolvers).
A list of open resolvers is available here: