net4people / bbs

Forum for discussing Internet censorship circumvention

China Telecom reportedly injected private IPs in DNS responses #84


gfw-report commented 2 years ago

On September 4, 2021, @shell12345 reported that "the China Telecom will send '127.0.0.1' if request a sensitive domain name". In particular, cp.cloudflare.com was resolved to 127.0.0.1.

Our investigation shows that this specific censorship event was likely to be implemented by the ISP (China Telecom), rather than the GFW of China.

This interesting censorship incident reveals an interesting phenomenon: in addition to the censorship by the GFW, the Chinese users can also suffer from the censorship by the ISP. While the GFW of China exclusively used public IP addresses as answers in forged DNS responses (See Section 5.1 of Hoang et al. and Section 3.2 of Anonymous et al.), the Chinese ISPs may inject private IP addresses in forged DNS responses (See Table 8 of Liu et al.).

Indirect evidence

The following three pieces of evidence (indirectly) support our conjecture that this specific censorship event was implemented by the ISP (China Telecom), rather than the GFW of China.

First, we have been monitoring the DNS censorship of Alexa Top 1 million domains on a bi-hourly basis since May 2019. 127.0.0.1 was not in any forged responses among the six million queries we sent in the last 24 hours.

Second, it appears that cp.cloudflare.com is not even on the DNS blacklist of the GFW. We randomly selected an IP address 14.121.1.0 which belongs to the China Telecom (AS4134). We then made the following two queries from the outside of China to the IP address:

;; got a forged answer
$ dig @14.121.1.0 www.youtube.com +short
66.220.151.20

;; timeout
$ dig @14.121.1.0 cp.cloudflare.com +short

Third, as shown in Table 8 of Liu et al., since as early as 2018, AS4134, ChinaTelecom had been observed to inject DNS responses with private IP addresses 192.168.32.1 and 10.231.240.77 as answers.

Direct evidence (You can help!)

The three pieces of evidence above indirectly support the conjecture that the censorship was implemented by the ISP, not the GFW of China. Unfortunately, we couldn't take advantage of the bi-directional censorship of the GFW to test from the outside of China. To get direct and concrete evidence, we encourage @shell12345 or any other China Telecom users to try the following test and to post their findings below:

First, choose an IP address outside of China, e.g., 216.58.195.0.

Second, open wireshark or run tcpdump to capture the traffic:

sudo tcpdump host 216.58.195.0 -Uw "dns.pcap"

Third, open another terminal and run the following command to make sure that no DNS service is running on this IP address:

# The query should timeout if no DNS service is running on this IP
dig @216.58.195.0 www.baidu.com

Fourth, send the sensitive query to the IP:

dig @216.58.195.0 cp.cloudflare.com

Fifth, open the captured dns.pcap with wireshark or tshark, to observe the traffic:

tshark -r dns.pcap

Acknowledgement

We thank David Fifield for sharing this user report with us.

wkrp commented 2 years ago

Thanks for doing this analysis. Good catch on the private IP addresses documented by Liu et al.

huangshaomingS001 commented 1 year ago

In some regions the probability that Falun Gong websites are redirected to private addresses increases greatly; sometimes it is the ISP and sometimes it is the GFW.