2020-anonymous-triplet-censors
Triplet Censors: Demystifying Great Firewall's DNS Censorship Behavior
Abstract
We analyze the GFW's DNS injection behavior over nine months using the
Alexa top 1M domains. Three distinct DNS injectors are fingerprinted
by their IP-DF/IP-TTL/DNS-AA/DNS-TTL combinations; one injector copies
the IP TTL of the probe packet into its forged reply, which must be
accounted for when TTL-limited probing is used to locate injectors. We
also observe groups of public IPs used to filter specific sets of domains.
Team notes
The three-injector model from this paper is foundational for reasoning
about DNS-based circumvention. The TTL-mirroring injector in particular
is a useful adversarial fingerprint: a measurement that observes a forged
reply whose IP TTL tracks the probe's TTL is almost certainly observing
the GFW. For Lantern, the takeaway is that DNS-based bootstrap channels
(DoH, DNSTT, kindling's DNS path) must assume the GFW is forging
responses for many more domains than the obvious blocklists suggest.
Caveat: injection only reaches plaintext lookups, so the exposed step is
the cleartext UDP/53 resolution of the bootstrap endpoint's own hostname,
not the encrypted channel once it is up.
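The fingerprinting idea from the abstract (group forged replies by header tuple, then check whether a group's IP TTL echoes the probe TTL) as an added Python example; this is our own illustration, not code from the paper, and the reply values below are constructed. The echo test assumes the measurement sent the same query with several different outbound IP TTLs: a fixed-TTL injector yields a varying probe-minus-reply offset, while an echoing injector yields a constant one (the forward plus return hop count).

```python
"""Group injected DNS replies by header fingerprint and flag TTL-echoing injectors."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    probe_ttl: int   # IP TTL our query was sent with (hypothetical field we record ourselves)
    ip_df: bool      # IP Don't-Fragment bit on the reply
    ip_ttl: int      # IP TTL observed on the reply at the prober
    dns_aa: bool     # DNS Authoritative-Answer flag on the reply
    dns_ttl: int     # TTL of the forged A record
    answer: str      # forged IP in the answer section


def fingerprint(reply: Reply) -> tuple:
    # IP TTL is deliberately excluded: it depends on hop distance and is
    # examined separately by ttl_echoes_probe().
    return (reply.ip_df, reply.dns_aa, reply.dns_ttl)


def group_by_fingerprint(replies):
    groups = defaultdict(list)
    for r in replies:
        groups[fingerprint(r)].append(r)
    return dict(groups)


def ttl_echoes_probe(replies) -> bool:
    """True when reply IP TTL tracks probe TTL with one constant offset.

    Requires at least two distinct probe TTLs; with a single probe TTL the
    test is inconclusive and returns False.
    """
    probe_ttls = {r.probe_ttl for r in replies}
    if len(probe_ttls) < 2:
        return False
    offsets = {r.probe_ttl - r.ip_ttl for r in replies}
    return len(offsets) == 1


def classify(replies):
    """Summarise each fingerprint group: size, echo behaviour, forged answers seen."""
    summary = {}
    for fp, rs in group_by_fingerprint(replies).items():
        summary[fp] = {
            "count": len(rs),
            "ttl_echo": ttl_echoes_probe(rs),
            "answers": sorted({r.answer for r in rs}),
        }
    return summary


# Constructed sample: one query sent three times with probe TTLs 32, 48, 64,
# each time drawing forged replies from three hypothetical injectors.
# Injector "A": fixed reply TTL (initial 64 minus 12 hops), DF set, AA clear.
# Injector "B": fixed reply TTL (initial 255 minus 14 hops), DF clear, AA set.
# Injector "C": echoes probe TTL minus 20 hops round trip, DF clear, AA clear.
SAMPLE_REPLIES = []
for probe in (32, 48, 64):
    SAMPLE_REPLIES += [
        Reply(probe, True, 52, False, 300, "203.0.113.5"),
        Reply(probe, False, 241, True, 60, "198.51.100.9"),
        Reply(probe, False, probe - 20, False, 300, "192.0.2.77"),
    ]


if __name__ == "__main__":
    for fp, info in classify(SAMPLE_REPLIES).items():
        print(f"DF={fp[0]} AA={fp[1]} DNS-TTL={fp[2]} -> {info}")
```

Run against real captures, the group whose `ttl_echo` is True is the one the team notes call out as the strongest GFW fingerprint; a group with a single probe TTL cannot be judged either way, so vary the outbound TTL before drawing conclusions.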