* Malicious or cache-poisoned DNS servers which return false IP addresses for a domain name.
== Inputs ==
* The '''list''' of domain names to be tested.
* The '''list''' of IP addresses of the DNS servers to be tested
* The **list** of domain names to be tested.
* The **list** of IP addresses of the DNS servers to be tested
* The IP address of a DNS server to be used as the control
== Experiment ==
...
...
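Review bot: the headings `== Inputs ==` and `== Experiment ==` are left in Trac wiki syntax in this hunk, while `== Control ==` and `== Questions ==` are converted to `## Control` and `## Questions` in the hunks below; convert these two to `## Inputs` and `## Experiment` as well so the page ends up with a single heading style. The bold conversion from `'''list'''` to `**list**` is correct, but the converted line `* The **list** of IP addresses of the DNS servers to be tested` still lacks the trailing period that its sibling `* The **list** of domain names to be tested.` has; add it while touching these lines.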
@@ -16,15 +16,16 @@ Takes a list of domain names and a list of DNS servers to be tested, and it reso
For example, given the domain name list ['google.com', 'ooni.nu', 'torproject.org'] and the DNS server list ['208.67.222.222', '156.154.70.1'], ooniprobe would try the following DNS resolves:
||Source||Destination||Protocol||Info||
||1.2.3.4||208.67.222.222||DNS||STANDARD query A google.com||
||1.2.3.4||208.67.222.222||DNS||STANDARD query A ooni.nu||
||1.2.3.4||208.67.222.222||DNS||STANDARD query A torproject.org||
||1.2.3.4||156.154.70.1||DNS||STANDARD query A google.com||
||1.2.3.4||156.154.70.1||DNS||STANDARD query A ooni.nu||
||1.2.3.4||156.154.70.1||DNS||STANDARD query A torproject.org||
|Source|Destination|Protocol|Info|
|------|-----------|--------|----|
|1.2.3.4|208.67.222.222|DNS|STANDARD query A google.com|
|1.2.3.4|208.67.222.222|DNS|STANDARD query A ooni.nu|
|1.2.3.4|208.67.222.222|DNS|STANDARD query A torproject.org|
|1.2.3.4|156.154.70.1|DNS|STANDARD query A google.com|
|1.2.3.4|156.154.70.1|DNS|STANDARD query A ooni.nu|
|1.2.3.4|156.154.70.1|DNS|STANDARD query A torproject.org|
== Control ==
## Control
Next, the test resolves the same domain name list with a known good server (set to Google's main DNS server, 8.8.8.8, by default), and compares the returned IP addresses with those obtained from the test DNS servers. If there are any IP addresses which match in both results, the test reports that the user's DNS has not been tampered with for that domain name.
...
...
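Review bot: the new pipe table starts directly under the `For example, given the domain name list …` paragraph with no blank line in between; some markdown renderers then treat `|Source|Destination|Protocol|Info|` as a continuation of the paragraph instead of a table header, so insert an empty line before it. The conversion itself is faithful: the six rows and the `1.2.3.4` placeholder source address match the old `||…||` table cell for cell, and the added `|------|-----------|--------|----|` delimiter row is what accounts for the `+16,16` versus `-16,15` line count in the hunk header.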
@@ -32,7 +33,7 @@ Next, the test resolves the same domain name list with a known good server (set
* Whether or not censorship was detected, and, if so, what caused the result to be flagged as censorship.
== Questions ==
## Questions
Many high usage online services use GeoIP load balancing to reduce resource consumption on servers. This results in a DNS server in one geographic region pointing to one set of IP addresses, and a DNS server in a different region pointing to others. The DNSLookup test mistakenly interprets these conflicting results as an act of DNS tampering. To attempt to decrease false positives resulting from GeoIP load balancing, DNSLookup can try to complete a reverse DNS resolve for the both sets of resultant IP addresses, and then compare the reverse DNS results for matches. This only works sometimes, but enabling it does not diminish the validity of test results that would have otherwise been obtained.
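Review bot: `## Questions` is the correct conversion of `== Questions ==`. Since this hunk already touches the section, the unchanged context line below has a small typo worth fixing in the same change: `complete a reverse DNS resolve for the both sets of resultant IP addresses` should read `for both sets of resultant IP addresses`. The rest of the hunk is unchanged context.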