There have been a huge number of stories over the last few days talking about the attempts of the Turkish government to ban all access to Twitter. While many of these stories talk about the political implications or how the Turkish people can get around the ban, I have yet to see a good description of why the ban is a technically futile effort, so I decided to pen one myself. 🙂
Domain Name System
The Domain Name System (DNS) is effectively a translator service. Humans find it easier to reference information using words like “www” or “Twitter”. Computers find it easier to reference information using Internet Protocol (IP) addresses like “199.16.156.70”. When you type into your browser the name of a Web site you wish to visit, DNS takes care of quickly and silently translating that name into an IP address so your computer connects to the correct Web site. This is all done in the background, so most people are not even aware it takes place.
Filtering With DNS
As mentioned above, DNS takes care of translating between words and IP addresses. Most networks run one or more local domain name servers to perform this task. One of the ways you can attempt to filter a domain is to corrupt how these name servers process their requests.
For example, if I type “www.twitter.com” into my Web browser, a local name server takes care of translating that name into an IP address. If someone programs that name server to think its authoritative for all hosts within “twitter.com”, and then tell it that “www.twitter.com” does not exist or is located at a different IP address, they can effectively block all users on the local network from accessing Twitter. Each computer using that name server inherently trusts the information it gets back, so no one is the wiser. You’ve effectively hijacked the domain from the perspective of all of the local users relying on that name server.
I’ve seen a number of companies implement domain hijacking as a “feature”. For example they may not want employees using corporate resources to visit “www.facebook.com” during work hours, so they program all of their corporate name servers to redirect users to a policy page explaining that Facebook use is not permitted. I’ve seen others that have done similar to block access to banner ad or known malware sites, in an effort to protect local computers.
In the case of Turkey, the government does not necessarily run all of the name servers within the country. They do however have legal jurisdiction over the Internet Services Providers (ISPs) operating within the country’s borders. So Turkey’s first attempt at blocking Twitter was to hijack the twitter.com domain on name servers running within their borders.
Circumventing DNS Filters
The first method of circumventing DNS filtering is probably pretty obvious, simply do not use the name servers that are returning corrupted information. Many individuals within Turkey figured this out and started using Google’s public DNS service. This permitted them to continue to find the correct IP addresses for hosts within twitter.com. Dyn’s Internet Guide and OpenDNS offer similar services, thus making them valid alternatives as well.
Turkey’s next response was somewhat expected. When the Turkish government learned that people were using alternate name servers, they began implementing an IP block against those servers. While this will certainly block people in Turkey from accessing those alternate name servers, it had the undesired effect of blocking those alternate name servers from finding servers located inside of Turkey. So imagine you are located in the UK and you are using Google’s public DNS service. Let’s further assume that you wish to access a site using name servers located within Turkey. Since Turkey was blocking Google’s DNS service, this lookup would most likely fail. So while the intent was to block Twitter, the result was that they also blocked access to many sites within Turkey itself. For this reason Turkey quickly backed off from this type of filtering.
Another alternative is to simply store the needed IP address information on the user’s local system. Most computers that communicate using IP have an alternative means of resolving system names via a local “hosts” file. In fact this file is usually referenced to look for required IP address information prior to checking with the local name server. So if you know the IP addresses Twitter is using, you can store them in your local hosts file and circumvent any problems introduced by the local name server.
The hosts file has long been a popular way of circumventing DNS when required. For example there are many projects that release a hosts file designed to block sites delivering banner ads. There are others that help keep you away from known malware sites.
Filtering by IP Address
Filtering by IP address is the “big stick” used to block Internet communications. Think of this as being analogous to a roadblock preventing traffic moving from point “A” to “B”. Once Turkey realized that DNS filtering was not working, their next step was to attempt to block access to the IP addresses being used by Twitter’s servers. This granted access to outsiders attempting to reach servers in Turkey, while at the same time prevented people from within Turkey’s from accessing Twitter’s servers.
Circumventing IP Address Filtering
For the average person, IP address filtering is extremely effective. For the tech savvy however, its a mere bump in the road. As an example, consider the Great Firewall of China. The Chinese government has devoted a huge amount of resources to control what information crosses their borders, and yet citizens continually find a way to circumvent it.
One possibility is to use a public Virtual Private Network (VPN) service. There are both free and commercial alternatives available. A VPN effectively tunnels all of your traffic to a remote location before sending it to whatever server you wished to visit. So if I’m trying to get to Twitter but there is an IP filter in the way, I simply first head out to the VPN server, and then bounce over to Twitter. So long as the VPN server is located on the other side of the filter (say outside the borders of Turkey), I can now access the site in question.
Still another alternative is to use a public proxy server. While a VPN will tunnel all of your traffic to a remote location, a proxy server focuses on just your Web browser traffic. A VPN can produce some tell tale forensics of what you are doing, for those who know what to look for. A public proxy server, if implemented correctly, can be indistinguishable from normal Web traffic. The Tor (anonymity network) is one of the best well known public proxy networks, and provides access via thousands of servers spread out across the world.
So why doesn’t a country simply create an IP filter for each of these alternative options? As an analogy, consider trying to solve a mole problem on an 18 hole golf course with a shovel. As quickly as you can locate and block one hole, three others open up someplace else. So while a country could attempt to block access to all of these alternatives, more than likely they will never find all the possibilities in a timely enough fashion to stop people from using them.
Summary
While both DNS and IP filter can be successfully implemented at the corporate level, they start to break down as the network and user base grows exponentially in size. Attempting to implement filtering at a country level is problematic, as the increased size of the topology introduces additional opportunities for circumventing these controls. From the beginning the Internet was designed to resiliently facilitate the free flow of information.
Chris Brenton, Director of Security, Dyn
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.