The DNS filtering apparatus of China's Great Firewall (GFW) has evolved considerably over the past two decades. However, most prior studies of China's DNS filtering were performed over short time periods, leading to unnoticed changes in the GFW's behavior. In this study, we introduce GFWatch, a large-scale, longitudinal measurement platform capable of testing hundreds of millions of domains daily, enabling continuous monitoring of the GFW's DNS filtering behavior. We present the results of running GFWatch over a nine-month period, during which we tested an average of 411M domains per day and detected a total of 311K domains censored by the GFW's DNS filter. To the best of our knowledge, this is the largest number of domains tested and censored domains discovered in the literature. We further reverse engineer regular expressions used by the GFW and find 41K innocuous domains that match these filters, resulting in overblocking of their content. We also observe bogus IPv6 and globally routable IPv4 addresses injected by the GFW, including addresses owned by US companies, such as Facebook, Dropbox, and Twitter. Using data from GFWatch, we studied the impact of GFW blocking on the global DNS system. We found 77K censored domains with DNS resource records polluted in popular public DNS resolvers, such as Google and Cloudflare. Finally, we propose strategies to detect poisoned responses that can (1) sanitize poisoned DNS records from the cache of public DNS resolvers, and (2) assist in the development of circumvention tools to bypass the GFW's DNS censorship.