
DNS results now being manipulated in Turkey - makmanalp
Here is a valid reason for adopting DNSSEC or DNSCrypt. It's likely they're
using deep packet inspection. Using VPNs seems like the only valid solution
here for now.

Result from "dig youtube.com":

  ; <<>> DiG 9.8.3-P1 <<>> youtube.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21333
  ;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
  ;; WARNING: recursion requested but not available
  
  ;; QUESTION SECTION:
  ;youtube.com.           IN  A
  
  ;; ANSWER SECTION:
  youtube.com.        86091   IN  A   195.175.254.2
  
  ;; Query time: 25 msec
  ;; SERVER: 8.8.4.4#53(8.8.4.4)
  ;; WHEN: Sat Mar 29 13:59:52 2014
  ;; MSG SIZE  rcvd: 45

Result from "dig youtube.com @4.2.2.2":

  ; <<>> DiG 9.8.3-P1 <<>> youtube.com @4.2.2.2
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61182
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;youtube.com.           IN  A
  
  ;; ANSWER SECTION:
  youtube.com.        197 IN  A   173.194.113.38
  youtube.com.        197 IN  A   173.194.113.40
  youtube.com.        197 IN  A   173.194.113.33
  youtube.com.        197 IN  A   173.194.113.35
  youtube.com.        197 IN  A   173.194.113.41
  youtube.com.        197 IN  A   173.194.113.37
  youtube.com.        197 IN  A   173.194.113.39
  youtube.com.        197 IN  A   173.194.113.36
  youtube.com.        197 IN  A   173.194.113.34
  youtube.com.        197 IN  A   173.194.113.32
  youtube.com.        197 IN  A   173.194.113.46
  
  ;; Query time: 78 msec
  ;; SERVER: 4.2.2.2#53(4.2.2.2)
  ;; WHEN: Sat Mar 29 14:33:53 2014
  ;; MSG SIZE  rcvd: 205

Clip from the whois result on 195.175.254.2:

  inetnum:        195.174.0.0 - 195.175.255.255
  netname:        TR-TELEKOM-960902
  descr:          Turk Telekomunikasyon Anonim Sirketi
  country:        TR
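
The comparison the post makes by eye can be scripted. This is an added example, not part of the original post: it parses trimmed copies of the two dig outputs above and reports the signs that the 8.8.4.4 answer was not produced by that resolver. The function names, finding labels and the /24 comparison are assumptions of this sketch.

```python
import ipaddress
import re

# Header and answer lines copied (trimmed) from the two dig runs in the post.
VIA_8_8_4_4 = """\
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
youtube.com.        86091   IN  A   195.175.254.2
"""
VIA_4_2_2_2 = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
youtube.com.        197 IN  A   173.194.113.38
youtube.com.        197 IN  A   173.194.113.40
"""

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$", re.M)
FLAGS = re.compile(r"^;; flags: ([a-z ]+);", re.M)


def parse(dig_text):
    """Return (set of header flags, set of A-record addresses)."""
    m = FLAGS.search(dig_text)
    flags = set(m.group(1).split()) if m else set()
    addrs = {ipaddress.ip_address(a) for _, _, a in A_RECORD.findall(dig_text)}
    return flags, addrs


def findings(suspect, reference, isp_nets):
    """Compare a suspect answer with one from a path believed to be clean."""
    s_flags, s_addrs = parse(suspect)
    _, r_addrs = parse(reference)
    out = []
    # A recursive resolver sets RA in its replies; RD without RA suggests
    # the reply came from something other than the resolver queried.
    if "rd" in s_flags and "ra" not in s_flags:
        out.append("no-ra-flag")
    # CDNs rotate addresses, so compare /24s rather than exact IPs (heuristic).
    ref_nets = {ipaddress.ip_network(f"{a}/24", strict=False) for a in r_addrs}
    if s_addrs and not any(a in n for a in s_addrs for n in ref_nets):
        out.append("disjoint-answer")
    if any(a in n for a in s_addrs for n in isp_nets):
        out.append("answer-inside-isp-range")
    return out


# Range from the whois clip: 195.174.0.0 - 195.175.255.255
TURK_TELEKOM = [ipaddress.ip_network("195.174.0.0/15")]
```

Any single finding is weak evidence, since geo-aware DNS can legitimately return different networks; all three together on one answer match what the post shows.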
======
alex1
Can you do a traceroute to 8.8.4.4? If it's actually reaching Google's
network, then yeah, they're doing deep packet inspection on DNS traffic. If
not, they're probably just routing 8.8.4.4 to a DNS server they control.

If their goal is to manipulate traffic to www.youtube.com (probably to block
access to certain videos), another solution would be for YouTube to require
SSL for all connections coming from Turkish IPs. Of course, this wouldn't work
if they got some Turkish (or other) CA to sign a bogus www.youtube.com
certificate.

EDIT: As lawl points out, trying to require SSL on www.youtube.com won't work
either, since they could just do an sslstrip type attack.

EDIT 2: Proof that they are in fact messing with routes to Google Public DNS
anycast addresses (they're doing the same to OpenDNS):
[https://twitter.com/esesci/status/449902883933126659](https://twitter.com/esesci/status/449902883933126659)

~~~
lawl
> _another solution would be for YouTube to require SSL for all connections
> coming from Turkish IPs._

What? NO! They are messing with the DNS results from 8.8.4.4 (Google DNS)

Too early for TLS to do anything. Maybe with HSTS, but I still doubt that HSTS
is any effective against state level MITM.

~~~
alex1
You're right. Maybe if they turned on and required SSL for everyone visiting
www.youtube.com _and_ added www.youtube.com to Chrome's preloaded HSTS list
_and_ somehow got everyone to use Chrome. Sadly, this probably won't happen,
but DNSSEC adoption probably won't happen either. Even with DNSSEC, they could
still do deep packet inspection on HTTP traffic going to YouTube IPs and
initiate MITM attacks that way.

~~~
psykovsky
Why not ditch the current DNS system and use Namecoin? If you have to force
some piece of software into users computers, let's do it right at least...

------
bayesianhorse
Seems like Erdogan is hell-bent on restricting free speech in Turkey.

Somehow it is comforting how abysmally bad he is at doing that though...

~~~
mrtksn
The elections are tomorrow and it's prohibited by law to broadcast political
rallies on the last day.

The pro-government TV channels are broadcasting Erdogan's rallies while other
TV channels respect the law (and they are afraid of disproportional penalties
if they do the same).

So today only Erdogan is on national TV.

~~~
bayesianhorse
So every voter in Turkey essentially knows what Erdogan is doing. So nobody
who understands democracy should vote for Erdogan.

If however not enough people understand democracy ...

~~~
mrtksn
Erdogan claims that there is a "global conspiracy to stop the rise of Turkey"
and people who believe him don't care much about the unlawful things he is
doing because you know, Turkey is under attack and extraordinary measures
should be taken to protect the country.

Polls show that 77% of the population believe the corruption case against the
government is real.

However the situation is really complicated. Without going into details, I
have to say that probably there is a real conspiracy orchestrated by the
Gulen (Islamic cleric allegedly with big influence on the judiciary & law
enforcement) movement because some of the leaked tapes seem to be collected
illegally.

The Gulen movement was a close ally of the government till recently. They
probably collected evidence about the corruption in the government for years
and waited until the right moment came to start the criminal case. The PM
responded by demonizing the whole movement and suspending the rule of law.

The allegations against the Gulen movement are not proven at all but a few years
ago the same prosecutors started a case against the military and lots of
unlawful things took place during the whole trial process. That time the PM
Erdogan strongly supported the case but today he claims that this was a
conspiracy against the Turkish army.

Many lawyers agree that lots of the evidence against the military was
fabricated and many people were imprisoned for political reasons.

Back then a sex tape of the main opposition party leader was leaked and PM
Erdogan used it as a political tool. Today the same PM claims that these leaks
about corruption are an invasion of his privacy. Another leak shows that the PM
was involved in the filming and distribution of the sex tape of the opposition
party.

It's just a huge mess here.

~~~
mercurial
Yes, it's really nasty. Three groups with different agendas and none of them
interested in democracy or the rule of law.

------
ttflee
[sarcasm] Having been enduring this kind of shit for years in mainland China,
I am glad to see that it migrated to the (sort of) 'free' world, eventually!
[/sarcasm]

BTW, I have to manoeuvre some IP addresses of the CDNs in /etc/hosts in order
to get access to github.com today, and some others for stackoverflow.com last
week. Interference from those who have power really sucks!

CDNs nowadays are so vulnerable to political issues, and some CDNs seem to be
hurt by extended non-specific attacks/blocks to some other sites sharing the
same IP addresses, due to some unrelated reasons, which makes me feel
nostalgic for the web before CDNs.

------
davidu
DNSSEC wouldn't stop this... unless the resolver knew to require DNSSEC and
ignored unsigned responses (which is unlikely).

DNSCrypt could help here... but chances are their middleware would just barf
on it.

You need something more evasive.

~~~
axaxs
It wouldn't prevent getting the wrong answer, sure. But a smart resolver would
see DS records at the parent and recognize it as an unsigned, thereby invalid,
response.

~~~
nahlio
Thus, DNSSEC doesn't protect against censorship.

It's hilarious that people are saying DNSSEC can be used in Turkey (or
anywhere else) to defend against censorship. Either they don't know what
they're talking about or don't care about having an honest discussion. Or
both.

------
sanqui
I didn't see this posted on HN yet - Turkey is also blocking the Tor
Project's website:
[https://www.eff.org/deeplinks/2014/03/when-tor-block-not-tor...](https://www.eff.org/deeplinks/2014/03/when-tor-block-not-tor-block)

------
mrtksn
I can confirm NS lookup to Google DNS, when done using the national cable ISP
network, returns spoofed results.

here: [http://i.imgur.com/jfZS31C.png](http://i.imgur.com/jfZS31C.png)

------
wila
Google also offers IPv6 public DNS servers, maybe that helps? (probably not
though as they might not yet have turned on ipv6)

2001:4860:4860::8888 and 2001:4860:4860::8844

Also look at the other links that user lemonade posted here.

------
vijayp
Too bad DNSSEC isn't widely used; signing the records would prevent this from
working. The government could still block the DNS requests, though.

~~~
davidu
As I pointed out above, DNSSEC doesn't stop this.

I am not just a DNSSEC hater, but the level of misunderstanding on DNSSEC is
quite large.

When victim issues a query for youtube.com, I can intercept that query and
hand back whatever response I want. Unless the victim KNOWS IN ADVANCE (which
DNSSEC doesn't offer) that the response should be DNSSEC signed, they will
accept my forged response.

DNSSEC solves problems we don't really have, and ignores the ones we do.

~~~
wtallis
Can't you say the same thing about users who don't know to expect their
connection to use TLS? What you're claiming as the problem isn't a problem
with DNSSEC, but with the absence of DNSSEC. If DNSSEC were the default, then
this attack couldn't happen.

------
gaoshan
"Using VPNs seems like the only valid solution"

But a government like China interferes with even VPNs (more so outside of the
greater Shanghai and Beijing metro areas, in case anyone is sitting in those
areas saying "My VPN works great"... they permit it and can block or interfere
with it anytime they like) so I don't think they are really a solution. In
China, nothing really works if the authorities don't want it to. VPNs are
degraded to the point of being unusable, SOCKS proxy over SSH is the same, TOR
is unusably slow, etc. Unfortunately, I don't think there really IS a solution
in the face of determined governmental interference.

~~~
rahimnathwani
Yes, the Chinese government can interfere with or block VPNs whenever they
want.

However, don't discount the impact of bandwidth/peering issues on VPN
performance. In most cases, I've found that VPN throughput over TCP (either
PPTP or OpenVPN) is similar to HTTP throughput to the same host.

You can test this yourself. Put a file on your VPN server, and try to retrieve
it over HTTP. If you're worried that the latency is limiting the throughput,
use wget to make several connections at the same time, and sum up the transfer
speeds.

Finally, you're right - there is no (technical) solution in the face of
determined governmental interference.

------
roeme
Please correct your second query, asking for the A RR of
"youtube.com\@4.2.2.2." is needlessly wrong.

~~~
makmanalp
Ooops, missed a space there. Fixed, thanks!

------
Jugurtha
SSH tunneling also works. It's cheap and easy to set up.

~~~
michh
By default using a SOCKS proxy (which, using ssh -D is probably the easiest
and most common way to do this) in most browsers doesn't solve this problem as
DNS resolving is still done locally.

As they're messing with DNS, you'll still be connecting to their evil version
of YouTube through your SSH tunnel. In Firefox this behaviour can be changed
by toggling network.proxy.socks_remote_dns in about:config.

Of course, setting up an actual tunnel (i.e. on a lower network layer) would
be better but that's a bit more complicated to do.

~~~
alyxr
Why isn't it default behavior to route dns through socks?

~~~
michh
AFAIK it's a legacy thing. SOCKS4 didn't support it, SOCKS5 did but using that
functionality changes behaviour depending on which SOCKS version the remote
end happens to use.
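
What the remote-DNS toggle changes on the wire, as an added example that is not part of the thread: a SOCKS5 CONNECT request carries either a hostname for the proxy to resolve or an address the client already resolved through its local, possibly poisoned, DNS. The function names are made up here, and the SOCKS4a case goes beyond what the comments above mention.

```python
import ipaddress
import struct


def socks5_connect(host, port, remote_dns):
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4).

    remote_dns=True sends the hostname (ATYP 0x03) for the proxy to resolve.
    remote_dns=False expects `host` to be an IPv4 address the client has
    already resolved itself (ATYP 0x01).
    """
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = b"\x01" + ipaddress.IPv4Address(host).packed
    return head + addr + struct.pack("!H", port)


def who_resolved(request):
    """Classify a captured SOCKS CONNECT request by where DNS happened."""
    if request[0] == 4:  # SOCKS4: VN, CD, DSTPORT(2), DSTIP(4), USERID, NUL
        ip = request[4:8]
        # SOCKS4a signals "hostname follows" with DSTIP 0.0.0.x, x != 0.
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            return "proxy"
        return "client"
    if request[0] == 5:  # ATYP: 1 = IPv4, 3 = domain name, 4 = IPv6
        return {1: "client", 3: "proxy", 4: "client"}[request[3]]
    raise ValueError("not a SOCKS4/5 request")
```

A request classified as "client" means the lookup went out over the local network before the tunnel was used, so a spoofed answer such as 195.175.254.2 is what gets sent to the proxy.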

------
cryptologics
this is what I get with VPN and without VPN
[http://i.imgur.com/XNtDGYq.png](http://i.imgur.com/XNtDGYq.png)

------
acd
Won't stop tor or onion addresses

You can do the same setup as
[http://piratebrowser.com/](http://piratebrowser.com/)

------
M4v3R
Excuse my ignorance, but does anybody know why they are doing it? Is there
any piece of news I missed?

~~~
higherpurpose
Yes, you missed quite a bit. They tried to block Twitter and Youtube, and then
people started using Google DNS, OpenDNS or others to circumvent the block.

Some leaks about Erdogan's corruption and false flag attack in Turkey to blame
Syria and go to war with it came out in those channels, and he wanted people
to stop talking about it or see the leaks. I think some elections are in
Turkey soon, too.

------
lemonade
There are many more public DNS servers out there, too many to block. There is a
nice comprehensive list here:

[http://public-dns.tk/](http://public-dns.tk/)

You might also be interested in [https://dnscrypt.eu](https://dnscrypt.eu).

~~~
est
They mangle all udp port 53 data.

~~~
leath
Actually not all port 53 as there are some DNS servers still accessible that
actually resolve stuff fine.

------
bohm
namecoin would fix this:
[https://www.namecoin.org/](https://www.namecoin.org/)

------
STSW
Hide my ass will do a good job here..

~~~
Jugurtha
Yeah, tried that. It's really slow most of the time, plus many websites will
warn you or delay you (Google will display a message). Plus I wouldn't trust
my data going through those machines.

As I said, I much rather get my own hosting (even shared hosting) for as cheap
as 4 bucks a month, and tunnel my traffic through that machine.

But HMA is a valid solution for someone who's not willing to pay.

------
Fasebook
It's about time Turkey took a step towards US in controlling the flow of
information. I mean, how long has this been going on here, undetected? The
obvious solution, Turkey, is to target specific individuals after digging into
their background, confirming that they are not computer experts before
attacking them via their computer.

------
hadoukenio
The NSA and GCHQ have been doing this for years, so why complain about Turkey
doing this? The only difference I can see is targeting individuals vs
targeting the general population.

~~~
javajosh
Your tacit assertion is that if something wrong is done for years, and you
find out it's done one more time, you shouldn't bother complaining about it.
People like you have existed for all time, and will always exist, but your
views truly don't matter: change comes because people continue to fight for
what is right, despite the balance of years. Slavery on US soil had been legal
and "normal" for hundreds of years, but that didn't stop people from
"complaining" about it, and eventually changing it. Women's suffrage, same
story. Wanton violation of our 4th Amendment rights in the digital age will
proceed accordingly.

~~~
hadoukenio
See my reply to the other comment.

