Turkey Blocked The Google DNS
44 points by drac89 on Mar 22, 2014 | 25 comments
After Twitter was blocked, people started to use Google's DNS servers, and now those are blocked too.



A number of ISPs over here (PK) preposterously block gDNS (as well as OpenDNS). What's rather ironic is that they only block UDP requests to gDNS, and not TCP (`dig @8.8.8.8 google.com +tcp`). It's ludicrous, but that's how it is.



I think this may be the effect of the entire Turkish internet-going population hammering the google DNS servers.

More importantly, does anyone know about the potential of man-in-the-middle DNS attacks? There is no https-like certificate-based 3rd-party validation for DNS, is there?


Firstly, MitM attacks on DNS: totally free. Nothing is authenticated, all is plain text in UDP. Just intercept the packet and change the answer.

Secondly, no, there is no third-party validation for DNS. There is better.

DNSSEC [1,2] takes advantage of the hierarchical nature of DNS to build a chain of trust. It does so by authenticating subdomain delegations, and signing resource records.

Keep in mind, even though all DNS root servers now do DNSSEC, Internet-wide deployment is still ongoing and coverage is far from satisfying.

[1] http://tools.ietf.org/html/rfc4033

[2] http://en.wikipedia.org/wiki/Domain_Name_System_Security_Ext...


About the MITM attack: TurkTrust, the only SSL certificate authority in Turkey, was recently involved in a huge scandal: http://nakedsecurity.sophos.com/2013/01/08/the-turktrust-ssl...

Do you think that it's possible for the government to force TurkTrust to generate fake certificates for Google & Twitter and intercept the SSL traffic using TTNET?

They did that, apparently by mistake, on the EGO (a government company in Ankara) network by generating fake Google certificates.

Is there something to stop them from doing this on a national level? I don't think the ISPs would reject cooperation.



I don't know much about Turkish ISPs, but the path they have taken seems even worse than a global internet blackout. After all, those who only need to do their business can ignore the blockage.

Of course 8.8.8.8 was a bad shortcut: exactly like Twitter, it is a textbook example of SPOF. So while I sympathize with the protests, I hope this episode will teach a few at least the importance of decentralized services.


I've been using Tor both on desktop and mobile with no problems since the problems started.


Welcome to the cat-mouse game:

1. Government blocks something.

2. People post workarounds online.

3. Government blocks the circumvention methods again.

4. Network activity goes underground.

You are not at stage 3 of the first cycle.


The government should have blocked the IP of Twitter to make the ban effective!


No, they should've hired Cisco and IBM to build 'em a copy of the Great Firewall of China. US, EU should do the same and start building squads of execution drones.


I am not sure about OpenDNS, but Yandex DNS works fine; I can use Twitter.


Twitter has numerous IPs and they are buying more...


Let's see if this is true.

traceroute output for google dns:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets

1 192.168.1.1 (192.168.1.1) 1.916 ms 1.885 ms 1.872 ms

2 81.212.171.79.static.turktelekom.com.tr (81.212.171.79) 6.546 ms 6.548 ms 7.746 ms

3 93.155.0.130 (93.155.0.130) 8.952 ms 8.962 ms 9.998 ms

4 * * *

5 gayrettepe-t2-2-gayrettepe-t3-6.turktelekom.com.tr.119.156.212.in-addr.arpa (212.156.119.143) 11.529 ms 12.833 ms 13.350 ms

6 72.14.223.21 (72.14.223.21) 22.117 ms 23.176 ms 23.174 ms

7 64.233.175.188 (64.233.175.188) 45.687 ms 44.425 ms 44.377 ms

8 216.239.48.117 (216.239.48.117) 44.844 ms 216.239.48.125 (216.239.48.125) 59.738 ms 50.628 ms

9 209.85.254.114 (209.85.254.114) 50.647 ms 50.649 ms 51.616 ms

10 * * *

11 google-public-dns-a.google.com (8.8.8.8) 53.117 ms 53.809 ms 51.228 ms

--

traceroute output for twitter.com:

1 P-2812HNUL-F1.P-2812HNUL-F1 (192.168.1.1) 27.282 ms 27.520 ms 27.748 ms

2 81.212.171.79.static.turktelekom.com.tr (81.212.171.79) 32.212 ms 32.926 ms 33.018 ms

3 93.155.0.130 (93.155.0.130) 34.917 ms 34.817 ms 40.507 ms

4 * * *

5 gayrettepe-t2-3-gayrettepe-t3-6.turktelekom.com.tr.25.212.81.in-addr.arpa (81.212.25.72) 42.955 ms * 3174.208 ms

6 ulus-t2-3-gayrettepe-t2-3.turktelekom.com.tr.204.212.81.in-addr.arpa (81.212.204.205) 56.691 ms 21.201 ms 20.673 ms

7 * * ulus-t2-1-ulus-t2-3.turktelekom.com.tr.197.212.81.in-addr.arpa (81.212.197.197) 2853.324 ms

8 ulus-t3-6-ulus-t2-1.turktelekom.com.tr.29.212.81.in-addr.arpa (81.212.29.99) 22.575 ms 22.747 ms 19.829 ms

9 * * *

10 * * *

11 * * *

(It looks like 8th node drops all the packages)

--

Just to be on the safe side, this is for the Yandex DNS:

traceroute to 77.88.8.8 (77.88.8.8), 30 hops max, 60 byte packets

1 P-2812HNUL-F1.P-2812HNUL-F1 (192.168.1.1) 4.234 ms 4.725 ms 5.196 ms

2 81.212.171.79.static.turktelekom.com.tr (81.212.171.79) 9.674 ms 10.857 ms 11.185 ms

3 93.155.0.130 (93.155.0.130) 12.008 ms 12.007 ms 13.069 ms

4 * * *

5 gayrettepe-t2-2-gayrettepe-t3-6.turktelekom.com.tr.119.156.212.in-addr.arpa (212.156.119.143) 15.934 ms 18.825 ms 15.887 ms

6 ams-col-1-gayrettepe-t2-2.turktelekom.com.tr.102.156.212.in-addr.arpa (212.156.102.69) 70.412 ms * *

7 ams-ix.retn.net (195.69.145.216) 101.343 ms 101.304 ms 101.318 ms

8 GW-Yandex.retn.net (87.245.246.14) 65.985 ms 62.182 ms 63.166 ms

9 tulip-ae1.yndx.net (87.250.239.46) 79.653 ms 78.998 ms 63.158 ms

10 dns.yandex.ru (77.88.8.8) 73.809 ms 67.510 ms 67.868 ms

It is a pure hoax. I'm also very discontented with these very recent restrictive movements; probably the authors at webrazzi are feeling the same way, but by publishing such news without verification, the media becomes more and more a tool for propaganda.

Seriously, there is so much bullcrap going on, I don't know what to believe anymore.


It was inaccessible in the morning, appears to be back now, so cut the government crap and shut up.

This is from around 09:00

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.1.1
  2     8 ms     6 ms     6 ms  81.212.171.62
  3     9 ms     9 ms    13 ms  93.155.0.146
  4    10 ms     9 ms     9 ms  81.212.108.162
  5    15 ms    16 ms    26 ms  81.212.201.254
  6    22 ms    14 ms    13 ms  81.212.208.145
  7     *        *        *     Request timed out.
  8  ^C

This is after I changed my DNS to 4.2.2.1, again in the morning:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    88 ms     7 ms     7 ms  81.212.171.62.static.turktelekom.com.tr [81.212.171.62]
  3     9 ms     9 ms     8 ms  93.155.0.146
  4  3481 ms  2804 ms  2210 ms  81.212.108.162.static.turktelekom.com.tr [81.212.108.162]
  5    10 ms     9 ms     9 ms  bursa-t2-2-bursa-t3-3.turktelekom.com.tr.201.212.81.in-addr.arpa [81.212.201.254]
  6    12 ms    15 ms    12 ms  gayrettepe-t2-2-bursa-t2-2.turktelekom.com.tr.208.212.81.in-addr.arpa [81.212.208.145]
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.


So you suggest that at every little internet hiccup I should blame someone and rant about my freedom being restricted?


Our freedom is already being restricted, you idiot. Access to Twitter is blocked by the government, without a court order.

Hiccup my ass.


You cannot discuss anything without name-calling, can you?


And this is coming from a person who called the news "bullcrap".

This is a very sensitive issue and people have good reason to believe every hiccup is intentional.


> And this is coming from a person who called the news "bullcrap".

Please read the definition of name calling.

> This is a very sensitive issue and people have good reason to believe every hiccup is intentional.

True, yet I still don't see any reason for me getting insulted.


>> True, yet I still don't see any reason for me getting insulted.

Being a government shill is good enough reason for me.


You know that the Turkish government is currently playing with the routing for the internet in Turkey. It seems likely given that the google DNS is spraypainted over downtown Istanbul and being shown all over the world on the news, that if the routing from Turkey for the very same DNS goes down for a while, that it is probably something to do with an annoyed politician not realising that the google DNS is used for a lot more than just rogue twitterati.


I am very aware of what the government is messing with lately; maybe this scenario is the outcome of an incompetent politician's actions (it probably is), but this could very well be some kind of technical fault. Either way, no one knows what is really going on and everyone has gone absolutely nuts about someone blocking the DNS, and that's what I'm not OK with.


It was blocked, got a screenshot this morning: http://d.pr/xuwh


It's back now.



