DNS results now being manipulated in Turkey
123 points by makmanalp on Mar 29, 2014 | 70 comments
Here is a valid reason for adopting DNSSEC or DNSCrypt. It's likely they're using deep packet inspection. Using VPNs seems like the only valid solution here for now.

Result from "dig youtube.com":

  ; <<>> DiG 9.8.3-P1 <<>> youtube.com
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21333
  ;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
  ;; WARNING: recursion requested but not available
  ;youtube.com.           IN  A
  youtube.com.        86091   IN  A
  ;; Query time: 25 msec
  ;; SERVER:
  ;; WHEN: Sat Mar 29 13:59:52 2014
  ;; MSG SIZE  rcvd: 45

Result from "dig youtube.com @":

  ; <<>> DiG 9.8.3-P1 <<>> youtube.com @
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61182
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
  ;youtube.com.           IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  youtube.com.        197 IN  A
  ;; Query time: 78 msec
  ;; SERVER:
  ;; WHEN: Sat Mar 29 14:33:53 2014
  ;; MSG SIZE  rcvd: 205

Clip from the whois result on

  inetnum: -
  netname:        TR-TELEKOM-960902
  descr:          Turk Telekomunikasyon Anonim Sirketi
  country:        TR
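The two dig outputs above differ in ways a script can check rather than eyeball: the answer that came back over the ISP path has `rd` set but `ra` clear (dig's "recursion requested but not available") and a single A record, while the answer from the other resolver has `ra` set and many records. Added example, not code from the original post: a minimal DNS wire-format parser applied to two constructed responses that mirror those outputs (transaction IDs from the post, addresses replaced with RFC 5737 documentation ranges), with a comparison against a reference response obtained over a trusted path.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, RD, RA = 1 << 15, 1 << 8, 1 << 7

def build_response(txid, flags, qname, answers):
    """Construct a DNS response in wire format (constructed test data).
    answers: list of (ttl, dotted_ipv4) tuples, emitted as A records."""
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode()
                        for label in qname.split(".")) + b"\x00"
    question += struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ttl, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the name in the question.
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rrs

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Extract header flags and A-record answers from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4         # skip QNAME, QTYPE, QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0xF, "answers": answers}

def forgery_indicators(local, reference):
    """Compare a response seen on the local path with one obtained over a
    trusted path (the post's 'dig' versus 'dig @other-resolver').
    Returns a list of reasons; an empty list means nothing suspicious."""
    reasons = []
    if local["rd"] and not local["ra"]:
        # A real recursive resolver sets RA; dig renders its absence as
        # "WARNING: recursion requested but not available".
        reasons.append("RD set but RA clear in answer from a recursive resolver")
    if not {ip for _, ip in local["answers"]} & {ip for _, ip in reference["answers"]}:
        reasons.append("no answer IP in common with the reference response")
    return reasons

# Constructed messages mirroring the post's two dig outputs; the addresses
# are documentation ranges (RFC 5737), not the real ones.
SPOOFED = build_response(21333, QR | RD, "youtube.com", [(86091, "192.0.2.10")])
GENUINE = build_response(61182, QR | RD | RA, "youtube.com",
                         [(197, "198.51.100.%d" % i) for i in range(1, 12)])
```

Running `forgery_indicators(parse_response(SPOOFED), parse_response(GENUINE))` returns both reasons for the spoofed message and nothing when the genuine message is compared with itself.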

Can you do a traceroute to If it's actually reaching Google's network, then yeah, they're doing deep packet inspection on DNS traffic. If not, they're probably just routing to a DNS server they control.

If their goal is to manipulate traffic to www.youtube.com (probably to block access to certain videos), another solution would be for YouTube to require SSL for all connections coming from Turkish IPs. Of course, this wouldn't work if they got some Turkish (or other) CA to sign a bogus www.youtube.com certificate.

EDIT: As lawl points out, trying to require SSL on www.youtube.com won't work either, since they could just do an sslstrip type attack.

EDIT 2: Proof that they are in fact messing with routes to Google Public DNS anycast addresses (they're doing the same to OpenDNS): https://twitter.com/esesci/status/449902883933126659

Actually this seems likely, hmmm:

  traceroute to (, 64 hops max, 52 byte packets
   1 (  4.260 ms  0.969 ms  0.865 ms
   2  host-92-44-0-42.reverse.superonline.net (  7.465 ms  7.903 ms  7.384 ms
   3  host-82-222-174-177.reverse.superonline.net (  8.772 ms  13.703 ms  8.482 ms
   4  host-85-29-17-234.reverse.superonline.net (  7.736 ms  7.830 ms
      host-82-222-35-54.reverse.superonline.net (  11.449 ms
   5 (  30.518 ms  17.123 ms  8.674 ms
   6  inkilap-t2-1-kartal-t3-1.turktelekom.com.tr.220.212.81.in-addr.arpa (  9.945 ms *  15.140 ms
   7  * * *
   8  ulus-t3-4-ulus-t2-2.turktelekom.com.tr.223.212.81.in-addr.arpa (  18.020 ms  17.709 ms  15.444 ms
   9  * * *
  10  * * *
  11  * * *
  12  * * *
  13  * * *

Yeah, looks like they're mucking with the routes for Google Public DNS anycast IPs.

EDIT: More evidence that this is what's happening (they're doing the same to OpenDNS's anycast addresses): https://twitter.com/esesci/status/449902883933126659

> another solution would be for YouTube to require SSL for all connections coming from Turkish IPs.

What? NO! They are messing with the DNS results from (Google DNS)

Too early for TLS to do anything. Maybe with HSTS, but I still doubt that HSTS is at all effective against state level MITM.

You're right. Maybe if they turned on and required SSL for everyone visiting www.youtube.com and added www.youtube.com to Chrome's preloaded HSTS list and somehow got everyone to use Chrome. Sadly, this probably won't happen, but DNSSEC adoption probably won't happen either. Even with DNSSEC, they could still do deep packet inspection on HTTP traffic going to YouTube IPs and initiate MITM attacks that way.

Why not ditch the current DNS system and use Namecoin? If you have to force some piece of software onto users' computers, let's do it right at least...

Are you suggesting the government compromised a trusted SSL CA? Or are you just saying they blocked HTTPS?

Huh? The government of Turkey itself is a trusted CA http://www.mozilla.org/en-US/about/governance/policies/secur... Ctrl+F "Government of Turkey"

What application is this?

Seems like Erdogan is hell-bent on restricting free speech in Turkey.

Somehow it is comforting how abysmally bad he is at doing that though...

The elections are tomorrow and it's prohibited by law to broadcast political rallies on the last day.

The pro-government TV channels are broadcasting Erdogan's rallies while other TV channels respect the law (and they are afraid of disproportional penalties if they do the same).

So today only Erdogan is on national TV.

So every voter in Turkey essentially knows what Erdogan is doing. So nobody who understands democracy should vote for Erdogan.

If however not enough people understand democracy ...

Erdogan claims that there is a "global conspiracy to stop the rise of Turkey" and people who believe him don't care much about the unlawful things he is doing because you know, Turkey is under attack and extraordinary measures should be taken to protect the country.

Polls show that 77% of the population believe the corruption case against the government is real.

However the situation is really complicated. Without going into details, I have to say that probably there is a real conspiracy orchestrated by the Gulen (an Islamic cleric allegedly with big influence on the judiciary & law enforcement) movement because some of the leaked tapes seem to have been collected illegally.

The Gulen movement was a close ally of the government till recently. They probably collected evidence about the corruption in the government for years and waited until the right moment came to start the criminal case. The PM responded by demonizing the whole movement and suspending the rule of law.

The allegations against the Gulen movement are not proven at all, but a few years ago the same prosecutors started a case against the military and lots of unlawful things took place during the whole trial process. At that time PM Erdogan strongly supported the case, but today he claims that this was a conspiracy against the Turkish army.

Many lawyers agree that lots of the evidence against the military was fabricated and many people were imprisoned for political reasons.

Back then a sex tape of the main opposition party leader was leaked and PM Erdogan used it as a political tool. Today the same PM claims that these leaks about corruption are invasion of his privacy. Another leak shows that the PM was involved in the filming and distribution of the sex tape of the opposition party.

It's just a huge mess here.

Yes, it's really nasty. Three groups with different agendas and none of them interested in democracy or the rule of law.

There are lots of voters who believe in Erdogan because he said he's clean. It's all about uneducated public being manipulated through religion and patriotism. He talks about Islam and the national flag. He's reading the national anthem's lyrics in ads on TV.

> *It's all about uneducated public being manipulated through religion and patriotism.*

So, not much unlike the so-called educated public, being manipulated by anti-clericalism and globalisation!

In this case the choice is between one ideal that encourages you to think for yourself, and one that discourages you.

One ideal which emphasizes the need for science and rational thought and one that needs conspiracy theories to survive.

One ideal which has proven to bring peace and prosperity, while the other is failing miserably, comparatively speaking.

The best democracy money can buy!

Actually, while I don't think Turkey is that far "gone" on the antidemocratic spectrum, it has one thing in common with more severe cases of "border-line" democracy, like Russia: It's not the money that rigs the government, it's the government that rigs the money.

In some sense, the US, with its absurdly high campaign spending, avoids this kind of corruption either way just by competition.

Even if a single interest group/company would try to outright "buy" a presidential campaign (which hardly works anyway), all the other interest groups combined have an incentive to "buy" it back. Which is why politicians can't be controlled through donations as often as TV Shows might want you to believe.

Erdogan however just rigs the regulation in a way that benefits his reelection and accumulation of wealth. No competition, no problem...

The US elections are equally rigged - you vote for which faction of the mil-ind complex you like, and whether planned parenthood is funded - but not anything like wars, which simply continue as scheduled.

Rigged? I don't think so. But if you accept that you can't vote for every single decision because of practical reasons (and because multiple single-issue-votes tend to contradict each other), you can only vote for the general direction, and in the US this means you have a choice of about two directions. In other democracies you might have three or four directions but those countries tend to have more issues with incompetency and corruption.

However the "axis" of these two directions is aligned by the general public. If people care about wars, the parties would align towards "war" and "no war" for an election. But they don't, because beginning and ending a war isn't something that works well with elections or any arbitrarily timed decision process for that matter.

Governments have to be able to start a war or not end it at the wrong time, otherwise you might as well let non-democratic countries take you to the cleaners...

> In other democracies you might have three or four directions but those countries tend to have more issues with incompetency and corruption.

That's a joke, right? Germany is more corrupt and less competent than the US? Sweden is? The UK is? On almost every metric of government efficiency, the US is behind most European countries.

> If people care about wars, the parties would align towards "war" and "no war" for an election. But they don't,

This is a stupid assertion. Why would they align towards "war" and "no war" when they don't have to? They have enough divisive things like Roe vs. Wade, Planned Parenthood, Food Stamps, ACA, etc to make sure that every single-issue voter is accounted for in one camp or the other.

Do you remember that Obama campaigned on the "Close Gitmo" promise?

> But they don't, because beginning and ending a war isn't something that works well with elections or any arbitrarily timed decision process for that matter. Governments have to be able to start a war or not end it at the wrong time, otherwise you might as well let non-democratic countries take you to the cleaners...

I will assume you are naive, because otherwise I would have to assign malice to your argument. The US has been, for years, opening a new front every couple of years. Regardless of timing, "more military action around the world" and "less military action around the world" are things you can base policy on. In fact, Ron Paul campaigned for the latter. But in a two party system, anything except the big two parties is meaningless, and the big parties like it that way - it means they don't have to align with anything the public at large might actually want.

[sarcasm] Having been enduring this kind of shit for years in mainland China, I am glad to see that it migrated to the (sort of) 'free' world, eventually! [/sarcasm]

BTW, I have to manoeuvre some IP addresses of the CDNs in /etc/hosts in order to get access to github.com today, and some others for stackoverflow.com last week. Interference from those who have power really sucks!

CDNs nowadays are so vulnerable to political issues, and some CDNs seem to be hurt by extended non-specific attacks/blocks on some other sites sharing the same IP addresses, due to some unrelated reasons, which makes me feel nostalgic for the web before CDNs.

DNSSEC wouldn't stop this... unless the resolver knew to require DNSSEC and ignored unsigned responses (which is unlikely).

DNSCrypt could help here... but chances are their middleware would just barf on it.

You need something more evasive.

It wouldn't prevent getting the wrong answer, sure. But a smart resolver would see DS records at the parent and recognize it as an unsigned, thereby invalid, response.

Thus, DNSSEC doesn't protect against censorship.

It's hilarious that people are saying DNSSEC can be used in Turkey (or anywhere else) to defend against censorship. Either they don't know what they're talking about or don't care about having an honest discussion. Or both.

I didn't see this posted on HN yet - Turkey is also blocking the Tor Project's website: https://www.eff.org/deeplinks/2014/03/when-tor-block-not-tor...

I can confirm NS lookup to Google DNS, when done using the national cable ISP network, returns spoofed results.

here: http://i.imgur.com/jfZS31C.png

Google also offers IPv6 public DNS servers, maybe that helps? (probably not though as they might not yet have turned on ipv6)

2001:4860:4860::8888 and 2001:4860:4860::8844

Also look at the other links that user lemonade posted here.

Too bad DNSSEC isn't widely used; signing the records would prevent this from working. The government could still block the DNS requests, though.

Sure, they wouldn't be able to proxy all HTTP requests through their own servers like they're doing now, but they'd still be able to do MITM attacks at the IP level. They're already messing with routes to Google Public DNS IPs so they could just as easily mess with routes to YouTube's IPs. I don't think DNSSEC is the solution in cases like this. Somehow getting everyone to use SSL for everything is a much better solution in my opinion.

As I pointed out above, DNSSEC doesn't stop this.

I am not just a DNSSEC hater, but the level of misunderstanding on DNSSEC is quite large.

When victim issues a query for youtube.com, I can intercept that query and hand back whatever response I want. Unless the victim KNOWS IN ADVANCE (which DNSSEC doesn't offer) that the response should be DNSSEC signed, they will accept my forged response.

DNSSEC solves problems we don't really have, and ignores the ones we do.

Can't you say the same thing about users who don't know to expect their connection to use TLS? What you're claiming as the problem isn't a problem with DNSSEC, but with the absence of DNSSEC. If DNSSEC were the default, then this attack couldn't happen.

"Using VPNs seems like the only valid solution"

But a government like China interferes with even VPNs (more so outside of the greater Shanghai and Beijing metro areas, in case anyone is sitting in those areas saying "My VPN works great"... they permit it and can block or interfere with it anytime they like) so I don't think they are really a solution. In China, nothing really works if the authorities don't want it to. VPNs are degraded to the point of being unusable, SOCKS proxy over SSH is the same, Tor is unusably slow, etc. Unfortunately, I don't think there really IS a solution in the face of determined governmental interference.

Yes, the Chinese government can interfere with or block VPNs whenever they want.

However, don't discount the impact of bandwidth/peering issues on VPN performance. In most cases, I've found that VPN throughput over TCP (either PPTP or OpenVPN) is similar to HTTP throughput to the same host.

You can test this yourself. Put a file on your VPN server, and try to retrieve it over HTTP. If you're worried that the latency is limiting the throughput, use wget to make several connections at the same time, and sum up the transfer speeds.

Finally, you're right - there is no (technical) solution in the face of determined governmental interference.

Choose an expensive VPN. The free ones are the ones that got quickly blocked, as more people would be using them, which in turn results in the blockage.

Please correct your second query; asking for the A RR of "youtube.com\@" is needlessly wrong.

Ooops, missed a space there. Fixed, thanks!

SSH tunneling also works. It's cheap and easy to set up.

By default using a SOCKS proxy (which, using ssh -D is probably the easiest and most common way to do this) in most browsers doesn't solve this problem as DNS resolving is still done locally.

As they're messing with DNS, you'll still be connecting to their evil version of YouTube through your SSH tunnel. In Firefox this behaviour can be changed by toggling network.proxy.socks_remote_dns in about:config.

Of course, setting up an actual tunnel (i.e. on a lower network layer) would be better but that's a bit more complicated to do.
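The leak described above is visible in a Firefox profile's prefs.js or user.js: a manual proxy (network.proxy.type 1) with a SOCKS host set but network.proxy.socks_remote_dns left false. Added example, not code from the original comment: a small pref-file parser and a check for that combination, run over constructed prefs fragments for an `ssh -D 1080` setup before and after the about:config toggle.

```python
import re

# user_pref("name", value); lines as written in Firefox's prefs.js / user.js
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*?)\);\s*$', re.MULTILINE)

def parse_prefs(text):
    """Parse user_pref() lines into a dict with bool/int/str values."""
    prefs = {}
    for key, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[key] = int(raw)
        else:
            prefs[key] = raw.strip('"')
    return prefs

def dns_leaks_past_socks(prefs):
    """Return True when Firefox uses a manual SOCKS proxy (network.proxy.type 1
    with a socks host) but still resolves names locally, which is the leak the
    comment describes; None when no SOCKS proxy is configured at all.
    An absent socks_remote_dns pref is treated as false, the default the
    comment refers to."""
    if prefs.get("network.proxy.type") != 1 or not prefs.get("network.proxy.socks"):
        return None
    return not prefs.get("network.proxy.socks_remote_dns", False)

# Constructed prefs fragments (not from a real profile): an 'ssh -D 1080'
# SOCKS setup before and after toggling network.proxy.socks_remote_dns.
LEAKY = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_remote_dns", false);
'''
FIXED = LEAKY.replace('socks_remote_dns", false', 'socks_remote_dns", true')
NO_PROXY = 'user_pref("network.proxy.type", 0);\n'
```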

If you're on *nix, sshuttle is the tool you want. It's an ssh tunnel on steroids, and it works with every program even if they're not configured to use a SOCKS proxy (such as Flash). It's also faster because it avoids the TCP-over-TCP problem that the usual SOCKS proxy entails.

    sshuttle --dns -v -r username@servername 0/0

That's going to come in useful, bookmarked, thanks!

What happens when you change the default DNS on the router level to OpenDNS or Google?

(i.e: Telnet to the router, and change DNS there).

That's the whole point: they seem to be using deep packet inspection to mess with all DNS traffic regardless of the DNS server being used.

Aha, I see. I'll look this up in addition to what kijin said (sshuttle).

It's not like our government is blocking anything (there were rumors it was blocking Facebook in 2011, but it wasn't true as I was able to log in without any issue. It was just slow, but it's not like we have the fastest internet here).

But it's nice to know. Thanks for the clarification.

Were you logging in on the actual facebook? how can you tell? Logging in isn't a proof that that is the real facebook, dude. And doesn't "It was just slow" ring any bell?

It wasn't slower than many times where nothing was happening. Internet here just sucks. Whether it's peace and birds are singing, or scorched earth, it's all the same.

Plus how can you tell it isn't the actual Facebook if everything is there, status, etc, comments, pictures. I can chat with other users, send messages, etc.

Why isn't it default behavior to route dns through socks?

AFAIK it's a legacy thing. SOCKS4 didn't support it, SOCKS5 did but using that functionality changes behaviour depending on which SOCKS version the remote end happens to use.

There are decent reasons for either way, the real question is why isn't there a visible option for it.

this is what I get with VPN and without VPN http://i.imgur.com/XNtDGYq.png

Won't stop Tor or onion addresses.

You can do the same setup as http://piratebrowser.com/

Excuse my ignorance, but does anybody know why they are doing it? Is there any piece of news I missed?

Yes, you missed quite a bit. They tried to block Twitter and YouTube, and then people started using Google DNS, OpenDNS or others to circumvent the block.

Some leaks about Erdogan's corruption and false flag attack in Turkey to blame Syria and go to war with it came out in those channels, and he wanted people to stop talking about it or see the leaks. I think some elections are in Turkey soon, too.

There have been some sound recording leaks in Turkey, exposing high ranking government officials' and Erdogan's private conversations, which is absolutely scandalous. This Sunday, there will be an election, and the ruling party doesn't want people to listen to these records prior to the election. As you can guess, this material was primarily published through YouTube, hence the blockage.

There are many more public DNS servers out there, too many to block. There is a nice comprehensive list here:


You might also be interested in https://dnscrypt.eu.

They mangle all udp port 53 data.

Actually not all port 53, as there are some DNS servers still accessible that actually resolve stuff fine.

No, there's no mangling of data (apart from HTTP which gets injected with a RST flagged packet once in a while)

namecoin would fix this: https://www.namecoin.org/

Hide my ass will do a good job here..

Yeah, tried that. It's really slow most of the time, plus many websites will warn you or delay you (Google will display a message). Plus I wouldn't trust my data going through those machines.

As I said, I'd much rather get my own hosting (even shared hosting) for as cheap as 4 bucks a month, and tunnel my traffic through that machine.

But HMA is a valid solution for someone who's not willing to pay.

It's about time Turkey took a step towards US in controlling the flow of information. I mean, how long has this been going on here, undetected? The obvious solution, Turkey, is to target specific individuals after digging into their background, confirming that they are not computer experts before attacking them via their computer.

The NSA and GCHQ have been doing this for years, so why complain about Turkey doing this? The only difference I can see is targeting individuals vs targeting the general population.

Your tacit assertion is that if something wrong is done for years, and you find out it's done one more time, you shouldn't bother complaining about it. People like you have existed for all time, and will always exist, but your views truly don't matter: change comes because people continue to fight for what is right, despite the balance of years. Slavery on US soil had been legal and "normal" for hundreds of years, but that didn't stop people from "complaining" about it, and eventually changing it. Women's suffrage, same story. Wanton violation of our 4th Amendment rights in the digital age will proceed accordingly.

See my reply to the other comment.

Maybe because it's the wrong thing to do regardless of who's doing it?

When I see messages like this, I start to think... who is this person? What is their agenda? What's the chance they are Turkish?

After all, if you cannot see the difference between the alleged single person targeting and the blanket targeting of an entire population, I'm not really sure you deserve to be here.

I guess I'll leave you with that Stalin quote "Death of one man is a tragedy. Death of a million is a statistic".

Wow, a bit harsh.

What I was trying to say was that Governments do shit like this, regardless of if they are China, North Korea, Turkey or America. In terms of doing things against their citizens, every country is in the Axis of Evil, so STOP complaining and instead get behind projects that will fix this shit by making the internet bulletproof.

