If anyone is in Turkey and can configure their system to use Google Public DNS IPs / OpenDNS IPs as their resolvers, I'd be interested to learn what you see on: http://whatsmyresolver.stdlib.net/
It's clear that addresses such as 8.8.8.8 are being intercepted. But it's unclear if the interceptor is passing on the uninteresting queries to the "real" Google Public DNS / OpenDNS, or if they are acting as standalone resolvers. The above website records what IP address the resolver uses to communicate with authoritative DNS servers.
I didn't know this could be done. I am using PowerDNS on my own server at home, and it correctly displays my IP address.
Can you give me some pointers to understand how this works?
Disclaimer: I don't know with absolute certainty that this is correct, but based on a quick look at the page and what I already know I think it's probably correct.
Look at the source for that page and you'll see:
When your browser loads that, it'll return a reference to a resource with a unique hostname. Open that URL in your browser, for example, and you'll likely see something like the following in the address bar (this is what I received, with a few characters changed):
Thus, your browser will do a DNS lookup for that hostname. Because that URL is unique to you, the DNS server knows that it is you making the DNS request. It makes a note of what IP address the request came from and returns that to you as the IP of your resolver.
Similar to you, I have a pair of resolvers running here at home and I am returned the IP address of one of them.
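The mechanism described above, as an added example that is not the whatsmyresolver.stdlib.net site's own code: a minimal authoritative responder for a hypothetical zone `detect.example` that hands out a one-off hostname, records the source address each query for that hostname arrives from, and (instead of showing it on a web page as the site does) encodes that address in the A record it returns, so the client can read its resolver's IP straight out of the answer. The zone name, the UDP port and the token format are assumptions; the wire-format handling is plain RFC 1035.

```python
import secrets
import socket
import struct

# Hypothetical zone this responder is authoritative for (an assumption, not the
# site's real zone).
DETECT_ZONE = "detect.example"

# token -> IPv4 address the recursive resolver queried from, i.e. what the page
# calls "the IP of your resolver". Filled in by handle_query().
SEEN_RESOLVERS = {}


def unique_hostname():
    """Issue a fresh, unguessable label so every visitor's lookup is distinct
    and can never be answered from a cache."""
    return f"{secrets.token_hex(8)}.{DETECT_ZONE}"


def build_query(name, txid=0x1234):
    """Encode a standard recursive A query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_qname(packet):
    """Return (qname, offset just past the question section)."""
    off, labels = 12, []
    while True:
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(packet[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels).lower(), off + 4   # skip QTYPE and QCLASS


def handle_query(packet, src_ip):
    """Record which address asked about a token and answer with an A record
    carrying that address. `src_ip` is the UDP source of the query: for a
    client behind a recursive resolver, that is the resolver, not the client."""
    txid, = struct.unpack("!H", packet[:2])
    qname, qend = parse_qname(packet)
    if not qname.endswith("." + DETECT_ZONE):
        # Not ours: QR set, RCODE 5 (REFUSED), question echoed back.
        return packet[:2] + struct.pack("!HHHHH", 0x8185, 1, 0, 0, 0) + packet[12:qend]
    token = qname.split(".")[0]
    SEEN_RESOLVERS[token] = src_ip
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR + AA, one answer
    answer = (b"\xc0\x0c"                                      # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 0, 4)               # A, IN, TTL 0 (do not cache), rdlength 4
              + socket.inet_aton(src_ip))
    return header + packet[12:qend] + answer


def answer_ip(response):
    """Extract the IPv4 address from the single A record in a response."""
    _, qend = parse_qname(response)
    rdata = response[qend + 12:qend + 16]   # 2-byte name pointer + 10-byte fixed RR header
    return socket.inet_ntoa(rdata)


def serve(bind=("0.0.0.0", 5353)):
    """Answer on UDP; in a real deployment this host is the NS for DETECT_ZONE
    (port 53) and the tokens are handed out by the web page."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, (ip, port) = sock.recvfrom(512)
        sock.sendto(handle_query(data, ip), (ip, port))


if __name__ == "__main__":
    serve()
```

Because each token is unique and the answer has TTL 0, nothing upstream can satisfy the lookup from a cache, which is why the query always reaches this server and why the address it sees is the resolver that actually talks to authoritative servers. That is the property the page above relies on: an interceptor that merely impersonates 8.8.8.8 but forwards to Google will show up as a Google address here, while one acting as a standalone resolver shows up as itself.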
Nope, this is not an ISP. Turk Telekom is a state-owned broadband internet (infrastructure) company. All of the ISPs have the same peering. I checked your link through TTNet. We also have Superonline and Smile as main ISPs.
Details courtesy of Wikipedia: Privatized in 2005. "55% of the shares of Turk Telekom belongs to Oger Telekomünikasyon A.Ş. and 30% of the shares belongs to Undersecretariat of Treasure of Turkey. The remaining 15% of shares has been offered to the public." Oger Telekom is apparently 100% privately owned by the Hariri family.
So, still 30% state owned. As one point of reference, the German government still holds 15% directly plus 17% indirectly of Deutsche Telekom. France and Orange (nee France Telecom) are similar.
Would you mind posting a traceroute to 8.8.8.8? I'm curious as to the "how", e.g. if they're announcing the IP/subnet into BGP or (assuming traffic flows through them) if they're just transparently redirecting (DNAT, in effect) it to their own DNS servers.
traceroute to 208.67.222.222 (208.67.222.222), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 2.525 ms 3.372 ms 8.410 ms
2 78.180.240.1.dynamic.ttnet.com.tr (78.180.240.1) 26.861 ms 28.677 ms 30.683 ms
3 81.212.78.13.static.turktelekom.com.tr (81.212.78.13) 32.834 ms 33.887 ms 34.726 ms
4 gayrettepe-t2-3-gayrettepe-t3-5.turktelekom.com.tr.205.212.81.in-addr.arpa (81.212.205.105) 36.738 ms 37.718 ms 39.747 ms
5 ulus-t2-3-gayrettepe-t2-3.turktelekom.com.tr.204.212.81.in-addr.arpa (81.212.204.205) 48.947 ms 49.867 ms 51.937 ms
6 ulus-t3-4-ulus-t2-3.turktelekom.com.tr.204.212.81.in-addr.arpa (81.212.204.149) 56.001 ms 27.122 ms 29.496 ms
7 * * *
...
30 * * *
8.8.8.8 gives similar (indeed identical if I've good eye-diff skills) output.
Interestingly enough, it throws an error ("Please enter a valid IPv4/IPv6 address!") when I ask it for the routes it has for 8.8.4.0/24 or 8.8.8.0/24. If I ask for 8.8.33.0/24 (the "closest" subnet I see in my own BGP tables), it responds normally.
Right, I'm sure they are (they pretty much have to, unless they want to make it harder on themselves)... there's no reason they'd need to filter the /24s out, unless they're afraid that maybe Google would start using other IPs in the same /24 to help the Turks bypass it or something.
Hey, OP, I'm from Pakistan, but I thought you might like some comparative info, esp. since we are blocking youtube too.
----
Your resolver's source IP1 is:
58.27.204.243
1: Technically it's at least one of your resolver's IPv4 source addresses.
----
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\>tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 2 ms 1 ms 3 ms 192.168.0.1
2 59 ms 64 ms 69 ms 10.204.0.1
3 77 ms 99 ms * 58-27-174-122.wateen.net [58.27.174.122]
4 75 ms 84 ms 44 ms 58-27-174-65.wateen.net [58.27.174.65]
5 75 ms 78 ms 59 ms 58-27-180-190.wateen.net [58.27.180.190]
6 66 ms 63 ms 63 ms 58-27-174-26.wateen.net [58.27.174.26]
7 95 ms 104 ms 125 ms tw130-static117.tw1.com [119.63.130.117]
8 90 ms 104 ms 114 ms tw255-static233.tw1.com [110.93.255.233]
9 200 ms 219 ms 209 ms 72.14.222.151
10 229 ms 194 ms 225 ms 72.14.235.67
11 215 ms 228 ms 229 ms 72.14.232.78
12 194 ms 224 ms 224 ms 209.85.254.116
13 * * * Request timed out.
14 225 ms 234 ms 224 ms google-public-dns-a.google.com [8.8.8.8]
Yep, and it would appear that's what they're doing:
A:34_acibadem_lg# ping 8.8.4.4 source 195.175.239.100
64 bytes from 8.8.4.4: icmp_seq=1 ttl=250 time=6.58ms.
64 bytes from 8.8.4.4: icmp_seq=2 ttl=250 time=6.55ms.
64 bytes from 8.8.4.4: icmp_seq=3 ttl=250 time=6.52ms.
64 bytes from 8.8.4.4: icmp_seq=4 ttl=250 time=6.93ms.
64 bytes from 8.8.4.4: icmp_seq=5 ttl=250 time=6.57ms.
---- 8.8.4.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 6.52ms, avg = 6.63ms, max = 6.93ms, stddev = 0.154ms
A:34_acibadem_lg# ping 8.8.8.8 source 195.175.239.100
PING 8.8.8.8 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=6.58ms.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=6.51ms.
64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=6.54ms.
64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=6.52ms.
64 bytes from 8.8.8.8: icmp_seq=5 ttl=250 time=6.51ms.
---- 8.8.8.8 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 6.51ms, avg = 6.53ms, max = 6.58ms, stddev = 0.044ms
A:34_acibadem_lg# traceroute 8.8.4.4 source 195.175.239.100
traceroute to 8.8.4.4 from 195.175.239.100, 30 hops max, 40 byte packets
1 acbdm-2-1-acbdm-bgp-1.turktelekom.com.tr (212.156.120.49) 7.03 ms 3.57 ms 10.3 ms
2 0.0.0.0 * * *
3 195.175.166.207.static.turktelekom.com.tr (195.175.166.207) 10.3 ms 9.31 ms 12.0 ms
4 cagis-ess1-t4-1-balikesir-t3-2.turktelekom.com.tr.252.156.212.in-addr.arpa (212.156.252.89) 10.4 ms 18.9 ms 12.6 ms
5 ulus-t3-4-ulus-t2-1.turktelekom.com.tr.203.212.81.in-addr.arpa (81.212.203.78) 11.2 ms 10.8 ms 29.7 ms
6 0.0.0.0 * * *
7 0.0.0.0 * * *
...
On a side note, it looks like TT does very little, if any, filtering of announcements they receive from peers so it'd be pretty trivial for one of their peers to do BGP hijacking. :/
Added: Interestingly enough, if I ask TT's LG for the routes it has for 8.8.4.0/24 or 8.8.8.0/24, it throws an error ("Please enter a valid IPv4/IPv6 address!"). I get the same result if I ask for a subnet that doesn't exist in BGP. That makes me guess that they're filtering out the routes from their peers.
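An added example, not from anyone in the thread, that mechanises the two checks the replies above do by eye: whether a trace actually terminates at the address it was sent to or goes dark inside an intermediate network (the Turkish traces stop answering after the turktelekom.com.tr hops; the Pakistani one ends at 8.8.8.8), and how far away a responder is given the TTL on its replies (the looking-glass pings above come back with ttl=250 at about 6.5 ms). It parses both the Linux/SR-OS `traceroute` and the Windows `tracert` layouts seen on this page. The sample inputs are shortened copies of the outputs posted above; the verdict labels and the "three silent hops" threshold are my own choices.

```python
import re

# Hop lines in both formats start with the hop number; banner lines
# ("traceroute to ...", "Tracing route to ...", "over a maximum of ...") do not.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RTT_MS = re.compile(r"(\d+(?:\.\d+)?)\s*ms\b")


def parse_trace(text):
    """Parse traceroute/tracert output into [(hop, responder_ip_or_None, [rtt_ms, ...])].
    Silent hops ('* * *', 'Request timed out.' or the SR-OS placeholder 0.0.0.0)
    get None as the responder."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        # The last dotted quad on the line is the responder; reverse-DNS names
        # such as '...tr.204.212.81.in-addr.arpa' do not match as four octets.
        ips = [ip for ip in IPV4.findall(rest) if ip != "0.0.0.0"]
        rtts = [float(x) for x in RTT_MS.findall(rest)]
        hops.append((hop, ips[-1] if ips else None, rtts))
    return hops


def assess(text, target, silent_threshold=3):
    """Did the probes reach `target`, or did the path go dark after some
    intermediate network? Returns (verdict, last_answering_hop, its_ip)."""
    hops = parse_trace(text)
    answered = [(h, ip) for h, ip, _ in hops if ip]
    if not answered:
        return ("no_replies", None, None)
    hop, ip = answered[-1]
    if ip == target:
        return ("reached", hop, ip)
    silent_after = sum(1 for h, ip2, _ in hops if h > hop and ip2 is None)
    if silent_after >= silent_threshold:
        return ("dark_after", hop, ip)   # path vanishes inside the network owning `ip`
    return ("incomplete", hop, ip)


def hops_from_ttl(reply_ttl, initial_ttls=(64, 128, 255)):
    """Hop distance implied by a reply's TTL, assuming the responder started from
    the nearest common initial TTL. A heuristic: any host may choose its own
    initial TTL, so treat the result as a plausibility check, not proof."""
    start = min(t for t in initial_ttls if t >= reply_ttl)
    return start - reply_ttl


# Shortened from the Linux traceroute posted above (hops 4 and 5 omitted).
TURKEY_TRACE = """\
traceroute to 208.67.222.222 (208.67.222.222), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  2.525 ms  3.372 ms  8.410 ms
 2  78.180.240.1.dynamic.ttnet.com.tr (78.180.240.1)  26.861 ms  28.677 ms  30.683 ms
 3  81.212.78.13.static.turktelekom.com.tr (81.212.78.13)  32.834 ms  33.887 ms  34.726 ms
 6  ulus-t3-4-ulus-t2-3.turktelekom.com.tr.204.212.81.in-addr.arpa (81.212.204.149)  56.001 ms  27.122 ms  29.496 ms
 7  * * *
 8  * * *
 9  * * *
"""

# Shortened from the Windows tracert posted above.
PAKISTAN_TRACERT = """\
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     2 ms     1 ms     3 ms  192.168.0.1
  3    77 ms    99 ms     *     58-27-174-122.wateen.net [58.27.174.122]
  9   200 ms   219 ms   209 ms  72.14.222.151
 13     *        *        *     Request timed out.
 14   225 ms   234 ms   224 ms  google-public-dns-a.google.com [8.8.8.8]
"""

if __name__ == "__main__":
    print(assess(TURKEY_TRACE, "208.67.222.222"))   # ('dark_after', 6, '81.212.204.149')
    print(assess(PAKISTAN_TRACERT, "8.8.8.8"))      # ('reached', 14, '8.8.8.8')
    print(hops_from_ttl(250))                        # 5
```

A "dark_after" verdict on its own only says the path stops answering; combined with the looking-glass pings (replies to 8.8.8.8 with ttl=250, i.e. about five hops away, at 6.5 ms) it is the same picture the thread draws: the replies are coming from a box inside Turk Telekom's network, not from Google's.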
Considering that 8.8.8.8 was widely graffitied across Turkey, it stands to reason that informing people about alternative DNS servers might be a laborious task.
I’m curious about how all this seems reactive and not creative… Isn’t the reason for this an audio recording of officials suggesting to make up a casus belli? Sounds easy enough to share as an e-mail attachment, is it? Or USB memory dongle, or in pirate radios…
I don’t mean to downplay the overall technical side, it’s… well quite exactly it is one of Jon Zittrain’s nightmares happening live, so that’s wonderful in an incredibly scary and nerdy way, but… My question is: Why isn’t the cat out of the bag a thousand times, yet?
Let me confess upfront to being ignorant when it comes to demographics and statistics about Turkey... but it looks like TT is a pretty big player WRT Internet in Turkey.
As of a few moments ago, I see ~5,363 prefixes in BGP originating from TT or one of their downstream peers, of which there appear to be ~307 (my numbers are approximate and almost certainly not exact, due to the way I came up with them). That's a whole lotta people that are affected by this.
It's fucked up in a morbidly fascinating way how everyone here is just going through the technical details of how this particular variety of oppression works, instead of seeing the oppression itself.
What's going on is that a government's subjects are saying things it doesn't want them to say, and the government has decided to "prevent" it by force. You're right in that it's a bit of a losing game.. up to the point where the oppression gets so severe that the population stops resisting out of fear.
The root problem here, again, is that people believe they should have rulers. They should not, and Turkey is helpfully providing yet another example of why.
I'm not sure it is a losing game. It depends on the goals the government wishes to achieve.
Certainly this filtering has made access more difficult for segments of the population; it has sent a message that the government is willing to employ outright censorship. If I worked at a newspaper or ran a social network inside Turkish borders I would be very worried.
Governments use censorship because they believe it will allow them to achieve their goals, often they are right. Consider: "If Erdogan's party manages to sustain its early lead as the ballot count continues, it would suggest such troubles have been largely shrugged off by many of Turkey's over 50 million eligible voters." http://news.yahoo.com/turkeys-embattled-pm-faces-key-test-lo...