Extended Abstract: I’ll Shake Your Hand: What Happens After DNS Poisoning
Authors: Jade Sheffey (UMass Amherst), Ali Zohaib (UMass Amherst), Dayeon Kang (UMass Amherst), Dayeon Kang (Stanford University), Amir Houmansadr (UMass Amherst), Qiang Wu (GFW Report)
Year: 2025
Issue: 2
Pages: 60–63
Abstract: When a DNS request for a censored domain travels across China’s network boundary, the Great Firewall (GFW) will inject DNS responses pointing to bogus IP addresses. While packets sent to these IP addresses are often believed to be dropped or null-routed, in this report, we show that for unknown reasons, some of these IP addresses will actually accept TCP handshakes from clients. We characterize this behavior and fingerprint the infrastructure that accepts these client connections. Additionally, we analyze the malformed Teredo addresses sent in response to AAAA queries for censored domains. Finally, we suggest that users encrypt their DNS queries and block all outgoing traffic to these injected IP addresses.
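The abstract refers to malformed Teredo addresses injected as AAAA answers. The following added example (written for this page, not code from the authors or from GFW Report) decodes a Teredo address per RFC 4380 into its embedded server IPv4, flags, client port and client IPv4, and applies a plausibility heuristic of our own (server address must be globally routable, decoded client must not be unspecified, loopback or multicast) so a resolver log can be triaged for answers that do not decode to anything sensible. The sample addresses are the RFC 4380 worked example plus a constructed one; the heuristic is an assumption, not the paper's definition of "malformed".

```python
import ipaddress
from typing import Optional

# Teredo addresses live in 2001:0::/32 (RFC 4380).
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")


def decode_teredo(addr: str) -> Optional[dict]:
    """Split a Teredo IPv6 address into its RFC 4380 fields.

    Layout (128 bits): 32-bit prefix | 32-bit server IPv4 | 16-bit flags |
    16-bit obfuscated client UDP port | 32-bit obfuscated client IPv4.
    Port and client IPv4 are stored XORed with all-ones.
    Returns None when the address is outside the Teredo prefix.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    n = int(ip)
    server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
    flags = (n >> 48) & 0xFFFF
    client_port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "flags": flags,
        "client_port": client_port,
        "client": str(client),
    }


def classify_aaaa_answer(addr: str) -> str:
    """Heuristic triage of a single AAAA answer (assumption, not the paper's rule).

    'not-teredo'       : outside 2001:0::/32, nothing to decode
    'teredo-wellformed': decodes to a routable server and a usable client
    'teredo-suspect'   : decodes to values no real Teredo client would carry
    """
    fields = decode_teredo(addr)
    if fields is None:
        return "not-teredo"
    server = ipaddress.IPv4Address(fields["server"])
    client = ipaddress.IPv4Address(fields["client"])
    if not server.is_global:
        return "teredo-suspect"
    if client.is_unspecified or client.is_loopback or client.is_multicast:
        return "teredo-suspect"
    return "teredo-wellformed"


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check our decoder against ipaddress.IPv6Address.teredo,
    which returns (server, client) for Teredo addresses and None otherwise."""
    ours = decode_teredo(addr)
    theirs = ipaddress.IPv6Address(addr).teredo
    if ours is None or theirs is None:
        return ours is None and theirs is None
    return (str(theirs[0]), str(theirs[1])) == (ours["server"], ours["client"])


# Constructed sample AAAA answers: the RFC 4380 example, a non-Teredo
# documentation address, and an address inside the Teredo prefix whose
# fields decode to an unspecified server (nonsense for a real client).
SAMPLE_ANSWERS = [
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # RFC 4380 worked example
    "2001:db8::1",                           # not Teredo at all
    "2001:0:0:0::1",                         # constructed: server 0.0.0.0
]


def triage(answers=SAMPLE_ANSWERS) -> dict:
    """Map each answer to its classification."""
    return {a: classify_aaaa_answer(a) for a in answers}


if __name__ == "__main__":
    for addr, verdict in triage().items():
        print(f"{addr:40s} {verdict:18s} {decode_teredo(addr)}")
```

Running the block prints one line per sample answer with its verdict and decoded fields; the RFC example decodes to server 65.54.227.120, client 192.0.2.45 on port 40000 with the cone flag set, while the constructed address is flagged because its server field is 0.0.0.0.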
Copyright in FOCI articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
