Extended Abstract: I’ll Shake Your Hand: What Happens After DNS Poisoning

Jade Sheffey; Ali Zohaib; Dayeon Kang; Zakir Durumeric; Amir Houmansadr; Qiang Wu

Extended Abstract: I’ll Shake Your Hand: What Happens After DNS Poisoning

Authors: Jade Sheffey (UMass Amherst), Ali Zohaib (UMass Amherst), Dayeon Kang (UMass Amherst), Zakir Durumeric (Stanford University), Amir Houmansadr (UMass Amherst), Qiang Wu (GFW Report)

Year: 2025
Issue: 2
Pages: 60–63

Download PDF

Abstract: When a DNS request for a censored domain travels across China’s network boundary, the Great Firewall (GFW) will inject DNS responses pointing to bogus IP addresses. While packets sent to these IP addresses are often believed to be dropped or null-routed, in this report, we show that for unknown reasons, some of these IP addresses will actually accept TCP handshakes from clients. We characterize this behavior and fingerprint the infrastructure that accepts these client connections. Additionally, we analyze the malformed Teredo addresses sent in response to AAAA queries for censored domains. Finally, we suggest that users encrypt their DNS queries and block all outgoing traffic to these injected IP addresses.

Copyright in FOCI articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.