DNS based censorship and domain blocking in Indonesia is very inconsistent among ISPs. There’s a government mandated black list which the ISPs operating in the country should enforce. However, Indonesia lacks centralised internet infrastructure and has many separate ISPs. In addition, the Indonesian government granted ISPs the authority to block content at their own discretion. All of this leads to a very inconsistent DNS blocking in Indonesia.
Official DNS domain blacklist in Indonesia
The Government mandated DNS blacklist is published in a redacted form and can be downloaded here: https://trustpositif.kominfo.go.id/. This is where the blocked domains get redirected to. We can search the database and check if a domain is blocked.
In the screenshot below we can see that a popular cryptocurrency exchange is blocked (Ada) and that wikipedia.org is not (Tidak Ada) - thanks to Google Translate.
Examples of blocked DNS queries
dig binance.com @182.253.45.122
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28994
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;binance.com. IN A
;; ANSWER SECTION:
binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.
trustpositif.kominfo.go.id. 1 IN A 27.54.116.70
When we try to resolve binance.com we receive a redirected response with the following attributes:
- CNAME pointing to trustpositif.kominfo.go.id.
- A record for the above CNAME pointing to 27.54.116.70
- the response is not-authoritative
- the TTL for the A record is 1 sec
This is what it looks like at the packet level.
The A record’s TTL of 1 second is notable. Let’s query few more servers and see if it’s a coincidence:
dig binance.com @103.122.33.19 | grep -A 1 trustpositif
dig binance.com @139.255.115.163 | grep -A 1 trustpositif
dig binance.com @202.58.200.38 | grep -A 1 trustpositif
dig binance.com @103.83.100.65 | grep -A 1 trustpositif
dig binance.com @182.253.45.122 | grep -A 1 trustpositif
binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.
trustpositif.kominfo.go.id. 1 IN A 27.54.116.70
binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.
trustpositif.kominfo.go.id. 1 IN A 27.54.116.70
binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.
trustpositif.kominfo.go.id. 1 IN A 27.54.116.70
binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.
trustpositif.kominfo.go.id. 1 IN A 27.54.116.70
binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.
trustpositif.kominfo.go.id. 1 IN A 27.54.116.70
The TTL in all the responses is the same.
Blocking pattern
Now we’ll analyse and infer the pattern used to redirect the requests.
We’ll try another popular crypto currency exchange.
dig gemini.com @182.253.45.122 | grep -A 1 trustpositif
gemini.com. 3600 IN CNAME trustpositif.kominfo.go.id.
trustpositif.kominfo.go.id. 1 IN A 202.89.117.64
This also resolves to the block page IP so the gemini.com domain is censored.
Firstly we’ll query a nonexistent domain name.
dig nonexistent.gemini.com @8.8.8.8
; <<>> DiG 9.10.6 <<>> nonexistent.gemini.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6988
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
Google resolver returns NXDOMAIN confirming this record doesn’t exist. However when we query a censoring DNS resolver in Indonesia we get a reply.
dig nonexistent.gemini.com @182.253.45.122
; <<>> DiG 9.10.6 <<>> nonexistent.gemini.com @182.253.45.122
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53311
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;nonexistent.gemini.com. IN A
;; ANSWER SECTION:
nonexistent.gemini.com. 3600 IN CNAME trustpositif.kominfo.go.id.
trustpositif.kominfo.go.id. 1 IN A 202.89.117.64
Let’s try prepending and appending to the domain:
dig aagemini.com @182.253.45.122 | grep status
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6177
dig geminiaa.com @182.253.45.122 | grep status
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25577
dig gemini.com.aa @182.253.45.122 | grep status
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53728
dig gemini.aa @182.253.45.122 | grep status
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36503
dig aa.aa.gemini.com @182.253.45.122 | grep status
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9125
All queries return a NXDOMAIN response.
Based on this basic exercise we can infer that the blocking pattern is:
(example.com OR *example.com)
Differences among ISPs
; <<>> DiG 9.10.6 <<>> binance.com @182.23.44.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8753
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 7
;; QUESTION SECTION:
;binance.com. IN A
;; ANSWER SECTION:
binance.com. 0 IN CNAME dnsfilter2.idola.net.id.
dnsfilter2.idola.net.id. 1604 IN A 103.169.16.2
dnsfilter2.idola.net.id. 1604 IN A 202.152.4.67
; <<>> DiG 9.10.6 <<>> binance.com @139.255.13.185
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57748
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 1
;; QUESTION SECTION:
;binance.com. IN A
;; ANSWER SECTION:
binance.com. 3600 IN CNAME internetpositif3.firstmedia.com.
internetpositif3.firstmedia.com. 80870 IN A 202.137.1.74
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60700
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; QUESTION SECTION:
;binance.com. IN A
;; ANSWER SECTION:
binance.com. 900 IN A 202.62.8.232
Blocking pages
This sections shows examples of the blocking pages used by different DNS operators in Indonesia.
Biznet Networks
Indonesia Network Information Center
Linknet
PT Aplikanusa Lintasarta
PT Centrin Utama
PT Fiber Networks Indonesia
PT Jaringanku Sarana Nusantara
PT Mitra Lintas Multimedia
This is a high-level introduction to the DNS censorship in Indonesia. For a detailed research on the effectiveness of the blocking using a much larger sample of DNS servers check our DNS Poisoning in Indonesia deep dive article.
Comments
Post a Comment