
DNS poisoning in Indonesia - deep dive

The DNS blocking in Indonesia article was an introduction to DNS-based censorship in Indonesia. This article is a deep dive into the Indonesian DNS censorship landscape, based on a defined research methodology.

This post covers:
  • Overview of our large scale DNS research methodology
  • Statistics on Indonesian DNS servers
  • List of blocking IP addresses used by various ISPs in Indonesia

Large scale DNS research methodology

DNS servers

To facilitate the research we scanned the Indonesian IP space and collected the addresses that answered recursive DNS queries on UDP port 53. We collected over 10000 addresses. 6935 of them responded consistently to our queries, and 474 of those were classified as located outside Indonesia by a geoip lookup during post-processing. In the end we tested 6461 DNS servers. Note that an address that answers recursive queries from the internet is often a forwarder or a misconfigured customer device rather than the ISP's own resolver; the geoip owner identifies the network the address sits in, not necessarily who runs the resolver software.

Test domains

In the course of our research we tested 9 second-level domains (SLDs). In addition we prefixed each domain with:

  • www. - this subdomain exists in the DNS zones of the tested domains
  • nonexistent. - this subdomain does not exist in any of the tested zones

Testing both the SLD and its www. subdomain allowed us to compare blocking behaviour and effectiveness within the same zone. The nonexistent. subdomain let us verify whether a resolver blocks only specific records or every name under the domain: a resolver that returns a block-page address for a name that does not exist in the zone must be matching on the domain suffix rather than on individual records.

We have tested the following categories of domains:

Benign domains:


Censored domains:

  • - Cryptocurrency exchange
  • - Human rights
  • - Gambling
  • - Anonymizing proxy
  • - Dating
  • - Alcohol 

We have confirmed that our censored domains are included in the official blacklist, which can be accessed here

Testing process

Using our custom-developed DNS intelligence software, we queried our set of test domains against the target servers and logged the resolution results. We then enriched the data with geoip information and loaded it into Elasticsearch for analysis. Blocking effectiveness is the percentage of queries that were censored (answered with a block-page address) out of the total number of queries.
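As an added example (not the authors' DNS intelligence software), the following Python sketches the classification and scoring step described here and in the Test domains section above: each logged probe is labelled as censored, resolved, NODATA, NXDOMAIN or error; the blocking percentage is computed per variant (SLD, www., nonexistent.), optionally per ISP; resolvers that redirect even nonexistent.<sld> are flagged as zone-wide blockers; and benign domains are checked for false positives. The probe records, ISP names and block-page prefixes (RFC 5737 test ranges) are constructed for the example, not data from the study.

```python
"""Classify logged DNS probes and compute blocking effectiveness.

Added example for this post, not the authors' DNS intelligence software.
Block-page prefixes, ISP names and probe records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical block-page ranges (RFC 5737 TEST-NET), standing in for the
# ISP-owned addresses that real censored responses point at.
BLOCK_PAGE_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Probe:
    resolver: str        # address of the resolver that answered
    isp: str             # owner of that address from the geoip enrichment
    qname: str           # name queried, e.g. "www.gambling.example"
    rcode: str           # NOERROR, NXDOMAIN, SERVFAIL, REFUSED
    answers: tuple = ()  # A record rdata from the answer section


def in_zone(qname: str, sld: str) -> bool:
    return qname == sld or qname.endswith("." + sld)


def variant_of(qname: str, sld: str) -> str:
    """Map a queried name back to the SLD / www. / nonexistent. variant."""
    if qname == sld:
        return "sld"
    if qname == "www." + sld:
        return "www"
    if qname == "nonexistent." + sld:
        return "nonexistent"
    raise ValueError(f"{qname} is not one of the tested variants of {sld}")


def is_block_ip(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in BLOCK_PAGE_NETS)


def classify(p: Probe) -> str:
    """censored: an answer points at a block page; resolved: a genuine answer;
    nodata: NOERROR with empty answer section; nxdomain; error: anything else."""
    if p.rcode == "NOERROR":
        if not p.answers:
            return "nodata"
        return "censored" if any(is_block_ip(a) for a in p.answers) else "resolved"
    if p.rcode == "NXDOMAIN":
        return "nxdomain"
    return "error"


def effectiveness(probes, sld: str) -> dict:
    """Percentage of probes per variant of `sld` that were censored; pass a
    subset of probes filtered by ISP to get the per-ISP figure."""
    total, blocked = defaultdict(int), defaultdict(int)
    for p in probes:
        if not in_zone(p.qname, sld):
            continue
        v = variant_of(p.qname, sld)   # raises on names outside the test set
        total[v] += 1
        if classify(p) == "censored":
            blocked[v] += 1
    return {v: round(100.0 * blocked[v] / total[v], 2) for v in total}


def zone_wide_blockers(probes, sld: str) -> set:
    """Resolvers that redirect even nonexistent.<sld>: they match on the zone
    name rather than on specific records, so every subdomain is blocked."""
    return {p.resolver for p in probes
            if p.qname == "nonexistent." + sld and classify(p) == "censored"}


def false_positives(probes, benign_slds) -> list:
    """Probes for benign domains that came back with a block-page address."""
    return [p for p in probes
            if any(in_zone(p.qname, s) for s in benign_slds)
            and classify(p) == "censored"]


# Constructed probe log: two resolvers at two ISPs, one censored zone and
# one benign zone; 203.0.113.x plays the role of the genuine answer.
SAMPLE = [
    Probe("10.0.0.1", "ISP-A", "gambling.example", "NOERROR", ("192.0.2.10",)),
    Probe("10.0.0.1", "ISP-A", "www.gambling.example", "NOERROR", ("192.0.2.10",)),
    Probe("10.0.0.1", "ISP-A", "nonexistent.gambling.example", "NOERROR", ("192.0.2.10",)),
    Probe("10.0.0.1", "ISP-A", "benign.example", "NOERROR", ("203.0.113.9",)),
    Probe("10.0.0.2", "ISP-B", "gambling.example", "NOERROR", ("203.0.113.5",)),
    Probe("10.0.0.2", "ISP-B", "www.gambling.example", "NOERROR", ("198.51.100.7",)),
    Probe("10.0.0.2", "ISP-B", "nonexistent.gambling.example", "NXDOMAIN"),
    Probe("10.0.0.2", "ISP-B", "benign.example", "SERVFAIL"),
]

if __name__ == "__main__":
    print("all ISPs:", effectiveness(SAMPLE, "gambling.example"))
    for isp in ("ISP-A", "ISP-B"):
        subset = [p for p in SAMPLE if p.isp == isp]
        print(isp + ":", effectiveness(subset, "gambling.example"))
    print("zone-wide blockers:", zone_wide_blockers(SAMPLE, "gambling.example"))
    print("false positives:", false_positives(SAMPLE, ["benign.example"]))
```

The block-page set is the key input: in practice it is built from the addresses that cluster in censored responses and then checked against whois ownership, since a resolver answering with an address owned by a different ISP is a real signal (cross-ISP redirection) rather than noise.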

DNS server details

For better context, this section provides details on the tested DNS servers.  

The top 5 ISPs that we queried are listed below. For the purpose of this article, ISP means the organisation that the DNS server's address belongs to according to the geoip lookup; DNS server operator would be the more accurate term.

  • PT Telkom Indonesia
  • PT Mora Telematika Indonesia
  • PT Indonesia Comnets Plus
  • Biznet Networks
  • Linknet
Figure 1
The chart above (Figure 1) shows the percentage breakdown of the DNS server operators (ISPs). Table 1 shows the number of servers for the top 5 ISPs. The majority of the DNS servers belong to PT Telkom Indonesia.

Top 5 ISP                        Server count
PT Telkom Indonesia
PT Mora Telematika Indonesia
PT Indonesia Comnets Plus
Biznet Networks
Linknet

Table 1
Breaking the DNS server locations down by region of the country, the top 5 regions are shown below. Figure 2 shows the regions where most of the tested DNS servers are located.

Figure 2

Table 2 below shows the count of the servers in the top 5 regions.

Top 5 Regions        Server count
West Java
East Java
Central Java

Table 2

Figure 3 below overlays the DNS servers on a map.

 Figure 3

Fake IP addresses

This section focuses on the IP addresses returned in censored DNS responses, that is, the forged A records with which the resolver itself answers a query for a blacklisted name.

Section summary:

  • The blocking page is inconsistent; each ISP hosts its own
  • In most cases ISPs redirect to a self-hosted block page
  • In some cases ISPs redirect to a block page hosted by a different ISP
  • The top fake IP address belongs to PT Telkom Indonesia (as do most of the tested DNS servers)
  • Some blocking pages contain ads, some show a web server error

In our research we observed and verified that each ISP implements its own blocking page, so each ISP returns a different set of IP addresses in the redirected responses. Table 3 below lists the top 15 IP addresses that we observed in the censored DNS responses. Note that the mix of addresses reflects the DNS servers queried, since ISPs usually redirect to their own IPs: an ISP with more resolvers in the sample contributes more responses.

Top 15 Fake IPs    IP address owner                                      Number of responses
                   PT Telkom Indonesia
                   Departemen Komunikasi dan Informasi Republik Indon
                   Biznet Networks
                   PT Aplikanusa Lintasarta
                   PT Aplikanusa Lintasarta
                   PT Telkom Indonesia
                   PT Indonesia Comnets Plus
                   Indonesia Network Information Center
                   Indonesia Network Information Center
                   PT Fiber Networks Indonesia
                   PT. Eka Mas Republik
                   PT. Eka Mas Republik
                   PT Indonesia Comnets Plus
                   PT. Eka Mas Republik

Table 3

Figure 4 below shows the diversity of the blocking IPs more clearly.

Figure 4

Blocking pages

The block page is not unified across ISPs; each ISP implements its own. My favourite is the blocking page used by PT Mitra Lintas Multimedia, which you can see below (Figure 5). Most blocking pages refer to the official Government website, and some include commercial ads.

Figure 5

Table 4 below summarizes types of blocking pages per ISP. 

ISP                                    Blocking page type
Biznet Networks                        Blocking page with ads
                                       Blocking page with ads
PT Indonesia Comnets Plus              Hosting provider
PT Aplikanusa Lintasarta               Blocking page
PT. Eka Mas Republik                   Error page
PT Fiber Networks Indonesia            Blocking page
PT Remala Abadi
PT Solnet Indonesia                    Blocking page
PT Jembatan Citra Nusantara            Blocking page with ads
Varnion Technology Semesta             Blocking page
PT Centrin Utama                       Blocking page
PT Jaringanku Sarana Nusantara         Blocking page
Indonesia Network Information Center   Blocking page
PT Julia Multimedia Nusantara          Error page

Table 4
Screenshots of the blocking pages can be seen in the DNS blocking in Indonesia post. 

Blocking effectiveness

This section analyses the effectiveness of Indonesian ISP censorship. We derive the effectiveness by calculating the percentage of DNS responses that were redirected to blocking pages. Note that this is a percentage of probed resolvers, not of users: it is not weighted by subscriber numbers, so it measures how consistently the blacklist is enforced across resolvers rather than the share of traffic affected.

Section summary

  • Country-wide blocking effectiveness is inconsistent
  • Some ISPs are more effective at blocking SLDs, others at blocking subdomains
  • Overall, the www. subdomain has a higher percentage of blocking
  • There were no false positives (no benign domain was blocked)

Country wide blocking effectiveness

The blocking is very inconsistent. The most censored domain was in the Gambling category and the least censored domain was in the online dating category; the blocking percentage ranged from 16% to 62.41%. The average percentage of blocking was 38.45% for the SLD and 43.24% for the www. subdomain. Table 5 below shows the breakdown of the blocking.

Domain                 Percentage of blocked requests
Human rights
Anonymizing proxy

Table 5

ISP blocking effectiveness

The effectiveness of blocking varies widely among ISPs. Moreover, it varies between a second-level domain and its subdomains within a single ISP. Table 6 below breaks this down for the top 3 ISPs based on

            Percentage of blocked requests
            All ISPs    PT Telkom Indonesia    Biznet Networks    PT Mora Telematika

Table 6


DNS Errors

Based on the collected data we identified that some ISPs respond with an error instead of redirecting to a block page. Only 0.09% of all responses fall into this category. On a single query such errors are indistinguishable from ordinary resolver failures, so it is worth repeating the query and comparing against a benign domain on the same resolver before counting them as censorship.

For example:
  • Prime Link Communication, PT returns a SERVFAIL error
  • INDO Internet, PT returns NODATA (a NOERROR response with an empty answer section, RFC 2308)
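To tell these cases apart you have to look at the response header, not just at whether an address came back: NODATA is not an RCODE but a NOERROR reply with an empty answer section (RFC 2308), so it is easily mislabelled as a successful resolution. The following Python, added here and not part of the post's tooling, builds an A query, parses a response far enough to recover the RCODE and any A records, and labels it as NOERROR-with-answers, NODATA, NXDOMAIN, SERVFAIL or REFUSED. The four sample responses are constructed byte strings (not captured traffic), and probe() is the only function that touches the network.

```python
"""Build a DNS A query and parse the reply far enough to separate
NOERROR+answers, NODATA, NXDOMAIN, SERVFAIL and REFUSED.

Added example, not the post's own tooling. The SAMPLES at the bottom are
constructed byte strings, not captured traffic.
"""
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    # Header: id, flags (RD=1), QDCOUNT=1, AN/NS/AR=0; question: name, type A, class IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Recover id, RCODE, A records and a coarse 'kind' label from a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = skip_name(msg, off) + 4
    a_records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(rdata))
    # RFC 2308: NOERROR with nothing in the answer section is NODATA, not success
    kind = "NODATA" if rcode == "NOERROR" and an == 0 else rcode
    return {"id": txid, "rcode": rcode, "kind": kind, "answers": a_records,
            "truncated": bool(flags & 0x0200), "recursion_available": bool(flags & 0x0080)}


def probe(resolver: str, name: str, timeout: float = 2.0) -> dict:
    """Send one A query over UDP/53 and parse the reply (needs the network)."""
    txid = struct.unpack("!H", os.urandom(2))[0]   # random id: reject unsolicited replies
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("transaction id mismatch")
    return resp


def build_response(name: str, rcode: int, answers=(), txid: int = 0x1234) -> bytes:
    """Construct a minimal resolver reply, used only to make the offline samples."""
    flags = 0x8180 | rcode             # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in answers:                 # owner name as a pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return msg


# Constructed samples (192.0.2.10 stands in for an ISP block-page address)
SAMPLES = {
    "poisoned": build_response("www.gambling.example", 0, ("192.0.2.10",)),
    "servfail": build_response("www.gambling.example", 2),
    "nodata": build_response("www.gambling.example", 0),
    "nxdomain": build_response("nonexistent.gambling.example", 3),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, parse_response(raw))
```

Only run probe() against resolvers you are authorised to test. The kind and answers fields are what the per-ISP effectiveness calculation consumes; a NODATA or SERVFAIL for a blacklisted name should be re-queried and compared with a benign name on the same resolver before it is counted as a block.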

