The earlier article, DNS blocking in Indonesia, was an introduction to DNS-based censorship in Indonesia. This article is a deep dive into the DNS censorship landscape in Indonesia based on a defined research methodology.
This post covers:
- Overview of our large scale DNS research methodology
- Statistics on Indonesian DNS servers
- List of blocking IP addresses used by various ISPs in Indonesia
Large scale DNS research methodology
DNS servers
To facilitate the research we have scanned the Indonesian IP space and collected the list of IP addresses responding to recursive DNS queries on port 53 UDP. We have collected over 10000 IP addresses. 6935 of them have been consistently responding to our queries. 474 of those have been classified as located outside of Indonesia based on geoip lookup during data post processing. In the end we have tested 6461 DNS servers.
Test domains
In the course of our research we have tested 9 public second level domains (SLDs). In addition we prefixed each domain with:
- www. - this subdomain exists in the DNS zones of the tested domains
- nonexistent. - this subdomain does not exist in any of the tested zones
Using SLDs and the www. subdomains allowed us to compare the blocking behaviour and effectiveness for the same SLD. Using the “nonexistent.” subdomain enabled us to test and verify if the resolvers block only specific records or any subdomains.
We have tested the following categories of domains:
Benign domains:
- securesenses.net
- wikipedia.org
- indonesia.travel
Censored domains:
- gemini.com - Cryptocurrency exchange
- freespeech.org - Human rights
- bet365.com - Gambling
- anonymouse.org - Anonymizing proxy
- date.com - Dating
- budweiser.com - Alcohol
We have confirmed that our censored domains are included in the official blacklist, which can be accessed here: https://trustpositif.kominfo.go.id/
Testing process
Using our custom developed DNS intelligence software, we have queried the set of our test domains against the target servers and logged the resolution results. Subsequently we have enriched the data with geoip information and fed the data into ElasticSearch for analysis. We calculated the effectiveness of blocking by calculating the percentage of queries that were censored out of the total queries.
DNS server details
For better context, this section provides details on the tested DNS servers.
Note that for the purpose of this article, ISP means the organization that the DNS server belongs to based on the geoip lookup; DNS server operator would be a more accurate term. The top 5 ISPs that we have queried are:
- PT Telkom Indonesia
- PT Mora Telematika Indonesia
- PT Indonesia Comnets Plus
- Biznet Networks
- Linknet
Table 2 below shows the count of the servers in the top 5 regions.
Table 2
Figure 3 below overlays the DNS servers on a map.
Figure 3
Fake IP addresses
This section focuses on the IP addresses returned in censored DNS responses.
Section summary:
- The blocking page is inconsistent, each ISP hosts their own
- In most cases ISPs redirect to the self-hosted block page
- In some cases ISPs redirect to block page hosted by a different ISP
- The top fake IP address is 36.86.63.185; it belongs to PT Telkom Indonesia (as do most of the tested DNS servers)
- Some blocking pages contain ads, some show a webserver error
In our research we observed and verified that each ISP implements their own blocking page. This means that each ISP returns a different set of IP addresses in the redirected responses. Table 3 below lists the top 15 IP addresses that we observed in the censored DNS responses. It should be noted that the composition of the IP addresses will correspond to the DNS servers queried (ISPs usually redirect to their own IPs).
Blocking pages
The block page is not unified across ISPs. Each ISP implements their own. My favourite is the blocking page used by PT Mitra Lintas Multimedia which you can see below (Figure 5). Most blocking pages refer to the official Government website https://trustpositif.kominfo.go.id/, and some include commercial ads.
Table 4 below summarizes types of blocking pages per ISP.
Blocking effectiveness
This section analyses the effectiveness of Indonesian ISP censorship. We derive the effectiveness by calculating the percentage of DNS responses that have been redirected to the blocking pages.
Section summary
- Country-wide blocking effectiveness is inconsistent
- Some ISPs are more effective in blocking SLDs and some in blocking subdomains
- Overall, the www. subdomain has a higher percentage of blocking
- There haven't been any false positives (benign domains blocked)
Country wide blocking effectiveness
The blocking is very inconsistent. The most censored domain was in the Gambling category and the least censored domain was in the online dating category. The blocking percentage ranged from 62.41% to 16%. The average percentage of blocking was 38.45% for SLD and 43.24% for www. subdomain. Table 5 below shows the breakdown of the blocking.
ISP blocking effectiveness
The effectiveness of blocking varies widely among ISPs. Moreover, it varies between the second level domain and its subdomains within a single ISP. Table 6 below breaks this down for the top 3 ISPs based on budweiser.com.
DNS Errors
Based on the collected data we have identified that some ISPs respond with an error instead of redirecting to a block page. Only 0.09% of all responses fall into this category. For example:
- Prime Link Communication, PT returns a SERVFAIL error
- INDO Internet, PT returns a NODATA error
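The analysis steps described under Testing process, the nonexistent. prefix check and the DNS error category, as an added example (not the authors' DNS intelligence software): it labels logged responses as censored, error or clean, computes the blocking percentage per name variant, and lists resolvers that block any subdomain. It assumes a response counts as censored when it contains a known block-page IP; the log rows, function names and every address other than 36.86.63.185 are constructed.

```python
from collections import defaultdict

# Block-page IPs: 36.86.63.185 is named in the article; 203.0.113.10 is a constructed placeholder.
BLOCK_IPS = {"36.86.63.185", "203.0.113.10"}
SLDS = ("budweiser.com", "wikipedia.org")  # one censored and one benign domain from the test set
# Constructed log rows (resolver, qname, rcode, answer IPs); resolver and clean IPs are doc-range.
LOG = [
    ("192.0.2.1", "budweiser.com", "NOERROR", ["36.86.63.185"]),
    ("192.0.2.1", "www.budweiser.com", "NOERROR", ["36.86.63.185"]),
    ("192.0.2.1", "nonexistent.budweiser.com", "NOERROR", ["36.86.63.185"]),
    ("192.0.2.2", "budweiser.com", "NOERROR", ["198.51.100.77"]),
    ("192.0.2.2", "www.budweiser.com", "NOERROR", ["203.0.113.10"]),
    ("192.0.2.2", "nonexistent.budweiser.com", "NXDOMAIN", []),
    ("192.0.2.3", "budweiser.com", "SERVFAIL", []),
    ("192.0.2.3", "www.budweiser.com", "NOERROR", []),  # NODATA: NOERROR, empty answer
    ("192.0.2.1", "wikipedia.org", "NOERROR", ["198.51.100.20"]),
]

def variant(qname):
    """Map a queried name to (sld, kind); kind is 'sld', 'www.' or 'nonexistent.'."""
    for sld in SLDS:
        if qname == sld:
            return sld, "sld"
        for prefix in ("www.", "nonexistent."):
            if qname == prefix + sld:
                return sld, prefix
    raise ValueError(f"not a test name: {qname}")

def classify(rcode, answers):
    """Label a response: censored (block-page IP), error (SERVFAIL/NODATA) or clean."""
    if any(ip in BLOCK_IPS for ip in answers):
        return "censored"
    if rcode == "SERVFAIL" or (rcode == "NOERROR" and not answers):
        return "error"
    return "clean"  # genuine answer, or NXDOMAIN for the nonexistent. name

def effectiveness(log):
    """Percentage of censored responses out of all queries, per (sld, kind)."""
    total, censored = defaultdict(int), defaultdict(int)
    for _resolver, qname, rcode, answers in log:
        key = variant(qname)
        total[key] += 1
        censored[key] += classify(rcode, answers) == "censored"
    return {key: round(100 * censored[key] / total[key], 2) for key in total}

def wildcard_blockers(log):
    """Resolvers that redirect even the nonexistent. name, i.e. block every subdomain."""
    return sorted({r for r, q, rc, a in log
                   if q.startswith("nonexistent.") and classify(rc, a) == "censored"})
```

Error responses stay in the denominator here, so a resolver that answers SERVFAIL or NODATA lowers the measured blocking percentage even though the domain did not resolve for the user.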