
DNS poisoning in Indonesia - deep dive

The DNS blocking in Indonesia article was an introduction to DNS-based censorship in Indonesia. This article is a deep dive into the DNS censorship landscape in Indonesia, based on a defined research methodology.

This post covers:
  • Overview of our large scale DNS research methodology
  • Statistics on Indonesian DNS servers
  • List of blocking IP addresses used by various ISPs in Indonesia

Large scale DNS research methodology

DNS servers

To facilitate the research, we scanned the Indonesian IP space and collected the list of IP addresses responding to recursive DNS queries on port 53 UDP. We collected over 10000 IP addresses. 6935 of them responded consistently to our queries. 474 of those were classified as located outside of Indonesia based on a geoip lookup during data post-processing. In the end we tested 6461 DNS servers.

Test domains

In the course of our research we tested 9 public second-level domains (SLDs). In addition, we prefixed each domain with:

  • www. - this subdomain exists in the DNS zones of the tested domains
  • nonexistent. - this subdomain does not exist in any of the tested zones

Using the SLDs and the www. subdomains allowed us to compare the blocking behaviour and effectiveness for the same SLD. Using the “nonexistent.” subdomain enabled us to test and verify whether the resolvers block only specific records or any subdomain of a censored zone.

We have tested the following categories of domains:

Benign domains:

  • securesenses.net
  • wikipedia.org
  • indonesia.travel

Censored domains:

  • gemini.com - Cryptocurrency exchange
  • freespeech.org - Human rights
  • bet365.com - Gambling
  • anonymouse.org - Anonymizing proxy
  • date.com - Dating
  • budweiser.com - Alcohol 

We have confirmed that our censored domains are included in the official blacklist, which can be accessed at https://trustpositif.kominfo.go.id/

Testing process

Using our custom-developed DNS intelligence software, we queried our set of test domains against the target servers and logged the resolution results. Subsequently we enriched the data with geoip information and fed it into Elasticsearch for analysis. We calculated the effectiveness of blocking as the percentage of censored queries out of the total number of queries.
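The classification and effectiveness calculation described above, as an added example that is not the post's own tooling: responses are labelled censored when the answer is one of the block-page IPs from Table 3, the "nonexistent." probes identify resolvers that block a whole zone rather than specific records, benign domains are checked for false positives, and error responses (SERVFAIL/NODATA, see the DNS Errors section) are counted separately. The resolver addresses and non-block answers in the log are constructed placeholders.

```python
# Block-page IPs observed in censored responses (a subset of Table 3 in this post).
BLOCK_IPS = {"36.86.63.185", "202.89.117.64", "202.169.44.80", "202.152.4.67",
             "202.137.1.74", "36.86.63.182", "202.62.8.232"}
# Error answers some ISPs return instead of a redirect (NODATA written as a pseudo-rcode).
# NXDOMAIN is not an error here: it is the correct answer for the "nonexistent." probes.
ERROR_RCODES = {"SERVFAIL", "NODATA"}
BENIGN = {"securesenses.net", "wikipedia.org", "indonesia.travel"}
# Constructed log (placeholder resolvers/answers): (resolver, name, rcode, answer IP or None).
RECORDS = [
    ("10.0.0.1", "bet365.com", "NOERROR", "36.86.63.185"),
    ("10.0.0.1", "www.bet365.com", "NOERROR", "36.86.63.185"),
    ("10.0.0.1", "nonexistent.bet365.com", "NOERROR", "36.86.63.185"),
    ("10.0.0.1", "wikipedia.org", "NOERROR", "198.51.100.10"),
    ("10.0.0.2", "bet365.com", "NOERROR", "203.0.113.5"),
    ("10.0.0.2", "www.bet365.com", "NOERROR", "202.169.44.80"),
    ("10.0.0.2", "nonexistent.bet365.com", "NXDOMAIN", None),
    ("10.0.0.3", "bet365.com", "SERVFAIL", None),
    ("10.0.0.3", "www.bet365.com", "NOERROR", "203.0.113.5"),
    ("10.0.0.3", "wikipedia.org", "NOERROR", "198.51.100.10"),
]

def classify(rcode, answer):
    """Label one response: censored (block-page IP), error, or clean."""
    if answer in BLOCK_IPS:
        return "censored"
    return "error" if rcode in ERROR_RCODES else "clean"

def block_rate(records, name):
    """Blocking effectiveness for one name: censored responses / all responses, in %."""
    rows = [r for r in records if r[1] == name]
    hits = sum(1 for _, _, rc, ans in rows if classify(rc, ans) == "censored")
    return round(100.0 * hits / len(rows), 2) if rows else 0.0

def zone_wide_blockers(records, sld):
    """Resolvers that redirect even nonexistent.<sld>, i.e. block the whole zone."""
    return sorted({r[0] for r in records
                   if r[1] == f"nonexistent.{sld}" and classify(r[2], r[3]) == "censored"})

def false_positives(records):
    """(resolver, name) pairs where a benign domain was sent to a block page."""
    def is_benign(name):
        return any(name == b or name.endswith("." + b) for b in BENIGN)
    return sorted((r[0], r[1]) for r in records
                  if is_benign(r[1]) and classify(r[2], r[3]) == "censored")

def error_rate(records):
    """Share of all responses that were an error rather than a redirect, in %."""
    errors = sum(1 for _, _, rc, ans in records if classify(rc, ans) == "error")
    return round(100.0 * errors / len(records), 2)
```

On the constructed log, the www. name is blocked more often than the bare SLD and one resolver blocks the whole bet365.com zone, which mirrors the two effects the later sections of this post report.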

DNS server details

For better context, this section provides details on the tested DNS servers.  

The top 5 ISPs that we queried are listed below (note that for the purposes of this article, ISP means the organization that the DNS server belongs to based on the geoip lookup; "DNS server operator" would be more accurate):

  • PT Telkom Indonesia
  • PT Mora Telematika Indonesia
  • PT Indonesia Comnets Plus
  • Biznet Networks
  • Linknet

Figure 1

The chart above (Figure 1) shows the percentage breakdown of the DNS server operators (ISPs). Table 1 shows the number of servers for the top 5 ISPs. The majority of the DNS servers are owned by PT Telkom Indonesia.
 

Top 5 ISP                        Server count
PT Telkom Indonesia              1092
PT Mora Telematika Indonesia     307
PT Indonesia Comnets Plus        302
Biznet Networks                  279
Linknet                          178

Table 1
 
Breaking down the DNS server locations by region of the country, the top 5 geographical regions are shown below. Figure 2 shows the top regions where the tested DNS servers are located.

Figure 2

Table 2 below shows the count of the servers in the top 5 regions.

Top 5 Regions    Server count
Jakarta          1743
West Java        1359
East Java        770
Central Java     447
Banten           414

Table 2

Figure 3 below overlays the DNS servers on a map.

Figure 3

Fake IP addresses

This section focuses on the IP addresses returned in censored DNS responses.  

Section summary:

  • The blocking page is inconsistent, each ISP hosts their own
  • In most cases ISPs redirect to the self-hosted block page
  • In some cases ISPs redirect to block page hosted by a different ISP
  • The top fake IP address is 36.86.63.185; it belongs to PT Telkom Indonesia (as do most of the tested DNS servers)
  • Some blocking pages contain ads, some show a webserver error


In our research we observed and verified that each ISP implements its own blocking page. This means that each ISP returns a different set of IP addresses in the redirected responses. Table 3 below lists the top 15 IP addresses that we observed in the censored DNS responses. It should be noted that the composition of the IP addresses corresponds to the DNS servers queried (ISPs usually redirect to their own IPs).

Top 15 Fake IPs   IP address owner                                     Number of responses
36.86.63.185      PT Telkom Indonesia                                  23458
202.89.117.64     Departemen Komunikasi dan Informasi Republik Indon   11779
202.169.44.80     Biznet Networks                                      5053
202.152.4.67      PT Aplikanusa Lintasarta                             4222
103.169.16.2      PT Aplikanusa Lintasarta                             4178
202.137.1.74      Linknet                                              3243
36.86.63.182      PT Telkom Indonesia                                  2348
202.62.8.232      PT Indonesia Comnets Plus                            1992
203.119.13.75     Indonesia Network Information Center                 1418
203.119.13.76     Indonesia Network Information Center                 1418
27.123.220.197    PT Fiber Networks Indonesia                          1362
158.140.186.3     PT. Eka Mas Republik                                 1288
103.47.132.195    PT. Eka Mas Republik                                 1002
202.62.8.233      PT Indonesia Comnets Plus                            943
103.47.134.195    PT. Eka Mas Republik                                 928

Table 3

Figure 4 below shows the diversity of the blocking IPs more clearly.

Figure 4

Blocking pages

The block page is not unified across ISPs; each ISP implements its own. My favourite is the blocking page used by PT Mitra Lintas Multimedia, which you can see below (Figure 5). Most blocking pages refer to the official Government website https://trustpositif.kominfo.go.id/, and some include commercial ads.

Figure 5

Table 4 below summarizes the type of blocking page used by each ISP.


ISP                                  Blocking page type
Biznet Networks                      Blocking page with ads
Linknet                              Blocking page with ads
PT Indonesia Comnets Plus            Hosting provider
PT Aplikanusa Lintasarta             Blocking page
PT. Eka Mas Republik                 Error page
PT Fiber Networks Indonesia          Blocking page
PT Remala Abadi                      Error
PT Solnet Indonesia                  Blocking page
PT Jembatan Citra Nusantara          Blocking page with ads
Varnion Technology Semesta           Blocking page
PT Centrin Utama                     Blocking page
PT Jaringanku Sarana Nusantara       Blocking page
Indonesia Network Information Center Blocking page
PT Julia Multimedia Nusantara        Error page

Table 4

Screenshots of the blocking pages can be seen in the DNS blocking in Indonesia post. 

Blocking effectiveness

This section analyses the effectiveness of Indonesian ISP censorship. We derive the effectiveness by calculating the percentage of DNS responses that have been redirected to the blocking pages.

Section summary

  • Country-wide blocking effectiveness is inconsistent
  • Some ISPs are more effective at blocking SLDs, others at blocking subdomains
  • Overall, the www. subdomain has a higher percentage of blocking
  • There were no false positives (benign domains blocked)

Country wide blocking effectiveness

The blocking is very inconsistent. The most censored domain was in the gambling category and the least censored domain was in the online dating category. The blocking percentage ranged from 62.41% to 16%. The average percentage of blocking was 38.45% for the SLD and 43.24% for the www. subdomain. Table 5 below shows the breakdown of the blocking.

Domain           Percentage of blocked requests   Category
                 SLD        www.
bet365.com       62.41%     60.39%                Gambling
budweiser.com    46.01%     61.44%                Alcohol
freespeech.org   46.46%     43.01%                Human rights
anonymouse.org   34.22%     42.75%                Anonymizing proxy
gemini.com       23.38%     35.84%                Cryptocurrency
date.com         18.19%     16%                   Dating
average          38.45%     43.24%

Table 5

ISP blocking effectiveness

The effectiveness of blocking varies widely among ISPs. Moreover, it varies between the second-level domain and its subdomains within a single ISP. Table 6 below breaks this down for the top 3 ISPs, using budweiser.com.

Domain              Percentage of blocked requests
                    All ISPs   PT Telkom Indonesia   Biznet Networks   PT Mora Telematika
budweiser.com       46.01%     91.06%                73%               83.67%
www.budweiser.com   61.44%     95.25%                85.77%            91.46%

Table 6

 

DNS Errors

Based on the collected data, we identified that some ISPs respond with an error instead of redirecting to a block page. Only 0.09% of all responses fall into this category.

For example:
  • Prime Link Communication, PT returns a SERVFAIL error
  • INDO Internet, PT returns a NODATA error




