<h1>#SecureSenses --verbose</h1>
<p>Censorship is the suppression of speech, public communication, or other information. Source: Wikipedia</p>
<h1>Automating Ethereum node management tasks using Ansible</h1>
<p>Published 2023-04-12</p>
<p>SlingNode has released a new Ansible role designed to automate Ethereum node management tasks. The first release of the role supports the following tasks:</p><ul style="text-align: left;"><li>Validator keystore import using the command line</li><li>Validator keystore import using the standard Ethereum key manager API</li><li>Slashing protection DB import and export</li></ul><div>The following validator clients are supported:</div><div><ul style="text-align: left;"><li>Lighthouse</li><li>Prysm</li><li>Teku</li><li>Nimbus</li></ul><div>The slingnode.ethereum_node_mgmt Ansible role works seamlessly with the <a href="https://github.com/SlingNode/slingnode-ansible-ethereum" target="_blank">slingnode.ethereum</a> role, enabling full node deployment in a single playbook!</div></div><p>The best place to start is by reading the comprehensive documentation:</p><div>
<p><a href="https://docs.slingnode.com/slingnode.ethereum_node_mgmt/">https://docs.slingnode.com/slingnode.ethereum_node_mgmt/</a></p>
<p>View the role on Ansible-Galaxy:</p>
<p><a href="https://galaxy.ansible.com/slingnode/ethereum_node_mgmt">https://galaxy.ansible.com/slingnode/ethereum_node_mgmt</a></p>
<p>Review the source code and contribute on GitHub:</p>
<p><a href="https://github.com/SlingNode/slingnode-ansible-ethereum-node-mgmt">https://github.com/SlingNode/slingnode-ansible-ethereum-node-mgmt</a></p>
<p>Check out examples:</p>
<p><a href="https://github.com/SlingNode/slingnode-ethereum-examples" rel="nofollow">https://github.com/SlingNode/slingnode-ethereum-examples</a></p><p><br /></p></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-85753622242927759842023-03-27T09:44:00.007+01:002023-03-27T13:43:12.620+01:00Managing Ethereum nodes using Ansible<p>Our friends as SlingNode have just released their first Open Source project. We know how much work goes into projects like this and wanted to share this on our blog.</p><p>The slingnode.ethereum Ansible role, can be used to deploy and configure Ethereum nodes. The role utilizes Docker Compose to deploy the Ethereum Clients. </p><p>The first release supports the following clients:</p><p dir="auto">Execution clients:</p><ul dir="auto">
<li>Geth</li>
<li>Nethermind</li>
<li>Besu</li>
<li>Erigon</li>
</ul><p dir="auto">Consensus clients:</p><ul dir="auto">
<li>Lighthouse</li>
<li>Prysm</li>
<li>Teku</li>
<li>Nimbus </li>
</ul><p dir="auto">Validator clients:</p><p>
</p><ul dir="auto">
<li>Lighthouse</li>
<li>Prysm</li>
<li>Teku</li>
<li>Nimbus</li></ul><div>From what we can tell, this is the first and only Open Source project that allows Ethereum servers to be deployed using Ansible, with a focus on DevOps teams managing hundreds of servers.</div><div>Check out the documentation:</div><div>
<p><a href="https://docs.slingnode.com/slingnode.ethereum/">https://docs.slingnode.com/slingnode.ethereum/</a></p>
<p>View the role on Ansible-Galaxy:</p>
<p><a href="https://galaxy.ansible.com/slingnode/ethereum">https://galaxy.ansible.com/slingnode/ethereum</a></p>
<p>Contribute on GitHub:</p>
<p><a href="https://github.com/SlingNode/slingnode-ansible-ethereum">https://github.com/SlingNode/slingnode-ansible-ethereum</a></p><p>They have a comprehensive set of example playbooks showing how to deploy Ethereum nodes at scale:</p><p><a href="https://github.com/SlingNode/slingnode-ethereum-examples">https://github.com/SlingNode/slingnode-ethereum-examples</a></p><p>Good luck to SlingNode Team!</p>
</div>
<h1>DNS response and error types</h1>
<p>Published 2022-09-17</p>
<p>In this post we explore common DNS response codes. We will cover the following responses:</p>
<ul style="text-align: left;">
<li>NOERROR</li>
<li>SERVFAIL</li>
<li>NXDOMAIN</li>
<li>NODATA</li>
<li>REFUSED<br /></li>
</ul>
<p style="text-align: left;">Throughout article we’ll refer to the following RFCs:</p>
<ul style="text-align: left;">
<li><a href="https://datatracker.ietf.org/doc/html/rfc1034" target="_blank">RFC 1034 - DOMAIN NAMES - CONCEPTS AND
FACILITIES</a></li>
<li><a href="https://datatracker.ietf.org/doc/html/rfc2308" target="_blank">RFC 2308 - Negative Caching of DNS
Queries (DNS NCACHE)</a></li>
<li><a href="https://datatracker.ietf.org/doc/rfc2136/" target="_blank">RFC 2136 - Dynamic Updates in the Domain
Name System (DNS UPDATE)</a></li>
<li><a href="https://datatracker.ietf.org/doc/rfc8914/" target="_blank">RFC 8914 - Extended DNS Errors </a><br />
</li>
</ul>
<h2 style="text-align: left;">Response Codes - RCODEs</h2>
<p style="text-align: left;">The DNS RCODES are best defined in <a href="https://datatracker.ietf.org/doc/rfc2136/"
target="_blank">RFC2316</a>. They signify what type of response was sent by the server.<i><br /></i></p>
<p style="text-align: left;"><i>“RCODE Response code - this four bit field is undefined in requests and set
in responses.” </i></p>
<p style="text-align: left;">The table below shows the summary of the currently defined RCODEs.</p>
<style>
table.GeneratedTable {
width: 100%;
background-color: #ffffff;
border-collapse: collapse;
border-width: 2px;
border-color: #f34d14;
border-style: solid;
color: #000000;
}
table.GeneratedTable td, table.GeneratedTable th {
border-width: 2px;
border-color: #f34d14;
border-style: solid;
padding: 3px;
}
table.GeneratedTable thead {
background-color: #f34d14;
}
</style>
<table class="GeneratedTable">
<thead>
<tr>
<th nowrap>Mnemonic</th>
<th nowrap>Val</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>NOERROR</td>
<td>0</td>
<td>No error condition.</td>
</tr>
<tr>
<td>FORMERR</td>
<td>1</td>
<td>The name server was unable to interpret the request due to a format error.</td>
</tr>
<tr>
<td>SERVFAIL</td>
<td>2</td>
<td>The name server encountered an internal failure while processing this request, for example an operating system error or a forwarding timeout.</td>
</tr>
<tr>
<td nowrap>NXDOMAIN</td>
<td>3</td>
<td>Some name that ought to exist, does not exist.</td>
</tr>
<tr>
<td>NOTIMP</td>
<td>4</td>
<td>The name server does not support the specified Opcode.</td>
</tr>
<tr>
<td>REFUSED</td>
<td>5</td>
<td>The name server refuses to perform the specified operation for policy or security reasons.</td>
</tr>
<tr>
<td>YXDOMAIN</td>
<td>6</td>
<td>Some name that ought not to exist, does exist.</td>
</tr>
<tr>
<td>YXRRSET</td>
<td>7</td>
<td>Some RRset that ought not to exist, does exist.</td>
</tr>
<tr>
<td>NXRRSET</td>
<td>8</td>
<td>Some RRset that ought to exist, does not exist.</td>
</tr>
<tr>
<td>NOTAUTH</td>
<td>9</td>
<td>The server is not authoritative for the zone named in the Zone Section.</td>
</tr>
<tr>
<td>NOTZONE</td>
<td>10</td>
<td>A name used in the Prerequisite or Update Section is not within the zone denoted by the Zone Section.</td>
</tr>
</tbody>
</table>
<div style="text-align: center;"><br /></div><br />
<p style="text-align: left;">Extended DNS Errors</p>
<p><a href="https://datatracker.ietf.org/doc/rfc8914/" target="_blank">RFC8914</a> proposes to implement more specific
error codes. The existing SERVFAIL and REFUSED error responses are vague and in many cases don’t indicate what is
the actual reason for the error.</p>
<h2 style="text-align: left;">NOERROR - RCODE 0</h2>
<p>NOERROR simply means that the handling DNS server did not encounter any errors and that the requested domain name
exists. This however doesn’t mean that the requested resource record exists, as we will see in the section on NODATA
responses. <br /><br />As we can see in the sample dig output below, the status is NOERROR, ANSWER is 4 and the
response in fact contains 4 A records. <br /><br /><span style="font-size: small;"><span
style="font-family: courier;">dig A securesenses.net @8.8.8.8<br />; <<>> DiG 9.10.6
<<>> A securesenses.net @8.8.8.8<br />;; global options: +cmd<br />;; Got answer:<br />;;
->>HEADER<<- opcode: QUERY, <span style="color: red;">status: NOERROR</span>, id: 46189<br />;;
flags: qr rd ra ad; QUERY: 1, <span style="color: red;">ANSWER: 4</span>, AUTHORITY: 0, ADDITIONAL:
1<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 512<br />;; QUESTION
SECTION:<br />;securesenses.net. IN A<br />;;
ANSWER SECTION:<br />securesenses.net. 1800 IN
A 216.239.36.21<br />securesenses.net. 1800
IN A 216.239.38.21<br />securesenses.net.
1800 IN A
216.239.34.21<br />securesenses.net. 1800 IN
A 216.239.32.21</span></span><br /><br />Examining the response packet we can see that the RCODE (called Reply Code in Wireshark) is 0.<br /></p>
<div class="separator" style="clear: both; text-align: center;"><a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjymFvWdfVZgOaAswtCCrDINI2Ad9mDW3gnnDD1GV_IbhJy5IRE1ouGyUZXwJpJi0FK-Aj3YIPiBM6tVoVGE_to7nMvX3XxTXLwHtmAzKbt3qZQ8iL5TYrAS5Q_mLzF4X1Pskl6PT_YxjJ8JZzuNAmFu4NCPzH4XQJcEYturHEvp2-deYhVn-bi3UVW/s1708/dns_rcodes_noerror.png"
style="margin-left: 1em; margin-right: 1em;"><img alt="DNS Error types noerror" border="0"
data-original-height="962" data-original-width="1708" height="360"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjymFvWdfVZgOaAswtCCrDINI2Ad9mDW3gnnDD1GV_IbhJy5IRE1ouGyUZXwJpJi0FK-Aj3YIPiBM6tVoVGE_to7nMvX3XxTXLwHtmAzKbt3qZQ8iL5TYrAS5Q_mLzF4X1Pskl6PT_YxjJ8JZzuNAmFu4NCPzH4XQJcEYturHEvp2-deYhVn-bi3UVW/w640-h360/dns_rcodes_noerror.png"
title="DNS Error types noerror" width="640" /></a></div>
<h2 style="text-align: left;">SERVFAIL - RCODE 2</h2>
<p>This response type indicates some unidentified error on the server side. For example, some recursive resolvers
(potentially incorrectly) return a SERVFAIL response when handling an iterative query. We can easily simulate this using
dig with the +norecurse flag.<br /><span style="font-family: courier;"><span style="font-size: small;"><br />dig
www.securesenses.net @8.8.8.8 +norecurse <br />; <<>> DiG 9.10.6
<<>> www.securesenses.net @8.8.8.8 +norecurse<br />;; global options: +cmd<br />;; Got
answer:<br />;; ->>HEADER<<- opcode: QUERY, <span style="color: red;">status: SERVFAIL</span>,
id: 33028<br />;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</span></span><br /><br />As
seen above the status is SERVFAIL. We can confirm the same in the response packet. <br /></p>
<div class="separator" style="clear: both; text-align: center;"><a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinquwa6p3DtbzJbrt6gYLg5osPirBLRV-TxqHGxK-aqBiQVpcFYDcFPPq1oqYShZf6PRjFhEhfKRxOlEZyDEyw__U_25dTxaRpSTCkj5Ctl-7ymWWV-RXmFj6S7t-YvbuXf9tferDUkBUwV38bSuseEekNlaNb1J0E95HoKq61vYTlFeORAWRkriBV/s1204/error_serverfailure.png"
style="margin-left: 1em; margin-right: 1em;"><img alt="DNS Error types Servfail" border="0"
data-original-height="380" data-original-width="1204" height="202"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinquwa6p3DtbzJbrt6gYLg5osPirBLRV-TxqHGxK-aqBiQVpcFYDcFPPq1oqYShZf6PRjFhEhfKRxOlEZyDEyw__U_25dTxaRpSTCkj5Ctl-7ymWWV-RXmFj6S7t-YvbuXf9tferDUkBUwV38bSuseEekNlaNb1J0E95HoKq61vYTlFeORAWRkriBV/w640-h202/error_serverfailure.png"
title="DNS Error types Servfail" width="640" /></a></div>
<h2 style="text-align: left;">NXDOMAIN - RCODE 3</h2>
<p>This response code is very common. It signifies that the requested domain name does not exist in the zone. In the
example dig output below, we can see that the status is NXDOMAIN and the ANSWER is 0.<br /><span
style="font-family: courier;"><span style="font-size: small;"><br />dig A nonexistent.securesenses.net
@8.8.8.8<br />; <<>> DiG 9.10.6 <<>> A nonexistent.securesenses.net @8.8.8.8<br />;;
global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, <span
style="color: red;">status: NXDOMAIN</span>, id: 4073<br />;; flags: qr rd ra ad; QUERY: 1, <span
style="color: red;">ANSWER: 0</span>, AUTHORITY: 1, ADDITIONAL: 1<br />;; OPT PSEUDOSECTION:<br />;
EDNS: version: 0, flags:; udp: 512<br />;; QUESTION
SECTION:<br />;nonexistent.securesenses.net. IN A<br />;; AUTHORITY
SECTION:<br />securesenses.net. 300 IN
SOA ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 6 21600 3600 259200
300</span></span><br /><br />By examining the received response packet we confirm the reply code is 3 and
the resource record count is 0.<br /></p>
<div class="separator" style="clear: both; text-align: left;">
<h2 style="text-align: left;"><a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqYABeyJS1uTDKUkAfU2Xg2QDhG-neRb6ZJSgnFfG7hbA817Xtva_T6ODtcMCAXmH-UuAmbo3cnUdaaUMHL7fWwzjim5vOX9v-VzZjgeIVT29_x2SfScuCaiZqx1wNGcMtr--Hr8aCv8_rNPcrEFaYaNmdl0Cg9C6Edykh-_treUw3Sh6SBcs8C0DS/s1700/dns_errors_nxdomain.png"
style="margin-left: 1em; margin-right: 1em;"><img alt="DNS Error types nxdomain" border="0"
data-original-height="846" data-original-width="1700" height="318"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqYABeyJS1uTDKUkAfU2Xg2QDhG-neRb6ZJSgnFfG7hbA817Xtva_T6ODtcMCAXmH-UuAmbo3cnUdaaUMHL7fWwzjim5vOX9v-VzZjgeIVT29_x2SfScuCaiZqx1wNGcMtr--Hr8aCv8_rNPcrEFaYaNmdl0Cg9C6Edykh-_treUw3Sh6SBcs8C0DS/w640-h318/dns_errors_nxdomain.png"
title="DNS Error types nxdomain" width="640" /></a></h2>
<h2 style="text-align: left;">NODATA<br /></h2>
</div>
<p>A server returns a NODATA response when a DNS client requests a domain name that exists but whose records are of a different type than
the requested one. NODATA is not a real response type and does not have its own RCODE; the RCODE in NODATA
responses is set to NOERROR. This type of response is best defined in <a
href="https://datatracker.ietf.org/doc/html/rfc2308" target="_blank">RFC2308</a>, which defines it as
follows:<br /><br /><i>"NODATA" - a pseudo RCODE which indicates that the name is valid, for the given class, but
are no records of the given type. A NODATA response has to be inferred from the answer.</i><br /><br />In
the example below, we use dig to explicitly request the A record for nodata-test.securesenses.net. The
nodata-test.securesenses.net record exists, but its record type is AAAA and not A as requested.
<br /><br /><span style="font-family: courier;"><span style="font-size: small;">dig A
nodata-test.securesenses.net @8.8.8.8<br />; <<>> DiG 9.10.6 <<>> A
nodata-test.securesenses.net @8.8.8.8<br />;; global options: +cmd<br />;; Got answer:<br />;;
->>HEADER<<- opcode: QUERY, <span style="color: red;">status: NOERROR</span>, id: 32128<br />;;
flags: qr rd ra ad; QUERY: 1, <span style="color: red;">ANSWER: 0</span>, AUTHORITY: 1, ADDITIONAL:
1<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 512<br />;; QUESTION
SECTION:<br />;nodata-test.securesenses.net. IN A<br />;; AUTHORITY
SECTION:<br />securesenses.net. 300 IN
SOA ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 6 21600 3600 259200
300</span></span><br /><br />As seen above the status is NOERROR and ANSWER is 0. Reviewing the response
packet we can confirm the answer doesn’t contain any resource records. <br /></p>
<div class="separator" style="clear: both; text-align: center;"><a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB7Rg-MHARzgPWoaEJREOrBojAPfavXZ_fQJXCzKbX2y6_sOkvAxHlqNuuajEvrzoXHJrblj_vQSaJABLIveCr_TjCxV1XauoQQgvsy0sRyOxYryqmQxENN6DLoZClnj31U8QRcmXAF1FjaEpdLHXUVMDjKTox8iwJffICRmFoTt8aI6UL-EqPGgiU/s1704/dns_errors_nodata.png"
style="margin-left: 1em; margin-right: 1em;"><img alt="DNS Error types nodata" border="0"
data-original-height="854" data-original-width="1704" height="320"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB7Rg-MHARzgPWoaEJREOrBojAPfavXZ_fQJXCzKbX2y6_sOkvAxHlqNuuajEvrzoXHJrblj_vQSaJABLIveCr_TjCxV1XauoQQgvsy0sRyOxYryqmQxENN6DLoZClnj31U8QRcmXAF1FjaEpdLHXUVMDjKTox8iwJffICRmFoTt8aI6UL-EqPGgiU/w640-h320/dns_errors_nodata.png"
title="DNS Error types nodata" width="640" /></a></div>
<p>There is nothing in dig or Wireshark to explicitly tell us this is a NODATA response. We infer it from the status
being NOERROR (0) and the answer count being 0.<br /></p>
<h3 style="text-align: left;">Difference between NXDOMAIN and NODATA DNS responses</h3>
<p>To summarise these two response types:<br /></p>
<ul style="text-align: left;">
<li>NXDOMAIN means the requested name does not exist</li>
<li>NODATA means the requested name exists but its records are of a different RTYPE than the one requested<br /></li>
</ul>
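<p>As an added example (not code from the original post), the following Python parses the fixed 12-byte DNS header of a raw response and applies the inference described above: RCODE 0 with ANSWER 0 is reported as NODATA, anything else by its RCODE name from the table. The sample headers are constructed here to mirror the ids, flags and section counts in the dig outputs above; no question or record sections follow them.</p>

```python
import struct

# RCODE values from the table above (RFC 2136 section 2.2)
RCODE_NAMES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
    10: "NOTZONE",
}


def parse_header(packet: bytes) -> dict:
    """Unpack the fixed 12-byte DNS header (RFC 1035 section 4.1.1).

    Only the header is read; the question and record sections that follow
    are not needed to recover the status and counts that dig prints.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!HHHHHH", packet[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,     # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,     # authoritative answer
        "rd": (flags >> 8) & 1,      # recursion desired
        "ra": (flags >> 7) & 1,      # recursion available
        "ad": (flags >> 5) & 1,      # authenticated data (DNSSEC)
        "rcode": flags & 0xF,        # the "Reply Code" Wireshark shows
        "qdcount": qdcount,
        "ancount": ancount,          # dig's ANSWER count
        "nscount": nscount,          # dig's AUTHORITY count
        "arcount": arcount,          # dig's ADDITIONAL count
    }


def classify(packet: bytes) -> str:
    """Return the status name for a response, inferring NODATA.

    NODATA has no RCODE of its own: it is RCODE 0 with an empty answer
    section, which is exactly the inference the post makes from dig.
    The rule is meant for answers from recursive resolvers; a referral
    from an authoritative server also has RCODE 0 and no answers (with
    NS records in the authority section and AA clear).
    """
    hdr = parse_header(packet)
    if not hdr["qr"]:
        raise ValueError("not a response (QR bit clear)")
    if hdr["rcode"] == 0 and hdr["ancount"] == 0:
        return "NODATA"
    return RCODE_NAMES.get(hdr["rcode"], f"RCODE{hdr['rcode']}")


def summarize(packet: bytes) -> str:
    """Render the header the way dig's ->>HEADER<<- and flags lines do."""
    hdr = parse_header(packet)
    rcode_name = RCODE_NAMES.get(hdr["rcode"], f"RCODE{hdr['rcode']}")
    inferred = classify(packet)
    status = rcode_name if inferred == rcode_name else f"{rcode_name} (inferred {inferred})"
    flags = " ".join(f for f in ("qr", "aa", "rd", "ra", "ad") if hdr[f])
    return (f"status: {status}, id: {hdr['id']}; flags: {flags}; "
            f"QUERY: {hdr['qdcount']}, ANSWER: {hdr['ancount']}, "
            f"AUTHORITY: {hdr['nscount']}, ADDITIONAL: {hdr['arcount']}")


def build_response(ident: int, rcode: int, ancount: int, nscount: int = 0,
                   arcount: int = 1, rd: int = 1, ra: int = 1, ad: int = 0) -> bytes:
    """Construct a response header only (constructed test data, no records)."""
    flags = 0x8000 | (rd << 8) | (ra << 7) | (ad << 5) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, nscount, arcount)


# Constructed headers mirroring the ids, flags and counts in the dig output above
SAMPLES = {
    "noerror":  build_response(46189, 0, ancount=4, ad=1),
    "servfail": build_response(33028, 2, ancount=0, rd=0),
    "nxdomain": build_response(4073, 3, ancount=0, nscount=1, ad=1),
    "nodata":   build_response(32128, 0, ancount=0, nscount=1, ad=1),
    "refused":  build_response(22875, 5, ancount=0, rd=0, ra=0),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s} -> {summarize(pkt)}")
```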
<h2 style="text-align: left;">REFUSED - RCODE 5</h2>
<p>DNS servers use the REFUSED response code to indicate that they are not allowed to perform the requested operation based
on policy. Examples include:<br /></p>
<ul style="text-align: left;">
<li>Query received from a network range that is not allowed </li>
<li>Query received from a blacklisted IP address</li>
<li>Query for a blacklisted DNS record</li>
<li>Recursive query sent to a non-recursive server<br /></li>
</ul>
<p>We can again simulate it by issuing an iterative query to a different recursive resolver. <br /><br /><span
style="font-family: courier;"><span style="font-size: small;">dig www.securesenses.net @88.156.64.21
+norecurse<br />; <<>> DiG 9.10.6 <<>> www.securesenses.net @88.156.64.21
+norecurse<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY,
<span style="color: red;">status: REFUSED</span>, id: 22875<br />;; flags: qr; QUERY: 1, ANSWER: 0,
AUTHORITY: 0, ADDITIONAL: 1 </span></span></p>
<p style="text-align: center;"><span style="font-family: courier;"><span style="font-size: small;"></span></span></p>
<div class="separator" style="clear: both; text-align: center;"><span style="font-size: small;"><a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-xul4ALu71OyPm9rkzICeDuoIvW2fQzYYGfbctXDiO1gmbkUufyPAAUGPaWZ58ZnlUcoCLKFynvN2HxB_ycZMVqY4tjikVzFVH3Cn7EzTIoIcCSNniMaT2Ct2TsVN4vVJfRSMQsm6Um84OccK3DTT5EL3Td1TcUyWpkczJbiaNV00ztUR6eAJePyD/s1158/error_refused.png"
style="margin-left: 1em; margin-right: 1em;"><img alt="DNS Error types refused" border="0"
data-original-height="266" data-original-width="1158" height="148"
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-xul4ALu71OyPm9rkzICeDuoIvW2fQzYYGfbctXDiO1gmbkUufyPAAUGPaWZ58ZnlUcoCLKFynvN2HxB_ycZMVqY4tjikVzFVH3Cn7EzTIoIcCSNniMaT2Ct2TsVN4vVJfRSMQsm6Um84OccK3DTT5EL3Td1TcUyWpkczJbiaNV00ztUR6eAJePyD/w640-h148/error_refused.png"
title="DNS Error types refused" width="640" /></a></span></div><br />
<p>As we can see, different servers return different responses for the same type of query. In the above example the
server returned REFUSED, as it should. In the example in the SERVFAIL section, the server returned the failure
response for the same type of condition (an iterative query against a recursive resolver).<br /></p>
<script id="stacks-wallet-provider" src="moz-extension://2f3138b5-86b6-4197-8619-4ac85d0ae220/inpage.js"></script>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-34964553986104668722022-09-10T11:54:00.029+01:002022-09-10T12:10:14.839+01:00DNS poisoning in Indonesia - deep dive<div><div><p><a href="https://www.securesenses.net/2022/08/dns-blocking-in-indonesia.html">DNS blocking in Indonesia article</a> was an introduction to DNS based censorship in Indonesia. This article will be a deep dive into the DNS censorship landscape in Indonesia based on a defined research methodology. </p>This post covers: <br /><ul style="text-align: left;"><li>Overview of our large scale DNS research methodology</li><li>Statistics on Indonesian DNS servers</li><li>List of blocking IP addresses used by various ISPs in Indonesia</li></ul><h2 style="text-align: left;">Large scale DNS research methodology <br /></h2><h3 style="text-align: left;">DNS servers</h3><p>To facilitate the research we have scanned the Indonesian IP space and collected the list of IP addresses responding to recursive DNS queries on port 53 UDP. We have collected over 10000 IP addresses. 6935 of them have been consistently responding to our queries. 474 of those have been classified as located outside of Indonesia based on geoip lookup during data post processing. In the end we have tested 6461 DNS servers. <br /></p><h3 style="text-align: left;">Test domains</h3><p>In the course of our research we have tested 9 public domain second level domains (SLDs). In addition we pre-fixed each domain with:</p><ul style="text-align: left;"><li>www. - this subdomain exists in the DNS zones of the tested domains </li><li>nonexistent. - this subdomain does not exist in any of the tested zones</li></ul><p>Using SLDs and the www. subdomains allowed us to compare the blocking behaviour and effectiveness for the same SLD. 
Using the “nonexistent.” subdomain enabled us to test and verify whether the resolvers block only specific records or any subdomain.<br /><br />We tested the following categories of domains:<br /><br />Benign domains:<br /></p><ul style="text-align: left;"><li>securesenses.net</li><li>wikipedia.org</li><li>indonesia.travel</li></ul><p>Censored domains:<br /></p><ul style="text-align: left;"><li>gemini.com - Cryptocurrency exchange</li><li>freespeech.org - Human rights</li><li>bet365.com - Gambling</li><li>anonymouse.org - Anonymizing proxy</li><li>date.com - Dating</li><li>budweiser.com - Alcohol</li></ul><p>We confirmed that our censored domains are included in the official blacklist, which can be accessed at <a href="https://trustpositif.kominfo.go.id/">https://trustpositif.kominfo.go.id/</a>.<br /></p><h3 style="text-align: left;">Testing process</h3><p>Using our custom-developed DNS intelligence software, we queried our set of test domains against the target servers and logged the resolution results. We then enriched the data with geoip information and fed it into ElasticSearch for analysis. We measured the effectiveness of blocking as the percentage of censored queries out of the total number of queries.<br /></p><h2 style="text-align: left;">DNS server details</h2><p>For better context, this section provides details on the tested DNS servers. 
</p><p>The top 5 ISPs that we queried are listed below (for the purposes of this article, "ISP" means the organization the DNS server belongs to based on the geoip lookup; "DNS server operator" would be more accurate):<br /></p><ul style="text-align: left;"><li>PT Telkom Indonesia</li><li>PT Mora Telematika Indonesia</li><li>PT Indonesia Comnets Plus</li><li>Biznet Networks</li><li>Linknet</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjeirN1FS1gC88C03TnS_3K_uqNiXJYcuV2d-Tp2cotfIZ8b3eqW0umIeV50MogbUpzxSAdFtRy374ryJZi60XdqOaf3rBOUTSVbP91C9g2k1BgMgFVwt7UR7GzON-Ul-uxuOYGGrwrtAnYrfrqFiI0hSKqcS06F0h3NhEpA3v2UsTB1u-ouCkZaQ8/s552/indonesia_dns_censorship_top5_servers_by_isp.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="539" data-original-width="552" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjeirN1FS1gC88C03TnS_3K_uqNiXJYcuV2d-Tp2cotfIZ8b3eqW0umIeV50MogbUpzxSAdFtRy374ryJZi60XdqOaf3rBOUTSVbP91C9g2k1BgMgFVwt7UR7GzON-Ul-uxuOYGGrwrtAnYrfrqFiI0hSKqcS06F0h3NhEpA3v2UsTB1u-ouCkZaQ8/w400-h390/indonesia_dns_censorship_top5_servers_by_isp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-small;"><i>Figure 1</i></span></div><div class="separator" style="clear: both; text-align: left;">The chart above (Figure 1) shows the percentage breakdown of the DNS server operators (ISPs). Table 1 shows the number of servers for the top 5 ISPs. The majority of the DNS servers are owned by PT Telkom Indonesia. 
<br /></div><div class="separator" style="clear: both; text-align: center;"> </div><div class="separator" style="clear: both; text-align: center;"><div id="docs-internal-guid-77b5ed21-7fff-904c-c56a-b2045aa43db2" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: medium none; margin-left: auto; margin-right: auto; text-align: left;"><colgroup><col width="186"></col><col width="71"></col></colgroup><tbody><tr style="height: 16.5pt;"><td style="background-color: #b0b3b2; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Top 5 ISP<span style="background-color: #ff00fe;"><span></span></span></span></p></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Server count</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid 
#000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Telkom Indonesia</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1092</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Mora Telematika Indonesia</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid 
#000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">307</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Indonesia Comnets Plus</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">302</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 
0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Biznet Networks</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">279</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Linknet</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: 
solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">178</span></p></td></tr></tbody></table></div><span style="font-size: x-small;"><i>Table 1</i></span></div><div class="separator" style="clear: both; text-align: center;"> <br /></div><div class="separator" style="clear: both; text-align: left;">Breaking down the DNS server locations by region of the country, the top 5 geographical regions are shown below. Figure 2 shows the top regions where the tested DNS servers are located. <br /></div></div><div style="text-align: center;"><br /></div></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWkqcBg5PwcBlp7ScTQcFrDSPoNZwVc33D5hcHAuCp-euBRLvqS6zrPjXhxtF-B9KPUHkMOWM6cwmV_XXLriaSoN4uyN59YMlJqZGRMlPYbZvGBLaeAivnmUquVGhFYFiblHLdjpplLpnVH0t-_yQXPNOuoAAfN3-E2aYhpme8HbdlRGn7SlVVHY57/s541/indonesia_dns_censorship_servers_by_region.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="486" data-original-width="541" height="359" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWkqcBg5PwcBlp7ScTQcFrDSPoNZwVc33D5hcHAuCp-euBRLvqS6zrPjXhxtF-B9KPUHkMOWM6cwmV_XXLriaSoN4uyN59YMlJqZGRMlPYbZvGBLaeAivnmUquVGhFYFiblHLdjpplLpnVH0t-_yQXPNOuoAAfN3-E2aYhpme8HbdlRGn7SlVVHY57/w400-h359/indonesia_dns_censorship_servers_by_region.png" width="400" /></a></div><br /><div style="text-align: center;"><span style="font-size: x-small;"><i>Figure 2</i></span><br /></div><p></p><p style="text-align: left;">Table 2 below shows the count of the servers in the top 5 
regions.</p><div><div><div><div id="docs-internal-guid-03939f99-7fff-d377-5aee-1c1fd8e86622" style="margin-left: 0pt; text-align: center;"><table style="border-collapse: collapse; border: medium none; margin-left: auto; margin-right: auto; text-align: left;"><colgroup><col width="89"></col><col width="70"></col></colgroup><tbody><tr style="height: 16.5pt;"><td style="background-color: #b0b3b2; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Top 5 Regions</span></p></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Server count</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; 
overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Jakarta</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1743</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">West Java</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p 
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1359</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">East Java</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">770</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: 
top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Central Java</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">447</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Banten</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; 
margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">414</span></p></td></tr></tbody></table></div><p style="text-align: center;"><span style="font-size: x-small;"><i>Table 2 </i></span><br /></p><p style="text-align: left;">Figure 3 below overlays the DNS servers on a map. <br /></p><h2 style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR_pz78gz5ZbU8djJZpU70B5fekk1BSD6XB78lM1DLjMOQ2rZ_A6WdRbBiTNEcDJ8fJywE-0BIYwfwc_zHLz-its_UaNEgxddpigeKKRUwv5oLyAsXhTIcaYggsJEMzEz4wggXhnTK5u8JaVxZWfiBlFi0OmFHUjY1N1p_YCvPmRerjasHJ4njE9ov/s1056/indonesia_dns_servers_location.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="418" data-original-width="1056" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR_pz78gz5ZbU8djJZpU70B5fekk1BSD6XB78lM1DLjMOQ2rZ_A6WdRbBiTNEcDJ8fJywE-0BIYwfwc_zHLz-its_UaNEgxddpigeKKRUwv5oLyAsXhTIcaYggsJEMzEz4wggXhnTK5u8JaVxZWfiBlFi0OmFHUjY1N1p_YCvPmRerjasHJ4njE9ov/s16000/indonesia_dns_servers_location.png" /></a></div><span style="font-weight: normal;"> <span style="font-size: x-small;"><i>Figure 3</i></span></span></h2><h2 style="text-align: left;">Fake IP addresses</h2><p style="text-align: left;">This section focuses on the IP addresses returned in censored DNS responses. 
<br /></p><h3 style="text-align: left;">Section summary: </h3><ul style="text-align: left;"><li>The blocking page is inconsistent: each ISP hosts its own</li><li>In most cases ISPs redirect to their own self-hosted block page</li><li>In some cases ISPs redirect to a block page hosted by a different ISP</li><li>The top fake IP address is 36.86.63.185; it belongs to PT Telkom Indonesia (as do most of the tested DNS servers)</li><li>Some blocking pages contain ads; some show a web server error</li></ul><p style="text-align: left;"><br />In our research we observed and verified that each ISP implements its own blocking page. This means that each ISP returns a different set of IP addresses in the redirected responses. Table 3 below lists the top 15 IP addresses that we observed in the censored DNS responses. It should be noted that the composition of the IP addresses corresponds to the DNS servers queried (ISPs usually redirect to their own IPs).<br /></p><div id="docs-internal-guid-3e61da00-7fff-8b9b-213c-e3df608c427d" style="margin-left: -3.75pt; text-align: center;"><table style="border-collapse: collapse; border: medium none; margin-left: auto; margin-right: auto; text-align: left;"><colgroup><col width="146"></col><col width="253"></col><col width="126"></col></colgroup><tbody><tr style="height: 16.5pt;"><td style="background-color: #b0b3b2; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Top 15 Fake IPs</span></p></td><td 
style="background-color: #b0b3b2; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">IP address owner</span></p></td><td style="background-color: #b0b3b2; border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Number of responses</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">36.86.63.185</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid 
#000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Telkom Indonesia</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">23458</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">202.89.117.64</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p 
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Departemen Komunikasi dan Informasi Republik Indon</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">11779</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">202.169.44.80</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Biznet Networks</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">5053</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">202.152.4.67</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Aplikanusa Lintasarta</span></p></td><td style="border-color: 
rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">4222</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">103.169.16.2</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Aplikanusa Lintasarta</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; 
margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">4178</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">202.137.1.74</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Linknet</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; 
text-decoration: none; vertical-align: baseline; white-space: pre;">3243</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">36.86.63.182</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Telkom Indonesia</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">2348</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 
0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">202.62.8.232</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Indonesia Comnets Plus</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1992</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; 
overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">203.119.13.75</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Indonesia Network Information Center</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1418</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span 
style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">203.119.13.76</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Indonesia Network Information Center</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1418</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; 
vertical-align: baseline; white-space: pre;">27.123.220.197</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Fiber Networks Indonesia</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1362</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">158.140.186.3</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 
0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT. Eka Mas Republik</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1288</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">103.47.132.195</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; 
vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT. Eka Mas Republik</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1002</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">202.62.8.233</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Indonesia Comnets Plus</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">943</span></p></td></tr><tr style="height: 16.5pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">103.47.134.195</span></p></td><td style="border-bottom: solid #000000 0.75pt; border-color: rgb(0, 0, 0); border-left: solid #000000 0.75pt; border-right: solid #000000 0.75pt; border-style: solid; border-top: solid #000000 0.75pt; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT. 
Eka Mas Republik</span></p></td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 3pt; text-align: center; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">928</span></p></td></tr></tbody></table></div><div style="text-align: center;"><span style="font-size: x-small;"><i>Table 3</i></span><br /></div><div style="text-align: center;"><br /></div><div style="text-align: left;"></div><div style="text-align: left;">Figure 4 below better shows the diversity of the blocking IPs. <br /></div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVfUYj_CMDuXyQqATpqDaRU90Z16Ajui20_M8TTf7n5bu67omXR4BQAUVTafuCHYK63QiWTJQ4BP_0AX6snwpasbat_bsGx1Gz5OgCvaFqdsJSy-v0zvzum6s5QTtWZKkQyRB-KV8sTIPlcvIpImK35xPE7KPqeST9PWfL9YiQcXj_Bn8q24kTvU0f/s1011/indonesia_dns_censorship_block_ips.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="539" data-original-width="1011" height="341" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVfUYj_CMDuXyQqATpqDaRU90Z16Ajui20_M8TTf7n5bu67omXR4BQAUVTafuCHYK63QiWTJQ4BP_0AX6snwpasbat_bsGx1Gz5OgCvaFqdsJSy-v0zvzum6s5QTtWZKkQyRB-KV8sTIPlcvIpImK35xPE7KPqeST9PWfL9YiQcXj_Bn8q24kTvU0f/w640-h341/indonesia_dns_censorship_block_ips.png" width="640" /></a></div><div style="text-align: center;"><span style="font-size: x-small;"><i>Figure 4</i></span><br /></div><p style="text-align: center;"></p><p style="text-align: center;"></p><h3 style="text-align: left;">Blocking pages</h3><div style="text-align: left;"><p style="text-align: left;">The block page is 
not unified across ISPs. Each ISP implements their own. My favourite is the blocking page used by PT Mitra Lintas Multimedia which you can see below (Figure 5). Most blocking pages refer to the official Government website https://trustpositif.kominfo.go.id/, and some include commercial ads. <br /></p></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5ooOmycl19WB4Y-Ci6pF0TdeQWIBSR9AnLiODVMy3fGjQGr63hdYxJVKGVhw3ZNf3EmUSaTyEiCvnQWqbX_fhALZ8tc4Dvo_ou7BPdGhXM5nx-yxrhRRVKRKGcvVJOdCjbiyaMmAQ84kSO5gRVZj0NGeipKCgXzgi4o0pirwlqYqMmUolNrBxCwga/s1071/indonesia_blockpage_pt_mitra_lintas_multimedia.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="705" data-original-width="1071" height="422" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5ooOmycl19WB4Y-Ci6pF0TdeQWIBSR9AnLiODVMy3fGjQGr63hdYxJVKGVhw3ZNf3EmUSaTyEiCvnQWqbX_fhALZ8tc4Dvo_ou7BPdGhXM5nx-yxrhRRVKRKGcvVJOdCjbiyaMmAQ84kSO5gRVZj0NGeipKCgXzgi4o0pirwlqYqMmUolNrBxCwga/w640-h422/indonesia_blockpage_pt_mitra_lintas_multimedia.png" width="640" /></a></div></div><div style="text-align: center;"><span style="font-size: x-small;"><i>Figure 5</i></span><br /></div><div style="text-align: left;"><p style="text-align: left;">Table 4 below summarizes types of blocking pages per ISP. 
</p><div style="text-align: right;"><br /></div><div id="docs-internal-guid-14a19751-7fff-a27f-b94c-6cc35e7320fb" style="margin-left: 0pt; text-align: center;"><table style="border-collapse: collapse; border: medium none; margin-left: auto; margin-right: auto; text-align: left;"><colgroup><col width="301"></col><col width="174"></col></colgroup><tbody><tr style="height: 22.3989pt;"><td style="background-color: #b7b7b7; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">ISP</span></p></td><td style="background-color: #b7b7b7; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page type</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Biznet Networks</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page with ads</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Linknet</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: 
black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page with ads</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Indonesia Comnets Plus</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Hosting provider</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 
11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Aplikanusa Lintasarta</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT. 
Eka Mas Republik</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Error page</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Fiber Networks Indonesia</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; 
border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Remala Abadi</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Error</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Solnet Indonesia</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid 
#000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page</span></p></td></tr><tr style="height: 22.3989pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Jembatan Citra Nusantara</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page with ads</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: 
solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Varnion Technology Semesta</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Centrin Utama</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; 
padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Jaringanku Sarana Nusantara</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Indonesia Network Information Center</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Blocking page</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #cccccc; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Julia Multimedia Nusantara</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span 
style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Error page</span></p></td></tr></tbody></table></div><div style="text-align: center;"><span style="font-size: x-small;"><i>Table 4</i></span></div><div style="text-align: center;"> </div><div style="text-align: center;"> </div><div style="text-align: left;">Screenshots of the blocking pages can be seen in the <a href="https://www.securesenses.net/2022/08/dns-blocking-in-indonesia.html">DNS blocking in Indonesia</a> post. <br /></div><h2 style="text-align: left;">Blocking effectiveness</h2><p style="text-align: left;">This section analyses the effectiveness of Indonesian ISP censorship. Effectiveness is measured as the percentage of DNS responses for a censored domain that were redirected to a blocking page, that is, answered with one of the block-page IPs listed in Table 3. <br /></p><h3 style="text-align: left;">Section summary </h3><ul><li>Country-wide blocking effectiveness is inconsistent</li><li>Some ISPs are more effective at blocking SLDs, others at blocking subdomains</li><li>Overall, the www. subdomain has a higher blocking percentage than the bare SLD</li><li>There were no false positives (no benign domain was blocked)</li></ul><h3 style="text-align: left;">Country-wide blocking effectiveness</h3>Blocking is very inconsistent. The most censored domain was in the gambling category and the least censored domain was in the online dating category; the blocking percentage ranged from 62.41% down to 16%. The average blocking percentage was 38.45% for the SLD and 43.24% for the www. subdomain. 
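<p style="text-align: left;">The metric described above, as an added example and not code from the original post or its measurement tooling: a response is counted as blocked when one of its A answers is a known block-page IP, and percentages are then computed per domain (bare SLD versus www. subdomain) and per ISP. The block-page IPs are the ones in Table 3; the ISP names, domains and measurement records are constructed for the example, and the non-blocked answers use RFC 5737 documentation addresses. Empty or failed responses are deliberately not counted as blocked, since they cannot be attributed to block-page redirection.</p>

```python
"""Blocking-rate calculation over DNS measurement records (added example)."""
from collections import defaultdict
from ipaddress import ip_address

# Block-page IPs as listed in Table 3 of the post. Assumption: an A answer in
# this set means the ISP resolver redirected the query to its block page.
BLOCK_PAGE_IPS = {ip_address(ip) for ip in (
    "203.119.13.75", "203.119.13.76", "27.123.220.197", "158.140.186.3",
    "103.47.132.195", "202.62.8.233", "103.47.134.195",
)}

# Constructed sample records: (isp, queried name, A answers). ISP names, domains
# and non-block answers are made up; only the block-page IPs come from the post.
SAMPLE_RESPONSES = [
    ("ISP-A", "example-gambling.test",     ["203.119.13.75"]),
    ("ISP-A", "www.example-gambling.test", ["203.119.13.75"]),
    ("ISP-B", "example-gambling.test",     ["203.0.113.10"]),
    ("ISP-B", "www.example-gambling.test", ["158.140.186.3"]),
    ("ISP-C", "example-gambling.test",     []),               # NXDOMAIN / timeout
    ("ISP-C", "www.example-gambling.test", ["203.0.113.10"]),
    ("ISP-D", "example-gambling.test",     ["27.123.220.197"]),
    ("ISP-D", "www.example-gambling.test", ["27.123.220.197"]),
    ("ISP-A", "example-dating.test",       ["198.51.100.7"]),
    ("ISP-A", "www.example-dating.test",   ["198.51.100.7"]),
    ("ISP-B", "example-dating.test",       ["202.62.8.233"]),
    ("ISP-B", "www.example-dating.test",   ["198.51.100.7"]),
    ("ISP-C", "example-dating.test",       ["198.51.100.7"]),
    ("ISP-C", "www.example-dating.test",   ["103.47.132.195"]),
    ("ISP-D", "example-dating.test",       ["198.51.100.7"]),
    ("ISP-D", "www.example-dating.test",   ["103.47.134.195"]),
]

# Constructed control queries for a benign domain that must never be blocked.
CONTROL_RESPONSES = [
    (isp, name, ["192.0.2.1"])
    for isp in ("ISP-A", "ISP-B", "ISP-C", "ISP-D")
    for name in ("control-benign.test", "www.control-benign.test")
]


def is_blocked(answers):
    """True if at least one A answer is a known block-page IP.

    Empty or failed responses are NOT counted: they may still be censorship,
    but they are not the block-page redirection this metric measures."""
    return any(ip_address(a) in BLOCK_PAGE_IPS for a in answers)


def split_name(qname):
    """Return (sld, kind): kind is 'www' for www.<sld>, 'sld' for the bare name."""
    name = qname.rstrip(".").lower()
    if name.startswith("www."):
        return name[4:], "www"
    return name, "sld"


def _percent(blocked, total):
    return round(100.0 * blocked / total, 2) if total else 0.0


def blocking_by_domain(responses):
    """{(sld, kind): percentage of responses redirected to a block page}."""
    counts = defaultdict(lambda: [0, 0])            # key -> [blocked, total]
    for _isp, qname, answers in responses:
        key = split_name(qname)
        counts[key][1] += 1
        counts[key][0] += int(is_blocked(answers))
    return {k: _percent(b, t) for k, (b, t) in counts.items()}


def blocking_by_isp(responses):
    """{isp: percentage of that ISP's responses redirected to a block page}."""
    counts = defaultdict(lambda: [0, 0])
    for isp, _qname, answers in responses:
        counts[isp][1] += 1
        counts[isp][0] += int(is_blocked(answers))
    return {isp: _percent(b, t) for isp, (b, t) in counts.items()}


def average_by_kind(by_domain):
    """Average the per-domain percentages separately for 'sld' and 'www'."""
    buckets = defaultdict(list)
    for (_sld, kind), pct in by_domain.items():
        buckets[kind].append(pct)
    return {kind: round(sum(v) / len(v), 2) for kind, v in buckets.items()}


def false_positives(control_responses):
    """(isp, qname) pairs where a benign control domain hit a block page."""
    return [(isp, q) for isp, q, ans in control_responses if is_blocked(ans)]


if __name__ == "__main__":
    by_domain = blocking_by_domain(SAMPLE_RESPONSES)
    for (sld, kind), pct in sorted(by_domain.items()):
        print(f"{kind:>3} {sld:<25} {pct:6.2f}%")
    print("per ISP:        ", blocking_by_isp(SAMPLE_RESPONSES))
    print("average:        ", average_by_kind(by_domain))
    print("false positives:", false_positives(CONTROL_RESPONSES))
```

<p style="text-align: left;">Keeping the SLD and www. buckets separate is what makes the www.-versus-SLD comparison in the summary visible, and the control domain turns the "no false positives" claim into a check that runs with every measurement batch rather than a one-off observation.</p>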
Table 5 below shows the breakdown of the blocking.<br /></div><div style="text-align: left;"><div id="docs-internal-guid-7b0ebb4b-7fff-d7e2-fd9b-daa810d8bda7" style="margin-left: 0pt; text-align: center;"><table style="border-collapse: collapse; border: medium none; margin-left: auto; margin-right: auto; text-align: left;"><colgroup><col width="152"></col><col width="130"></col><col width="138"></col><col width="148"></col></colgroup><tbody><tr style="height: 22.3989pt;"><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Domain</span></p></td><td colspan="2" style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Percentage of blocked requests</span></p></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 
1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><br /></td></tr><tr style="height: 0pt;"><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><br /></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">SLD</span></p></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">www.</span></p></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: 
solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Category</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">bet365.com</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">62.41%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 
5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">60.39%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Gambling</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">budweiser.com</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: 
center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">46.01%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">61.44%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Alcohol</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: 
normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">freespeech.org</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">46.46%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">43.01%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Human 
rights</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">anonymouse.org</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">34.22%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">42.75%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 
0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Anonymizing proxy</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">gemini.com</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">23.38%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: 
solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">35.84%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Cryptocurrency</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">date.com</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; 
vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">18.19%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">16%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Dating </span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span 
style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">average</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">38.45%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">43.24%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><br /></td></tr></tbody></table></div><div style="text-align: center;"><span style="font-size: x-small;"><i>Table 5</i></span> <br /></div></div><div style="text-align: left;"><h3 style="text-align: left;">ISP blocking 
effectiveness</h3>The effectiveness of blocking varies widely among ISPs. Moreover, it varies between the second-level domain and its subdomains within a single ISP. Table 6 below breaks this down for the top 3 ISPs, using budweiser.com as the example.<br /></div><div style="text-align: left;"><div id="docs-internal-guid-e1c33bba-7fff-0345-38d2-eb5057edb748" style="margin-left: 0pt; text-align: center;"><table style="border-collapse: collapse; border: medium none; margin-left: auto; margin-right: auto; text-align: left;"><colgroup><col width="141"></col><col width="93"></col><col width="112"></col><col width="112"></col><col width="143"></col></colgroup><tbody><tr style="height: 23.25pt;"><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Domain</span></p></td><td colspan="4" style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: 
pre;">Percentage of blocked requests</span></p></td></tr><tr style="height: 23.8989pt;"><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><br /></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">All ISPs</span></p></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Telekom Indonesia</span></p></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; 
overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Biznet Networks</span></p></td><td style="background-color: #b0b3b2; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Mora Telematika</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">budweiser.com</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; 
vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">46.01%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">91.06%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">73%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: 
transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">83.67%</span></p></td></tr><tr style="height: 0pt;"><td style="background-color: #d4d4d4; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">www.budweiser.com</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">61.44%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">95.25%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">85.77%</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">91.46%</span></p></td></tr></tbody></table></div></div><div style="text-align: center;"><span style="font-size: x-small;"><i>Table 6</i></span><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><h3 style="text-align: left;"> </h3><h3 style="text-align: left;">DNS Errors</h3>Based on the collected data we have identified that some ISPs respond with an error instead of redirecting to a block page. Only 0.09% of all responses fall into this category. 
<br /><br />For example:<br /><ul style="text-align: left;"><li>Prime Link Communication, PT returns a SERVFAIL error</li><li>INDO Internet, PT returns a NODATA error</li></ul><br /></div></div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-35007811864282991002022-08-24T16:37:00.012+01:002022-09-10T12:11:12.332+01:00DNS blocking in Indonesia<div><p>DNS-based censorship and domain blocking in Indonesia is very inconsistent among ISPs. There’s a government-mandated blacklist which the ISPs operating in the country should enforce. However, Indonesia lacks centralised internet infrastructure and has many separate ISPs. In addition, the Indonesian government has granted ISPs the authority to block content at their own discretion. All of this leads to very inconsistent DNS blocking in Indonesia. <br /></p><h2 style="text-align: left;">Official DNS domain blacklist in Indonesia</h2><p>The government-mandated DNS blacklist is published in a redacted form and can be downloaded here: <a href="https://trustpositif.kominfo.go.id/">https://trustpositif.kominfo.go.id/</a>. This is also the host that blocked domains get redirected to. We can search the database and check whether a domain is blocked.<br /><br />In the screenshot below we can see that a popular cryptocurrency exchange is blocked (Ada) and that wikipedia.org is not (Tidak Ada) - thanks to Google Translate. 
</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmUblVBiSbQRDFyDwnszmD9yZoAyJ1IcePnTpSSiDQHhI9IkLOEl9bZ_TONQ4uFvPl-QDegzwmAN_wabSJkRqBOy2v-Ci-XIK_g_eRIkTXzWE5SvnVuJBqGPwRuUPkaSRr7l9rNP8AcAzcfH80T0B8T9i5VuCuFMdvQAoxKUmVRM-bjIHV7FMpawGM/s998/indonesia_blockpage_search.png" style="margin-left: 1em; margin-right: 1em;"><img alt="DNS block page Indonesia" border="0" data-original-height="561" data-original-width="998" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmUblVBiSbQRDFyDwnszmD9yZoAyJ1IcePnTpSSiDQHhI9IkLOEl9bZ_TONQ4uFvPl-QDegzwmAN_wabSJkRqBOy2v-Ci-XIK_g_eRIkTXzWE5SvnVuJBqGPwRuUPkaSRr7l9rNP8AcAzcfH80T0B8T9i5VuCuFMdvQAoxKUmVRM-bjIHV7FMpawGM/w640-h360/indonesia_blockpage_search.png" title="DNS block page Indonesia" width="640" /></a></div><h2 style="text-align: left;">Examples of blocked DNS queries</h2><p style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">dig binance.com @182.253.45.122<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28994<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0<br />;; QUESTION SECTION:<br />;binance.com. IN A<br />;; ANSWER SECTION:<br />binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.<br />trustpositif.kominfo.go.id. 1 IN A 27.54.116.70</span></span><br /><br />When we try to resolve binance.com, we receive a redirected response with the following attributes: <br /></p><ul style="text-align: left;"><li>a CNAME pointing to trustpositif.kominfo.go.id.</li><li>an A record for that CNAME pointing to 27.54.116.70</li><li>the response is not authoritative (the aa flag is not set)</li><li>the TTL of the A record is 1 second</li></ul><p>This is what it looks like at the packet level. 
<br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLVnwruhxkN5TECB3T9uu-cdf8zsr903vXFQyhOVPvyWDgN4wZEPy_rOGxAw-7vRKlK4_at578xP4rJuXGOvV56jpuS8vBR-Ouonh62DzMglU7H7UkXLNYCaiFYxXpmZ6AwfKhgeErbdT6y67TQOggY3EOSRb-rY6bd4gtQftrj6lgh_MewtgncxVc/s892/indonesia_redirected_dns_response.png" style="margin-left: 1em; margin-right: 1em;"><img alt="DNS blocking in Indonesia" border="0" data-original-height="657" data-original-width="892" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLVnwruhxkN5TECB3T9uu-cdf8zsr903vXFQyhOVPvyWDgN4wZEPy_rOGxAw-7vRKlK4_at578xP4rJuXGOvV56jpuS8vBR-Ouonh62DzMglU7H7UkXLNYCaiFYxXpmZ6AwfKhgeErbdT6y67TQOggY3EOSRb-rY6bd4gtQftrj6lgh_MewtgncxVc/w640-h472/indonesia_redirected_dns_response.png" title="DNS blocking in Indonesia" width="640" /></a></div><p><br />The A record’s TTL of 1 second is notable. Let’s query a few more servers and see if it’s a coincidence: <br /><br /><span style="font-family: courier;"><span style="font-size: small;">dig binance.com @103.122.33.19 | grep -A 1 trustpositif <br />dig binance.com @139.255.115.163 | grep -A 1 trustpositif<br />dig binance.com @202.58.200.38 | grep -A 1 trustpositif<br />dig binance.com @103.83.100.65 | grep -A 1 trustpositif<br />dig binance.com @182.253.45.122 | grep -A 1 trustpositif<br /><br />binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.<br />trustpositif.kominfo.go.id. 1 IN A 27.54.116.70<br />binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.<br />trustpositif.kominfo.go.id. 1 IN A 27.54.116.70<br />binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.<br />trustpositif.kominfo.go.id. 1 IN A 27.54.116.70<br />binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.<br />trustpositif.kominfo.go.id. 1 IN A 27.54.116.70<br />binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.<br />trustpositif.kominfo.go.id. 
1 IN A 27.54.116.70</span></span><br /><br />The TTL in all the responses is the same. <br /></p><h2 style="text-align: left;">Blocking pattern</h2><p>Now we’ll analyse and infer the pattern used to redirect the requests. <br /><br />We’ll try another popular cryptocurrency exchange. <br /><br /><span style="font-family: courier;"><span style="font-size: small;">dig gemini.com @182.253.45.122 | grep -A 1 trustpositif <br />gemini.com. 3600 IN CNAME trustpositif.kominfo.go.id.<br />trustpositif.kominfo.go.id. 1 IN A 202.89.117.64</span></span><br /><br />This also resolves to a block page address (here 202.89.117.64 rather than 27.54.116.70, behind the same CNAME), so the gemini.com domain is censored. <br /><br />First, we’ll query a nonexistent domain name.<br /><span style="font-size: small;"><span style="font-family: courier;"><br />dig nonexistent.gemini.com @8.8.8.8 <br />; <<>> DiG 9.10.6 <<>> nonexistent.gemini.com @8.8.8.8<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6988<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1</span></span><br /><br />Google’s resolver returns NXDOMAIN, confirming this record doesn’t exist. However, when we query a censoring DNS resolver in Indonesia we get an answer. <br /><span style="font-size: small;"><span style="font-family: courier;"><br />dig nonexistent.gemini.com @182.253.45.122 <br />; <<>> DiG 9.10.6 <<>> nonexistent.gemini.com @182.253.45.122<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53311<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0<br />;; QUESTION SECTION:<br />;nonexistent.gemini.com. IN A<br />;; ANSWER SECTION:<br />nonexistent.gemini.com. 3600 IN CNAME trustpositif.kominfo.go.id.<br />trustpositif.kominfo.go.id. 
1 IN A 202.89.117.64</span></span><br /><br />Let’s try prepending and appending to the domain:<br /><span style="font-size: small;"><span style="font-family: courier;"><br />dig aagemini.com @182.253.45.122 | grep status<br />;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6177<br /><br />dig geminiaa.com @182.253.45.122 | grep status<br />;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25577<br /><br />dig gemini.com.aa @182.253.45.122 | grep status<br />;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53728<br /><br />dig gemini.aa @182.253.45.122 | grep status<br />;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36503<br /><br />dig aa.aa.gemini.com @182.253.45.122 | grep status<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9125</span></span><br /><br />The modified names return NXDOMAIN; only the subdomain query (aa.aa.gemini.com) is still redirected, as its NOERROR status shows. <br /><br />Based on this basic exercise we can infer that the blocking pattern is:<br /><br /><b>(example.com OR *example.com)</b></p><div style="text-align: left;"><h3 style="text-align: left;">Differences among ISPs</h3></div>In the above examples the censored DNS queries were redirected via a CNAME to trustpositif.kominfo.go.id. However, DNS censorship varies among ISPs. Let's see some examples:</div><div><br /><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;"><span><span>dig binance.com @182.23.44.6 <br /><br />; <<>> DiG 9.10.6 <<>> binance.com @182.23.44.6<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8753<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 7<br />;; QUESTION SECTION:<br />;binance.com. IN A<br />;; ANSWER SECTION:<br />binance.com. 0 IN CNAME dnsfilter2.idola.net.id.<br />dnsfilter2.idola.net.id. 1604 IN A 103.169.16.2<br />dnsfilter2.idola.net.id. 
1604 IN A 202.152.4.67 </span></span></span></span></div></div><div>Linknet - another CNAME<br /><div style="text-align: left;"><span style="font-size: small;"><span style="font-family: courier;"><span><span>dig binance.com @139.255.13.185 <br /><br />; <<>> DiG 9.10.6 <<>> binance.com @139.255.13.185<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57748<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 1<br />;; QUESTION SECTION:<br />;binance.com. IN A<br />;; ANSWER SECTION:<br />binance.com. 3600 IN CNAME internetpositif3.firstmedia.com.<br />internetpositif3.firstmedia.com. 80870 IN A 202.137.1.74</span></span></span></span></div></div><div> </div><div>PT Indonesia Comnets Plus - A record only<br /><div style="text-align: left;"><span style="font-family: inherit;"><span><span style="font-size: small;"><span style="font-family: courier;">dig binance.com @103.144.208.134<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60700<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13<br />;; QUESTION SECTION:<br />;binance.com. IN A<br />;; ANSWER SECTION:<br />binance.com. 
900 IN A 202.62.8.232</span><br /></span></span></span></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Blocking pages<br /></h3><p>This section shows examples of the blocking pages used by different DNS operators in Indonesia.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsWVsEhIRj2hBesoFS8KVFRKUdyzTXmyLKT6r2vlFI0KcnIatiUXyaAKIcgrspumy50A_UKitVCXFqHCYLYMcHU3o-r26JiD4k2Mdcc-riMbeHKy-3oj-tLJUswSbaMvVwcb3IqJGQB0_bSB_RqFSTHPn_Khq4STpjvP9rtWZ-wIznoYoSFglN43IQ/s1068/indonesia_blockpage_ads_pt_jembatan_citras_nusantra.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internet censorship PT Jembatan Citra Nusantara" border="0" data-original-height="787" data-original-width="1068" height="295" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsWVsEhIRj2hBesoFS8KVFRKUdyzTXmyLKT6r2vlFI0KcnIatiUXyaAKIcgrspumy50A_UKitVCXFqHCYLYMcHU3o-r26JiD4k2Mdcc-riMbeHKy-3oj-tLJUswSbaMvVwcb3IqJGQB0_bSB_RqFSTHPn_Khq4STpjvP9rtWZ-wIznoYoSFglN43IQ/w400-h295/indonesia_blockpage_ads_pt_jembatan_citras_nusantra.png" title="Indonesia internet censorship PT Jembatan Citra Nusantara" width="400" /> </a></div><div class="separator" style="clear: both; text-align: center;"><span id="docs-internal-guid-070f044e-7fff-cc2e-10c9-24d460d24459" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PT Jembatan Citra Nusantara</span></div><div class="separator" style="clear: both; text-align: center;"><span id="docs-internal-guid-070f044e-7fff-cc2e-10c9-24d460d24459" style="background-color: transparent; color: black; font-family: Arial; 
font-size: 10pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span> <br /></div></div><div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmaKcrooji0SWO1buaBHVHTJwZyrey-8w2Ce4H1tyxE600HyyxsCYEjN0ioIh9x0af0QkLO4z6aZ_EZSk95mkQMwFjSrcqwEE8p08anLJVspXCxWUz0oK0pxW91URgeHXxwD8Tr6ex1UgtO4ADuyaiD27Sijf4FsKo5Msfyxz54TXRsYk7OSj4ACnc/s1208/indonesia_blockpage_biznet_networks.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internest censorship Biznet Networks" border="0" data-original-height="1087" data-original-width="1208" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmaKcrooji0SWO1buaBHVHTJwZyrey-8w2Ce4H1tyxE600HyyxsCYEjN0ioIh9x0af0QkLO4z6aZ_EZSk95mkQMwFjSrcqwEE8p08anLJVspXCxWUz0oK0pxW91URgeHXxwD8Tr6ex1UgtO4ADuyaiD27Sijf4FsKo5Msfyxz54TXRsYk7OSj4ACnc/w400-h360/indonesia_blockpage_biznet_networks.png" title="Indonesia internest censorship Biznet Networks" width="400" /></a></div><p></p><p style="text-align: center;"><span id="docs-internal-guid-c2dc8d73-7fff-264b-3718-ac579ffb0502" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Biznet Networks</span></p><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0LbTMIscQngZxZ7-X4YSvYg2LtgiXpiOZg-BEnMZOlep72dACG2yLHIaMsq4A1ZTadGg_ZhfoFOkozOF7pPRdRuTycxZK2dolWfz7fYoPchRHaSKDSQE_UnZfG-p4JhZBJf2WYjh9nZaCb7HEhRwoKek-3UCbZoSkGEt05OUC9oQVrUz-R38X7haY/s899/indonesia_blockpage_indonesia_network_information_center.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internest censorship Indonesia Network Information Center" border="0" 
data-original-height="550" data-original-width="899" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0LbTMIscQngZxZ7-X4YSvYg2LtgiXpiOZg-BEnMZOlep72dACG2yLHIaMsq4A1ZTadGg_ZhfoFOkozOF7pPRdRuTycxZK2dolWfz7fYoPchRHaSKDSQE_UnZfG-p4JhZBJf2WYjh9nZaCb7HEhRwoKek-3UCbZoSkGEt05OUC9oQVrUz-R38X7haY/w400-h245/indonesia_blockpage_indonesia_network_information_center.png" title="Indonesia internest censorship Indonesia Network Information Center" width="400" /></a></div><p></p><p style="text-align: center;"><span id="docs-internal-guid-f725bcce-7fff-2fb9-4591-659a76490546" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Indonesia Network Information Center</span> </p><p style="text-align: center;"> </p><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkNns_GkkC3pObjhw6TNoAflM1OfKSDlRZSM8wgbk-RiAHmLUyvA4yCsckFzMShIGVysWDfHmsc57Cg7sblN2ObsNvemHGyASwyQaGCIovAZj87pYPxn8PWJi3Q8qSUdQGpWKC1V5uJnK7S8htG0MEAvWr9hg8D0f3WOhQSJGB-Pd0YWaoT9_-kSa3/s770/indonesia_blockpage_linknet.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internest censorship Linknet" border="0" data-original-height="711" data-original-width="770" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkNns_GkkC3pObjhw6TNoAflM1OfKSDlRZSM8wgbk-RiAHmLUyvA4yCsckFzMShIGVysWDfHmsc57Cg7sblN2ObsNvemHGyASwyQaGCIovAZj87pYPxn8PWJi3Q8qSUdQGpWKC1V5uJnK7S8htG0MEAvWr9hg8D0f3WOhQSJGB-Pd0YWaoT9_-kSa3/w400-h369/indonesia_blockpage_linknet.png" title="Indonesia internest censorship Linknet" width="400" /></a></div><p></p><p style="text-align: center;">Linknet</p><p style="text-align: 
center;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEtmEQupzAYzNLEKZuoGYHe77wGRVw_PsJ7bhz458us5ITa1U29bX_PRUEcuZV-p9pTaWmJqcXk4dzzkswNhBHVe_JlKCnbekvYvvTmlgOSlIEGt31g3ZCJXbjaDSYLRtOxqJppaBYUSwRoH3oqbdm0bFbDi87wZKNZcOrWVQEg0yDYqP-dkVHjD1P/s1602/indonesia_blockpage_pt_aplikanusa_lintasarta.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internest censorship PT Aplikanusa Lintasarta" border="0" data-original-height="748" data-original-width="1602" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEtmEQupzAYzNLEKZuoGYHe77wGRVw_PsJ7bhz458us5ITa1U29bX_PRUEcuZV-p9pTaWmJqcXk4dzzkswNhBHVe_JlKCnbekvYvvTmlgOSlIEGt31g3ZCJXbjaDSYLRtOxqJppaBYUSwRoH3oqbdm0bFbDi87wZKNZcOrWVQEg0yDYqP-dkVHjD1P/w400-h186/indonesia_blockpage_pt_aplikanusa_lintasarta.png" title="Indonesia internest censorship PT Aplikanusa Lintasarta" width="400" /></a></div><p style="text-align: center;"><span id="docs-internal-guid-845d256d-7fff-ef4f-59f2-83c999c1e679" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Aplikanusa Lintasarta</span></p><p style="text-align: center;"><span id="docs-internal-guid-845d256d-7fff-ef4f-59f2-83c999c1e679" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXQHJ4P361qD-VFQ448_Ey9bqm1HATTNsTqU7mdd_Jk3vEMbiPbrQbgJnVIm_4Ejj--3Tuu3zKqWx96afow0LBBftyPRM-3Ve3WLR2tek7gTPUQD6AyBpwKj6bYG4Hs-8mcAFvWZIOY_HO3Lcul3LU31NQP-6LtiOvbdhZN2f3kjZe6rOI_gGeITUD/s619/indonesia_blockpage_pt_centrin_utama.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internest censorship PT Centrin Utama" border="0" data-original-height="383" data-original-width="619" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXQHJ4P361qD-VFQ448_Ey9bqm1HATTNsTqU7mdd_Jk3vEMbiPbrQbgJnVIm_4Ejj--3Tuu3zKqWx96afow0LBBftyPRM-3Ve3WLR2tek7gTPUQD6AyBpwKj6bYG4Hs-8mcAFvWZIOY_HO3Lcul3LU31NQP-6LtiOvbdhZN2f3kjZe6rOI_gGeITUD/w400-h248/indonesia_blockpage_pt_centrin_utama.png" title="Indonesia internest censorship PT Centrin Utama" width="400" /></a></div><p></p><p style="text-align: center;"><span id="docs-internal-guid-ebf5b37f-7fff-db0c-037f-576992a63be7" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Centrin Utama</span></p><p style="text-align: center;"><span id="docs-internal-guid-ebf5b37f-7fff-db0c-037f-576992a63be7" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj52Oy13oefq-9xYBdMo716xfzROEiR98gnAhJPU0j5kKc-mHNkWrsl95NMyFghix2qbiVM7EMMKXf46lQobYXMoAMcUYPSXY44xdQWx5fO6kJVs3bmHHxD-vwpdHzHs6rJNteQd-HfkElklEQ8jo-ARKg-5436CWvBBgxK11Wvvi1iFk77IB1LvbXK/s998/indonesia_blockpage_pt_fiber_networks_indonesia.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internest 
censorship PT Fiber Networks Indonesia" border="0" data-original-height="487" data-original-width="998" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj52Oy13oefq-9xYBdMo716xfzROEiR98gnAhJPU0j5kKc-mHNkWrsl95NMyFghix2qbiVM7EMMKXf46lQobYXMoAMcUYPSXY44xdQWx5fO6kJVs3bmHHxD-vwpdHzHs6rJNteQd-HfkElklEQ8jo-ARKg-5436CWvBBgxK11Wvvi1iFk77IB1LvbXK/w400-h195/indonesia_blockpage_pt_fiber_networks_indonesia.png" title="Indonesia internest censorship PT Fiber Networks Indonesia" width="400" /></a></div><p></p><p style="text-align: center;"><span id="docs-internal-guid-3c430b86-7fff-7781-2d68-b1feadc1fdf9" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Fiber Networks Indonesia</span></p><p style="text-align: center;"><span id="docs-internal-guid-3c430b86-7fff-7781-2d68-b1feadc1fdf9" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYETl4TW8JoFj41CNipQVdc-YfJLQGwyWazSg6tK7x5f-kIwhQM8k4ib8VDC5W8PvSLmhIPA_7ue-ZSBNxOP3p8YPczlvzO_P1pl6F7RLyTKuKL_DrN8zLxO3R6rTo0t62ojjQ9cTaoCIDvzc61tU19-aGvDOhFCbJC_RB4BemAYxsvATx4FmwXHiu/s902/indonesia_blockpage_pt_jaringanku_sarana_nusantara.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internest censorship PT Jaringanku Sarana Nusantara" border="0" data-original-height="597" data-original-width="902" height="265" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYETl4TW8JoFj41CNipQVdc-YfJLQGwyWazSg6tK7x5f-kIwhQM8k4ib8VDC5W8PvSLmhIPA_7ue-ZSBNxOP3p8YPczlvzO_P1pl6F7RLyTKuKL_DrN8zLxO3R6rTo0t62ojjQ9cTaoCIDvzc61tU19-aGvDOhFCbJC_RB4BemAYxsvATx4FmwXHiu/w400-h265/indonesia_blockpage_pt_jaringanku_sarana_nusantara.png" title="Indonesia internest censorship PT Jaringanku Sarana Nusantara" width="400" /></a></div><p></p><p style="text-align: center;"><span id="docs-internal-guid-d62ac0ee-7fff-3184-7d04-398099860b8a" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Jaringanku Sarana Nusantara</span><span id="docs-internal-guid-d62ac0ee-7fff-3184-7d04-398099860b8a" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><p style="text-align: center;"><span id="docs-internal-guid-d62ac0ee-7fff-3184-7d04-398099860b8a" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><p style="text-align: center;"><span id="docs-internal-guid-d62ac0ee-7fff-3184-7d04-398099860b8a" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNWEbSMUN8WbvhT5kYOmbd28WXRenf3WH36Xm3hZgiWtMWAMTctyl1OxaAKuJGdQBJNREanvTmfPYrLdD4H_Wc9SrgXDrQeLDPZmVn8t1Bm_Emc_tSyx6FbpIHfd7gODka5Z_IIrHnlWo0ICHaSYR5Y0YnMu3YW8YYna0f4gMCkkGhXPLWJNP0M3G2/s1071/indonesia_blockpage_pt_mitra_lintas_multimedia.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internest censorship PT Mitra Lintas Multimedia" border="0" data-original-height="705" data-original-width="1071" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNWEbSMUN8WbvhT5kYOmbd28WXRenf3WH36Xm3hZgiWtMWAMTctyl1OxaAKuJGdQBJNREanvTmfPYrLdD4H_Wc9SrgXDrQeLDPZmVn8t1Bm_Emc_tSyx6FbpIHfd7gODka5Z_IIrHnlWo0ICHaSYR5Y0YnMu3YW8YYna0f4gMCkkGhXPLWJNP0M3G2/w400-h264/indonesia_blockpage_pt_mitra_lintas_multimedia.png" title="Indonesia internest censorship PT Mitra Lintas Multimedia" width="400" /></a></p><p></p><p style="text-align: center;"><span id="docs-internal-guid-8e10c609-7fff-77c7-2210-959a4e570571" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Mitra Lintas Multimedia</span></p><p style="text-align: center;"><span id="docs-internal-guid-8e10c609-7fff-77c7-2210-959a4e570571" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><p style="text-align: center;"><span id="docs-internal-guid-8e10c609-7fff-77c7-2210-959a4e570571" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"></span></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbBuWqd7aZXUeodGATEmlgO9xrE4MeS2cjQFNU8ZqTBM4lAesabdifa_vlaUWwMxRbONgAHWBzj45UnwxmbQnSjUrCYTTxggr58gWDPn2E8h-Y7YjVwOGI045hKW6_eB4iJClUU2pq_cbPSVsVtxUdmgjILAMGSSvgmJK6YVr9YXY6xcxjmNEIIehE/s1066/indonesia_blockpage_pt_solnet_indonesia.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internet censorship PT Solnet Indonesia" border="0" data-original-height="657" data-original-width="1066" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbBuWqd7aZXUeodGATEmlgO9xrE4MeS2cjQFNU8ZqTBM4lAesabdifa_vlaUWwMxRbONgAHWBzj45UnwxmbQnSjUrCYTTxggr58gWDPn2E8h-Y7YjVwOGI045hKW6_eB4iJClUU2pq_cbPSVsVtxUdmgjILAMGSSvgmJK6YVr9YXY6xcxjmNEIIehE/w400-h246/indonesia_blockpage_pt_solnet_indonesia.png" title="Indonesia internet censorship PT Solnet Indonesia" width="400" /></a></div><br /></div><div><div style="text-align: center;"> PT Solnet Indonesia</div><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkEb9twbo_C1KL38NaIjbSb3YqXjGYLLMeu9vlmms4fnJdzMTgMuQBGq3Z-F3M3kL9s7RCmjYnl5Gwr3wkU5Fvn7u1SM6AdT2OUDSsXunaWaPgKkzc043IJjV1Ok-e5WjBfgYAwGlWDJZVZhbbNqVWVHRtsSoZHko37XOC5Q-kUNp6-qLBocW32suG/s1114/indonesia_blockpage_qiandra_information_technology.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internet censorship Qiandra Information Technology" border="0" data-original-height="643" data-original-width="1114" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkEb9twbo_C1KL38NaIjbSb3YqXjGYLLMeu9vlmms4fnJdzMTgMuQBGq3Z-F3M3kL9s7RCmjYnl5Gwr3wkU5Fvn7u1SM6AdT2OUDSsXunaWaPgKkzc043IJjV1Ok-e5WjBfgYAwGlWDJZVZhbbNqVWVHRtsSoZHko37XOC5Q-kUNp6-qLBocW32suG/w400-h231/indonesia_blockpage_qiandra_information_technology.png" title="Indonesia internet censorship Qiandra Information Technology" width="400" /></a></div><p style="text-align: 
center;">Qiandra Information Technology<br /></p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwoUMLcvEcssY7DsVF8U7V2kd35veW-waxGgkwUZnehfoNPpe57cG1h1mYD5dOyDG3Cjun4QSKyHMAo4gOjG6XOSmLbLGr7qMYrsdGkcwjDRm_q5ZJjTDAS6YhWX8szGNxuqPIzI46CKVHFsFgP8gfhwXUYYUhovP4UFCixKxJOnpTW83LRYDo_waW/s1371/indonesia_blockpage_services_pt_indonesia_comnets_plus.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internest censorship PT Indonesia Comnets Plus" border="0" data-original-height="957" data-original-width="1371" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwoUMLcvEcssY7DsVF8U7V2kd35veW-waxGgkwUZnehfoNPpe57cG1h1mYD5dOyDG3Cjun4QSKyHMAo4gOjG6XOSmLbLGr7qMYrsdGkcwjDRm_q5ZJjTDAS6YhWX8szGNxuqPIzI46CKVHFsFgP8gfhwXUYYUhovP4UFCixKxJOnpTW83LRYDo_waW/w400-h279/indonesia_blockpage_services_pt_indonesia_comnets_plus.png" title="Indonesia internest censorship PT Indonesia Comnets Plus" width="400" /></a></div><p></p><p style="text-align: center;"><span id="docs-internal-guid-8ffa55ec-7fff-e7ac-1c0c-a1dc425c0417" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">PT Indonesia Comnets Plus</span></p><p style="text-align: center;"><span id="docs-internal-guid-8ffa55ec-7fff-e7ac-1c0c-a1dc425c0417" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBdQX9sRVz6oIhGuEN4AXFR5yWK7OC3vYSknICyJ2gV6cOsiG4aoEpAY_rJmLDkKCCy9NU3wuunBSGwOB12bwESVeaKsXiCU1ZBu8UIWi8pDoLvXZrBDdhB4VIDOK6JWdDu3RvdY_rYmhT8BMG6af_xuRWbtWCq0dvdmTUrMDWKRHtVkGqlpaoU5dB/s622/indonesia_blockpage_varnion_technology_semasta.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Indonesia internet censorship Varnion Technology Semesta" border="0" data-original-height="373" data-original-width="622" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBdQX9sRVz6oIhGuEN4AXFR5yWK7OC3vYSknICyJ2gV6cOsiG4aoEpAY_rJmLDkKCCy9NU3wuunBSGwOB12bwESVeaKsXiCU1ZBu8UIWi8pDoLvXZrBDdhB4VIDOK6JWdDu3RvdY_rYmhT8BMG6af_xuRWbtWCq0dvdmTUrMDWKRHtVkGqlpaoU5dB/w400-h240/indonesia_blockpage_varnion_technology_semasta.png" title="Indonesia internet censorship Varnion Technology Semesta" width="400" /></a></div></div><div style="text-align: center;"><span id="docs-internal-guid-2226e897-7fff-6917-fb54-a32fb5ef8d93" style="background-color: transparent; color: black; font-family: Arial; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Varnion Technology Semesta</span></div><div><p><br /></p><p>This is a high-level introduction to DNS censorship in Indonesia. For detailed research on the effectiveness of the blocking, using a much larger sample of DNS servers, see our <a href="https://www.securesenses.net/2022/09/dns-poisoning-indonesia-deep-dive.html">DNS Poisoning in Indonesia deep dive</a> article. 
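The behaviours catalogued above (a CNAME to a filter host, an A record pointing straight at a block page, or, as the DNS Errors section of the deep-dive post notes, SERVFAIL/NODATA instead of a redirect) can be recognised mechanically when sweeping resolvers. The script below is an added example, not code from the original post. It parses the text form of a dig answer, as quoted throughout, and labels each response. The filter hostnames and block-page addresses are the ones quoted in this post; the sample outputs are constructed to mirror the post's dig results, and the SERVFAIL and NODATA samples are illustrative rather than taken from a named ISP.

```python
"""Classify dig output for signs of DNS-based blocking.

Added example, not code from the original post: it parses the text
form of a dig answer, as quoted throughout the post, and labels the
response with the patterns the post documents."""
import re

# Filter hostnames and block-page addresses quoted in the post;
# a real deployment grows these sets from observed redirects.
KNOWN_FILTER_HOSTS = {
    "trustpositif.kominfo.go.id.",
    "dnsfilter2.idola.net.id.",
    "internetpositif3.firstmedia.com.",
}
KNOWN_BLOCKPAGE_IPS = {"27.54.116.70", "202.89.117.64", "202.62.8.232"}
ERROR_STATUSES = {"SERVFAIL", "REFUSED"}
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


def parse_dig(text):
    """Return (status, answers); answers are (name, ttl, type, rdata)
    tuples taken from the ANSWER SECTION only."""
    status, answers, in_answer = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            status = m.group(1) if m else None
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";"):
            in_answer = False  # any other section header or comment
        elif in_answer:
            m = RR_RE.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                answers.append((name, int(ttl), rtype, rdata))
    return status, answers


def classify(text):
    """Return (label, reason) for one dig output."""
    status, answers = parse_dig(text)
    if status in ERROR_STATUSES:
        return "ERROR", f"resolver returned {status} instead of an answer"
    if status == "NXDOMAIN":
        return "NXDOMAIN", "resolver says the name does not exist"
    if status == "NOERROR" and not answers:
        return "ERROR", "NOERROR with an empty answer section (NODATA)"
    for _name, _ttl, rtype, rdata in answers:
        if rtype == "CNAME" and rdata in KNOWN_FILTER_HOSTS:
            return "BLOCKED_CNAME", f"CNAME to filter host {rdata}"
    for _name, _ttl, rtype, rdata in answers:
        if rtype == "A" and rdata in KNOWN_BLOCKPAGE_IPS:
            return "BLOCKED_A", f"A record points at block page {rdata}"
    # Weak signal from the post: every trustpositif redirect carried a
    # 1-second TTL on the block-page A record. Surface it even when
    # the address is not yet on the known list.
    a_ttls = [ttl for _n, ttl, rtype, _r in answers if rtype == "A"]
    if a_ttls and max(a_ttls) <= 1:
        return "SUSPECT_TTL", "all A records have a TTL of 1 second or less"
    return "OK", "no blocking indicator matched"


# Constructed samples modelled on the dig outputs quoted in the post;
# the SERVFAIL and NODATA cases are illustrative, not from a named ISP.
SAMPLES = {
    "trustpositif_redirect": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28994
;; QUESTION SECTION:
;binance.com. IN A
;; ANSWER SECTION:
binance.com. 3600 IN CNAME trustpositif.kominfo.go.id.
trustpositif.kominfo.go.id. 1 IN A 27.54.116.70
""",
    "a_record_only": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60700
;; ANSWER SECTION:
binance.com. 900 IN A 202.62.8.232
""",
    "servfail": ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242\n",
    "nodata": ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n",
    "clean": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54715
;; ANSWER SECTION:
www.securesenses.net. 1736 IN CNAME ghs.google.com.
ghs.google.com. 236 IN A 172.217.16.51
""",
}


def classify_all(samples=SAMPLES):
    """Map each sample name to its label, e.g. for a resolver sweep."""
    return {name: classify(text)[0] for name, text in samples.items()}
```

Matching on the CNAME target before the block-page IP is deliberate: the post shows the same trustpositif.kominfo.go.id. CNAME resolving to two different addresses (27.54.116.70 and 202.89.117.64), so the IP list is only a fallback for the A-record-only ISPs, and the TTL check is a last-resort hint for filter hosts not yet catalogued.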
<br /></p></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-65454719009447434712022-08-21T07:48:00.002+01:002022-08-21T07:48:57.620+01:00Rogue DNS serverIn the Rogue DNS Server attack, a malicious actor configures a DNS server to act as the authoritative name server for the targeted domain name. In simple terms, the attacker creates a DNS zone on a server and inserts DNS records of their choosing. <br /><br />This can be accomplished in the following ways: <br /><ul><li>A legitimate DNS server is compromised</li><li>A DNS client is pointed at a malicious DNS server (by DNS-changer malware or by changing the router's DNS settings)</li><li>A malicious insider at an ISP or DNS provider uses their access to make unauthorized changes</li></ul><p><br />With the rogue DNS server in place, the original DNS query never reaches the legitimate authoritative name server. In fact, it never reaches any server other than the compromised resolver (strictly speaking this is a simplification: any sizable recursive DNS infrastructure has multiple layers of resolvers, forwarders and caching servers).<br /><br />Let’s look at an example.<br /><br />For this purpose we will spin up a simple Unbound DNS server instance acting as a recursive resolver. 
Later we will configure it with static entries of our choosing. <br /><br />I have used unbound-docker image and exposed the service on localhost.<br /><br />Let’s confirm it works.<br /><span style="font-size: small;"><span style="font-family: courier;"><br />dig www.securesenses.net @127.0.0.1<br />; <<>> DiG 9.10.6 <<>> www.securesenses.net @127.0.0.1<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54715<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 1232<br />;; QUESTION SECTION:<br />;www.securesenses.net. IN A<br />;; ANSWER SECTION:<br />www.securesenses.net. 1736 IN CNAME ghs.google.com.<br />ghs.google.com. 236 IN A 172.217.16.51</span></span></p><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwVP5MeLXHHJ91e5ESr11ypjIfHqOguOkmEMkf2siLwvGeE3EDvMfTVV-y6jpDlDa0CkazgmrC5N2Zc8yrSY63aE4vFPzh174Bs3RhtMJ-709DC26WWC4WfTq7KNcLauXRQZSjBC8SRDXl_xMs4Aks3MD2AyMYnIdXr57ZpJ7huLug3zuPEhX0Dm7m/s878/localhost_dns_query_valid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Valid DNS response packet" border="0" data-original-height="449" data-original-width="878" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwVP5MeLXHHJ91e5ESr11ypjIfHqOguOkmEMkf2siLwvGeE3EDvMfTVV-y6jpDlDa0CkazgmrC5N2Zc8yrSY63aE4vFPzh174Bs3RhtMJ-709DC26WWC4WfTq7KNcLauXRQZSjBC8SRDXl_xMs4Aks3MD2AyMYnIdXr57ZpJ7huLug3zuPEhX0Dm7m/w640-h328/localhost_dns_query_valid.png" title="Valid DNS response packet" width="640" /></a></div><p>We've confirmed we got the correct response and that the response is not authoritative. Our local DNS server works as expected. 
Now we’ll make it turn rogue…<br /><br />To configure Unbound with a static entry we simply add the following line under the server: section of the configuration: <br /><span style="font-family: courier;"><br />local-data: "www.securesenses.net. IN A 1.2.3.4"</span><br /><br />When we retry the query, we receive an authoritative answer for the targeted domain name.<br /><br /><span style="font-family: courier;"><span style="font-size: small;">dig www.securesenses.net @127.0.0.1<br />; <<>> DiG 9.10.6 <<>> www.securesenses.net @127.0.0.1<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40437<br />;; flags: qr <span style="color: red;">aa</span> rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 1232<br />;; QUESTION SECTION:<br />;www.securesenses.net. IN A<br />;; ANSWER SECTION:<br />www.securesenses.net. 3600 IN A 1.2.3.4</span></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0qhNsDKXFVuR7y2iUdcyrPhRJBisZonCyP1u-bry7ek7hzjnBGmi4VOeZnANfIurUaVZTPwPgnVmM0Lgi-fyoAQvAYGSc_PEZq_D_WkBTOYTquvkx7KWqoFGGS9rvw_Bo5Fj00lLWTeUygNs-U9rfFhLi8x0zXz61dxtKOUeGirscGV1F_5-Bh502/s1028/localhost_dns_query_rogue_response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Rogue DNS response packet" border="0" data-original-height="528" data-original-width="1028" height="328" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0qhNsDKXFVuR7y2iUdcyrPhRJBisZonCyP1u-bry7ek7hzjnBGmi4VOeZnANfIurUaVZTPwPgnVmM0Lgi-fyoAQvAYGSc_PEZq_D_WkBTOYTquvkx7KWqoFGGS9rvw_Bo5Fj00lLWTeUygNs-U9rfFhLi8x0zXz61dxtKOUeGirscGV1F_5-Bh502/w640-h328/localhost_dns_query_rogue_response.png" title="Rogue DNS response packet" width="640" /></a></div><p>As seen above we turned our local DNS server into an illegitimate authoritative name server for the securesenses.net. domain. </p><p>Anyone can set up a local DNS server and make it authoritative for any domain. A DNS server becomes rogue when someone either sets one up and then points unsuspecting DNS clients to it, or compromises an existing legitimate server that is in use and reconfigures it. <br /></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-31426542756322461642022-08-20T11:17:00.002+01:002022-08-20T11:23:07.218+01:00Authoritative DNS server<p>An Authoritative Name Server, also referred to as NS, is a DNS server that is responsible for a particular DNS zone (domain). This is where the domain administrator configures the DNS records in the zone. <br /><br />Authoritative Name Servers are defined using the NS (Name Server) resource record type. The NS record type is described in RFC 1035 - <a href="https://datatracker.ietf.org/doc/html/rfc1035#page-12">https://datatracker.ietf.org/doc/html/rfc1035#page-12</a></p><p>As depicted in the figure below, in a normal DNS resolution flow, a DNS client doesn't directly receive authoritative responses. 
It is a <a href="https://www.securesenses.net/2022/08/whats-recuresive-dns-query.html" target="_blank">recursive resolver</a> that iteratively queries the authoritative server on behalf of the client. For testing purposes we can query it directly.<br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4AdHpn7iGEjijM5G2IyLn0u0ikMRiJnm2CTvcqGClyJkirAJ2WiJTJSce5SMkbI-pz-Hf2F1gPbbwm-1LBcmQ873llaOWvrtrAeR5BhMcXUIz_bm0j_aEvonb1BjHcmedRRSoolZAHzEUvecZp_Qqj3jHVJjU2h0NOD3jb3wVkIamdav_2h8dj6Tn/s1451/dns_resultion_flow_authoritative_answer.png" style="margin-left: 1em; margin-right: 1em;"><img alt="DNS resolution flow authoritative answer" border="0" data-original-height="1451" data-original-width="1294" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4AdHpn7iGEjijM5G2IyLn0u0ikMRiJnm2CTvcqGClyJkirAJ2WiJTJSce5SMkbI-pz-Hf2F1gPbbwm-1LBcmQ873llaOWvrtrAeR5BhMcXUIz_bm0j_aEvonb1BjHcmedRRSoolZAHzEUvecZp_Qqj3jHVJjU2h0NOD3jb3wVkIamdav_2h8dj6Tn/w570-h640/dns_resultion_flow_authoritative_answer.png" title="DNS resolution flow authoritative answer" width="570" /></a></div><h2 style="text-align: left;">How to find Authoritative Name Servers?</h2><p>As with everything DNS related, dig to the rescue! Let’s query a recursive DNS resolver and ask it what the NS records for securesenses.net. are:<br /><br /><span style="font-family: courier;"><span style="font-size: small;">dig NS securesenses.net @8.8.8.8<br />; <<>> DiG 9.10.6 <<>> NS securesenses.net @8.8.8.8<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31323<br />;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 512<br />;; QUESTION SECTION:<br />;securesenses.net. IN NS<br />;; ANSWER SECTION:<br />securesenses.net. 
21600 IN NS ns-cloud-e1.googledomains.com.<br />securesenses.net. 21600 IN NS ns-cloud-e4.googledomains.com.<br />securesenses.net. 21600 IN NS ns-cloud-e3.googledomains.com.<br />securesenses.net. 21600 IN NS ns-cloud-e2.googledomains.com.</span></span><br /><br />We can see that securesenses.net. has 4 authoritative servers.<br /></p><h2 style="text-align: left;">Non-authoritative vs Authoritative DNS response<br /></h2><p></p><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: left;"></div><p>If we query a <a href="https://www.securesenses.net/2022/08/whats-recuresive-dns-query.html" target="_blank">recursive</a> DNS resolver we always receive a non-authoritative response. <br /><br /><span style="font-size: small;"><span style="font-family: courier;">dig www.securesenses.net @8.8.8.8<br />; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34177<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 512<br />;; QUESTION SECTION:<br />;www.securesenses.net. IN A<br />;; ANSWER SECTION:<br />www.securesenses.net. 1800 IN CNAME ghs.google.com.<br />ghs.google.com. 
300 IN A 216.58.209.19<br />;; Query time: 74 msec<br />;; SERVER: 8.8.8.8#53(8.8.8.8)<br />;; WHEN: Sat Aug 20 10:59:55 CEST 2022<br />;; MSG SIZE rcvd: 93</span></span></p><p><span style="font-size: small;"><span style="font-family: courier;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikALvYZGjhFo_LcF3HX4-ImN-MpMOfg-71iGV5sJs9VWAvC_YPXBUK-a1HjpiABkyij-M_NC56NsT-c7GNX_57C-mtkjINYG7oL5Ui_36tlTh8ho1v2BLhiseZ2Ua1XF_hV-6p8oo9StO0KrDkisV6RKvxDRjSHNd03ysXc0YJqaoP_jXpeAHcXVW-/s886/non_authoritative_dns_answer.png" style="margin-left: 1em; margin-right: 1em;"><img alt="non authoritative DNS response" border="0" data-original-height="679" data-original-width="886" height="490" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikALvYZGjhFo_LcF3HX4-ImN-MpMOfg-71iGV5sJs9VWAvC_YPXBUK-a1HjpiABkyij-M_NC56NsT-c7GNX_57C-mtkjINYG7oL5Ui_36tlTh8ho1v2BLhiseZ2Ua1XF_hV-6p8oo9StO0KrDkisV6RKvxDRjSHNd03ysXc0YJqaoP_jXpeAHcXVW-/w640-h490/non_authoritative_dns_answer.png" title="non authoritative DNS response" width="640" /> </a></span></span><br /><br />To get an authoritative answer we need to query the authoritative server directly:<br /><br /><span style="font-size: small;"><span style="font-family: courier;">dig www.securesenses.net @ns-cloud-e1.googledomains.com.<br />; <<>> DiG 9.10.6 <<>> www.securesenses.net @ns-cloud-e1.googledomains.com.<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16954<br />;; flags: qr <b><span style="color: red;">aa</span></b> rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br />;; WARNING: recursion requested but not available<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 512<br />;; QUESTION SECTION:<br />;www.securesenses.net. IN A<br />;; ANSWER SECTION:<br />www.securesenses.net. 
1800 IN CNAME ghs.google.com.</span></span></p><div class="separator" style="clear: both; text-align: left;">We can see that the answer is authoritative in the “flags” section of the dig output: the “aa” flag signifies an authoritative answer.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio8teNoQ5CRKBn5wY1LEo5384trhOTR4lgXSeORvNHRnfbDdEC3idYwd17MPDu5Ngt58seNtZs_26eAS_43J2cw2xZAp5NiZPhyLCdNRya-xvxkS-3KvNv4hvd1YNFHJQCHxtmvW9lyEKQn_BMYi0FMsKV5FlLaTGQebEwgDoVLTBJsovvYUDAVojg/s885/authoritative_dns_answer.png" style="margin-left: 1em; margin-right: 1em;"><img alt="authoritative DNS response" border="0" data-original-height="641" data-original-width="885" height="464" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio8teNoQ5CRKBn5wY1LEo5384trhOTR4lgXSeORvNHRnfbDdEC3idYwd17MPDu5Ngt58seNtZs_26eAS_43J2cw2xZAp5NiZPhyLCdNRya-xvxkS-3KvNv4hvd1YNFHJQCHxtmvW9lyEKQn_BMYi0FMsKV5FlLaTGQebEwgDoVLTBJsovvYUDAVojg/w640-h464/authoritative_dns_answer.png" title="authoritative DNS response" width="640" /></a></div><h2 style="text-align: left;">Checking authoritative servers in whois data<br /></h2><p>An alternative way of identifying the name servers is to query the WHOIS data, which is the domain's registration data: the registrar also maintains the list of authoritative servers. <br /><br />As a side note, you may run into resolution problems if the NS data held at the registrar differs from the NS records in the DNS zone. They need to be kept in sync. If you manage your own DNS servers you need to keep that in mind. 
If you rely on domain resellers such as Godaddy or Google Domains it is done for you automatically. <br /> <br /><span style="font-size: small;"><span style="font-family: courier;">whois securesenses.net<br /><br /># whois.verisign-grs.com<br /><br /> Domain Name: SECURESENSES.NET<br /> Registry Domain ID: 1710731915_DOMAIN_NET-VRSN<br /> Registrar WHOIS Server: whois.google.com<br /> Registrar URL: http://domains.google.com<br /> Updated Date: 2022-04-26T06:31:13Z<br /> Creation Date: 2012-04-02T13:49:11Z<br /> Registry Expiry Date: 2024-04-02T13:49:11Z<br /> Registrar: Google LLC<br /> Registrar IANA ID: 895<br /> Registrar Abuse Contact Email: registrar-abuse@google.com<br /> Registrar Abuse Contact Phone: +1.8772376466<br /> Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited<br /> Name Server: NS-CLOUD-E1.GOOGLEDOMAINS.COM<br /> Name Server: NS-CLOUD-E2.GOOGLEDOMAINS.COM<br /> Name Server: NS-CLOUD-E3.GOOGLEDOMAINS.COM<br /> Name Server: NS-CLOUD-E4.GOOGLEDOMAINS.COM<br /> DNSSEC: signedDelegation<br /> DNSSEC DS Data: 61931 8 2 6964839492CD6B924457CD431D07DB84BBA721E791FDB345E8F8E0E53C2EE5EE<br /> URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/<br />>>> Last update of whois database: 2022-08-20T09:15:19Z <<<</span></span><br /></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-19226265261482386232022-08-13T12:42:00.009+01:002022-08-21T07:51:28.969+01:00DNS injection attack<p>DNS injection is a type of DNS poisoning attack in which a network traffic monitoring device injects fake DNS responses.</p><div class="separator" 
style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEistklP4WPWJpaSu0WtZVN7S5l3rmjexiUIjtoht-ZTvHDvf53Od_ugaGHu-ptuLQNrg5IXFVwvFSxlUIwvIwGgQ_o5cQ1P2zka6CUlQQfJc1HHy9hY0GhAlIyoPYRJtFLmAjJ2WPky2RP-jtlqF2UVjg6mDg5bbCtvcElFtBguPeO8WyXSaFik7Ct2/s835/dns_injection_attack_full_example.png" style="margin-left: 1em; margin-right: 1em;"><img alt="DNS Injection attack" border="0" data-original-height="734" data-original-width="835" height="562" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEistklP4WPWJpaSu0WtZVN7S5l3rmjexiUIjtoht-ZTvHDvf53Od_ugaGHu-ptuLQNrg5IXFVwvFSxlUIwvIwGgQ_o5cQ1P2zka6CUlQQfJc1HHy9hY0GhAlIyoPYRJtFLmAjJ2WPky2RP-jtlqF2UVjg6mDg5bbCtvcElFtBguPeO8WyXSaFik7Ct2/w640-h562/dns_injection_attack_full_example.png" title="DNS Injection attack" width="640" /></a></div><div style="text-align: left;">When a monitoring device detects a DNS query for a censored domain, it forges a fake response and sends it to the client. This attack can be implemented by an on-path or an off-path device. This technique is commonly used by state actors to implement country based censorship. </div></div><p style="text-align: left;">We'll use The Great Firewall of China (GFW) to demonstrate this attack in practice.</p><p> Let's query wikipedia.org against Google DNS to get a baseline. </p><p><span style="font-family: courier;">dig wikipedia.org @8.8.8.8<br />; <<>> DiG 9.10.6 <<>> wikipedia.org @8.8.8.8<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61120<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 512<br />;; QUESTION SECTION:<br />;wikipedia.org. IN A<br />;; ANSWER SECTION:<br />wikipedia.org. 
234 IN A 91.198.174.192 <br /></span></p><p>We can confirm in a WHOIS database that this IP address does in fact belong to the Wikimedia Foundation. <br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPHaDZ33wyNQNT4zZJ-PjgeW6EHyg6vw43VvY0BFuJVGpgV32frqPfT3fSLx0GrHLpkEovLNSr2gcXqjhuONYEOi5XJSMxGmYt2paszpSK3ouMu7wXWD_sFr58RUK073B6dZx7GLAeFn2iuniQErBuWfBKL7_cpzRYE6XP5gfNbOd3RDWMKvn1X5fq/s478/dns_injection_attack_valid_response.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="241" data-original-width="478" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPHaDZ33wyNQNT4zZJ-PjgeW6EHyg6vw43VvY0BFuJVGpgV32frqPfT3fSLx0GrHLpkEovLNSr2gcXqjhuONYEOi5XJSMxGmYt2paszpSK3ouMu7wXWD_sFr58RUK073B6dZx7GLAeFn2iuniQErBuWfBKL7_cpzRYE6XP5gfNbOd3RDWMKvn1X5fq/w400-h201/dns_injection_attack_valid_response.png" width="400" /></a></div><br /><p>Let's run the same query against a DNS server in China. We'll use the DNS server with address 1.2.4.8. 
<br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4RZB-9ryMxWEjvydS461QMBnP6UkTC4WFJH5jc3YXCQrkLQDuiBb0-ERrAsyiLD6Fmv_iovQWj_yE7HU1Q0TCVik6j5n8EDArs-P_XsZLs0qSEHahKDcLcGkK9JHCgB9a2LMs0xgK-3s2b81m-VA344AQwGi1SxCLO6frKxheXwTYqZEadTDsGxPP/s513/dns_injection_attack_dns_srv_cn.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="247" data-original-width="513" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4RZB-9ryMxWEjvydS461QMBnP6UkTC4WFJH5jc3YXCQrkLQDuiBb0-ERrAsyiLD6Fmv_iovQWj_yE7HU1Q0TCVik6j5n8EDArs-P_XsZLs0qSEHahKDcLcGkK9JHCgB9a2LMs0xgK-3s2b81m-VA344AQwGi1SxCLO6frKxheXwTYqZEadTDsGxPP/w400-h193/dns_injection_attack_dns_srv_cn.png" width="400" /></a></div><span style="font-family: courier;"><br /></span><p><span style="font-family: courier;">dig wikipedia.org @1.2.4.8 <br />; <<>> DiG 9.10.6 <<>> wikipedia.org @1.2.4.8<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21972<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0<br />;; QUESTION SECTION:<br />;wikipedia.org. IN A<br />;; ANSWER SECTION:<br />wikipedia.org. 170 IN A 162.125.32.9</span><br /></p><p>Checking WHOIS data we see that this IP address doesn't belong to Wikimedia. Instead it belongs to Dropbox. 
</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo7U37GeerG56FM-8eYJqfa3zhMuHVPtkHgI82yI2hwJlkXtf5Y0YB2EneRcb97maplNnGQgvdMmJfZzYxXW8IvVCWKjuO9ndvI_eHZv8xDKVx_ugp4zimxn-vTO0xUHLVqLNNup4FJa-LYgnX4e1Rg4KiTtJq5hgoP6w6j_zQLoeiczrLvFtEdS6O/s473/dns_injection_attack_fake_response.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="241" data-original-width="473" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo7U37GeerG56FM-8eYJqfa3zhMuHVPtkHgI82yI2hwJlkXtf5Y0YB2EneRcb97maplNnGQgvdMmJfZzYxXW8IvVCWKjuO9ndvI_eHZv8xDKVx_ugp4zimxn-vTO0xUHLVqLNNup4FJa-LYgnX4e1Rg4KiTtJq5hgoP6w6j_zQLoeiczrLvFtEdS6O/w400-h204/dns_injection_attack_fake_response.png" width="400" /></a></div><p>Examining the network traffic, we see that in fact we received not one but three responses. <br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-83nc9jWmPHE0NF5gLWYInQQ2N0xoneNbkmLomdcjW2QpSEB7AomktuCOK9kqF-OIRwRmtvf42sPoE5p0osVFRMdr9E4P8BxFKSDfWAwfeLqQhDmbk4wBUIhvX5v6Sck7e9Ag5CiWpXaQQ0EFn-ggVndua9lKNEsHFQFsboVvbrhbkb3IAKA51jYn/s1056/gfw_injected_responses.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="88" data-original-width="1056" height="54" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-83nc9jWmPHE0NF5gLWYInQQ2N0xoneNbkmLomdcjW2QpSEB7AomktuCOK9kqF-OIRwRmtvf42sPoE5p0osVFRMdr9E4P8BxFKSDfWAwfeLqQhDmbk4wBUIhvX5v6Sck7e9Ag5CiWpXaQQ0EFn-ggVndua9lKNEsHFQFsboVvbrhbkb3IAKA51jYn/w640-h54/gfw_injected_responses.png" width="640" /></a></div><ul style="text-align: left;"><li>162.125.32.9 -> Dropbox</li><li>108.160.165.147 -> Dropbox</li><li>67.228.102.32 -> Softlayer <br /></li></ul><p> None of them belongs to Wikipedia. 
</p><p>To further demonstrate that this is a network-based attack, we try to send a DNS query to an IP address that is not a DNS server and is not even in use. We'll test this against 1.2.4.244. </p><p>First let's ping it to make sure there's nothing there.</p><p><span style="font-family: courier;">PING 1.2.4.244 (1.2.4.244): 56 data bytes<br />Request timeout for icmp_seq 0</span> </p><p>Now let's query it. <br /></p><div style="text-align: left;"><span style="font-family: courier;"> dig wikipedia.org @1.2.4.244 </span></div><div style="text-align: left;"><span style="font-family: courier;">; <<>> DiG 9.10.6 <<>> wikipedia.org @1.2.4.244</span></div><div style="text-align: left;"><span style="font-family: courier;">;; global options: +cmd</span></div><div style="text-align: left;"><span style="font-family: courier;">;; Got answer:</span></div><div style="text-align: left;"><span style="font-family: courier;">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27430</span></div><div style="text-align: left;"><span style="font-family: courier;">;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0</span></div><div style="text-align: left;"><span style="font-family: courier;">;; QUESTION SECTION:</span></div><div style="text-align: left;"><span style="font-family: courier;">;wikipedia.org. IN A</span></div><div style="text-align: left;"><span style="font-family: courier;">;; ANSWER SECTION:</span></div><div style="text-align: left;"><span style="font-family: courier;">wikipedia.org. 150 IN A 199.59.149.136</span></div><p>The response is injected by the injector. 
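As an added example (not code from the post), the following stdlib-only Python parses captured DNS responses and flags the injection pattern this post demonstrates: several responses carrying the same transaction ID but different A records. The packets are constructed inline to mirror the dig outputs above (IDs, TTLs and addresses copied from them); nothing is sent on the network.

```python
import struct
from collections import defaultdict

# Added example, not from the post: a tiny DNS parser plus a detector for the
# injection signature shown above (one query, several conflicting responses).


def encode_name(name):
    """Encode "wikipedia.org" as DNS labels: \\x09wikipedia\\x03org\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2           # the pointer is the last thing we consume
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_a_response(txid, name, ttl, ip, aa=False):
    """Constructed response: one question plus one A record (name as pointer to 0x0c)."""
    flags = 0x8180 | (0x0400 if aa else 0)     # QR, RD, RA (+AA when requested)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_a_response(data):
    """Return transaction ID, AA flag, question name and the A records answered."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, offset = decode_name(data, 12)
    offset += 4                                  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _rname, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "aa": bool(flags & 0x0400), "qname": qname, "answers": answers}


def find_injected(packets):
    """Group captured responses by transaction ID. One query should get exactly one
    response; several responses with conflicting A records indicate an injector."""
    by_id = defaultdict(list)
    for packet in packets:
        parsed = parse_a_response(packet)
        by_id[parsed["id"]].append(parsed)
    findings = []
    for txid, items in sorted(by_id.items()):
        distinct = sorted({ip for item in items for ip in item["answers"]})
        if len(items) > 1 and len(distinct) > 1:
            findings.append({"id": txid, "qname": items[0]["qname"],
                             "responses": len(items), "answers": distinct})
    return findings


# Constructed capture: the baseline answer from 8.8.8.8 and the three responses
# observed for the single query sent towards 1.2.4.8 (values taken from the post).
BASELINE = [build_a_response(61120, "wikipedia.org", 234, "91.198.174.192")]
TOWARDS_CN = [build_a_response(21972, "wikipedia.org", 170, "162.125.32.9"),
              build_a_response(21972, "wikipedia.org", 170, "108.160.165.147"),
              build_a_response(21972, "wikipedia.org", 170, "67.228.102.32")]

if __name__ == "__main__":
    print(find_injected(BASELINE))       # [] - a single response is normal
    print(find_injected(TOWARDS_CN))     # one finding with three conflicting answers
```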
</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4oWM3bPRyxnxywYvtX_tGwTpmn4-zNQpFGi1_LN40BXuYyAFwd1iAiXrQRvD49l31ytMsglTKI6XdWdwsNEv-aXXJMhRa7R32goEqVRxU9c4yLq8QjNhLYNXF--Lat0OH1V_i_MEVzJvgMaNjHXs723OASklVWsQtkPabkew87-zIpe2AB-CAmC5e/s1029/dns_injection_attack_fake_response_from_nonexistentip.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="69" data-original-width="1029" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4oWM3bPRyxnxywYvtX_tGwTpmn4-zNQpFGi1_LN40BXuYyAFwd1iAiXrQRvD49l31ytMsglTKI6XdWdwsNEv-aXXJMhRa7R32goEqVRxU9c4yLq8QjNhLYNXF--Lat0OH1V_i_MEVzJvgMaNjHXs723OASklVWsQtkPabkew87-zIpe2AB-CAmC5e/w640-h42/dns_injection_attack_fake_response_from_nonexistentip.png" width="640" /></a></div><p>An observant reader will notice that this time we've received two instead of three responses. We will cover why that is the case in a post dedicated to the Great Firewall of China DNS blocking. <br /></p><h3 style="text-align: left;">IP addresses in injected responses</h3><p>The fake response can contain anything the attacker chooses. These can be: </p><ul style="text-align: left;"><li>Publicly routable IP addresses blocked at the network level (for example BGP black-holed) or not serving any content</li><li>IP addresses of specific block pages</li><li>The localhost address</li><li>Private IP addresses (non-internet routable)</li><li>A DNS error, for example NXDOMAIN</li></ul><p>The Great Firewall of China in its forged responses returns IP addresses from IP ranges owned by US companies such as Dropbox, Facebook, Twitter and Softlayer. This behaviour is specific to the GFW [ref 1]. </p><p>For example, in Indonesia or Korea forged responses contain IP addresses that redirect users to a block page. </p><p>References:</p><p>1 "How Great is the Great Firewall?" 
https://www.usenix.org/system/files/sec21-hoang.pdf<br /></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-140845016551649342022-08-11T14:22:00.013+01:002022-09-17T08:51:30.773+01:00What's a recursive DNS query?There are two types of DNS queries:<br /><ul style="text-align: left;"><li>Recursive query</li><li>Iterative query<br /></li></ul><p>In a recursive query, the DNS resolver will respond with the final result, the best answer it has or an error message. How it responds depends on what kind of DNS server it is. A recursive resolver will respond with the final IP address (or set of IPs). A non-recursive DNS server (a root or GTLD server) will respond with the best answer it has.<br /><br />In an iterative query, the DNS resolver is only required to provide the best answer it has. 
Assuming the queried record is not in the server’s cache, the DNS client will receive a referral to the next DNS server in the resolution path.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTJ33Nfv9pmr4KUYVNBQuGCNGLtgPb-7nRH2PcoDrQw6iu6-fOrirlr-TWCCYh_kIY4MBOVgVHETIpdsDntP1c6mLQO5lgWKvimaJblLFHmyTgkIhAZosxWX1p5K7hieMHX_sKOJy95Lk8QHPtQ83paIWVVJMXo_ZxURupsz-eNHQxmZFTJlDhqOTR/s774/dns_recursive_iterative_query_flow.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Recursive and iterative DNS queries diagram" border="0" data-original-height="774" data-original-width="690" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTJ33Nfv9pmr4KUYVNBQuGCNGLtgPb-7nRH2PcoDrQw6iu6-fOrirlr-TWCCYh_kIY4MBOVgVHETIpdsDntP1c6mLQO5lgWKvimaJblLFHmyTgkIhAZosxWX1p5K7hieMHX_sKOJy95Lk8QHPtQ83paIWVVJMXo_ZxURupsz-eNHQxmZFTJlDhqOTR/w570-h640/dns_recursive_iterative_query_flow.png" title="Recursive and iterative DNS queries diagram" width="570" /></a></div>That’s the theory. Let's look at practical examples. <br /><h2 style="text-align: left;">Recursive query <br /></h2><p>DNS resolvers that are used by DNS clients are referred to as “recursive resolvers”. Their purpose is to handle the queries, return the final resolution result and cache the response. <br /></p><p>When a DNS client queries a recursive DNS resolver it receives the IP address (or an error). A recursive query is the default for dig; we don't need any flags to issue one. 
</p><div style="text-align: left;"><p><span style="font-family: courier;"><span style="font-size: small;">dig www.securesenses.net @8.8.8.8 <br />; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63739<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 512<br />;; QUESTION SECTION:<br />;www.securesenses.net. IN A<br />;; ANSWER SECTION:<br />www.securesenses.net. 1800 IN CNAME ghs.google.com.<br />ghs.google.com. 300 IN A 142.250.75.19</span></span></p><p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjgAIm6HWgrLsVCtkqJ5x3ephqFqGq4GJjwevGQbocR93ACCou4--GrMD2jL9942EBClkFpst9inr-e2fj1wJkBlg4aRtkCnZXkqE15XIqcC0rOCEf1tQ8RNK-ponE_kCtphQ8sSnLyzBXBDkR5HiAEVx1LE3H36qfL5lNQ0vmKyuVsaLVQwLgaNhk/s531/recursive_query.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Recursive DNS query" border="0" data-original-height="378" data-original-width="531" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjgAIm6HWgrLsVCtkqJ5x3ephqFqGq4GJjwevGQbocR93ACCou4--GrMD2jL9942EBClkFpst9inr-e2fj1wJkBlg4aRtkCnZXkqE15XIqcC0rOCEf1tQ8RNK-ponE_kCtphQ8sSnLyzBXBDkR5HiAEVx1LE3H36qfL5lNQ0vmKyuVsaLVQwLgaNhk/w640-h456/recursive_query.png" title="Recursive DNS query" width="640" /></a></p></div><p></p><p>The response shows that the DNS resolver is recursive ("Recursion available" bit is set). The response contains the intermediary CNAME and the final A record. 
<br /></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDXc1lOYggKPuBUBKfXt4Nz-xA8hfpl1d5ZMc7uSc-9LqWPbsL83aSk2S6uFz0-VG9lui_h2jnSYmRSe2OvnNGgbQ2P7ixpCZACOA7EISwDHDoNs8-wC5LquhqjIdLTGUR5BPttU1cC6lmI5xVi5y-tF1C8swS9NRYtrUu8bhYlke7M7A6IT9v1nbY/s873/recursive_response.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Recursive DNS query" border="0" data-original-height="705" data-original-width="873" height="517" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDXc1lOYggKPuBUBKfXt4Nz-xA8hfpl1d5ZMc7uSc-9LqWPbsL83aSk2S6uFz0-VG9lui_h2jnSYmRSe2OvnNGgbQ2P7ixpCZACOA7EISwDHDoNs8-wC5LquhqjIdLTGUR5BPttU1cC6lmI5xVi5y-tF1C8swS9NRYtrUu8bhYlke7M7A6IT9v1nbY/w640-h517/recursive_response.png" title="Recursive DNS query" width="640" /></a></div><p></p><h2 style="text-align: left;">Iterative query</h2><p>We can use dig with +norecurse flag to issue an iterative query. An iterative query will have the "Recursion desired" bit disabled as shown below:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX6Tr4ghlxeDq_VYs0DGTkH7Z7_PwS_CZ46mZGumcMPQB7HBJ1GvrWswQJd8L8NBtJ3Tdh8AfObjJHV0Ki0ES7q7n2iG6ZWXTgzLsroESHdiqsfB-2zaUgwhyUxqT3z0AKQ17gZ5_4WUG8Sjcc1ZxfQyytrYpKgK_8831BWkZ6IyUV7JSJP9Q1aEby/s597/recursive_query.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Iterative DNS query" border="0" data-original-height="182" data-original-width="597" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX6Tr4ghlxeDq_VYs0DGTkH7Z7_PwS_CZ46mZGumcMPQB7HBJ1GvrWswQJd8L8NBtJ3Tdh8AfObjJHV0Ki0ES7q7n2iG6ZWXTgzLsroESHdiqsfB-2zaUgwhyUxqT3z0AKQ17gZ5_4WUG8Sjcc1ZxfQyytrYpKgK_8831BWkZ6IyUV7JSJP9Q1aEby/w640-h196/recursive_query.png" title="Iterative DNS query" width="640" /></a></div><p></p><p>Most public DNS resolvers will reject iterative queries. 
In the examples below we query two different DNS resolvers and receive two different error messages. The first resolver returns a REFUSED error, the second one responds with a SERVFAIL (server failure) error. For a detailed explanation of the response and error codes see <a href="https://www.securesenses.net/2022/09/dns-response-and-error-types.htm" target="_blank">DNS response and error types.</a><br /></p><div style="text-align: left;"><span style="font-size: small;"><span style="font-family: courier;">dig www.securesenses.net @88.156.64.21 +norecurse<br />; <<>> DiG 9.10.6 <<>> www.securesenses.net @88.156.64.21 +norecurse<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, <b><span style="color: red;">status: REFUSED</span>,</b> id: 22875<br />;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</span></span><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja8eKWp2GV1GSPutAdqMqsRgTWrXBtpZ_8GwvakIxUbQhTNyWzAJP7d9veRETmBKoWuln5QtEpsaTIkNY35o1yp0XA1o6LnJEdmueRjyC82mUJjByCUzXuSV602iGtltLnFFafoKfzLJv3oUpss-SZsxxpXiMAzFcLml6dB4FNTrn1WDqinYJLD6AN/s1158/error_refused.png" style="margin-left: 1em; margin-right: 1em;"><img alt="DNS error query refused" border="0" data-original-height="266" data-original-width="1158" height="149" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja8eKWp2GV1GSPutAdqMqsRgTWrXBtpZ_8GwvakIxUbQhTNyWzAJP7d9veRETmBKoWuln5QtEpsaTIkNY35o1yp0XA1o6LnJEdmueRjyC82mUJjByCUzXuSV602iGtltLnFFafoKfzLJv3oUpss-SZsxxpXiMAzFcLml6dB4FNTrn1WDqinYJLD6AN/w640-h149/error_refused.png" title="DNS error query refused" width="640" /></a></div><span style="font-family: courier;"><br /></span><div style="text-align: left;"><span style="font-size: small;"><span style="font-family: courier;">dig www.securesenses.net @8.8.8.8 +norecurse <br />; <<>> DiG 
9.10.6 <<>> www.securesenses.net @8.8.8.8 +norecurse<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, <b><span style="color: red;">status: SERVFAIL</span>,</b> id: 33028<br />;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1</span></span></div><p></p><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrpNod-z8bGZoz9Dq8HNjRJz0kd690EZ9g81xPJ6lRERTCqetNA93ejF7F0yhcxE_izfVf8pz3LJ9-zB2Erv9djyllY-K09GEGqCEnJoqb01wsgqFA0B-l9zpZySYSKNIvUG5pbsZ8wDPetut13sN6aUlJpRyqoajutRZGMj9KBjij9HqQUerUUy-b/s1204/error_serverfailure.png" style="margin-left: 1em; margin-right: 1em;"><img alt="DNS error server failure" border="0" data-original-height="380" data-original-width="1204" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrpNod-z8bGZoz9Dq8HNjRJz0kd690EZ9g81xPJ6lRERTCqetNA93ejF7F0yhcxE_izfVf8pz3LJ9-zB2Erv9djyllY-K09GEGqCEnJoqb01wsgqFA0B-l9zpZySYSKNIvUG5pbsZ8wDPetut13sN6aUlJpRyqoajutRZGMj9KBjij9HqQUerUUy-b/w640-h202/error_serverfailure.png" title="DNS error server failure" width="640" /> </a></div><div class="separator" style="clear: both; text-align: center;"> </div><div class="separator" style="clear: both; text-align: left;">As shown above DNS resolvers (aka recursive resolvers) don't support iterative queries. They are used between the Resolvers, the Root servers and the TLD servers. 
Let's query them.</div><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;"><h3 style="text-align: left;">Root server (l.root-servers.net.)</h3></div><div class="separator" style="clear: both; text-align: left;"></div><div class="separator" style="clear: both; text-align: left;">The root server returns the referral to the GTLD servers <a href="https://www.securesenses.net/2022/08/authoritative-dns-server.html" target="_blank">authoritative</a> for the NET zone. <br /></div><div class="separator" style="clear: both; text-align: left;"><span style="font-family: courier;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: small;"><span style="font-family: courier;">dig www.securesenses.net @199.7.83.42 +norecurse<br />; <<>> DiG 9.10.6 <<>> www.securesenses.net @199.7.83.42 +norecurse<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26582<br />;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 4096<br />;; QUESTION SECTION:<br />;www.securesenses.net. IN A<br />;; AUTHORITY SECTION:<br />net. 172800 IN NS a.gtld-servers.net.<br />net. 172800 IN NS b.gtld-servers.net.<br />net. 172800 IN NS c.gtld-servers.net.<br />net. 172800 IN NS d.gtld-servers.net.<br />net. 172800 IN NS e.gtld-servers.net.<br />net. 172800 IN NS f.gtld-servers.net.<br />net. 172800 IN NS g.gtld-servers.net.<br />net. 172800 IN NS h.gtld-servers.net.<br />net. 172800 IN NS i.gtld-servers.net.<br />net. 172800 IN NS j.gtld-servers.net.<br />net. 172800 IN NS k.gtld-servers.net.<br />net. 172800 IN NS l.gtld-servers.net.<br />net. 
172800 IN NS m.gtld-servers.net.</span></span><br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIXbMZPmq5vuLpdrqPGwZYWYQGWfElpsqmDMbciKDzYBoLw7JkzKf9bZyRFMzIPXtGgusgIqsEKsgFZa7jqp68xJbAmOBthUWcjc3DxTIgZweTU_DO9whyPa6EEgAMJcKlFHM2a8-g0WWz2YqkK4ODFrW0ExKzE12CNxTw89nqtvYErWM4u8Qkamb3/s965/iterative_root_query.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Recursive DNS query recursion not available" border="0" data-original-height="636" data-original-width="965" height="422" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIXbMZPmq5vuLpdrqPGwZYWYQGWfElpsqmDMbciKDzYBoLw7JkzKf9bZyRFMzIPXtGgusgIqsEKsgFZa7jqp68xJbAmOBthUWcjc3DxTIgZweTU_DO9whyPa6EEgAMJcKlFHM2a8-g0WWz2YqkK4ODFrW0ExKzE12CNxTw89nqtvYErWM4u8Qkamb3/w640-h422/iterative_root_query.png" title="Recursive DNS query recursion not available" width="640" /></a></div><p></p><p></p><h3 style="text-align: left;">GTLD server (l.gtld-servers.net.) </h3><div style="text-align: left;">The GTLD server returns a referral to the <a href="https://www.securesenses.net/2022/08/authoritative-dns-server.html" target="_blank">Authoritative Servers</a> (also referred to as NS servers). Those servers are authoritative for the securesenses.net. zone.<br /></div><div style="text-align: left;"><span style="font-size: small;"><span style="font-family: courier;">dig www.securesenses.net @192.41.162.30 +norecurse<br />; <<>> DiG 9.10.6 <<>> www.securesenses.net @192.41.162.30 +norecurse<br />;; global options: +cmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4978<br />;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1<br />;; OPT PSEUDOSECTION:<br />; EDNS: version: 0, flags:; udp: 4096<br />;; QUESTION SECTION:<br />;www.securesenses.net. IN A<br />;; AUTHORITY SECTION:<br />securesenses.net. 172800 IN NS ns-cloud-e1.googledomains.com.<br />securesenses.net. 172800 IN NS ns-cloud-e2.googledomains.com.<br />securesenses.net. 172800 IN NS ns-cloud-e3.googledomains.com.<br />securesenses.net. 172800 IN NS ns-cloud-e4.googledomains.com.</span></span></div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY9pvmrGxW-H1DQ5kNSDajAtciKNFQcYQCStKIYHg9BGtR1lMZ7Rrf8ubAzBP8hIVqYniLV5VcTi78QqFLGuG2u4gIfD0iDrY8JiDjIfMlr1uGoHahqsUWM0SNL0EI5DotzaB20vLuUylwke4ZyxuMkdZ7bkZOEHqGXitGZYD_xe0k9z15NJJfY9-A/s894/iterative_tld_query.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Recursive DNS query recursion not available" border="0" data-original-height="832" data-original-width="894" height="596" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY9pvmrGxW-H1DQ5kNSDajAtciKNFQcYQCStKIYHg9BGtR1lMZ7Rrf8ubAzBP8hIVqYniLV5VcTi78QqFLGuG2u4gIfD0iDrY8JiDjIfMlr1uGoHahqsUWM0SNL0EI5DotzaB20vLuUylwke4ZyxuMkdZ7bkZOEHqGXitGZYD_xe0k9z15NJJfY9-A/w640-h596/iterative_tld_query.png" title="Recursive DNS query recursion not available" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><h3 style="text-align: left;">Recursive query against a non-recursive server</h3></div><div class="separator" style="clear: both; text-align: left;">When we query a non-recursive server (for example a Root or GTLD server), the server responds with the best answer it has. 
In the example below the Root server refers the DNS client to the GTLD server - which is the same behaviour as when we issued an iterative query.</div><div class="separator" style="clear: both; text-align: left;"><p></p></div><div class="separator" style="clear: both; text-align: left;"><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">dig www.securesenses.net @199.7.83.42 </span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">; <<>> DiG 9.10.6 <<>> www.securesenses.net @199.7.83.42</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">;; global options: +cmd</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">;; Got answer:</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31938</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">;; WARNING: recursion requested but not available</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">;; OPT PSEUDOSECTION:</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">; EDNS: version: 0, flags:; udp: 4096</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">;; QUESTION SECTION:</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">;www.securesenses.net. 
IN A</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">;; AUTHORITY SECTION:</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS a.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS b.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS c.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS d.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS e.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS f.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS g.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS h.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS i.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS j.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS k.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 
172800 IN NS l.gtld-servers.net.</span></span></div><div style="text-align: left;"><span style="font-family: courier;"><span style="font-size: small;">net. 172800 IN NS m.gtld-servers.net.</span></span></div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieB3520xFDgzg8irucrbZSdXeEmSI8uCfAgrv5JYZQEUGdhfVugdPghkrYxc37XeQtd5AmnaYxn8fZoljRpxlvhKW-2SZ9qNaGu0grUpOFeMp8pcIIzBcDxA9I2bNuwZISv39qM-2_SHGKTaiD-9YHAnj6dw1WnUOAvkFbTMyyJRRbJdZsvJnNxpMU/s885/recursive_query_against_non-recursive_server.png" style="margin-left: 1em; margin-right: 1em;"><img alt="Recursive DNS query" border="0" data-original-height="644" data-original-width="885" height="466" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieB3520xFDgzg8irucrbZSdXeEmSI8uCfAgrv5JYZQEUGdhfVugdPghkrYxc37XeQtd5AmnaYxn8fZoljRpxlvhKW-2SZ9qNaGu0grUpOFeMp8pcIIzBcDxA9I2bNuwZISv39qM-2_SHGKTaiD-9YHAnj6dw1WnUOAvkFbTMyyJRRbJdZsvJnNxpMU/w640-h466/recursive_query_against_non-recursive_server.png" title="Recursive DNS query" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><h3 style="text-align: left;">See the full resolution path using dig +trace</h3></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: small;"><span style="font-family: courier;">dig www.securesenses.net @8.8.8.8 +trace</span></span></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Step 1 - list of root servers<br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: small;"><span style="font-family: courier;">; <<>> DiG 9.10.6 <<>> www.securesenses.net @8.8.8.8 +trace<br />;; global options: +cmd<br />. 23937 IN NS m.root-servers.net.<br />. 23937 IN NS b.root-servers.net.</span></span></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Step 2 - list of GTLD servers authoritative for the NET. zone</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: small;"><span style="font-family: courier;">net. 172800 IN NS i.gtld-servers.net.<br />net. 172800 IN NS e.gtld-servers.net.</span></span></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Step 3 - list of NS (authoritative servers) for securesenses.net. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: small;"><span style="font-family: courier;">securesenses.net. 172800 IN NS ns-cloud-e1.googledomains.com.<br />securesenses.net. 172800 IN NS ns-cloud-e2.googledomains.com.<br />securesenses.net. 172800 IN NS ns-cloud-e3.googledomains.com.<br />securesenses.net. 
172800 IN NS ns-cloud-e4.googledomains.com.</span></span></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Step 4 - final result: in the last step we get the CNAME; dig +trace does not resolve it to the final IP address<br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: small;"><span style="font-family: courier;">www.securesenses.net. 1800 IN CNAME ghs.google.com.</span></span></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">This is what it looks like in Wireshark</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_3vl5B6RwH9yoczD5lrJiJNBMS1vR4w1dtboMA9P0KRCmb5guRMxdhrhW12gH8453AIs4rUlBxwETgzYPbvpxMz-5F0yvPaLKlsr7OEoBEyb5dgldPPEIBN-mazvJTSypKj7fMdDXZU5120-MM7siX6nhihSZObSHRm6oRS2da2Ixwr1BY0ENw7hZ/s1195/digtrace.png" style="margin-left: 1em; margin-right: 1em;"><img alt="DNS resolution path dig trace" border="0" data-original-height="165" data-original-width="1195" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_3vl5B6RwH9yoczD5lrJiJNBMS1vR4w1dtboMA9P0KRCmb5guRMxdhrhW12gH8453AIs4rUlBxwETgzYPbvpxMz-5F0yvPaLKlsr7OEoBEyb5dgldPPEIBN-mazvJTSypKj7fMdDXZU5120-MM7siX6nhihSZObSHRm6oRS2da2Ixwr1BY0ENw7hZ/w640-h88/digtrace.png" title="DNS resolution path dig trace" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;"><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-66901008520974659682022-08-09T15:25:00.009+01:002022-08-21T07:51:19.193+01:00Types of DNS poisoning attacksDNS poisoning attacks are commonly referred to as DNS cache poisoning attacks. In reality, DNS cache poisoning is only one class of DNS attacks. I have handled many real world DNS poisoning attacks but I have never observed actual cache poisoning attacks in the wild. <br /> <br />In this post we will cover the different types of DNS poisoning attacks, explain why they should not be referred to as DNS cache poisoning and make the case for a more relevant name for this class of internet censorship tactics. <br /> <br />For brevity, this will be a high-level overview of the types of DNS attacks. Each will be covered in detail separately in a dedicated blog post.<br /> <br />I distinguish three types of network/server-side DNS attacks:<br /><br />1. DNS Cache Poisoning<br />2. <a href="https://www.securesenses.net/2022/08/dns-injection-attack.html" target="_blank">DNS injection</a><br />3. <a href="https://www.securesenses.net/2022/08/rogue-dns-server.html">Rogue DNS server</a><br /><br />The above attacks don’t require any modification of the DNS client’s OS or of the last-mile router/modem. <br /><br />While outside the scope of this article, for completeness client-side DNS attacks can be divided into the following:<br /><br /> <br />1. 
OS modification <br /><ul><li> Malware adding hosts file entries </li><li> Malware changing the DNS settings </li></ul>2. Router modification <br /><ul style="text-align: left;"><li> Local malware changing the DNS settings on the router </li><li> External changes to the router’s DNS settings (for example using UPnP or exposed administrative interfaces)</li></ul><h2 style="text-align: left;">What’s a DNS cache? </h2>To understand why most DNS poisoning attacks are not cache poisoning attacks, let’s first cover what the DNS cache is.<br /><br />DNS is a distributed hierarchical database; its data is spread across many globally distributed servers. Each DNS record has a Time To Live (TTL) value. The TTL specifies (in seconds) how long a DNS record may be cached. As a side note, some DNS servers do not respect the TTL and overwrite it, but we will explore that in a different post. <br /><br />To reduce the load on the servers and speed up the resolution process, valid responses are cached in memory (the DNS cache) for the duration of the TTL.<br /><br />When a recursive DNS resolver (see <a href="https://www.securesenses.net/2022/08/whats-recuresive-dns-query.html" target="_blank">What's a recursive DNS query</a>?) resolves a name for a DNS client, it stores the answer in its cache. When the resolver is queried for the same name within the TTL, it returns the record from its cache immediately. The client caches the result in its own cache too.<br /><br />Now that we know what a DNS cache is…<br /><h2 style="text-align: left;">DNS Cache Poisoning attack</h2><p>In this attack, malicious DNS records are inserted into the DNS server’s cache. Once cached, the server will return the data from its cache for the duration of the TTL. <br /><br />This attack relies on timing. The attacker queries the resolver for the target domain name and then itself returns a spoofed result to the resolver. 
<br /><br />The high-level steps are as follows:</p><ol style="text-align: left;"><li>Attacker queries the target resolver for target.example.com</li><li>Resolver issues an iterative query on behalf of the client for target.example.com</li><li>Attacker sends a spoofed DNS response to the resolver pointing target.example.com to the IP address of the attacker’s choosing</li><li>Resolver receives the spoofed response and inserts it into its cache</li><li>Resolver’s cache has been poisoned<br /></li></ol><p>Simple in theory, but extremely difficult and impractical to pull off. The attacker needs to get many things right for this to succeed and must do all of it before the real answer arrives, which is usually a matter of milliseconds. <br /><br />I have personally never seen this happen in the wild and I consider this largely a theoretical attack nowadays. </p><h2 style="text-align: left;">DNS injection attack<br /></h2><p>In this type of DNS attack, a network traffic monitoring device injects spoofed responses. <br /><br />This attack is relatively easy to carry out (assuming the attacker controls the network) because DNS uses the UDP protocol. <br /><br />When a monitoring device detects a DNS query for a censored domain, it forges a fake response and sends it to the client. This attack can be implemented by an in-path or an off-path device. This technique is used by state actors to implement country-based censorship. <br /><br />For example, in China the Great Firewall of China (GFW) injects the fake response; however, it neither blocks the original query nor drops the real answer. It relies on its logical proximity to the DNS clients to ensure the fake responses arrive faster than the valid ones. <br /><br />We will look at this behaviour in detail in a post dedicated to DNS injection attacks, where we’ll break it down by country. 
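<br /><br />Added example (Python; not code from this post or from the dig walkthrough in the recursive query post): it decodes the header fields dig prints (status, the qr/rd/ra flags and the "recursion requested but not available" warning) from hand-built wire-format replies, then flags the two-different-answers-for-one-query pattern a client sees when an injector such as the one described above leaves the genuine reply in place. The transaction ids are taken from the dig output in the recursive query post; the addresses are constructed documentation-range values.

```python
"""Decode DNS reply headers the way dig reports them, and flag the
"two different answers to one query" pattern an injecting device leaves
when it does not drop the genuine reply. Added example, not code from
this blog; all messages are constructed by hand with documentation IPs."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QR, RD, RA = 0x8000, 0x0100, 0x0080  # header flag bits, RFC 1035 section 4.1.1

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(ident, qname, flags, ips=(), ttl=60):
    """Construct a reply with one A question and zero or more A answers."""
    header = struct.pack("!HHHHHH", ident, flags, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for ip in ips:  # owner name is a compression pointer to the question (offset 12)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += bytes(int(octet) for octet in ip.split("."))
    return header + question + answers

def parse_header(msg):
    """Return the header fields that appear in dig's HEADER and flags lines."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "question": qd, "answer": an, "authority": ns, "additional": ar}

def dig_summary(msg):
    """Mimic dig's status/flags lines, including its recursion warning."""
    h = parse_header(msg)
    flags = " ".join(f for f in ("qr", "rd", "ra") if h[f])
    text = f"status: {h['status']}, id: {h['id']}; flags: {flags}; ANSWER: {h['answer']}"
    if h["rd"] and not h["ra"]:  # recursive query answered by a non-recursive server
        text += "; WARNING: recursion requested but not available"
    return text

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left
            end = end if jumped else off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if jumped else off

def a_records(msg):
    """Collect the IPv4 addresses carried in the answer section."""
    h, off, ips = parse_header(msg), 12, []
    for _ in range(h["question"]):
        off = read_name(msg, off)[1] + 4  # skip qname, qtype, qclass
    for _ in range(h["answer"]):
        off = read_name(msg, off)[1]
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

def conflicting_answers(responses):
    """Map transaction id -> distinct A-record sets, only for ids whose replies disagreed.
    A retransmission (same answer twice) is not reported; two replies with one id and
    different addresses is what injection looks like from the client side."""
    seen = {}
    for msg in responses:
        h = parse_header(msg)
        if h["qr"]:
            seen.setdefault(h["id"], []).append(frozenset(a_records(msg)))
    return {i: sorted(set(s), key=sorted) for i, s in seen.items() if len(set(s)) > 1}

QNAME = "www.securesenses.net."
# Constructed samples mirroring the dig output in the posts (ids taken from it).
REFUSED_REPLY = build_response(22875, QNAME, QR | 5)         # flags: qr, status REFUSED
SERVFAIL_REPLY = build_response(33028, QNAME, QR | RA | 2)   # flags: qr ra, status SERVFAIL
ROOT_REFERRAL = build_response(31938, QNAME, QR | RD)        # flags: qr rd, RA clear
GENUINE = build_response(0x1234, QNAME, QR | RD | RA, ["192.0.2.10"])
INJECTED = build_response(0x1234, QNAME, QR | RD | RA, ["198.51.100.7"])
RETRANSMIT = build_response(0x5678, QNAME, QR | RD | RA, ["192.0.2.10"])

if __name__ == "__main__":
    for reply in (REFUSED_REPLY, SERVFAIL_REPLY, ROOT_REFERRAL):
        print(dig_summary(reply))
    print(conflicting_answers([INJECTED, GENUINE, RETRANSMIT, RETRANSMIT]))
```

On a real capture the same grouping by transaction id and answer set tells a plain duplicate apart from a second, disagreeing reply; only the latter is worth alerting on.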
</p><h2 style="text-align: left;">Rogue DNS server attack</h2><p>In this type of attack a legitimate DNS server is configured to return fake responses. This attack can be carried out by an external actor (someone hacking a DNS server) or an internal actor (for example someone at an ISP). <br /><br />In my research I have seen this attack affecting single servers, an ISP in a specific region of a country and a whole ISP.</p><h2 style="text-align: left;">Summarising<br /></h2><p>In this very high-level post we’ve outlined three types of DNS attacks. We covered what the DNS cache is and explained why only one of the attacks actively targets the servers’ cache. <br /></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-76330055673996152302022-04-22T08:29:00.004+01:002022-08-09T15:31:56.282+01:00Changing focus to cover internet censorship<span style="font-family: Arial;">It’s clearly been a while since the last post on this blog! I’m planning to change that and start posting again. <br /><br />The focus will change from general IT to topics related to the broad subject of internet censorship. <br /><br />Internet censorship has been the main focus of my work for more than half a decade (time flies) and I’ve wanted to share what I’ve learnt for a while now. 
<br /><br />These are some of the topics I’m planning to cover in detail over the next months and probably years: <br /></span><ul style="text-align: left;"><li><span style="font-family: Arial;"> How DNS works</span></li><li><span style="font-family: Arial;"> DNS poisoning </span></li><li><span style="font-family: Arial;"> DNS spoofing</span></li><li><span style="font-family: Arial;"> DNS cache poisoning </span></li><li><span style="font-family: Arial;"> HTTPS SNI blocking</span></li><li><span style="font-family: Arial;"> HTTP blocking </span></li><li><span style="font-family: Arial;"> HTTP redirections </span></li><li><span style="font-family: Arial;"> What’s the Great Firewall of China and what blocking techniques it implements</span></li><li><span style="font-family: Arial;"> Internet censorship in China</span></li><li><span style="font-family: Arial;"> Internet censorship in Korea</span></li><li><span style="font-family: Arial;"> Internet censorship in India</span></li><li><span style="font-family: Arial;"> Internet censorship in Indonesia</span></li></ul><span style="font-family: Arial;"><br />We will dive deep down to the packet level and see exactly how these attacks are implemented as well as how to diagnose and reproduce them. <br /><br />That’s it for now. Stay tuned!</span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-87306914697622225632016-01-01T13:44:00.001+00:002016-01-01T13:44:44.844+00:00Local Administrator Password Solution (LAPS) is now officialThis solution is now officially distributed by Microsoft! <br />
<br />
"Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords."<br />
<br />
<br />
https://www.microsoft.com/en-us/download/details.aspx?id=46899<br />
<br />
https://technet.microsoft.com/en-us/library/security/3062591.aspx<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-91080057725458112682013-10-28T11:19:00.000+00:002013-10-28T22:09:32.363+00:00Managing The Local Administrator Password - Part 3 - The Implementation<span style="font-family: Arial, Helvetica, sans-serif;">In this post I outline a step by step guide on implementing the solution. This post builds on the previous one.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">This is mostly a condensed version of the author’s documentation with addition of some items that either I found unclear or were not covered by the author. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">In any case you should read the full documentation found here:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/file/96116/1/Documentation.zip">http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/file/96116/1/Documentation.zip</a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">WARNING: The solution requires schema extension and this should never be taken lightly so do test properly and proceed at your own risk. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The steps described in this section can be carried out on a Domain Controller or a management workstation. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">1.<span class="Apple-tab-span" style="white-space: pre;"> </span><u>Install the CSE including the “Management Tools”</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">This installs: </span><br />
<br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">AdmPwd.ps PowerShell module </span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">GPO templates (AdmPwd.admx and .adml) </span></li>
</ul>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Note: I tested this on a domain with a local GPO store. If you are using a Central Store you should check if the templates have been copied. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The following to steps are required for Windows 2008 and 7. Windows 2012 comes with .Net4 installed and enabled.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">A) </span><span style="font-family: Arial, Helvetica, sans-serif;">Download and install .Net4: </span><span style="color: #1155cc; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 15px;"><a href="http://www.microsoft.com/en-us/download/details.aspx?id=17718">http://www.microsoft.com/en-us/download/details.aspx?id=17718</a></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">B) Configure PowerShell to load .Net4: </span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Create a file named “PowerShell.exe.config” in “\windows\system32\WindowsPowerShell\v1.0\” with the following content:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><?xml version="1.0"?</span><span style="font-family: Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, serif;"><span style="font-size: 14px; line-height: 18px;">></span></span><br />
<span style="font-family: Courier New, Courier, monospace;"><configuration> </span><br />
<span style="font-family: Courier New, Courier, monospace;"> <</span><span style="font-family: 'Courier New', Courier, monospace;">startup useLegacyV2RuntimeActivationPolicy="true"></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <</span><span style="font-family: 'Courier New', Courier, monospace;">supportedRuntime version="v4.0.30319"/></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <</span><span style="font-family: 'Courier New', Courier, monospace;">supportedRuntime version="v2.0.50727"/></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <</span><span style="font-family: 'Courier New', Courier, monospace;">/startup></span><br />
<span style="font-family: Courier New, Courier, monospace;"></configuration></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Reference: <a href="http://tfl09.blogspot.cz/2010/08/using-newer-versions-of-net-with.html">http://tfl09.blogspot.cz/2010/08/using-newer-versions-of-net-with.html</a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">4.<span class="Apple-tab-span" style="white-space: pre;"> </span><u>Update schema</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PS C:> Import-module AdmPwd.ps</span><br />
<span style="font-family: Courier New, Courier, monospace;">PS C:> Update-AdmPwdSchema </span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">5.<span class="Apple-tab-span" style="white-space: pre;"> </span><u>Remove “All Extended Rights” permission</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">This permission is not granted by default; you should, however, ensure it has not been granted manually, as it would give access to the stored passwords: “All Extended Rights” includes the CONTROL_ACCESS right that reading a confidential attribute requires. </span><br />
<br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Use ADSIEDIT.msc and connect to the “Default Naming Context”.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Right-click the OU that will contain the computer objects you want to manage.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Go to “Permissions” tab and click “Advanced”. </span></li>
</ul>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">You should also ensure that permission inheritance is enabled on sub-OUs.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">6.<span class="Apple-tab-span" style="white-space: pre;"> </span><u>Add Write permission to ms-MCS-AdmPwdExpirationTime and ms-MCS-AdmPwd attributes to SELF</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PS C:> Set-AdmPwdComputerSelfPermission -OrgUnit &lt;name of the OU on which you want to delegate permissions&gt;</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">7.<span class="Apple-tab-span" style="white-space: pre;"> </span><u>Add CONTROL_ACCESS permission to ms-MCS-AdmPwd attribute</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">In this step we grant the permission to retrieve passwords from AD (see the previous post for more details). First, create the group you will use to grant access to the passwords.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PS C:> Set-AdmPwdReadPasswordPermission -OrgUnit &lt;name of the OU on which you want to delegate permissions&gt; -AllowedPrincipals &lt;identification of users/groups that should be allowed to read password&gt;</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">8.<span class="Apple-tab-span" style="white-space: pre;"> </span><u>Add Write permission to ms-MCS-AdmPwdExpirationTime attribute</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">In this step we grant the permission to force a password reset.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">PS C:> Set-AdmPwdResetPasswordPermission -OrgUnit &lt;name of the OU on which you want to delegate permissions&gt; -AllowedPrincipals &lt;identification of users/groups that should be allowed to reset password&gt;</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">9.<span class="Apple-tab-span" style="white-space: pre;"> </span><u>Create a GPO that will be used to enable password management</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The GPO needs to be linked to the OU containing the accounts of the computers you want to manage. You don’t configure any settings in this GPO; the magic happens in the next step. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">10.<span class="Apple-tab-span" style="white-space: pre;"> </span><u>Register the CSE with the GPO</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><u><br /></u></span>
<span style="font-family: Courier New, Courier, monospace;">PS C:> Register-AdmPwdWithGPO -GpoIdentity:&lt;gpo that should trigger CSE execution&gt;</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The cmdlet accepts displayName, GUID or DN.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">This is all the configuration required on the server side.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
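The server-side steps above collected into one script, as an added example that is not from the original post or from the AdmPwd solution itself. The OU, group and GPO names and the list of principals expected to hold full control are placeholders, and the “All Extended Rights” check of step 5 is done with Get-Acl instead of ADSIEDIT:

```powershell
# Added example (not the AdmPwd solution's own code): steps 4 to 10 for one OU,
# with a check for "All Extended Rights" grants before any access is delegated.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$Ou         = 'OU=Workstations,DC=corp,DC=example'   # placeholder: OU holding the managed computers
$ReadGroup  = 'CORP\LocalAdminPwd-Readers'            # placeholder: may read ms-MCS-AdmPwd (step 7)
$ResetGroup = 'CORP\LocalAdminPwd-Resetters'          # placeholder: may force a reset (step 8)
$GpoName    = 'Local Admin Password Management'       # placeholder: settings-free GPO linked to $Ou (step 9)
# Placeholder list of principals that legitimately hold full control over the OU; adjust for your domain.
$ExpectedFullControl = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CORP\Domain Admins', 'CORP\Enterprise Admins')

# Step 5 as a check. An ACE granting "All Extended Rights" has the ExtendedRight bit set and an empty
# ObjectType GUID (no specific right named). CONTROL_ACCESS on the confidential ms-MCS-AdmPwd attribute
# is one of those extended rights, so any such ACE outside the expected list exposes the passwords.
function Find-AllExtendedRightsGrant {
    param([Parameter(Mandatory)][string]$DistinguishedName, [string[]]$Exclude = @())
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $extendedRight) -ne 0 -and
        $_.ObjectType -eq [guid]::Empty -and
        $Exclude -notcontains $_.IdentityReference.Value
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}

# Verification for step 7: who holds CONTROL_ACCESS on ms-MCS-AdmPwd, i.e. who can actually read the
# passwords. The right is an ExtendedRight ACE scoped to the attribute's schemaIDGUID (or to all rights).
function Get-AdmPwdReaders {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq 'ms-Mcs-AdmPwd'" -Properties schemaIDGUID
    $attrGuid = [guid]$attr.schemaIDGUID
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $extendedRight) -ne 0 -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, IsInherited
}

$offenders = Find-AllExtendedRightsGrant -DistinguishedName $Ou -Exclude $ExpectedFullControl
if ($offenders) {
    $offenders | Format-Table -AutoSize | Out-String | Write-Warning
    throw "Unexpected 'All Extended Rights' grants on $Ou; remove them before delegating password access."
}

# Step 4: extend the schema once (needs Schema Admins); skipped if the attribute already exists.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq 'ms-Mcs-AdmPwd'")) {
    Update-AdmPwdSchema
}

Set-AdmPwdComputerSelfPermission -OrgUnit $Ou                                   # step 6: SELF writes both attributes
Set-AdmPwdReadPasswordPermission  -OrgUnit $Ou -AllowedPrincipals $ReadGroup    # step 7: CONTROL_ACCESS on ms-MCS-AdmPwd
Set-AdmPwdResetPasswordPermission -OrgUnit $Ou -AllowedPrincipals $ResetGroup   # step 8: write on ms-MCS-AdmPwdExpirationTime
Register-AdmPwdWithGPO -GpoIdentity $GpoName                                    # step 10: displayName, GUID or DN

# Show the resulting set of principals able to read passwords under the OU.
Get-AdmPwdReaders -DistinguishedName $Ou | Format-Table -AutoSize
```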
<span style="font-family: Arial, Helvetica, sans-serif;">Now we need to deploy the CSE to the computers we want to manage and configure the password requirements (see the previous post and the documentation for details). </span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Managing The Local Administrator Password - Part 2 - The Solution</u> (2013-10-28)</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Jiri Formacek, a Microsoft Services consultant (based on his LinkedIn profile), has published an excellent local admin password management solution. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The solution uses a Group Policy Client Side Extension (CSE) to set a random, unique per-computer local administrator password that is changed at a user-controlled interval (30 days by default). The password is then stored in a confidential Active Directory (AD) attribute. Permission to retrieve the password is controlled using a security group.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The solution is described in the documentation so I won’t be repeating what’s there. I’ll go over the main points and some stuff that’s not covered in the official documentation. I recommend reading the documentation.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The solution can be downloaded here:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789">http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789</a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The documentation can be found here:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/file/96116/1/Documentation.zip">http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789/file/96116/1/Documentation.zip</a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Implementation requires AD schema extension in order to create two new attributes and add them to the computer object class. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The two attributes are:</span><br />
<br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">ms-MCS-AdmPwd – stores the password </span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">ms-MCS-AdmPwdExpirationTime – stores the expiration time; a password change can be forced by setting the value to “0”</span></li>
</ul>
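An added example, not from the original post or from the AdmPwd solution, that audits ms-MCS-AdmPwdExpirationTime for every computer under an OU and forces a reset by writing “0” as described above. It assumes the ActiveDirectory module is available, that the attribute holds a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), and uses a placeholder OU name:

```powershell
# Added example (not the solution's own code): expiry audit and forced reset for managed computers.
Import-Module ActiveDirectory

function Get-AdmPwdExpiryReport {
    param(
        [Parameter(Mandatory)][string]$OrgUnit,   # e.g. 'OU=Workstations,DC=corp,DC=example' (placeholder)
        [int]$MaxAgeDays = 30                      # the solution's default change interval
    )
    $now = Get-Date
    Get-ADComputer -SearchBase $OrgUnit -Filter * -Properties 'ms-MCS-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-MCS-AdmPwdExpirationTime'
            $expires = $null
            $state = 'Current'
            if ($null -eq $raw) {
                $state = 'NotManaged'        # the CSE has never written the attribute: GPO or CSE missing
            }
            elseif ($raw -eq 0) {
                $state = 'ResetPending'      # a reset has been forced; the CSE rotates at the next GP refresh
            }
            else {
                try {
                    # Assumption: FILETIME semantics, as with other AD time attributes such as pwdLastSet
                    $expires = [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
                    if ($expires -le $now) { $state = 'Expired' }                          # rotation overdue
                    elseif ($expires -gt $now.AddDays($MaxAgeDays)) { $state = 'TooFarOut' } # longer than policy allows
                }
                catch {
                    $state = 'InvalidValue'  # out-of-range value written by something other than the CSE
                }
            }
            [pscustomobject]@{ Computer = $_.Name; ExpiresAt = $expires; State = $state }
        }
}

function Reset-AdmPwdNow {
    param([Parameter(Mandatory)][string]$ComputerName)
    # 0 is always in the past for the CSE, so it generates a new password at the next Group Policy refresh.
    # Requires the write permission on ms-MCS-AdmPwdExpirationTime granted by Set-AdmPwdResetPasswordPermission.
    Set-ADComputer -Identity $ComputerName -Replace @{ 'ms-MCS-AdmPwdExpirationTime' = 0 }
}

$report = Get-AdmPwdExpiryReport -OrgUnit 'OU=Workstations,DC=corp,DC=example'
$report | Sort-Object State, Computer | Format-Table -AutoSize
# Example policy: anything with an expiry beyond the configured interval is reset immediately.
$report | Where-Object State -eq 'TooFarOut' | ForEach-Object { Reset-AdmPwdNow -ComputerName $_.Computer }
```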
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuFyNHOal44Cj-hwTYxuvQw47uaFldMgGiXUlKAcGJpd7xQYA_SlCy4X8J7Rlp22RrMVGNxaJVpLdHHzZ0FyHPUY6jC0bg_U_dqxtEx8cEolAN9DN-C9Qv64NapShRcYVclAx5RLWQhPU/s1600/attributes_set1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuFyNHOal44Cj-hwTYxuvQw47uaFldMgGiXUlKAcGJpd7xQYA_SlCy4X8J7Rlp22RrMVGNxaJVpLdHHzZ0FyHPUY6jC0bg_U_dqxtEx8cEolAN9DN-C9Qv64NapShRcYVclAx5RLWQhPU/s1600/attributes_set1.png" /></a></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The attributes are marked as confidential, so members of the Authenticated Users group cannot read the values.</span></div>
<div>
</div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">More on confidential attributes here: <a href="http://support.microsoft.com/kb/922836">http://support.microsoft.com/kb/922836</a></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Access to the attributes is controlled with a security group. I used two separate groups: one with read access to the ms-MCS-AdmPwd attribute for retrieving the passwords, and a second one with write permission to the ms-MCS-AdmPwdExpirationTime attribute for forcing a reset. In most cases the same group would perform both tasks, but I prefer to have the option of separating them. Permissions can be granted per OU, so you can further subdivide the access, for example by geographical location.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The passwords can be retrieved using “AD Users and Computers” and ADSIEDIT consoles. Also, the author provided a GUI tool that can be used to easily retrieve admin passwords. The tool is installed along with the management tools.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifIBKkN-bIf0L098US4NmVgEFPcZc3qWUH7b188oGD94l31p1puynTJXpEWrwqiPh8LM7J_G0piFG7O2Y17ynt5guyrtIX8qn8NOzQfolkqOImJ5BuCPcCj5RiEngxgKfmstPaSNFPWKY/s1600/pwdRetrieveGUI.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifIBKkN-bIf0L098US4NmVgEFPcZc3qWUH7b188oGD94l31p1puynTJXpEWrwqiPh8LM7J_G0piFG7O2Y17ynt5guyrtIX8qn8NOzQfolkqOImJ5BuCPcCj5RiEngxgKfmstPaSNFPWKY/s400/pwdRetrieveGUI.PNG" height="307" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">The Client Side Extension (CSE) is a DLL file that needs to be deployed to and registered on managed computers. A convenient MSI file is provided. It can be deployed using your standard package management tools such as SCCM, Altiris or Group Policy.</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">The management tools (Group Policy Template, PowerShell scripts, and the GUI tool) are installed using the same MSI. Only the CSE needs to be installed on the managed computers.</span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdUi7IHmmi5FG9pp7htVbhRDbkJOm7R56W6rZ8BwBvQTSfXHeOkrx29Zjhz2Oq3CDdI7nBlT3jGwZ2YzoVNeB464Pz8ebnx9D9yy_Tbbr-LPP9j-5OC2JNPKOMNbaZi-RUMVxqWcMt8EU/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdUi7IHmmi5FG9pp7htVbhRDbkJOm7R56W6rZ8BwBvQTSfXHeOkrx29Zjhz2Oq3CDdI7nBlT3jGwZ2YzoVNeB464Pz8ebnx9D9yy_Tbbr-LPP9j-5OC2JNPKOMNbaZi-RUMVxqWcMt8EU/s1600/1.PNG" /></a></div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The CSE is configured using the provided GPO template. </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw6m1Zm5ufNAIg4aiOGRrsCffcTFLYsOMHL8GYS_AJD2X_hRfxkJtjP6E4yJiY0tKHx3z-mwEcvAVlkvxQruo6_MWMovLo45I4x4zVvZZksxAPBM5eUSNJyqa-KpUTbjPkNiRyzQX1alE/s1600/gpo1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw6m1Zm5ufNAIg4aiOGRrsCffcTFLYsOMHL8GYS_AJD2X_hRfxkJtjP6E4yJiY0tKHx3z-mwEcvAVlkvxQruo6_MWMovLo45I4x4zVvZZksxAPBM5eUSNJyqa-KpUTbjPkNiRyzQX1alE/s1600/gpo1.PNG" /></a></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The documentation states that the default password length is 15 characters; in fact it is 12. </span><span style="font-family: Arial, Helvetica, sans-serif;">We definitely want a password of at least 15 characters, as this prevents Windows from storing it as an insecure LM hash (an LM hash cannot be computed for passwords longer than 14 characters). More on LanManager here: </span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://computer-forensics.sans.org/blog/2012/02/29/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly">http://computer-forensics.sans.org/blog/2012/02/29/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly</a></span></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">There are two settings in the template:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaS7BObrPuiZyQSS6MHLfM-wrRjHbq4YfzFqulKFbJ_YhFsw4BkC__PlaETxdNDZAzu6pVUK0l-xmwuCgR21KZABeqK1yNTqLd5zUgskjyRg5IxB6VX2Jax0iQXtO6hyphenhyphenxUA4NiKOnUsQo/s1600/2a.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaS7BObrPuiZyQSS6MHLfM-wrRjHbq4YfzFqulKFbJ_YhFsw4BkC__PlaETxdNDZAzu6pVUK0l-xmwuCgR21KZABeqK1yNTqLd5zUgskjyRg5IxB6VX2Jax0iQXtO6hyphenhyphenxUA4NiKOnUsQo/s1600/2a.PNG" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglkuMLdV9S0IWwMbj6EQpM9d7X6LC24YN4A6auJ8K2Axb4X2DoRB5WJcxfKgRgBKLp_FTeGD0M2J7bTwTS0KwlYi5b47EQnliUZBlagqZDLE7MKDXhOLwtgdBiwZJ7YqdBkcT9AY1Vm50/s1600/3a.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglkuMLdV9S0IWwMbj6EQpM9d7X6LC24YN4A6auJ8K2Axb4X2DoRB5WJcxfKgRgBKLp_FTeGD0M2J7bTwTS0KwlYi5b47EQnliUZBlagqZDLE7MKDXhOLwtgdBiwZJ7YqdBkcT9AY1Vm50/s1600/3a.PNG" /></a></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The CSE has an event log provider that logs to the Application Log. This is detailed in the documentation. I found it useful to set the logging level to the highest during testing.</span></div>
</div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh85qhupae4iVeH8wxQyBhJKblgEjIRUCT6ZfWR8p5ZcR4CmY2O8aV9WzKfaLtEQDiS-G2z5QWFYLk-7Q5Py5wkml9_l0RbM4a3i01s8rv_opIpXcBLVmhz8TQgHyisCVeARhyphenhyphenFIhz-qmM/s1600/pwdchanged.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh85qhupae4iVeH8wxQyBhJKblgEjIRUCT6ZfWR8p5ZcR4CmY2O8aV9WzKfaLtEQDiS-G2z5QWFYLk-7Q5Py5wkml9_l0RbM4a3i01s8rv_opIpXcBLVmhz8TQgHyisCVeARhyphenhyphenFIhz-qmM/s1600/pwdchanged.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9Kp6J2a5AMCdSg75Q2mcnU5qAtO6EyknskHBemw1Pj8t3j5CT_unxRefMoe7OGljMAIszFrwC26NTXr4w2xIUJMGiMG0UDgA9YZGC6lc9BUYhL2HPoRhdA-Adz9q7n-uM3qMXZ5ORKQ0/s1600/pwdreported.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9Kp6J2a5AMCdSg75Q2mcnU5qAtO6EyknskHBemw1Pj8t3j5CT_unxRefMoe7OGljMAIszFrwC26NTXr4w2xIUJMGiMG0UDgA9YZGC6lc9BUYhL2HPoRhdA-Adz9q7n-uM3qMXZ5ORKQ0/s1600/pwdreported.PNG" /></a></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">To summarize, I find that this solution meets all the requirements. I have tested it on a 2012 AD with Windows 7 clients and 2012 member servers, as well as on a 2008 R2 AD with Windows 7 and XP clients. </span><span style="font-family: Arial, Helvetica, sans-serif;">I think this is an excellent solution.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">A potential concern is that the passwords are stored in clear text in the AD directory partition. However, an attacker would have to obtain a copy of the AD database and extract the passwords offline. </span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Managing The Local Administrator Password - Part 1 - The Issue</u> (2013-10-15)</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The local administrator password has always been a headache for security professionals. There hasn’t been a good, free way to manage it at scale, and most organizations ended up using the same password on all desktops or even servers. This introduces a number of vulnerabilities, such as:</span><br />
<br />
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">All IT Staff know the password</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">The password is never changed</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">The password inevitably becomes known to the users and various 3rd parties</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Machines are exposed to pass-the-hash attacks </span></li>
</ul>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">If an attacker, malware or a malicious insider gains access to a single machine that is currently logged on under the local admin account, they will be able to access all machines by running a script or using built-in management tools. Moreover, compromising a single machine allows an attacker to grab the password hash and use it to access other computers.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The local administrator password can be managed using Group Policy Preferences as detailed in the following article: </span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<a href="https://social.technet.microsoft.com/wiki/contents/articles/1827.active-directory-how-to-change-the-local-administrator-password-on-domain-member-computers-dsforum2wiki.aspx"><span style="font-family: Arial, Helvetica, sans-serif;">https://social.technet.microsoft.com/wiki/contents/articles/1827.active-directory-how-to-change-the-local-administrator-password-on-domain-member-computers-dsforum2wiki.aspx</span></a></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">While this satisfies most compliance requirements (they generally only require that passwords are changed at a set interval), this still leaves all computers with a single password. Furthermore, Group Policy Preferences store encrypted passwords in the SYSVOL folder and the encryption key is published on MSDN:</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<a href="http://msdn.microsoft.com/en-us/library/cc422924.aspx"><span style="font-family: Arial, Helvetica, sans-serif;">http://msdn.microsoft.com/en-us/library/cc422924.aspx</span></a></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Clear text passwords can be retrieved from Group Policy Preferences using a PowerShell script as detailed in the article below:</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://obscuresecurity.blogspot.com/2013/07/get-gpppassword.html">http://obscuresecurity.blogspot.com/2013/07/get-gpppassword.html</a> </span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">In summary, Group Policy Preferences are not a good solution.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">As to other solutions, there is one from SANS. I haven’t explored it but it does look comprehensive:</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<a href="http://www.sans.org/windows-security/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise"><span style="font-family: Arial, Helvetica, sans-serif;">http://www.sans.org/windows-security/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise</span></a></div>
</div>
<div>
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>OCSP response unauthorized or unsuccessful</u> (2013-06-03)</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The Windows OCSP client requires that the OCSP responder URL is populated in the AIA extension. If it is not included, Windows does not form the OCSP request properly and validation fails with a certutil status of "Unsuccessful". The same certificate was successfully validated by a Cisco ASA OCSP client. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">According to RFC 2560, Appendix A.1.1:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<pre style="white-space: pre-wrap; word-wrap: break-word;">{url} may be derived from the value of AuthorityInfoAccess or
other local configuration of the OCSP client.</pre>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">This does not seem to be the case in Microsoft's implementation. </span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The OCSP responder address is specified in the Authority Information Access (AIA) extension. </span><span style="font-family: Arial, Helvetica, sans-serif;">In a Windows CA, this is configured in the properties of the CA on the "Extensions" tab.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWHh0qN1Jsw07IMpVfGik9v38th9o8lpsYoG2n-GaS09-eYAQhHHI1Ng7NXKJV_WDxYknJLNm5URI1vDgsCbRgem9QBoNxprwkwS1k6JBD84o93SGNaM0o6cxFga0r3yvuzC-Gt5dag-8/s1600/ocsp+aia.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWHh0qN1Jsw07IMpVfGik9v38th9o8lpsYoG2n-GaS09-eYAQhHHI1Ng7NXKJV_WDxYknJLNm5URI1vDgsCbRgem9QBoNxprwkwS1k6JBD84o93SGNaM0o6cxFga0r3yvuzC-Gt5dag-8/s1600/ocsp+aia.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Once configured, all newly issued certificates will include the OCSP responder address.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCiIyIP8rWwXPnAwGkpd1UReIM21Xn29fwecpU5Arh5hiMGVNu_8JLJyeMNPbupIDEjYPcF9s6apNh4Sl2MfsJ9BdUx8sQUlOip2JyvXFmGAuHoXUK6PPd4wqBTGPTwOaEBtz4wZQHoVE/s1600/CaptureAIA.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCiIyIP8rWwXPnAwGkpd1UReIM21Xn29fwecpU5Arh5hiMGVNu_8JLJyeMNPbupIDEjYPcF9s6apNh4Sl2MfsJ9BdUx8sQUlOip2JyvXFmGAuHoXUK6PPd4wqBTGPTwOaEBtz4wZQHoVE/s1600/CaptureAIA.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: Arial, Helvetica, sans-serif;">Without the OCSP entry in the AIA extension, validation using certutil fails.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLY-GYY8_sZtFlOhg7MNCyDnKcEVND0Bd41JmJT1yqY7B_YzCDa6UWfhJ8MqPR21D8THDIVpmXkrx9OtFaRXvFDBJZXA6Z48eiuM-L1XNffp_HZFmsvKp-XdYAl5FGFMaY7rSEWbOZlFg/s1600/Capture3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLY-GYY8_sZtFlOhg7MNCyDnKcEVND0Bd41JmJT1yqY7B_YzCDa6UWfhJ8MqPR21D8THDIVpmXkrx9OtFaRXvFDBJZXA6Z48eiuM-L1XNffp_HZFmsvKp-XdYAl5FGFMaY7rSEWbOZlFg/s1600/Capture3.PNG" /></a></div>
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">According to RFC 2560, an OCSP request must specify the hash algorithm, the issuer name hash, the issuer key hash and the serial number of the certificate to be validated. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Extract from RFC 2560:</span><br />
<br />
<pre style="white-space: pre-wrap; word-wrap: break-word;">CertID ::= SEQUENCE {
    hashAlgorithm       AlgorithmIdentifier,
    issuerNameHash      OCTET STRING, -- Hash of Issuer's DN
    issuerKeyHash       OCTET STRING, -- Hash of Issuers public key
    serialNumber        CertificateSerialNumber }

issuerNameHash is the hash of the Issuer's distinguished name. The hash shall be calculated over the DER encoding of the issuer's name field in the certificate being checked. issuerKeyHash is the hash of the Issuer's public key. The hash shall be calculated over the value (excluding tag and length) of the subject public key field in the issuer's certificate. The hash algorithm used for both these hashes, is identified in hashAlgorithm. serialNumber is the serial number of the certificate for which status is being requested.</pre>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">If the AIA extension doesn't specify the OCSP URL, the Windows client does not include the issuer's key hash in the request. </span></div>
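An added example, not from the original post, that checks a certificate's AIA extension for an OCSP responder URL (the entry whose absence makes the Windows client fail, as described above) and computes the RFC 2560 CertID fields for it. It assumes SHA-1 as the hashAlgorithm, placeholder .cer file paths for the certificate and its issuer, and English-locale output from the .NET extension formatter:

```powershell
# Added example (not from the post): AIA inspection and CertID computation with the .NET X.509 classes.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-OcspResponderUrl {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    # Authority Information Access is OID 1.3.6.1.5.5.7.1.1; the OCSP access method is id-ad-ocsp 1.3.6.1.5.5.7.48.1
    $aia = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) { return }
    # Format($true) renders one "[n]Authority Info Access" block per entry, each with an
    # "Access Method=... (OID)" line and a "URL=" line (assumption: English-locale layout)
    $blocks = $aia.Format($true) -split '(?=\[\d+\]Authority Info Access)'
    foreach ($block in $blocks) {
        if ($block -match '1\.3\.6\.1\.5\.5\.7\.48\.1' -and $block -match 'URL=(\S+)') { $Matches[1] }
    }
}

function Get-OcspCertId {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,   # certificate whose status is requested
        [Parameter(Mandatory)][X509Certificate2]$Issuer         # the CA certificate that issued it
    )
    $sha1 = [SHA1]::Create()
    try {
        # issuerNameHash: hash over the DER encoding of the issuer name field of the certificate being checked
        $nameHash = $sha1.ComputeHash($Certificate.IssuerName.RawData)
        # issuerKeyHash: hash over the value of subjectPublicKey in the issuer's certificate, excluding the
        # BIT STRING tag, length and unused-bits octet; EncodedKeyValue.RawData is exactly that value
        $keyHash = $sha1.ComputeHash($Issuer.PublicKey.EncodedKeyValue.RawData)
    }
    finally { $sha1.Dispose() }
    [pscustomobject]@{
        hashAlgorithm  = 'sha1 (1.3.14.3.2.26)'
        issuerNameHash = [BitConverter]::ToString($nameHash).Replace('-', '')
        issuerKeyHash  = [BitConverter]::ToString($keyHash).Replace('-', '')
        serialNumber   = $Certificate.SerialNumber
    }
}

function Test-IssuerKeyHashMatchesSki {
    # When the CA built its Subject Key Identifier with RFC 5280 method 1 (SHA-1 of the public key),
    # issuerKeyHash equals the issuer's SKI, which gives an easy cross-check against a certutil dump.
    param([Parameter(Mandatory)][X509Certificate2]$Issuer, [Parameter(Mandatory)][string]$IssuerKeyHash)
    $ski = $Issuer.Extensions | Where-Object { $_ -is [X509SubjectKeyIdentifierExtension] }
    if (-not $ski) { return $null }   # issuer has no SKI; nothing to compare against
    $ski.SubjectKeyIdentifier -eq $IssuerKeyHash   # string -eq is case-insensitive
}

$LeafPath   = 'C:\temp\server.cer'       # placeholder: certificate to be validated
$IssuerPath = 'C:\temp\issuing-ca.cer'   # placeholder: its issuing CA certificate
$leaf   = [X509Certificate2]::new($LeafPath)
$issuer = [X509Certificate2]::new($IssuerPath)

$urls = Get-OcspResponderUrl -Certificate $leaf
if (-not $urls) {
    Write-Warning 'No OCSP URL in AIA: the Windows OCSP client will not form a proper request for this certificate.'
}
else { "OCSP responder(s): $($urls -join ', ')" }

$certId = Get-OcspCertId -Certificate $leaf -Issuer $issuer
$certId | Format-List
"issuerKeyHash matches issuer SKI: $(Test-IssuerKeyHashMatchesSki -Issuer $issuer -IssuerKeyHash $certId.issuerKeyHash)"
```

Running `certutil -verify -urlfetch C:\temp\server.cer` against the same file exercises the Windows OCSP client itself, so the two views can be compared.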
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWLtF07AcXt9wCzZ4ftm4qVe6xry22SKhbMYR_-92drWdV8UjBAWw5IsLi8d3LpFnq_JY5JlGFEXBX9ChM_WNEQ6DiuN3kzylmupdMdh_PRgnHx6tMcDd5S7IYZDy-N2kwqvFD3Xd22qI/s1600/Capture1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWLtF07AcXt9wCzZ4ftm4qVe6xry22SKhbMYR_-92drWdV8UjBAWw5IsLi8d3LpFnq_JY5JlGFEXBX9ChM_WNEQ6DiuN3kzylmupdMdh_PRgnHx6tMcDd5S7IYZDy-N2kwqvFD3Xd22qI/s1600/Capture1.PNG" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">In this case the responder returns the error "unauthorized" and validation fails. </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrCxeXHFaw0wJEeVV6KZyshgAhyphenhyphen0SU9HVK6kfcJtLfA_Go4iAa82J5ZA9Vyxco-_9SBAVkJcXqpqOfOoTSpUI0CapTGahg-HCaZOqSWrfZlVIM4hmTQQNXDH8r3G2KyX5TCJGdXGwYTbw/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrCxeXHFaw0wJEeVV6KZyshgAhyphenhyphen0SU9HVK6kfcJtLfA_Go4iAa82J5ZA9Vyxco-_9SBAVkJcXqpqOfOoTSpUI0CapTGahg-HCaZOqSWrfZlVIM4hmTQQNXDH8r3G2KyX5TCJGdXGwYTbw/s1600/Capture2.PNG" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Extract from RFC 2560:</span><br />
<br />
<pre style="white-space: pre-wrap; word-wrap: break-word;">2.3 Exception Cases

In case of errors, the OCSP Responder may return an error message. These messages are not signed. Errors can be of the following types:
-- malformedRequest
-- internalError
-- tryLater
-- sigRequired
-- unauthorized

The response "unauthorized" is returned in cases where the client is not authorized to make this query to this server.</pre>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>x.509 Certificates - Critical vs non-critical extensions</u> (2013-05-19)</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Extensions are used to associate additional information with the user or the key. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Each certificate extension has three attributes - extnID, critical, extnValue</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">extnID - Extension ID - an OID that specifies the format and definitions of the extension</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">critical - Critical flag - Boolean value</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">extnValue - Extension value </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The critical flag specifies whether an application must understand the extension in order to use the certificate. If an application encounters an extension marked critical that it does not recognize, it must reject the certificate. If the extension is not marked critical (critical value False), an application that does not recognize it can ignore it.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">In Windows, critical extensions are marked with a yellow exclamation mark.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJRySsUMKsGTWDfhBFBQ0ki3uwEv34q7vB7OxmjN9OO4_Dydy-X1AcE0Yb6SWa2jfV9fSOOlE_w25qo5JRiUN5-b93wQMF7XONLEHkx-Ah3bSafXGwI5jeaMhyeLNnbwEg-Mw0aljjcnk/s1600/critical.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJRySsUMKsGTWDfhBFBQ0ki3uwEv34q7vB7OxmjN9OO4_Dydy-X1AcE0Yb6SWa2jfV9fSOOlE_w25qo5JRiUN5-b93wQMF7XONLEHkx-Ah3bSafXGwI5jeaMhyeLNnbwEg-Mw0aljjcnk/s1600/critical.PNG" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div style="font-family: Arial, Helvetica, sans-serif;">
View certificate extensions using OpenSSL:</div>
<div style="font-family: Arial, Helvetica, sans-serif;">
<br /></div>
<span style="font-family: Courier New, Courier, monospace;"># openssl x509 -inform pem -in cert.pem -text -noout</span><br />
<div style="font-family: Arial, Helvetica, sans-serif;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif;">
(output abbreviated)</div>
<div style="font-family: Arial, Helvetica, sans-serif;">
<br /></div>
<span style="font-family: Courier New, Courier, monospace;"> X509v3 extensions:</span><br />
<span style="font-family: Courier New, Courier, monospace;"> <b> X509v3 Key Usage: critical</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><b> Digital Signature, Key Encipherment</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> X509v3 Subject Key Identifier:</span><br />
<span style="font-family: Courier New, Courier, monospace;"> A1:96:A8:0E:32:4B:F6:BE:23:33:42:46:55:8A:72:64</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Extract from RFC </span><span style="font-family: Arial, Helvetica, sans-serif;">"Internet X.509 Public Key Infrastructure - Certificate and CRL Profile" </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">http://www.ietf.org/rfc/rfc2459.txt</span><br />
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">4.1 Basic Certificate Fields</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"> The X.509 v3 certificate basic syntax is as follows. For signature</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> calculation, the certificate is encoded using the ASN.1 distinguished</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> encoding rules (DER) [X.208]. ASN.1 DER encoding is a tag, length,</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> value encoding system for each element.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"> Each extension includes an OID and an ASN.1 structure. When an</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> extension appears in a certificate, the OID appears as the field</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> extnID and the corresponding ASN.1 encoded structure is the value of</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> the octet string extnValue.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"> Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"> Extension ::= SEQUENCE {</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> extnID OBJECT IDENTIFIER,</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> critical BOOLEAN DEFAULT FALSE,</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> extnValue OCTET STRING }</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">4.2 Standard Certificate Extensions</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"> The extensions defined for X.509 v3 certificates provide methods for</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> associating additional attributes with users or public keys and for</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> managing the certification hierarchy. The X.509 v3 certificate</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> format also allows communities to define private extensions to carry</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> information unique to those communities. Each extension in a</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> certificate may be designated as critical or non-critical. A</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> certificate using system MUST reject the certificate if it encounters</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> a critical extension it does not recognize; however, a non-critical</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> extension may be ignored if it is not recognized.</span><br />
<br />
<br />
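<p>The Extension structure quoted above and the criticality rule from section 4.2, as an added example that is not from the original post or from the RFC: a small DER decoder that walks an Extensions SEQUENCE, treats an absent BOOLEAN as critical FALSE (the DEFAULT), and rejects the certificate when a critical extension is not recognized while ignoring unknown non-critical ones. The sample extensions are constructed; the keyUsage and subjectKeyIdentifier values mirror the openssl output above, and 1.3.6.1.4.1.99999.1 is a placeholder for a private extension.</p>

```python
# Added example (not from the original post or the RFC): decode the DER
# Extensions structure of RFC 2459 4.1 and apply the rule from 4.2. Samples are
# constructed; 1.3.6.1.4.1.99999.1 is a placeholder private extension OID.

def der(tag, content):
    """Minimal DER TLV encoder, used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode the value octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0   # first octet packs two arcs
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                       # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_extensions(der_bytes):
    """Return [(oid, critical, extnValue), ...] from a DER Extensions SEQUENCE.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
                             extnValue OCTET STRING }"""
    tag, body, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid_raw, inner = read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        critical = False                          # DEFAULT FALSE: absent means non-critical
        tag, value, inner = read_tlv(ext, inner)
        if tag == 0x01:                           # BOOLEAN present
            critical = value != b"\x00"
            tag, value, inner = read_tlv(ext, inner)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(oid_raw), critical, value))
    return result

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

def decode_key_usage(extn_value):
    """extnValue of keyUsage wraps a BIT STRING; bit 0 is the MSB of the first octet."""
    tag, bits, _ = read_tlv(extn_value, 0)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, data = bits[0], bits[1:]
    total = len(data) * 8 - unused
    return [KEY_USAGE_BITS[i] for i in range(min(total, len(KEY_USAGE_BITS)))
            if data[i // 8] & (0x80 >> (i % 8))]

# Extensions this (hypothetical) application knows how to process.
KNOWN_EXTENSIONS = {"2.5.29.15": "keyUsage", "2.5.29.14": "subjectKeyIdentifier",
                    "2.5.29.19": "basicConstraints"}

def check_criticality(der_bytes, known=KNOWN_EXTENSIONS):
    """RFC 2459 4.2: MUST reject on an unrecognized critical extension."""
    ignored = []
    for oid, critical, _ in parse_extensions(der_bytes):
        if oid in known:
            continue
        if critical:
            return False, "unrecognized critical extension %s" % oid
        ignored.append(oid)
    return True, "accepted; ignored non-critical: %s" % ignored

# Constructed samples.
KEY_USAGE = der(0x30, der(0x06, bytes.fromhex("551d0f")) + der(0x01, b"\xff")
                + der(0x04, der(0x03, b"\x05\xa0")))            # critical; DS + KE
SKI = der(0x30, der(0x06, bytes.fromhex("551d0e"))
          + der(0x04, der(0x04, bytes.fromhex("deadbeef"))))   # flag absent: non-critical
PRIVATE_CRITICAL = der(0x30, der(0x06, bytes.fromhex("2b06010401868d1f01"))
                       + der(0x01, b"\xff") + der(0x04, b"\x00"))
SAMPLE_OK = der(0x30, KEY_USAGE + SKI)
SAMPLE_REJECT = der(0x30, KEY_USAGE + SKI + PRIVATE_CRITICAL)
```

<p>Running check_criticality over SAMPLE_OK accepts the certificate (both extensions are known), while SAMPLE_REJECT is refused because the private extension is flagged critical; the same private extension with the flag absent would simply be ignored.</p>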
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-5235010280409185312013-05-03T15:40:00.000+01:002013-05-03T15:40:24.430+01:00Windows CRL caching<span style="font-family: Arial, Helvetica, sans-serif;">By default, both downloaded CRLs and OCSP responses are cached by a Windows client. If a</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">time-valid version of the CRL or OCSP response exists in the cache, the client will use the</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">cached version rather than downloading an updated CRL or submitting a new OCSP request. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Caching-related configuration is stored under the following registry key:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\</span><span style="font-family: 'Courier New', Courier, monospace;">CertDllCreateCertificateChainEngine\Config</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">A binary value of: </span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">ChainCacheResyncFiletime </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">defines when the cache will be cleared. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Force the cache to be cleared:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">c:\> certutil -setreg chain\ChainCacheResyncFiletime @now</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Force the cache to clear in 1 hour:</span><br />
<br />
<div style="margin: 0in;">
<div style="font-family: 'Courier New', Courier, monospace;">
<br /></div>
<div style="font-family: 'Courier New', Courier, monospace;">
</div>
<span style="font-family: Courier New, Courier, monospace;">c:\> certutil -setreg chain\ChainCacheResyncFiletime @now+0:1</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">View the current cache lifetime configuration:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<span style="font-family: 'Courier New', Courier, monospace;">c:\> </span><span style="font-family: Courier New, Courier, monospace;">certutil -getreg chain\ChainCacheResyncFiletime</span></div>
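<p>The binary value described above, as an added example that is not from the original post: the REG_BINARY ChainCacheResyncFiletime value is a Windows FILETIME (a little-endian count of 100 ns ticks since 1601-01-01 UTC), so it can be decoded to audit when the chain cache was last forced to resync, or encoded to see what certutil writes for "@now". The sample values are constructed; reading the live key needs Windows and is guarded accordingly, returning None elsewhere.</p>

```python
# Added example (not from the original post): decode and encode the REG_BINARY
# ChainCacheResyncFiletime value (a little-endian Windows FILETIME). Samples are
# constructed; read_registry_value() only does anything on Windows.
import sys
from datetime import datetime, timedelta, timezone

# Registry key from the post (under HKEY_LOCAL_MACHINE) and the value name.
CONFIG_KEY = (r"SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"
              r"\CertDllCreateCertificateChainEngine\Config")
VALUE_NAME = "ChainCacheResyncFiletime"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw):
    """Convert an 8-byte little-endian FILETIME to a timezone-aware datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be 8 bytes, got %d" % len(raw))
    ticks = int.from_bytes(raw, "little")            # 100 ns units
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime: the bytes 'certutil -setreg ... @now' stores."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return ticks.to_bytes(8, "little")

def cache_resync_status(raw, now=None):
    """Report the stored resync time and whether it still lies in the future
    (a pending clear, as scheduled with the @now+0:1 form above)."""
    now = now or datetime.now(timezone.utc)
    when = filetime_to_datetime(raw)
    return {"resync_at": when.isoformat(), "pending": when > now}

def read_registry_value():
    """Read the live value on Windows; None elsewhere or when the value is absent."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CONFIG_KEY) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except OSError:
        return None
    return bytes(value) if kind == winreg.REG_BINARY else None

# Constructed samples: the FILETIME of the Unix epoch (a well-known constant)
# and a resync time far in the future.
UNIX_EPOCH_FILETIME = (116444736000000000).to_bytes(8, "little")
FAR_FUTURE_FILETIME = datetime_to_filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    raw = read_registry_value() or UNIX_EPOCH_FILETIME   # fall back to the sample off Windows
    print(cache_resync_status(raw))
```

<p>A resync time in the past means the cache has already been flushed since then; a value in the future is a scheduled clear, which is what the "@now+0:1" form produces.</p>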
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-86512266672613281302013-04-29T12:42:00.001+01:002013-04-29T12:42:12.723+01:00SCEP certificate enrollment - packet analysis<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><u>1. CA cert request:</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The enrolling device requests and installs the CA certificate.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">SCEP Operation: GetCACert</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">HTTP Header:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=SCEPLab HTTP/1.0</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Host: 10.0.0.6</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj13SBOgBtFPK78bz9gZjhk8ZsfFRYLhdg_ehn5Dhpi0zLbzdRNMoJC1grCtaRdeG7ZfnH9o7ZUxI2CsbjJ_flsaxP1wiCiQf5xSsi-Kz-1gRnlu8WLDgGDd7XfX13p-bRpqFE5nfs9ltI/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj13SBOgBtFPK78bz9gZjhk8ZsfFRYLhdg_ehn5Dhpi0zLbzdRNMoJC1grCtaRdeG7ZfnH9o7ZUxI2CsbjJ_flsaxP1wiCiQf5xSsi-Kz-1gRnlu8WLDgGDd7XfX13p-bRpqFE5nfs9ltI/s640/3.PNG" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><u>2. SCEP server returns the CA cert:</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">In the case of a GET operation with a type of GetCACert, the MIME content type returned will </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">depend on whether or not an RA is in use. If there is no RA, only the CA certificate is </span><span style="font-family: Arial, Helvetica, sans-serif;">sent back in the response, and the response has the content type tagged as application/x-x509-ca-cert.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">If there is an RA, as is the case in this lab, the RA certificates are sent back together with the CA certificates. </span><span style="font-family: Arial, Helvetica, sans-serif;">The content type is application/x-x509-ca-ra-cert.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">HTTP Header:</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">HTTP/1.1 200 OK</span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Length: 4170</span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Type: application/x-x509-ca-ra-cert</span><br />
<span style="font-family: Courier New, Courier, monospace;">Server: Microsoft-IIS/8.0</span><br />
<span style="font-family: Courier New, Courier, monospace;">Date: Mon, 29 Apr 2013 09:15:51 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace;">Connection: close</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVIsDud4k13JGI866hyyi9YD4lxEdJP5sScUYR_KSH3US5FGG101TL-6SLwsIf33f5CUOFYJ8Ok-TqUHogD4uebSMV0O8qwyzsrBP6ZxVm1C3heV-OAmkEYLzzi0-aBwjmsjS3w3NuJOI/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVIsDud4k13JGI866hyyi9YD4lxEdJP5sScUYR_KSH3US5FGG101TL-6SLwsIf33f5CUOFYJ8Ok-TqUHogD4uebSMV0O8qwyzsrBP6ZxVm1C3heV-OAmkEYLzzi0-aBwjmsjS3w3NuJOI/s640/2.PNG" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><u>3. Device requests an identity certificate:</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">SCEP Operation: PKIOperation</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">HTTP Header (message string has been truncated):</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=PKIOperation&message=MIITnyeD%0%3D%3D%0A HTTP/1.0</span><br />
<span style="font-family: Courier New, Courier, monospace;">Host: 10.0.0.6</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj13SBOgBtFPK78bz9gZjhk8ZsfFRYLhdg_ehn5Dhpi0zLbzdRNMoJC1grCtaRdeG7ZfnH9o7ZUxI2CsbjJ_flsaxP1wiCiQf5xSsi-Kz-1gRnlu8WLDgGDd7XfX13p-bRpqFE5nfs9ltI/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj13SBOgBtFPK78bz9gZjhk8ZsfFRYLhdg_ehn5Dhpi0zLbzdRNMoJC1grCtaRdeG7ZfnH9o7ZUxI2CsbjJ_flsaxP1wiCiQf5xSsi-Kz-1gRnlu8WLDgGDd7XfX13p-bRpqFE5nfs9ltI/s640/3.PNG" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>4. SCEP server returns identity cert:</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">For each GET operation, the CA/RA server will return a MIME object via HTTP. For a GET operation with PKIOperation as </span><span style="font-family: Arial, Helvetica, sans-serif;">its type, the response is tagged as having a Content Type of application/x-pki-message. The body of this message is a BER encoded binary PKI message.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">HTTP Header:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">HTTP/1.1 200 OK</span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Length: 2067</span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Type: application/x-pki-message</span><br />
<span style="font-family: Courier New, Courier, monospace;">Server: Microsoft-IIS/8.0</span><br />
<span style="font-family: Courier New, Courier, monospace;">Date: Mon, 29 Apr 2013 10:46:51 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace;">Connection: close</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghsNL9VPWFxoYWU1IXbsInA-d6TomlvOj076KCZ15FG8l-Ll-CAlHeV4oZ8XJKXMALSwGyz_tB38QbFPyGg4C0mLBnDy4DeylaogyiIXwGhnIWlcns6a3YqLGT5J3afzx7Pb345J34GBI/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghsNL9VPWFxoYWU1IXbsInA-d6TomlvOj076KCZ15FG8l-Ll-CAlHeV4oZ8XJKXMALSwGyz_tB38QbFPyGg4C0mLBnDy4DeylaogyiIXwGhnIWlcns6a3YqLGT5J3afzx7Pb345J34GBI/s640/4.PNG" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i>SCEP Reference: http://www.cisco.com/warp/public/cc/pd/sqsw/tech/scep_wp.htm</i></span><br />
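<p>The four-step exchange above, as an added example that is not from the original post: a dissector for the SCEP HTTP traffic that pulls operation and message out of the GET request, checks that the Content-Type of the reply is one the operation may legitimately produce, and formats a CA fingerprint the way the ASA prints it so the received CA certificate can be compared with the value obtained out of band (GetCACert itself is not authenticated). The GetCACert request line and the response headers are the ones captured above; the PKIOperation message, the response body and the fingerprint are constructed placeholders, since a real PKCS#7 blob cannot be embedded here, and MD5 is an assumption for the 128-bit fingerprint format.</p>

```python
# Added example (not from the original post): dissect the SCEP HTTP exchange.
# Request line and response headers come from the capture; PKI message, body
# and fingerprint are constructed placeholders. MD5 is assumed for the
# 128-bit fingerprint layout the ASA debug prints.
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Content-Type -> body format, per the SCEP draft quoted in the post.
SCEP_RESPONSE_TYPES = {
    "application/x-x509-ca-cert": "single DER CA certificate (no RA in use)",
    "application/x-x509-ca-ra-cert": "PKCS#7 degenerate SignedData carrying CA and RA certificates",
    "application/x-pki-message": "BER-encoded PKCS#7 PKI message",
}
# Which response types are legitimate for each GET operation.
EXPECTED_BY_OPERATION = {
    "GetCACert": {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"},
    "PKIOperation": {"application/x-pki-message"},
}

def parse_scep_request(request_line):
    """Split 'GET <path>?operation=...&message=... HTTP/1.0' into its parts."""
    method, target, version = request_line.split(" ")
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)   # also URL-decodes the values
    return {"method": method, "path": url.path, "version": version,
            "operation": query.get("operation", [None])[0],
            "message": query.get("message", [None])[0]}

def decode_pki_message(message):
    """PKIOperation carries a base64 PKCS#7 blob; drop the newlines the client
    URL-encoded as %0A before decoding."""
    return base64.b64decode("".join(message.split()), validate=True)

def parse_http_response(raw):
    """Return (status_code, lower-cased header dict, body) from a raw response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_scep_response(operation, raw):
    """Check the response against the operation and name the body format."""
    status, headers, body = parse_http_response(raw)
    if status != 200:
        return "error: HTTP %d" % status
    ctype = headers.get("content-type", "")
    if ctype not in EXPECTED_BY_OPERATION.get(operation, set()):
        return "error: unexpected Content-Type %r for %s" % (ctype, operation)
    if int(headers.get("content-length", "-1")) != len(body):
        return "error: body length does not match Content-Length"
    return SCEP_RESPONSE_TYPES[ctype]

def ca_fingerprint(der):
    """MD5 digest laid out as four 32-bit words, the way the ASA debug prints it."""
    digest = hashlib.md5(der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))

def ca_cert_trusted(der, expected_fingerprint):
    """GetCACert is not authenticated: trust the received CA certificate only
    when its fingerprint matches the value obtained out of band."""
    return hmac.compare_digest(ca_fingerprint(der), expected_fingerprint.lower())

# Samples: the first request line is from the capture; the rest are constructed.
GETCACERT_REQUEST = ("GET /CertSrv/mscep/mscep.dll/pkiclient.exe"
                     "?operation=GetCACert&message=SCEPLab HTTP/1.0")
PKI_BLOB = b"constructed-pkcs7-placeholder"                  # not a real PKI message
PKIOP_REQUEST = ("GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=PKIOperation&message="
                 + quote(base64.b64encode(PKI_BLOB).decode() + "\n") + " HTTP/1.0")
CA_RA_BODY = b"constructed-pkcs7-ca-ra-body"                 # not a real PKCS#7
CA_RA_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
                  b"Content-Type: application/x-x509-ca-ra-cert\r\n"
                  b"Server: Microsoft-IIS/8.0\r\nConnection: close\r\n\r\n"
                  % len(CA_RA_BODY)) + CA_RA_BODY

if __name__ == "__main__":
    print(parse_scep_request(GETCACERT_REQUEST))
    print(classify_scep_response("GetCACert", CA_RA_RESPONSE))
    print(ca_fingerprint(CA_RA_BODY))
```

<p>Feeding the ca-ra response to the PKIOperation branch is flagged as a Content-Type mismatch, which is the check worth having in a monitoring script: a reply whose type does not fit the operation is either a misconfigured RA or something sitting between the device and the NDES server.</p>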
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-72247057613011081162013-04-29T12:30:00.002+01:002013-04-29T12:30:34.370+01:00Enrolling Cisco ASA for certificates via SCEP<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b>1. <u>Install CA cert</u></b></span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config)# crypto ca trustpoint CA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ciscoasa(config-ca-trustpoint)# revocation-check crl</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ciscoasa(config-ca-trustpoint)# enrollment url http://10.0.0.6/certsrv/mscep/mscep.dll</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ciscoasa(config)# crypto ca authenticate CA </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><u>Debug output</u>:</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: HTTP response header:</span><br />
<span style="font-family: Courier New, Courier, monospace;">HTTP/1.1 200 OK</span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Length: 4170</span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Type: application/x-x509-ca-ra-cert</span><br />
<span style="font-family: Courier New, Courier, monospace;">Server: Microsoft-IIS/8.0</span><br />
<span style="font-family: Courier New, Courier, monospace;">Date: Mon, 29 Apr 2013 11:13:14 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace;">Connection: close</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Content-Type indicates we have received CA and RA certificates.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=CA)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">INFO: Certificate has the following attributes:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Fingerprint: 537adc87 22cc6e2b 07fdf2e0 18d8ba8b</span><br />
<span style="font-family: Courier New, Courier, monospace;">The PKCS #7 message contains 4 certificates.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI:crypto_pkcs7_extract_ca_cert found cert</span><br />
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: transaction GetCACert completed</span><br />
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: CA certificate received.</span><br />
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: crypto_pki_authenticate_tp_cert()</span><br />
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: trustpoint CA authentication status = 0</span><br />
<span style="font-family: Courier New, Courier, monospace;">Trustpoint 'CA' is a subordinate CA and holds a non self-signed certificate.</span><br />
<span style="font-family: Courier New, Courier, monospace;">Trustpoint CA certificate accepted.</span><br />
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.</span><br />
<div style="font-family: Arial, Helvetica, sans-serif;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u><b>2. Request and install identity certificate:</b></u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Depending on the SCEP server configuration, a challenge password may be required to obtain a certificate. In Microsoft's SCEP implementation, NDES, we browse to </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">http://scepserver/CertSrv/mscep_admin to obtain the password.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg25eamxDiVa5Lv8AkGPvTJh9kONLZKY0HGq5lDXZz84HCWB7km8aGramklutBEJ8YPaKPeWno6OItlpow1Nr5xW3sz57AN14aYVwt5udnmFHH9EqBnmrniyeYP1AU29la7-Zjk1Uzvg2M/s1600/8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg25eamxDiVa5Lv8AkGPvTJh9kONLZKY0HGq5lDXZz84HCWB7km8aGramklutBEJ8YPaKPeWno6OItlpow1Nr5xW3sz57AN14aYVwt5udnmFHH9EqBnmrniyeYP1AU29la7-Zjk1Uzvg2M/s640/8.PNG" width="640" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>ASA config:</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config)# crypto ca trustpoint CA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ciscoasa(config-ca-trustpoint)#</span><span style="font-family: 'Courier New', Courier, monospace;"> </span><span style="font-family: 'Courier New', Courier, monospace;">keypair testKey</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ciscoasa(config-ca-trustpoint)# password C972703054ED1301</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">ciscoasa(config)# </span><span style="font-family: 'Courier New', Courier, monospace;">crypto ca enroll CA</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br /></span>
<br />
<span style="font-family: Courier New, Courier, monospace;">% Start certificate enrollment ..</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">% The fully-qualified domain name in the certificate will be: ciscoasa.kp.local</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">% Include the device serial number in the subject name? [yes/no]: yes</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">% The serial number in the certificate will be: 123456789AB</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Request certificate from CA? [yes/no]: yes</span><br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Debug output:</u></span><br />
<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: Found a subject match - inserting the following cert record into certList</span><br />
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: Found a subject match - inserting the following cert record into certList</span><br />
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: Found a subject match - inserting the following cert record into certList</span><br />
<span style="font-family: Courier New, Courier, monospace;">The certificate has been granted by CA!</span><br />
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-103897293048954245.post-23157915465725559852013-04-26T14:58:00.001+01:002013-04-27T18:16:56.688+01:00Linux certificate storage<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Unlike Windows, Linux does not have a crypto API that user-mode applications can use; it does have a kernel-level CryptoAPI (crypto.h), but that is accessible only to kernel-mode code. Applications therefore store certificates in application-specific locations, and we end up with multiple copies of the same certificate. One workaround is to designate a single directory for certificate storage and create symbolic links to it from the directories each application expects.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The Linux Kernel Cryptographic API overview: <a href="https://thesweeheng.files.wordpress.com/2007/11/6451.pdf">https://thesweeheng.files.wordpress.com/2007/11/6451.pdf</a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Generate CSR using a new key pair:</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">openssl req -nodes -newkey rsa:1024 -keyout serverName.key -out serverName.csr</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Generate CSR using an existing key pair:</u></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">openssl req -new -key serverName.key -out serverName.csr</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Once the request is signed, the certificate and key pair must be copied to the relevant location. Most Linux applications require a Base64-encoded certificate with a .PEM extension, but this varies: Apache, for example, requires a Base64-encoded .CRT certificate. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Sample storage locations:</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Cisco AnyConnect:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">User certs:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">~/.cisco/certificates/ca <span class="Apple-tab-span" style="white-space: pre;"> </span> Root CA</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">~/.cisco/certificates/client <span class="Apple-tab-span" style="white-space: pre;"> </span> User certificate </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">~/.cisco/certificates/client/private PrivateKeys</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Computer certs:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">/opt/.cisco/certificates/ca <span class="Apple-tab-span" style="white-space: pre;"> </span> Root CA</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">/opt/.cisco/certificates/client Client certificates </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">/opt/.cisco/certificates/client/private PrivateKeys</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Nessus:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">/opt/nessus/com/nessus/CA/servercert.pem </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">/opt/nessus/var/nessus/CA/serverkey.pem</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Apache:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The locations of the certificate and private key are specified per virtual host in the config file (sample config below). Sample locations:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">/etc/httpd/conf/ssl.crt/serverName.crt</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">/etc/httpd/conf/ssl.key/serverName.key</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Enabling SSL in Apache:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Enable mod_ssl:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># a2enmod ssl</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Configure Virtual Host:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">This is configured in httpd.conf or apache2.conf (which by default includes httpd.conf):</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><i>&lt;VirtualHost securesenses.net:443&gt;</i></span><br />
<i style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-tab-span" style="white-space: pre;"> </span>DocumentRoot /var/www/</i><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span>ServerName 10.0.0.20</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span>SSLEngine on</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span>SSLCertificateFile /etc/apache2/conf/ssl.crt/10.0.0.20.crt</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span>SSLCertificateKeyFile /etc/apache2/conf/ssl.key/10.0.0.20.key</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><i>&lt;/VirtualHost&gt;</i></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Restart service:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># service httpd restart</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">or</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"># apachectl restart</span><br />
<div>
<br /></div>
<div><b>OCSP certificate validation - packet analysis</b> (published 2013-04-22, updated 2013-04-29)</div><div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Online Certificate Status Protocol (OCSP) is an IETF standard defined in RFC 2560 </span><span style="font-family: Arial, Helvetica, sans-serif;">(</span><a href="http://www.ietf.org/rfc/rfc2560.txt" style="font-family: Arial, Helvetica, sans-serif;">http://www.ietf.org/rfc/rfc2560.txt</a><span style="font-family: Arial, Helvetica, sans-serif;">). OCSP is used for real-time certificate status checking and uses HTTP as its transport mechanism. The transaction consists of an HTTP request using the POST verb and an HTTP 200 response. </span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">1. OCSP request (MIME type: ocsp-request):</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">HTTP header:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Courier New, Courier, monospace;">POST /ocsp HTTP/1.1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Cache-Control: no-cache</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Connection: Keep-Alive</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Pragma: no-cache</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Content-Type: application/ocsp-request</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Accept: */*</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">User-Agent: Microsoft-CryptoAPI/6.2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Content-Length: 86</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Host: srv3.kp.local</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Arial, Helvetica, sans-serif;">The request contains a hash of the issuer's name and a hash of the issuer's public key, along with the serial number of the certificate to be validated:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXlW7GteKOvvlRbaHkcuqjr4rSS-uEmzpOQnmlfAOABSXSKAaDFP3QMx7xjpBvTYNWZM6R8zKm_rXxYN84dzNcvKXAdU-sml1nbnTljNVeBM6dZTzlvjd78utZ7Jqg9j1-ciVolIjSkYg/s1600/ocsp1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXlW7GteKOvvlRbaHkcuqjr4rSS-uEmzpOQnmlfAOABSXSKAaDFP3QMx7xjpBvTYNWZM6R8zKm_rXxYN84dzNcvKXAdU-sml1nbnTljNVeBM6dZTzlvjd78utZ7Jqg9j1-ciVolIjSkYg/s640/ocsp1.PNG" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">2. OCSP response (MIME type: ocsp-response): </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><span style="font-family: Arial, Helvetica, sans-serif;">HTTP header:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><span style="font-family: 'Courier New', Courier, monospace;">HTTP/1.1 200 OK</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">Cache-Control: max-age=580</span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Length: 1256</span><br />
<span style="font-family: Courier New, Courier, monospace;">Content-Type: application/ocsp-response</span><br />
<span style="font-family: Courier New, Courier, monospace;">Expires: Mon, 22 Apr 2013 10:34:16 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace;">Last-Modified: Mon, 22 Apr 2013 08:59:16 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace;">ETag: "407c5206fbf20cfa69f6110435a82fd4"</span><br />
<span style="font-family: Courier New, Courier, monospace;">Server: Microsoft-IIS/8.0</span><br />
<span style="font-family: Courier New, Courier, monospace;">Date: Mon, 22 Apr 2013 09:59:35 GMT</span><br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The OCSP response contains the revocation status of the certificate:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXcwqM5a25CWtcMyE1e6C9X5SqOdd4e4haQ8KiC2JebRjmR3UaeQfXwvCM1CphDo6RknuTLZIqCbF-zO6KcbXziiJpPrOqKVNA7Y3zdD9n8befCJdOAJ0FvlxfFfi1AdduI4Ew6P6hrdc/s1600/ocsp2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="592" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXcwqM5a25CWtcMyE1e6C9X5SqOdd4e4haQ8KiC2JebRjmR3UaeQfXwvCM1CphDo6RknuTLZIqCbF-zO6KcbXziiJpPrOqKVNA7Y3zdD9n8befCJdOAJ0FvlxfFfi1AdduI4Ew6P6hrdc/s640/ocsp2.PNG" width="640" /></a></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">To prevent spoofing attacks, the response is signed by the responder. So that the signature can be validated, the certificate containing the responder's public key is returned with the response. This could lead to a problem whereby the revocation status of the OCSP signing certificate would itself have to be checked, leading to a "verification loop". According to RFC 2560 section 4.2.2.2.1 there are three ways of overcoming this issue. The Microsoft CA implementation uses the special extension "id-pkix-ocsp-nocheck". This extension tells the requester not to validate the status of the OCSP signing certificate. The risk of that certificate being misused is mitigated by using very short certificate validity periods. </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQh8VSSd6HHdReOMeJkZ4WKuyZ3Ne1tGx8hMe0ZGicDPYaJx1dCNxjGJMHM3H5ACpFYFlBp4Ba7LDEvYzQjlrH7wWffqYgGG7ef_aCP5t2W_sKntR1QU43hTac4inJstOgkm8kB46szmM/s1600/ocsp4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="391" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQh8VSSd6HHdReOMeJkZ4WKuyZ3Ne1tGx8hMe0ZGicDPYaJx1dCNxjGJMHM3H5ACpFYFlBp4Ba7LDEvYzQjlrH7wWffqYgGG7ef_aCP5t2W_sKntR1QU43hTac4inJstOgkm8kB46szmM/s640/ocsp4.PNG" width="640" /></a></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">OCSP signing certificate:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHq36je7rFDW3FrNZnZ5SJyD6Vk_wYj4hwEEoJAWYlGZzYiQGqsVVTIM0m6gOe-j48BbncoXUe1klN0GheSy8kM01qAiQRC0QOJIe_GB_uxSRpxJp9t9n3DSmANwI0MlADtBo02dhblCU/s1600/ocsp3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHq36je7rFDW3FrNZnZ5SJyD6Vk_wYj4hwEEoJAWYlGZzYiQGqsVVTIM0m6gOe-j48BbncoXUe1klN0GheSy8kM01qAiQRC0QOJIe_GB_uxSRpxJp9t9n3DSmANwI0MlADtBo02dhblCU/s1600/ocsp3.PNG" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: Arial, Helvetica, sans-serif;">Corresponding OCSP responder signing configuration:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrxmPm1DzN6zBF3KFRhXXXIPmxoxfH33qm7jlygwOGgiU9lOf0YP28Lm0TgGTm7eM8rGpq0J7pAjLGwOE2IqRL45AzOzgIoH9peDQpUIX2vDzGvukjd7C-hgBmwGL6PB0jWg4aJO0StoA/s1600/ocspx.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrxmPm1DzN6zBF3KFRhXXXIPmxoxfH33qm7jlygwOGgiU9lOf0YP28Lm0TgGTm7eM8rGpq0J7pAjLGwOE2IqRL45AzOzgIoH9peDQpUIX2vDzGvukjd7C-hgBmwGL6PB0jWg4aJO0StoA/s1600/ocspx.PNG" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><div><b>CRL request over HTTP - packet analysis</b> (published 2013-04-22, updated 2013-04-23)</div><div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">One of the ways a CRL can be retrieved is over HTTP. The whole transaction consists of an HTTP GET request and a 200 OK response. The response body is the CRL, served with the PKIX-CRL MIME type (application/pkix-crl). PKIX-CRL is an IETF standard defined in RFC 2585 </span><span style="font-family: Arial, Helvetica, sans-serif;">- <a href="http://www.ietf.org/rfc/rfc2585.txt">http://www.ietf.org/rfc/rfc2585.txt</a></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">1. The CRL requester sends an HTTP request using the GET verb</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">HTTP header:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">GET /pki/IssuingCA-DC1.crl HTTP/1.1</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Cache-Control: no-cache</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Connection: Keep-Alive</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Pragma: no-cache</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Accept: */*</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">User-Agent: Microsoft-CryptoAPI/6.2</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: Courier New, Courier, monospace;">Host: dc1.kp.local</span></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0-AcxxmmzUNZhE5tcolLNvM0ZjSgOvjjJusfIKnCifsj9LqpNzu0YCcMLGKcfcoz2TNTp_oowEQ_OiK09Zqb_dHttImapRn69NZVxnYBAcJ5DgakjrAavlwM3N208gvbE0S0pvclbA2U/s1600/http1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0-AcxxmmzUNZhE5tcolLNvM0ZjSgOvjjJusfIKnCifsj9LqpNzu0YCcMLGKcfcoz2TNTp_oowEQ_OiK09Zqb_dHttImapRn69NZVxnYBAcJ5DgakjrAavlwM3N208gvbE0S0pvclbA2U/s640/http1.PNG" style="cursor: move;" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">2. The server responds with the CRL, served with the PKIX-CRL MIME type</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">HTTP header:</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: 'Courier New', Courier, monospace;">HTTP/1.1 200 OK</span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">Content-Type: application/pkix-crl</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">Last-Modified: Mon, 22 Apr 2013 08:29:51 GMT</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">Accept-Ranges: bytes</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">ETag: "d06e258f333fce1:0"</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">Server: Microsoft-IIS/8.0</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">X-Powered-By: ASP.NET</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">Date: Sun, 21 Apr 2013 08:46:23 GMT</span></div>
<div class="separator" style="clear: both;">
<span style="font-family: 'Courier New', Courier, monospace;">Content-Length: 820</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNmd_MSxkIr9xfOqaPdcgv076JWfHg0MSCEe8oTxC1IackAMSRUIOyInHSRX8XS2NssdaHRaATlhxOLsAdudvtcqN6AfJyMzBY671R9Yjd3w023Jbd-PTrjiceSH6yYdSoQ8TGaNElxGI/s1600/http2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="486" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNmd_MSxkIr9xfOqaPdcgv076JWfHg0MSCEe8oTxC1IackAMSRUIOyInHSRX8XS2NssdaHRaATlhxOLsAdudvtcqN6AfJyMzBY671R9Yjd3w023Jbd-PTrjiceSH6yYdSoQ8TGaNElxGI/s640/http2.PNG" width="640" /></a></div>
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Wireshark decodes the PKIX-CRL, so all CRL extensions can be seen directly in the packet.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmk2uklmStZYsyB7N6Cs1JFu3ICKtNPVtWzWu4wqeSUXea3MeO5R2IbIG-5_yIiaUdhtXD3Qe3TFCDpFj1LTD5YgMMzIyej0khkE9xgKdhx2LLZezbUgUtFe7QNFYW1JXoVvPUnaux6WU/s1600/http3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmk2uklmStZYsyB7N6Cs1JFu3ICKtNPVtWzWu4wqeSUXea3MeO5R2IbIG-5_yIiaUdhtXD3Qe3TFCDpFj1LTD5YgMMzIyej0khkE9xgKdhx2LLZezbUgUtFe7QNFYW1JXoVvPUnaux6WU/s640/http3.png" width="640" /></a></div>
<div><b>Cisco ASA Certificate Revocation Checking</b> (published 2013-04-19, updated 2013-04-19)</div><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The ASA supports revocation status checking using CRLs and OCSP. A CRL can be retrieved using HTTP, LDAP or SCEP.</span><br />
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Revocation checking using CRL:</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Over HTTP:</u></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-trustpoint)# revocation-check crl</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-trustpoint)# crl configure</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-crl)# protocol http</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">By default the ASA uses the address listed in the CRL Distribution Point (CDP) extension of the certificate being validated. </span><span style="font-family: Arial, Helvetica, sans-serif;">To override this behaviour, add the following in the CRL configuration context:</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">ciscoasa(config-ca-crl)# policy static</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-crl)# url 1 http://cdpurl.kp.local/crl.crl</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Over LDAP:</u></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">The certificate I'm using for this lab doesn't have an LDAP address in its CDP extension. Therefore I'm using "policy static" to specify the LDAP URL where the CRL can be retrieved. </span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-trustpoint)# revocation-check crl</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-trustpoint)# crl configure</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-crl)# protocol ldap</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-crl)# policy static</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-crl)# url 1 ldap://dc1.kp.local/CN=IssuingCA-DC1,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=kp,DC=local/</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-crl)# ldap-dn CN=asacrl,OU=UsersRoot,DC=kp,DC=local password</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-crl)# ldap-defaults 10.0.0.7</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Revocation checking using OCSP:</u></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config)# crypto ca trustpoint ASDM_TrustPoint2</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-trustpoint)# revocation-check ocsp</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config-ca-trustpoint)# ocsp url http://srv3.kp.local/ocsp</span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<br /></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>View CRL cache:</u></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"></span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa# show crypto ca crl</span></div>
<span style="font-family: Courier New, Courier, monospace;">
</span>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<span style="font-family: Courier New, Courier, monospace;">
<div>
CRL Issuer Name:</div>
<div>
cn=IssuingCA-DC1,dc=kp,dc=local</div>
<div>
LastUpdate: 15:23:47 UTC Apr 11 2013</div>
<div>
NextUpdate: 03:43:47 UTC Apr 19 2013</div>
<div>
Cached Until: 14:54:45 UTC Apr 15 2013</div>
<div>
Retrieved from CRL Distribution Point:</div>
<div>
http://dc1.kp.local/pki/IssuingCA-DC1.crl</div>
<div>
Size (bytes): 716</div>
<div>
Associated Trustpoints: ASDM_TrustPoint0</div>
</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Enable crypto transaction debugging:</u></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u><br /></u></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa# debug crypto ca transactions 10</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Retrieve CRL: </u></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"></span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;">ciscoasa(config)#crypto ca crl request ASDM_TrustPoint0</span></div>
<span style="font-family: Courier New, Courier, monospace;">
</span>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<span style="font-family: Courier New, Courier, monospace;">
<div>
CRYPTO_PKI: CRL is being polled from CDP http://dc1.kp.local/pki/IssuingCA-DC1.crl.</div>
<div>
<br /></div>
<div>
CRYPTO_PKI: HTTP response header:</div>
<div>
HTTP/1.1 200 OK</div>
<div>
Content-Type: application/pkix-crl</div>
<div>
Last-Modified: Thu, 11 Apr 2013 15:33:47 GMT</div>
<div>
Accept-Ranges: bytes</div>
<div>
ETag: "edeaef5c936ce1:0"</div>
<div>
Server: Microsoft-IIS/8.0</div>
<div>
X-Powered-By: ASP.NET</div>
<div>
Date: Mon, 15 Apr 2013 13:50:57 GMT</div>
<div>
Connection: close</div>
<div>
Content-Length: 716</div>
<div>
<br /></div>
<div>
CRYPTO_PKI: Found a subject match - inserting the following cert record into certList</div>
<div>
CRYPTO_PKI: set CRL update timer with delay: 309171</div>
<div>
CRYPTO_PKI: the current device time: 13:50:56 UTC Apr 15 2013</div>
<div>
<br /></div>
<div>
CRYPTO_PKI: the last CRL update time: 15:23:47 UTC Apr 11 2013</div>
<div>
CRYPTO_PKI: the next CRL update time: 03:43:47 UTC Apr 19 2013</div>
<div>
CRYPTO_PKI: CRL cache delay being set to: 3600000</div>
<div>
CRYPTO_PKI: transaction HTTPGetCRL completed</div>
<div>
<br /></div>
</span></div>
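<div><span style="font-family: Arial, Helvetica, sans-serif;">The timers in the debug output above can be cross-checked against the CRL's own validity window. The following Python is an added example, not from the original post or from Cisco: it parses the timer lines (constructed here from the output above) and checks that the update timer equals the time remaining until nextUpdate and that the device clock falls inside the CRL's thisUpdate/nextUpdate window. That the ASA computes the timer as nextUpdate minus the device clock is an assumption which the figures above happen to confirm.</span></div>

```python
import re
from datetime import datetime, timezone

# Constructed sample: the timer lines from the ASA debug output above.
DEBUG_LINES = """\
CRYPTO_PKI: set CRL update timer with delay: 309171
CRYPTO_PKI: the current device time: 13:50:56 UTC Apr 15 2013
CRYPTO_PKI: the last CRL update time: 15:23:47 UTC Apr 11 2013
CRYPTO_PKI: the next CRL update time: 03:43:47 UTC Apr 19 2013
CRYPTO_PKI: CRL cache delay being set to: 3600000
""".splitlines()

ASA_TIME = "%H:%M:%S UTC %b %d %Y"  # format the ASA prints, e.g. 13:50:56 UTC Apr 15 2013

FIELDS = {
    "timer_delay": re.compile(r"set CRL update timer with delay: (\d+)"),
    "device_time": re.compile(r"the current device time: (.+)$"),
    "last_update": re.compile(r"the last CRL update time: (.+)$"),
    "next_update": re.compile(r"the next CRL update time: (.+)$"),
    "cache_delay": re.compile(r"CRL cache delay being set to: (\d+)"),
}


def parse_asa_time(text: str) -> datetime:
    """Parse an ASA 'HH:MM:SS UTC Mon DD YYYY' timestamp as an aware UTC datetime."""
    return datetime.strptime(text.strip(), ASA_TIME).replace(tzinfo=timezone.utc)


def parse_crl_debug(lines) -> dict:
    """Extract the CRL timers and timestamps from 'debug crypto ca transactions' output."""
    found = {}
    for line in lines:
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                found[name] = m.group(1)
    missing = sorted(set(FIELDS) - set(found))
    if missing:
        raise ValueError(f"debug output incomplete, missing: {missing}")
    return {
        "timer_delay_s": int(found["timer_delay"]),          # seconds
        "cache_delay_s": int(found["cache_delay"]) // 1000,  # the ASA prints milliseconds
        "device_time": parse_asa_time(found["device_time"]),
        "last_update": parse_asa_time(found["last_update"]),  # CRL thisUpdate
        "next_update": parse_asa_time(found["next_update"]),  # CRL nextUpdate
    }


def check_crl_timers(info: dict) -> dict:
    """Relate the ASA's timers to the CRL validity window (assumed rule: the
    update timer is nextUpdate minus the device clock; the sample confirms it)."""
    until_next = int((info["next_update"] - info["device_time"]).total_seconds())
    window = int((info["next_update"] - info["last_update"]).total_seconds())
    return {
        # a device clock outside this window means a stale CRL or clock skew
        "crl_valid_now": info["last_update"] <= info["device_time"] < info["next_update"],
        "seconds_until_next_update": until_next,
        "timer_matches_next_update": until_next == info["timer_delay_s"],
        # the cached copy is re-fetched long before the CRL itself expires
        "cache_refresh_before_expiry": info["cache_delay_s"] < info["timer_delay_s"],
        "crl_window_s": window,
    }


def analyse(lines=DEBUG_LINES) -> dict:
    """Run the full check over a captured debug transcript."""
    return check_crl_timers(parse_crl_debug(lines))


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Running the same check over a later transcript shows whether the ASA re-polled before nextUpdate passed; a crl_valid_now of False points at a stale CRL or a skewed device clock.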
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Debug output of certificate validation using CRL:</u></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;">CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"></span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI(Cert Lookup) issuer="cn=ORCA1-CA" serial number=4d 00 00 00 02 92 4d ec 09 31 40 27 0b 00 00 00 </span></div>
<span style="font-family: Courier New, Courier, monospace;">
</span>
<div>
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: Cerificate is resident.</span></div>
<span style="font-family: Courier New, Courier, monospace;">
<div>
CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.</div>
<div>
CRYPTO_PKI: Sorted chain size is: 1</div>
<div>
CRYPTO_PKI: Found ID cert. serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe</div>
<div>
CRYPTO_PKI: Verifying certificate with serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe, issuer_name: cn=IssuingCA-DC1,dc=kp,dc=local, signature alg: SHA1/RSA.</div>
<div>
CRYPTO_PKI(Cert Lookup) issuer="cn=IssuingCA-DC1,dc=kp,dc=local" serial number=6d 00 00 00 07 5a 2d 9b 4f e8 e3 4d f7 00 00 00 | ...</div>
<div>
<br /></div>
<div>
CRYPTO_PKI: Starting CRL revocation check.</div>
<div>
CRYPTO_PKI: Attempting to find cached CRL for CDP http://dc1.kp.local/pki/IssuingCA-DC1.crl</div>
<div>
CRYPTO_PKI: Found CRL in cache for CDP: http://dc1.kp.local/pki/IssuingCA-DC1.crl, status 0.</div>
<div>
<b>CRYPTO_PKI: Certificate is revoked!</b></div>
<div>
<br /></div>
</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<u style="font-family: Arial, Helvetica, sans-serif;">Debug output of certificate validation using OCSP:</u></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"></span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: Sorted chain size is: 2</span></div>
<span style="font-family: Courier New, Courier, monospace;">
</span>
<div>
<span style="font-family: Courier New, Courier, monospace;">CRYPTO_PKI: Verifying certificate with serial number: 4D00000002924DEC093140270B000000000002, subject name: cn=IssuingCA-DC1,dc=kp,dc=local, issuer_name: cn=ORCA1-CA, signature alg: SHA1/RSA.</span></div>
<span style="font-family: Courier New, Courier, monospace;">
<div>
CRYPTO_PKI(Cert Lookup) issuer="cn=ORCA1-CA" serial number=4d 00 00 00 02 92 4d ec 09 31 40 27 0b 00 00 00 </div>
<div>
CRYPTO_PKI: Cerificate is resident.</div>
<div>
<br /></div>
<div>
CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.</div>
<div>
<br /></div>
<div>
CRYPTO_PKI: Sorted chain size is: 1</div>
<div>
CRYPTO_PKI: Found ID cert. serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe</div>
<div>
CRYPTO_PKI: Verifying certificate with serial number: 6D000000075A2D9B4FE8E34DF7000000000007, subject name: ea=jd@kp.local,cn=Joe Doe, issuer_name: cn=IssuingCA-C1,dc=kp,dc=local, signature alg: SHA1/RSA.</div>
<div>
<br /></div>
<div>
CRYPTO_PKI(Cert Lookup) issuer="cn=IssuingCA-DC1,dc=kp,dc=local" serial number=6d00 00 00 07 5a 2d 9b 4f e8 e3 4d f7 00 00 00</div>
<div>
CRYPTO_PKI: Verify cert is polling for revocation status.</div>
<div>
<br /></div>
<div>
CRYPTO_PKI: Starting OCSP revocation</div>
<div>
CRYPTO_PKI: no responder matching this URL; create one!</div>
<div>
CRYPTO_PKI: http connection opened</div>
<div>
<b>CRYPTO_PKI: OCSP response status - unauthorized</b>.</div>
<div>
CRYPTO_PKI: transaction GetOCSP completed</div>
</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div><b>Managing Certificate Revocation Lists (CRLs) in Windows</b> (published 2013-04-18, updated 2013-05-03)</div><br />
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Publish CRL to LDAP store:</u></span></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Courier New, Courier, monospace;">C:\> certutil -dspublish .\IssuingCA-DC1.crl serverName</span></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Validate a certificate's Authority Information Access (AIA), Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) status</u>:</span></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Courier New, Courier, monospace;">C:\> certutil -URL certname.cer</span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;">This command launches the UI shown below, which can be used to check the following:</span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;">Note: the certificate in question is revoked</span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;">Authority Information Access (AIA): this extension specifies where the issuing CA's certificate can be retrieved (used for building the certification path):</span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp76FAfBNMBNT_ZLD1aGtsZy-f5Eg3uWn6EH-WFeNs7JJe8B6Jj8wWbu2yX-IG-QBI_csaA8XJ13SGDgaExpgOLt01W6gh3sBS07EsfbngHsD-_xXP7KbgCu0Ek2hICfvVIKVMAKFJngw/s1600/crl1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp76FAfBNMBNT_ZLD1aGtsZy-f5Eg3uWn6EH-WFeNs7JJe8B6Jj8wWbu2yX-IG-QBI_csaA8XJ13SGDgaExpgOLt01W6gh3sBS07EsfbngHsD-_xXP7KbgCu0Ek2hICfvVIKVMAKFJngw/s1600/crl1.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6VvwfDs-yw3QyBefJU2q2OiDQ-e1VJciW9l2YhWTIH8hPMHPvMXzGyW-lLiB8uje2VFeAFlTH7t2AgsaoNA5ChlLI_qk3XeTMmM_4U0gAf0Kj2NE24SZvfDB1QJIjdw71J_c0BCoenQM/s1600/crl1a.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6VvwfDs-yw3QyBefJU2q2OiDQ-e1VJciW9l2YhWTIH8hPMHPvMXzGyW-lLiB8uje2VFeAFlTH7t2AgsaoNA5ChlLI_qk3XeTMmM_4U0gAf0Kj2NE24SZvfDB1QJIjdw71J_c0BCoenQM/s1600/crl1a.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;">CRL accessibility, based on the CRL Distribution Point (CDP) extension:</span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHf3egIIbfSvsDrhCxP0J2wvsxrsmRwigcvl64Rl6uFcFWKpaelw8CJLFzSSNwcAQn3rHHuIwt_Z5Z0oDr_UKvY8LnFHhvPTBPXb2c6INuedKN2c92IXdOvSIx4e9yUfBblZf0HmwAxTE/s1600/crl2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHf3egIIbfSvsDrhCxP0J2wvsxrsmRwigcvl64Rl6uFcFWKpaelw8CJLFzSSNwcAQn3rHHuIwt_Z5Z0oDr_UKvY8LnFHhvPTBPXb2c6INuedKN2c92IXdOvSIx4e9yUfBblZf0HmwAxTE/s1600/crl2.PNG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjizexvERU-LuVxx7nElKvhxwRAyTbg6V2ao3GHqzDj3Lth1jiNHaCvbFAX0vSgdEux6xPbxMIXbZweVasb1SWHV7HLiO6_ckndGNGrdtUaqXJT3RQl2RNsxwmIcK26k21o-FrKeS6GXUA/s1600/crl2a.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjizexvERU-LuVxx7nElKvhxwRAyTbg6V2ao3GHqzDj3Lth1jiNHaCvbFAX0vSgdEux6xPbxMIXbZweVasb1SWHV7HLiO6_ckndGNGrdtUaqXJT3RQl2RNsxwmIcK26k21o-FrKeS6GXUA/s1600/crl2a.PNG" /></a></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;">Revocation status using OCSP:</span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhadmU3s7zGoM8PQwedi4znnX52z9SfX4X63iFRqKhOvxcZ_Y0yaZrosYFGWHNJTxPoFf9Ktav34xE725PtCLwhjWVkqOEth_rLkJh01ShAFLv1IHAJLQi7pG7pCLIRbDNwQv_3uHJ8UrI/s1600/crl3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhadmU3s7zGoM8PQwedi4znnX52z9SfX4X63iFRqKhOvxcZ_Y0yaZrosYFGWHNJTxPoFf9Ktav34xE725PtCLwhjWVkqOEth_rLkJh01ShAFLv1IHAJLQi7pG7pCLIRbDNwQv_3uHJ8UrI/s1600/crl3.PNG" /></a></div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">The OCSP URL is specified in the AIA extension:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoQg6tRVSbi1ECUJxPV-IEoOPu0y9i3Mw2lv6SWQxC3tUxT_-RJk2YAxj5PbTJTDVGsaPGmLPiiPxDWHc52FJfdX1IQCCtK5whvmheYYlgrT-B9EmtrCW0KvpaKwDNelJhhicnM-AZCN8/s1600/crl3a.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoQg6tRVSbi1ECUJxPV-IEoOPu0y9i3Mw2lv6SWQxC3tUxT_-RJk2YAxj5PbTJTDVGsaPGmLPiiPxDWHc52FJfdX1IQCCtK5whvmheYYlgrT-B9EmtrCW0KvpaKwDNelJhhicnM-AZCN8/s1600/crl3a.PNG" /></a></div>
<div style="margin: 0in;">
<u style="font-family: Arial, Helvetica, sans-serif;"><br /></u>
<u style="font-family: Arial, Helvetica, sans-serif;">Download a CRL (creates the file "Blob0_1_0.crl" in the working directory):</u></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Courier New, Courier, monospace;">C:\> certutil -split -URL <a href="http://dc1.kp.local/pki/IssuingCA-DC1.crl">http://dc1.kp.local/pki/IssuingCA-DC1.crl</a></span></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><u>View CRL publication related registry entries:</u></span></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Courier New, Courier, monospace;">C:\> certutil -getreg ca\CRLPublicationURLs</span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="margin: 0in;">
</div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Verify revocation and validity of a specific certificate:</u></span></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Courier New, Courier, monospace;">C:\> certutil -f -urlfetch -verify .\compcert.cer</span><br />
<br />
<br />
<div style="margin: 0in;">
<u style="font-family: Arial, Helvetica, sans-serif;">View CRL cached by CryptoAPI:</u></div>
<div style="margin: 0in;">
<u style="font-family: Arial, Helvetica, sans-serif;"><br /></u></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;">Windows CryptoAPI caches downloaded CRLs for performance reasons.</span></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Courier New, Courier, monospace;">C:\> certutil -urlcache CRL</span></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><u>Update local CRL cache / View CRL:</u></span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><u><br /></u></span></div>
<div style="margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;">The command below forces an update of the CRL cache.</span></div>
<div style="margin: 0in;">
<br /></div>
<div style="margin: 0in;">
<span style="font-family: Courier New, Courier, monospace;">C:\> certutil -URL <a href="http://dc1.kp.local/pki/IssuingCA-DC1.crl">http://dc1.kp.local/pki/IssuingCA-DC1.crl</a></span></div>
<br />
<br /></div>
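<p>The checks that <code>certutil -URL</code> and <code>certutil -f -urlfetch -verify</code> run against a certificate (enumerate the AIA CA Issuers, OCSP and CDP URLs; validate the CRL's issuer, signature and thisUpdate/nextUpdate window; look the serial number up) can be reproduced offline. The following is an added example, not code from the post or from Microsoft, written with the Python <code>cryptography</code> library. The CRL URL is the one used in the post; the CA name, subject name, CA-issuer and OCSP URLs, and all keys are constructed test data built in memory, so nothing is fetched from the network.</p>

```python
# Added example (not from the post): an offline re-creation of what `certutil -URL`
# and `certutil -f -urlfetch -verify` check, using the `cryptography` library. The
# CRL URL is the post's; CA/subject names, AIA and OCSP URLs and keys are constructed.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

CRL_URL = "http://dc1.kp.local/pki/IssuingCA-DC1.crl"     # CDP URL from the post
AIA_CA_URL = "http://dc1.kp.local/pki/IssuingCA-DC1.crt"  # constructed (AIA: CA Issuers)
OCSP_URL = "http://dc1.kp.local/ocsp"                     # constructed (AIA: OCSP)
UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)


def build_test_pki(revoke, stale=False):
    """In-memory issuing CA, end-entity cert with AIA and CDP, and a CA-signed CRL.
    revoke=True lists the cert's serial; stale=True makes the CRL's nextUpdate past."""
    now = datetime.datetime.now(UTC)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "IssuingCA-DC1")])
    ca_cert = (
        x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - DAY).not_valid_after(now + 365 * DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    ee_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ee_cert = (
        x509.CertificateBuilder().issuer_name(ca_name)
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "compcert")]))
        .public_key(ee_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - DAY).not_valid_after(now + 30 * DAY)
        .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(CRL_URL)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
        .add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.CA_ISSUERS,
                                   x509.UniformResourceIdentifier(AIA_CA_URL)),
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(OCSP_URL)),
        ]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    age = 9 * DAY if stale else datetime.timedelta(hours=1)  # how old thisUpdate is
    crl_builder = (
        x509.CertificateRevocationListBuilder().issuer_name(ca_name)
        .last_update(now - age)            # thisUpdate
        .next_update(now - age + 7 * DAY)  # nextUpdate: 7-day CRL lifetime
    )
    if revoke:
        crl_builder = crl_builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(ee_cert.serial_number)
            .revocation_date(now - age).build())
    return ca_cert, ee_cert, crl_builder.sign(ca_key, hashes.SHA256())


def _ext(cert, oid):
    try:  # a certificate may lack CDP or AIA entirely; report that as None
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def extension_urls(cert):
    """The URLs `certutil -URL` enumerates: AIA CA Issuers, AIA OCSP and CDP."""
    aia = _ext(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS) or []
    cdp = _ext(cert, ExtensionOID.CRL_DISTRIBUTION_POINTS) or []

    def by_method(method):
        return [d.access_location.value for d in aia if d.access_method == method]
    return {
        "ca_issuers": by_method(AuthorityInformationAccessOID.CA_ISSUERS),
        "ocsp": by_method(AuthorityInformationAccessOID.OCSP),
        "cdp": [n.value for dp in cdp for n in (dp.full_name or [])],
    }


def _aware(dt):  # older cryptography releases return naive UTC datetimes
    return None if dt is None else (dt if dt.tzinfo else dt.replace(tzinfo=UTC))


def crl_status(cert, crl, issuer_cert, now=None):
    """'good', 'revoked' or 'error: ...': the CRL half of certutil -verify. The CRL
    counts only if it names the cert's issuer, its signature verifies with the
    issuer's key, and the check time lies within thisUpdate..nextUpdate."""
    now = now or datetime.datetime.now(UTC)
    if crl.issuer != issuer_cert.subject or crl.issuer != cert.issuer:
        return "error: CRL issuer does not match certificate issuer"
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return "error: CRL signature invalid"
    this_update = _aware(getattr(crl, "last_update_utc", None) or crl.last_update)
    next_update = _aware(getattr(crl, "next_update_utc", None) or crl.next_update)
    if this_update > now:
        return "error: CRL thisUpdate is in the future"
    if next_update is not None and now > next_update:
        return "error: CRL expired (nextUpdate passed); fetch a fresh CRL"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"
```

<p>Two of the branches correspond to situations the certutil commands above are used to diagnose: a CRL whose nextUpdate has passed is what a stale CryptoAPI cache serves until it is refreshed with <code>certutil -URL</code>, and a CRL that fails the signature check is what you get when the wrong issuer certificate (for example an old CA key after a renewal) is used for validation. Chain building and the actual fetch from the CDP and AIA URLs are left to certutil; the example only shows the decision that follows them.</p>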