Module 10: AI

Question 1

What is DNS censorship?

Answer 1

Blocking or manipulating DNS queries to prevent users from resolving certain domain names.

Question 2

What are the properties of GFW (Great Firewall of China)?

Answer 2

Large-scale, centralized, multi-layered filtering system using DNS injection, blocking, content inspection, and active probing.

Question 3

How does DNS injection work?

Answer 3

A censor inserts spoofed or no response for a given domain

Question 4

What are the three steps involved in DNS injection?

Answer 4

1. DNS probe sent to open DNS resolver
2. Probe is checked against blocklist of domains or keywords
3. Blocked domains/keywords return fake DNS A record

Question 5

List five DNS censorship techniques and briefly describe their working principles.

Answer 5

1. Packet dropping (drop DNS queries)
2. DNS poisoning (inject forged responses)
3. content inspection (block based on payload)
4. blocking with resets (reset TCP connections)
5. immediate reset of connections (terminate sessions quickly).

Question 6

Which DNS censorship technique is susceptible to overblocking?

Answer 6

Packet dropping.

Question 7

What are the strengths and weaknesses of the ‘packet dropping’ technique?

Answer 7

Strong: simple and hard to bypass; Weak: causes collateral damage and overblocking.

Question 8

What are the strengths and weaknesses of the ‘DNS poisoning’ technique?

Answer 8

Strong: precise and persistent manipulation; Weak: block entire domain

Question 9

What are the strengths and weaknesses of the ‘content inspection’ technique?

Answer 9

Strong: precise, flexible
Weak: scalability

Question 10

What are the strengths and weaknesses of the ‘blocking with resets’ technique?

Answer 10

Strong: immediate stopping of connections
Weak: detectable and sometimes disrupts benign traffic.

Question 11

What are the strengths and weaknesses of the ‘immediate reset of connections’ technique?

Answer 11

Strong: fast and effective
Weak: easily identified and can be circumvented using encryption or retries.

Question 12

Why is our understanding of censorship around the world limited?

Answer 12

Because of lack of transparency, regional variation, measurement difficulty, and political sensitivity.

Question 13

What are the limitations of main censorship detection systems?

Answer 13

• Diverse Measurements
• Need for scale
• Identifying the intent to restrict content access
• Ethics and minimizing risks

Question 14

What kind of disruptions does Augur focus on identifying?

Answer 14

Routing-based connectivity disruptions across Autonomous Systems.

Question 15

How does Iris counter the issue of lack of diversity while studying DNS manipulation?

Answer 15

By using a global pool of DNS resolvers and comparing responses across regions via annotation and clustering.

Question 16

What are the steps involved in the global measurement process using DNS resolvers?

Answer 16

1. Scan IPv4 space for open DNS resolvers
2. Identifying infrastructure DNS resolvers
   
   1. Global DNS queries
   2. Annotate responses with auxillary information
   3. Additional PTR and TLS scanning

Question 17

What metrics does Iris use to identify DNS manipulation?

Answer 17

• Consistency
  
  • IP
  • AS
  • HTTP Content
  • HTTPS Certificate
  • PTRs for CDN
• Independent verifiability
  
  • SSL certificates

Question 18

How to identify DNS manipulation via machine learning with Iris?

Answer 18

Train classifiers on labeled resolver responses using extracted features to detect abnormal patterns.

Question 19

How is connectivity disruption achieved via routing disruption?

Answer 19

• withdrawing prefixes
  
  • re-advertising

Question 20

How is connectivity disruption achieved via packet filtering?

Answer 20

• Typically in firewalls and switches
• Harder to detect

Question 21

Explain a scenario of disruption detection when no filtering occurs.

Answer 21

Traffic flows normally; traceroute paths appear intact without anomalies. IP ID increments by 2

Question 22

Explain a scenario of disruption detection in the case of inbound blocking.

Answer 22

Probes to the target fail because inbound packets are dropped before reaching the destination. IP ID increments by 1

Question 23

Explain a scenario of disruption detection in the case of outbound blocking.

Answer 23

Probes leave the source but responses never return due to outbound filtering at the target’s network. IP ID increments my multiple sets of 2.