DNS Anomalies: Why You Shouldn’t Host Your Web Infrastructure in China

Experts from the company Assetnote recently uncovered a widespread issue of DNS query spoofing within China’s internet infrastructure. While analyzing the DNS resolvers of a client with a significant presence in China, they noticed unusual behavior: numerous subdomains were resolving to random IP addresses.

At first, this anomaly was attributed to malfunctioning DNS servers. It was suspected that the query spoofing was related to unstable DNS resolvers or specific load balancing algorithms. However, it later became clear that the problem only occurred on servers located in China.

Initially, the spoofing was observed only on “.cn” domains, but it soon became apparent that other zones were also affected whenever their names were resolved through Chinese DNS servers. Researchers found that queries for subdomains containing certain keywords triggered unexpected DNS responses. For example, DNS queries sent to AlibabaDNS servers often returned unstable IP addresses, and the responses changed depending on the keywords present in the subdomain. Even queries for non-existent domains, which should have returned NXDOMAIN, could receive unexpected DNS responses.

Over time, it was established that the problem was not limited to a single DNS provider. DNS query spoofing was also found on servers of other providers, such as Cloudflare China. This indicates that the issue is systemic and related to the way DNS operates within the “Great Firewall of China.”
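The last observation above gives a simple defender-side check: a resolver that returns an A record for a canary name you never registered is answering from something other than the authoritative zone. The following is an added example, not code from Assetnote or the article; the canary name and the sample replies are constructed for illustration.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    # Minimal DNS A/IN query with the recursion-desired bit set.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(buf: bytes, off: int) -> int:
    # Advance past a wire-format name; a 0xC0 compression pointer is 2 bytes.
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)

def parse_response(resp: bytes):
    # Returns (rcode, [A-record IPs]) parsed from a raw DNS response.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def classify(rcode: int, ips: list) -> str:
    # A canary name that was never registered must come back NXDOMAIN (rcode 3).
    if ips:
        return "spoofed"  # an address was returned for a name that does not exist
    return "clean" if rcode == 3 else "inconclusive"  # SERVFAIL, NODATA, etc.

def probe(resolver: str, name: str, timeout: float = 2.0) -> str:
    # Send the canary query to one resolver over UDP and classify its reply.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        resp, _ = s.recvfrom(4096)
    return classify(*parse_response(resp))

def fake_reply(query: bytes, ips=(), rcode: int = 0) -> bytes:
    # Constructed sample reply (not captured traffic) that echoes the question.
    rrs = b"".join(b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    return struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0) + query[12:] + rrs
```

Run `probe()` for the same canary against resolvers inside and outside the region you care about; a "spoofed" verdict from only some of them is the pattern the article describes.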

Potential for Malicious Exploitation

Researchers then identified several ways this “feature” could be exploited for malicious purposes. The first method involves the CDN provider Fastly. If the spoofed IP addresses belong to Fastly’s infrastructure, attackers can intercept traffic by creating CDN profiles for the spoofed subdomains, so that all traffic to those names is redirected to the attacker’s servers.

The second method is related to a vulnerability in cPanel, which allows XSS attacks on spoofed subdomains. This approach also potentially enables attackers to exploit DNS spoofing to target end users.

The ability to intercept traffic and perform XSS attacks via DNS spoofing has serious consequences. Traffic interception in particular exposes HttpOnly cookies and other confidential data. However, the risk of an attack via Fastly depends on whether the domain has already been added to Fastly’s infrastructure. cPanel-based XSS attacks, by contrast, are more universal, though they do not provide access to HttpOnly cookies.

Possible Causes and Recommendations

Researchers believe that this behavior is linked to censorship efforts by the Chinese government. DNS spoofing may be part of the “Great Firewall of China,” which monitors and blocks requests to certain resources related to proxy servers, VPNs, torrents, and other prohibited content.

To minimize risk, experts recommend that organizations move their DNS servers outside of China. However, this may impact website performance and speed for Chinese users. Additionally, companies should ensure basic web security hygiene, such as setting the “Secure” and “HttpOnly” flags on cookies, to limit the impact of potential attacks on users.