Hi all,
This comment is my personal view and has nothing to do with Netnod or
I-root.
My take is that the Great Firewall is a complex thing that acts
differently depending on the situation or protocol in use.
For DNS/port 53 I see the GFW more as an IDS (Intrusion Detection
System) listening on traffic and acting in ways we only see the result
of from time to time. The IDS thing can be anywhere in the network, at
the borders (probably not), at core locations at ISP networks or close
to the eyeballs.
For other protocols, like SSH or your favorite VPN, the GFW probably
acts more as a classic "brick" firewall with an inside and outside
interface.
If the GFW does things with BGP, I don't know.
So, I don't see the Great Firewall as a firewall in the way the word leads us to think.
I see it as a complex system made of many different parts and sometimes
we notice it when the "impersonation" affects the wrong "audience".
Because of this complexity (both on general network level and the GFW), I
don't think of local DNS root instances in the way that an instance can
be "country local".
I don't see Internet routing and BGP as a binary thing at network level.
Of course the routing decision in a single router has to be "binary" to
select next-hop, but on a larger scale you can't predict exactly what will
happen with your outgoing packets, as Liman wrote.
Regards,
// mem
On 2021-11-09 at 08:23, Davey Song wrote:
AFAIK, the root server instances in China are not expected to serve queries
outside of China. They are called local Root instances when they are
introduced.
It is true as Liman said no one wishes to inflict problems on clients
outside China.
There must be a network error, I think, which allows resolvers outside
China to reach it.
Network errors always happen, so the old issues will happen again. Sad.
Davey
On Mon, 8 Nov 2021 at 16:15, Anand Buddhdev <[email protected]> wrote:
Hi Davey, Manu,
The server we operate in Guangzhou was indeed reachable from outside
China. This is not the intention, of course. On Saturday, when we got
notification about this, we withdrew the prefix from the server, and we
are communicating with the host to solve this.
Many people have already said this, but I'd like to make it clear that
the K-root server was NOT emitting false responses for Facebook and
WhatsApp. The responses were being modified by something between the
server and its clients.
Regards,
Anand Buddhdev
RIPE NCC
On 08/11/2021 08:45, Davey Song wrote:
If it is urgent, I suggest the K root operator withdraw the route of the
instance in Guangzhou immediately.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations