Something fishy about the DoT ban

Submitted by varun on Thu, 20/07/2006 - 1:40am.

The order to blacklist certain sites, issued by DoT to all ISPs in India, is now old news. I don't have anything original to add to the issue... everything that should be said has been said.

I was in Chennai for a couple of days on an official trip and did not know something like this was happening... the first inkling I got of something both sad and funny was while waiting to board the plane at Chennai.

Needless to say, the Government or CERT-IN or DoT or whichever body has initiated this is totally inept and clueless about blogs and the Internet. It scares me to think that these are the morons with the power to influence the Internet and take policy decisions about it in India. Funnily enough, even the so-called technology correspondents who wrote about this on various news sites seemed ignorant of the terminology and the technology behind blogs.

Loads of bloggers and non-bloggers have filed RTI applications asking for an explanation about this arbitrary ban. I was also thinking of filing one, frankly wanted to do it for the experience, but could not do so due to lack of time. I guess I will just wait for the government to come out with their version of the story and I am sure that the bloggers who filed the application will blog about it when they get their replies.

Now there is word that the ban was only a limited one, encompassing around 15-20 sites and not whole domains as is the case now. And it is being said that it is due to the technical ineptness or lack of technology of the ISPs that whole domains have become inaccessible. Bullshit. Nothing but bullshit. I find it very difficult to believe that all major ISPs would commit the exact same technical mistake at once... It is even more ridiculous to assert that ISPs do not have the capability to selectively block URIs! Blocking specific URIs (and not whole domains) is ridiculously easy to do... ISPs did it sometime in 2003 to block the Yahoo! group of some anti-India group... they initially blocked all Yahoo! Groups but then came to their senses and blocked only the offending Yahoo! group.

In other words there is definitely something going on behind the scenes. Maybe there was an unofficial but strict directive from the DoT to the ISPs to block the affected domains... but why you might ask. Who knows? It is difficult to fathom what goes on in the minds of the babus at the helm of these organizations.

Trackback URL:
http://www.thoughtfulchaos.com/trackback/599

17 comments

However...

Submitted by Ramnath R Iyer on Fri, 21/07/2006 - 9:10pm.
All blogspot.com URLs have the same IP address. I think host-based resolution is used to direct the user to the correct site. This may have something to do with the "technical ineptness" of the ISPs. I don't think they have any kind of access configuration filters on a per-client basis. Instead, they're probably blocking specific IPs from upstream ISPs. This could mean that they can block only IPs, and not domain-names.

didn't understand you fully

Submitted by varun on Sat, 22/07/2006 - 1:20am.

I have not researched how exactly they are effecting the ban but I think they are simply causing the DNS resolution to fail.

If you replace your default DNS settings with other DNS servers (for e.g. from OpenDNS) then you will be able to access the blocked domains.

If ISPs can cause the resolution of blogspot.com to fail, why can't they selectively cause example1.blogspot.com and example2.blogspot.com to fail? After all, each of these has to have an explicit entry in the ISPs' DNS servers. This explanation is not complete and has some caveats but what I want to say is they _can_ selectively block sites if they want to, especially the way they are doing it right now. Think about it.

Of course their performance might take a hit because they will have to do 17 comparisons instead of just 1 but then that is not justification enough to block entire domains.

Will elaborate on this when I get back to Delhi.

DNS isn't the problem

Submitted by Ramnath R Iyer on Sat, 22/07/2006 - 2:09am.

I don't think they've simply removed the DNS entries. I did an IP-address lookup from my PC (at DA-IICT) and the IP address was returned immediately. If I tried to connect using a browser, I would get a 'Connection Failed' or 'Timed-Out' message.

Each individual domain-name is an alias for blogspot.blogger.com, whose IP is 66.102.15.101. I tried using the IP itself, and ended up with the same message.

This is how I think blogspot works: a request is sent to 66.102.15.101. For every request that reaches the server at 66.102.15.101, the actual URL used to access the site is examined and an appropriate response is returned.

In this case, if IP-blocking is the only option, then either all these domain-names have to be blocked, or none at all, because each domain-name doesn't have a unique IP-address.

use proxy ...

Submitted by A (not verified) on Sat, 22/07/2006 - 12:35pm.

www.kproxy.com or www.shysurfer.com should be an easy workaround ..

Transparent Proxy

Submitted by Sahil (not verified) on Sat, 22/07/2006 - 4:27pm.

Most of the ISPs used transparent proxies when I was in India. They use a proxy like squid which funnels all HTTP requests through.

It's quite easy to block URLs in such a setup.
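The two points made above, Ramnath's (every blogspot.com name shares one address, so an address-level block is all-or-nothing) and Sahil's (a transparent HTTP proxy sees the request and can therefore match on the hostname or URL), can be seen side by side in a small model. This is an added example written for this page, not code from the original post or its commenters; the hostnames, the virtual-host table and the blocklists are constructed, and only the shared address is taken from the thread.

```python
"""Added example: IP-level vs hostname-level filtering on a virtually hosted
service.  Not code from the original post; names and tables are constructed."""

from dataclasses import dataclass

# Address quoted in the thread as the one every blogspot.com name maps to.
SHARED_IP = "66.102.15.101"

# Constructed virtual-host table: one address, many sites.  The origin server
# chooses content by the HTTP/1.1 Host header, exactly as Ramnath outlines.
VHOSTS = {
    "alpha.blogspot.com": "<h1>alpha</h1>",
    "beta.blogspot.com": "<h1>beta</h1>",
    "gamma.blogspot.com": "<h1>gamma</h1>",
}


@dataclass
class Request:
    dst_ip: str   # address the TCP connection goes to
    host: str     # Host header the server dispatches on
    path: str = "/"


def origin_server(req):
    """Virtual hosting: the server never sees which name was typed, only the
    Host header, so sites on one address cannot be told apart by that address."""
    body = VHOSTS.get(req.host)
    if body is None:
        return 404, "unknown virtual host"
    return 200, body


def ip_filter(blocked_ips):
    """Filter a router or upstream ISP can apply: it sees only packets, so it
    can match only on the destination address."""
    return lambda req: req.dst_ip not in blocked_ips


def host_filter(blocked_hosts):
    """Filter a transparent HTTP proxy (squid-style) can apply: it parses the
    request, so it can match on the Host header and the URL."""
    return lambda req: req.host not in blocked_hosts


def deliver(req, filters):
    """Pass the request through the network filters, then to the origin."""
    for allowed in filters:
        if not allowed(req):
            return 0, "connection failed (dropped by network filter)"
    return origin_server(req)


def outcomes(filters):
    """Status code each virtual host returns under the given filters."""
    return {name: deliver(Request(SHARED_IP, name), filters)[0] for name in VHOSTS}


if __name__ == "__main__":
    # Blocking the shared address takes every site down with it ...
    print("IP block:  ", outcomes([ip_filter({SHARED_IP})]))
    # ... while a Host-header rule removes only the listed site.
    print("Host block:", outcomes([host_filter({"alpha.blogspot.com"})]))
```

The model keeps the two filters deliberately minimal: the packet-level filter has no access to the Host header, which is the whole reason an IP block on a shared address cannot be selective, while the proxy-level filter could just as well match on the full URL, which is what Sahil's squid setup would do.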

wouldn't squid be a huge performance hit?

Submitted by varun on Tue, 25/07/2006 - 4:30pm.

I believe that even if Squid is being used somewhere then it is very close to the end user and not more upstream. In such a case it would be very cumbersome pushing the list of blocked domains to hundreds (possibly thousands) of Squid proxies.

ISPs would be handling huge amounts of requests and I think using Squid would not give acceptable performance... maybe small time ISPs used to do it many years ago but I seriously doubt if it is the norm, especially today.

they _are_ blocking DNS name resolutions

Submitted by varun on Tue, 25/07/2006 - 4:26pm.

Funnily enough the block still seems to be in place for me. I am unable to access any blogspot.com blogs even now. I was out of town and have just come back so I don't know if it is just me or it is the case everywhere.

Your analysis is incorrect in this case. You are right when you say that blogspot.com sub-domains are an alias for blogspot.blogger.com (IP address: 66.102.15.101). So what happens is that the browser first tries to resolve example.blogspot.com, this aliases to blogspot.blogger.com (STEP 1), the browser resolves blogspot.blogger.com (STEP 2), gets an IP address and crafts the appropriate HTTP request. So even though all sub-domains map to the same IP address the browser does not (cannot) know that and has to go through the above 2 steps.

If DNS name resolution blocking is used then the blocking can take place at STEP 1, thereby selectively blocking domains, instead of at STEP 2, which seems to be the case right now.

In the 3rd paragraph you have just outlined virtual hosting, i.e. the web server looks at the hostname (domain name) of the incoming HTTP request and uses that to serve the appropriate resource.

BTW I am a bit confused... which domain name did you look up from your DA-IICT PC?

I did some investigation and I am almost 100% sure that ISPs (at least mine, VSNL) are blocking DNS name resolutions for blogspot.com and its sub-domains to implement this block.

Here is what I did.

Checking whether my DNS thingies are working alright:

varun@calvin:~$ dig google.com

; <<>> DiG 9.3.2 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36526
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 166 IN A 64.233.187.99
google.com. 166 IN A 72.14.207.99
google.com. 166 IN A 64.233.167.99

;; AUTHORITY SECTION:
google.com. 344732 IN NS ns2.google.com.
google.com. 344732 IN NS ns3.google.com.
google.com. 344732 IN NS ns4.google.com.
google.com. 344732 IN NS ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 245689 IN A 216.239.32.10
ns2.google.com. 245689 IN A 216.239.34.10
ns3.google.com. 245689 IN A 216.239.36.10
ns4.google.com. 245689 IN A 216.239.38.10

;; Query time: 13 msec
;; SERVER: 202.54.15.30#53(202.54.15.30)
;; WHEN: Tue Jul 25 15:44:48 2006
;; MSG SIZE rcvd: 212

Things look fine.

Now let's see if we are able to resolve mumbaihelp.blogspot.com.

varun@calvin:~$ dig mumbaihelp.blogspot.com

; <<>> DiG 9.3.2 <<>> mumbaihelp.blogspot.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63163
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mumbaihelp.blogspot.com. IN A

;; Query time: 54 msec
;; SERVER: 202.54.15.30#53(202.54.15.30)
;; WHEN: Tue Jul 25 15:45:26 2006
;; MSG SIZE rcvd: 41

Oops! Looks like we are unable to get the IP address for mumbaihelp.blogspot.com.

So now I look up the IP address of mumbaihelp.blogspot.com from netcraft.com. As expected I get the answer 66.102.15.101.

Are the sites being blocked based on IP addresses?

varun@calvin:~$ ping -c 5 66.102.15.101
PING 66.102.15.101 (66.102.15.101) 56(84) bytes of data.
64 bytes from 66.102.15.101: icmp_seq=1 ttl=246 time=292 ms
64 bytes from 66.102.15.101: icmp_seq=2 ttl=246 time=297 ms
64 bytes from 66.102.15.101: icmp_seq=3 ttl=246 time=301 ms
64 bytes from 66.102.15.101: icmp_seq=4 ttl=246 time=275 ms
64 bytes from 66.102.15.101: icmp_seq=5 ttl=246 time=293 ms

--- 66.102.15.101 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4026ms
rtt min/avg/max/mdev = 275.545/292.251/301.649/8.922 ms

Nope. The IP address is reachable fine.

Now for the confirmatory test. I added
"66.102.15.101 mumbaihelp.blogspot.com"
to my /etc/hosts file and ...

varun@calvin:~$ ping -c 5 mumbaihelp.blogspot.com
PING mumbaihelp.blogspot.com (66.102.15.101) 56(84) bytes of data.
64 bytes from mumbaihelp.blogspot.com (66.102.15.101): icmp_seq=1 ttl=246 time=308 ms
64 bytes from mumbaihelp.blogspot.com (66.102.15.101): icmp_seq=2 ttl=246 time=305 ms
64 bytes from mumbaihelp.blogspot.com (66.102.15.101): icmp_seq=3 ttl=246 time=304 ms
64 bytes from mumbaihelp.blogspot.com (66.102.15.101): icmp_seq=4 ttl=246 time=307 ms
64 bytes from mumbaihelp.blogspot.com (66.102.15.101): icmp_seq=5 ttl=246 time=301 ms

--- mumbaihelp.blogspot.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4021ms
rtt min/avg/max/mdev = 301.462/305.261/308.575/2.561 ms

I type http://mumbaihelp.blogspot.com into my browser and the page is rendered just fine.
Voila! The ban has been circumvented.

This exercise clearly shows that they are simply breaking the DNS resolution step in the entire process. If that step can somehow be restored things should work fine. But I am still perplexed as to how you are still able to look up a blogspot.com sub-domain successfully? Maybe Reliance Infocomm screwed up in implementing the ban :-)
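The two-step lookup varun describes (blog name, then CNAME alias, then A record) and the three checks he runs (the resolver's status, reachability of the shared IP, and an /etc/hosts override) can be modelled to show where a name-level block is selective and where it is necessarily blanket. This is an added example for this page, not code from the original post or its commenters; the zone data, names and blocklists are constructed, and the classifier only encodes the observations reported in the thread (varun's SERVFAIL-but-IP-reachable case and Ramnath's resolves-but-connection-fails case).

```python
"""Added example: the two-step lookup from the thread with a resolver-side
blocklist applied at either step, plus a classifier for the three checks
varun ran.  Not code from the original post; zone data is constructed."""

SHARED_IP = "66.102.15.101"          # address quoted in the thread
ALIAS = "blogspot.blogger.com"       # CNAME target quoted in the thread

# Constructed zone data.  Each blog name is a CNAME to the shared alias
# (varun's STEP 1); only the alias carries the A record (STEP 2).
ZONE = {
    "alpha.blogspot.com": ("CNAME", ALIAS),
    "beta.blogspot.com": ("CNAME", ALIAS),
    "gamma.blogspot.com": ("CNAME", ALIAS),
    ALIAS: ("A", SHARED_IP),
    "google.com": ("A", "64.233.187.99"),   # control name from the dig output
}


def resolve(name, blocklist, hosts_file=None):
    """Model of the ISP's recursive resolver.  Returns (status, ip).

    `blocklist` holds the names the resolver refuses to answer for; it is
    consulted at every hop of the CNAME chain, so a blog name in it gives a
    selective block (STEP 1) while the alias in it blocks every blog (STEP 2).
    `hosts_file` models the client-side /etc/hosts override, which never
    reaches the resolver at all.
    """
    if hosts_file and name in hosts_file:
        return "NOERROR", hosts_file[name]
    for _ in range(8):                      # bound the CNAME chain
        if name in blocklist:
            return "SERVFAIL", None         # what varun's dig showed
        record = ZONE.get(name)
        if record is None:
            return "NXDOMAIN", None
        rtype, value = record
        if rtype == "A":
            return "NOERROR", value
        name = value                        # follow the CNAME (STEP 1 -> STEP 2)
    return "SERVFAIL", None


def classify_block(dns_status, ip_reachable, http_ok_via_hosts):
    """Infer the layer at which a block is applied from three observations:
    the resolver's status for the name, whether the shared IP answers
    (varun's ping), and whether an HTTP fetch succeeds once the name is
    pinned in /etc/hosts so the ISP resolver is bypassed."""
    if dns_status == "NOERROR" and ip_reachable and http_ok_via_hosts:
        return "none"
    if dns_status != "NOERROR" and ip_reachable and http_ok_via_hosts:
        return "dns-resolution"     # varun's VSNL observation
    if dns_status == "NOERROR" and not ip_reachable:
        return "ip-level"           # Ramnath's Reliance observation
    if dns_status == "NOERROR" and ip_reachable and not http_ok_via_hosts:
        return "http-layer"         # proxy / Host-header filtering
    return "inconclusive"


if __name__ == "__main__":
    print("block alias   :", {n: resolve(n, {ALIAS})[0] for n in ZONE})
    print("block one blog:", {n: resolve(n, {"alpha.blogspot.com"})[0] for n in ZONE})
    print("hosts override:", resolve("alpha.blogspot.com", {ALIAS},
                                     hosts_file={"alpha.blogspot.com": SHARED_IP}))
    print("VSNL case     :", classify_block("SERVFAIL", True, True))
    print("Reliance case :", classify_block("NOERROR", False, False))
```

Against a real network the same three observations come from dig against the ISP resolver and against a third-party one (the OpenDNS comparison varun suggests earlier), a ping or TCP connect to the shared address, and a fetch with the name pinned in /etc/hosts; the classifier does not change.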

And yet...

Submitted by Ramnath R Iyer on Sat, 29/07/2006 - 1:35am.

Quite contrary to your experiences, this is what I found:

I looked up the IP address of somesite.blogspot.com, and I got a valid response. That is, the domain-name-to-IP resolution was working.

Try entering the IP of any blogspot blog in your browser - you'll get a page with the text "ok" in it. When I tried it earlier (when the ban was in effect) I got a "Connection Failed" message from the proxy.

So my analysis was correct for my case. Yes, I was outlining virtual-hosting, but I'm not sure if that's the ONLY way it is done.

The conclusion I think, is that different ISPs were doing it differently. As for screw-ups, don't you think Reliance Infocomm did a better job enforcing the ban than your ISP? :-) RI didn't block the DNS lookups, they blocked the IPs.

you are right

Submitted by varun on Sat, 29/07/2006 - 4:09pm.

You are right. Different ISPs are implementing the ban in different ways. But funnily enough all of them imposed a blanket ban irrespective of the fact that the ban was implemented in different ways.

And you are also right about VSNL screwing up the ban and not Reliance... IP-based bans are (slightly) more difficult to circumvent than DNS-based bans. I don't know why but I got totally carried away with the whole thing and forgot the original objective of the ban :-) and that's why I concluded that Reliance had screwed up.

Shabby

Submitted by jhquest on Mon, 24/07/2006 - 3:27pm.

If the block is based on IP addresses, that's just too shabby. There are better ways of blocking just specific member sites on blogspot, however I have to admit this is the easiest. I do fail to understand how this would be unhackable, it's as easy as going through an anonymous proxy to get to blogspot. However, I cannot confirm if you can do that; if you cannot, then probably some other kind of blocking is in place. However, what would interest me the most is how the government is imposing this, as unlike the old days where the only upstream provider was VSNL, there are a lot more players in the market now. Technology apart, I do not see how this ban serves any purpose.

cheers
//JhQuest

blocked blogs can be accessed through anonymous proxies

Submitted by varun on Tue, 25/07/2006 - 4:35pm.

Bypassing this lame block using anon proxies is well documented.

I am very positive that the ban is being implemented by just causing DNS name lookups to fail.

True, there are many more upstream providers but all of them have to follow any instructions issued by DoT.

What I wanted to emphasize is that this blanket block by ISPs cannot be a mistake... it is too much of a coincidence. I think the government made a mistake and is now trying to sweep the issue under the carpet.

Can anybody give me the IP

Submitted by Anonymous (not verified) on Mon, 16/10/2006 - 1:44pm.

Can anybody give me the IP Address of www.kproxy.com or www.shysurfer.com

IPADD of Kproxy

Submitted by Amit (not verified) on Mon, 30/10/2006 - 2:48pm.

IPADD of Kproxy

IPAdd of Kproxy

Submitted by Bakshi (not verified) on Mon, 15/01/2007 - 4:49pm.

here is the ip of the kproxy enjoy....
62.193.247.220

hey can u suggest me another

Submitted by Pankaj (not verified) on Thu, 22/02/2007 - 3:51pm.

hey can you suggest me another one....'coz the above one cannot be accessed by us..

kproxy ip address

Submitted by Gopala Krishna (not verified) on Thu, 22/03/2007 - 1:34pm.

Hey.. you can use it.

http://066.232.118.93