The Internet is broken in China

For a while now I’ve been aware of this situation, but thinking it would pass I didn’t do anything. Well, it hasn’t, so I thought I’d start sharing what I see.

Beijing Telecom has broken the Internet

At various places, one or more of the DNS servers you get from, e.g., wifi hotspots, will be configured to always resolve any domain name lookup. That means typos like www.doesnotexist11.com will resolve.

What do they resolve to? They resolve to IP addresses for websites of advertisers. It’s most likely a pay-per-referral business model.

In 2003 VeriSign introduced wildcards into .com and .net DNS zones (which they had exclusive control over) so that all typos would resolve to their SiteFinder site. This broke the Internet as well, and they were stopped dead in their tracks by multiple lawsuits and, in general, very bad publicity all around. What’s happening in China is worse in some ways:

  • It is clearly a greedy pay-per-referral model. SiteFinder could at least be argued to be helpful.
  • It’s been going on for a while (some months) now.
  • I’m not aware of any petitions or other fights against this.
  • (Unconfirmed) I’ve got a suspicion domains that are slow to resolve get treated as not existing, thus resulting in the wrong IP address being returned. Need a bit more proof.

The Proof

Here is what I could find out snooping around on the DNS servers I get when online through CNC at Pacific Coffee in Beijing:

% cat /etc/resolv.conf
domain domain
nameserver 202.106.46.151
nameserver 202.106.0.20

% host doesnotexist111.com 202.106.0.20
Using domain server:
Name: 202.106.0.20
Address: 202.106.0.20#53
Aliases: 

Host doesnotexist111.com not found: 3(NXDOMAIN)

% host doesnotexist111.com 202.106.46.151
Using domain server:
Name: 202.106.46.151
Address: 202.106.46.151#53
Aliases: 

[sometimes] Host doesnotexist111.com not found: 3(NXDOMAIN)
[     … or] doesnotexist111.com has address 202.108.251.201-205
[     … or] doesnotexist111.com has address 202.106.195.20

Although both name servers belong to CNC, only one of them (202.106.46.151) was misconfigured this way. It’ll return the IP addresses of two redirector site farms. When accessed, they redirect to client sites:

% telnet 202.108.251.201 80
Trying 202.108.251.201...
Connected to 202.108.251.201.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.doesnotexist111.com

HTTP/1.1 302 Found
Date: Sat, 11 Nov 2006 08:49:24 GMT
Server: Apache/2.2.3 (Unix) PHP/4.4.3
X-Powered-By: PHP/4.4.3
Location: http://navigation.bobodogs.com/
Cache-Control: max-age=600
Expires: Sat, 11 Nov 2006 08:59:24 GMT
Content-Length: 3
Content-Type: text/html


Connection closed by foreign host.

… and the other one…

% telnet 202.106.195.20 80
Trying 202.106.195.20...
Connected to 202.106.195.20.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.doesnotexist111.com

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=B7EB9B70BC5638135F8CC7B9306E8FF9; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 652
Date: Sat, 11 Nov 2006 08:51:53 GMT
Server: Apache-Coyote/1.1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">


<script language="JavaScript">
document.write("<html>");
document.write("<meta HTTP-EQUIV=\"Content-Type\" Content=\"text-html; charset=gb2312\">");
document.write("<head>");
document.write("<meta HTTP-EQUIV=\"refresh\" content=\"0.1;URL=/URLAsk\">")
document.write("<title>No Page Found</title></head>");
document.write("<body></body></HTML>");
</Script>
Connection closed by foreign host.

So it redirects to /URLAsk. Let’s follow the redirect to find the final (client) URL:

% telnet 202.106.195.20 80
Trying 202.106.195.20...
Connected to 202.106.195.20.
Escape character is '^]'.
GET /URLAsk HTTP/1.1
Host: www.doesnotexist111.com

HTTP/1.1 302 Moved Temporarily
Location: http://auto.search.msn.com/response.asp?MT=www.doesnotexist111.com&rov=&utf8
Content-Length: 0
Date: Sat, 11 Nov 2006 09:00:47 GMT
Server: Apache-Coyote/1.1

Connection closed by foreign host.

Both return the same pages all the time (small client base). The first one goes to a site called Bobodogs:

… the second goes to MSN search:

Another interesting point is that they’re returning fake 404 Not Found pages as well, as witnessed by the fact that I am on a Mac using Safari and Firefox, and I get a (broken even) Windows Internet Explorer error page.

So what can we do about it?

Beats me. Awareness of the problem is always good. Meanwhile, if you experience strange redirections, just know it’s not necessarily spyware on your computer… it could be a rogue DNS server.

This also brings up the question: Is this set up by some overzealous (and greedy) Unix administrators, or is this a new business model for CNC?
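The check from "The Proof" can be automated to tell a rogue resolver apart from local spyware. The script below is an added example, not part of the original post: it asks each nameserver in /etc/resolv.conf for several random names and flags any server that returns an answer instead of NXDOMAIN. It assumes IPv4 resolvers on UDP port 53 and that the random probe labels under .com are unregistered; several tries are made because the rewriting shown above is intermittent.

```python
import secrets, socket, struct

def build_query(name, qid):
    """Encode a minimal DNS A-record query with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, qid):
    """Map a raw DNS response to 'nxdomain', 'answered' or 'other'."""
    if len(response) < 12:
        return "other"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:  # wrong transaction or not a response
        return "other"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    return "answered" if rcode == 0 and ancount > 0 else "other"

def probe(server, tries=5, timeout=3.0):
    """Query `server` for random names that should not exist and tally results."""
    tally = {"nxdomain": 0, "answered": 0, "other": 0}
    for _ in range(tries):
        qid = secrets.randbelow(65536)
        name = "probe-" + secrets.token_hex(8) + ".com"  # random label, assumed unregistered
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, qid), (server, 53))
                tally[classify(s.recvfrom(512)[0], qid)] += 1
            except OSError:  # timeout or unreachable server
                tally["other"] += 1
    return tally

def verdict(tally):
    """A single answer for a random name is enough to flag the resolver."""
    if tally["answered"]:
        return "rewrites NXDOMAIN"
    return "honest" if tally["nxdomain"] else "inconclusive"

def nameservers(path="/etc/resolv.conf"):
    with open(path) as f:
        return [w[1] for w in (line.split() for line in f) if len(w) > 1 and w[0] == "nameserver"]

if __name__ == "__main__":
    for ns in nameservers():
        t = probe(ns)
        print(ns, verdict(t), t)
```

A resolver reported as "rewrites NXDOMAIN" is the one to remove from resolv.conf; "inconclusive" means every probe timed out or returned an error other than NXDOMAIN.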


8 Responses to “The Internet is broken in China”

  1. Adam Says:

    Those bastards!

  2. Richard Says:

    What about all the damn unsolicited spam that gets sent to my mobile phone in the form of SMS day and night!!!

    China will make a profit at any chance and screw the rules and whoever is in their way to do so. Lack of accountability by the people, the law enforcers and the willingness for people to just “accept as reality” and allow others to screw them over.

    Those guangao sms piss me off to no ends. If my phone service was free - it would be a different story but a 1,500 rmb a month in phone bills - I deserve better.

  3. bjorn Says:

    Hey, Richard, I tried your site http://utilitycomputing.com.cn/ and at a different hotspot. It’s using the same DNS’s, and since it seems the DNS isn’t resolving yet, one of the DNS servers is also redirecting me to the bobodogs site.

    Stupid me, I only now realize that what they’re trying to do is return something that looks like the IE DNS failure page but add advertising to it, thus the IE-looking failure thing on the left side of the page. Oh well, it’s just confusing.

    Agree with you about SMS spam. You can actually report this to China Mobile, though.

  4. Richard Says:

    Yeah - but they need you to do it for each and every number that comes in…… Sheesh. It is never ending.

    It can’t be a secret to see where on your network someone is linked in and sending mass sms and then just block them.

    I wish there was a “DO NOT SMS” list in China like the “DO NOT CALL” list in the states. I just find it completely incredulous how they can do it. I pay for the phone - and for that I get the benefit of advertising. They should offer a lower monthly rate for people that will put up with the constant beep, beep, beep, beep, beep of their phones…..

    I shouldn’t be surprised. China. No ethics.

    The problem for me is with server monitoring. It is like the boy who cried wolf. Any particular beep - I don’t know if it is an advertisement or a real notification from a system or a person. So unfair, such an abuse of my patronage. I wonder if UNICOM has this problem too?

  5. bjorn Says:

    It’s not immediately obvious that your attention has value and that spammers are stealing it (and in the case of SMS also stealing your RMB), and that this is wrong. It’s been a slow realization in the West as well. Currently not too much value is put on people’s time and attention in China, but given the speed most things develop here, I wouldn’t be surprised if this changed in a few years.

    Meanwhile, I’m considering reporting to China Mobile the spams I do get. Not sure, but I suspect Unicom is about the same.

  6. Amy Says:

    I was running a demo the other day to show Linux is a virtual land free of virus… then I made a typo in firefox address bar and it brought up this ugly bobodogs page! I was quite sure it was not caused by spam plugins but I just didn’t have time to digest what it actually meant.

    That was about 2 months ago. Thank you for your research on the issue. People like us can easily fix the issue by removing/replacing DNS server 202.106.46.151 (the one with illegal wildcard resolve settings) in resolv.conf, though I understand that’s not the point of this problem. I will try to talk to the people I know in CNC about it.

  7. bjorn Says:

    A friend of mine reported getting the Bobodogs page when trying to access Google as well, and I seem to remember having seen this as well. DNS lookups from China sometimes fail (UDP isn’t reliable) or time out too quickly, so the first couple of lookups can fail only for the later ones to succeed.

    Returning a Bobodogs error page truly breaks the Internet in this case.

    Let us know what you find from talking to CNC.

  8. Marc Says:

    Hi there:

    I have gotten the bobodogs.com site when accessing google.com from my apartment before. I think selling this space to bobodogs is reprehensible, also. Then again, despite the protestations of some of my friends who work in the biz here in Beijing, the Internet is a fucking joke here. The government has no ethics, the companies have no ethics, and it’s all just par for the course.

    I just figure eventually (maybe sooner than we think), these sorts of schemes will have no choice but to go away, just as China is growing more and more dependent on foreign money, and they are going to have to have these kinds of links fully functioning, instead of the frankenstein monster it seems to be now.
