Yesterday, service administrators and web surfers worldwide began to get a taste of what life behind the Great Firewall of China is like. Domain servers were inexplicably offering up Chinese services for many sites such as YouTube, Facebook, and others.
The results for some were interesting, to say the least. Much of YouTube and most of Facebook are not allowed in China, so what appeared on some users’ screens when visiting Facebook.com was not what they were used to.
The problem lay in the domain name system (DNS), in the Top Level Domain (TLD) servers at Verisign. Or, rather, the problem arose because the Verisign servers weren’t being consulted. It’s hard to explain, but let’s give it a shot. Ars Technica did a good job of explaining it to the tech-head, but not really to laymen. Here’s a breakdown.
When you type in “Facebook.com,” for instance, several things happen before your browser ultimately loads the popular social website. First, the “.com” portion triggers a domain lookup at the TLD server in charge of .com domains – Verisign. These lookups are generally handled regionally, so that if you’re in the Western U.S. you’ll likely have your query sent to a different set of servers than you would if you were in, say, Germany.
That regional response isn’t so much for time (it literally adds only nanoseconds to travel the globe), but more for security. If one TLD gets shut down, it won’t close up the entire ‘Net, just that region of it – which can be redirected until the problem is fixed.
What happened here was related to the way that TLD and DNS servers in China operate. In order to facilitate the firewall they use to censor what Chinese surfers can access, China had to get creative with the way that domain queries are handled there. Domain censorship is handled at the root rather than on individual sites or with some kind of software filter. So instead of filtering sites like your “kid safe” software might, China just filters the domains themselves, resolving them to Chinese-specific domains (.cn).
Somehow, this level of filtering was propagated to some TLD services outside of China, resulting in users outside of China being directed to Chinese versions of websites. Of course, whether this was all an accident or not is still up in the air, but most likely it’s a problem with the size of the Internet, number of users, and a system that is becoming antiquated.
Some major Internet Service Providers (ISPs) are already talking about changing a few of the easier-to-alter portions of how all of this routing works. The most obvious solution is to watch for domain queries being directed to Chinese-based websites and servers when those were not directly called. Basically, this would mean that anything aiming for something other than a .cn site address would never end up behind the Great Firewall.
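
The rule described above can be written as a small check on each DNS response. This is an added example, not code from any ISP or from the article. It assumes the ISP knows which answering servers sit behind the firewall; the prefixes, function names and sample log below are constructed for illustration.

```python
import ipaddress

# Constructed prefixes standing in for "servers behind the Great Firewall".
# These are RFC 5737 documentation ranges, not real allocations.
FILTERED_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("203.0.113.0/24", "198.51.100.0/24")]


def is_cn_name(qname: str) -> bool:
    """True only when the queried name's top-level label is exactly 'cn'."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] == "cn"


def behind_firewall(server_ip: str) -> bool:
    """True when the answering server falls inside a listed prefix."""
    addr = ipaddress.ip_address(server_ip)
    return any(addr in net for net in FILTERED_PREFIXES)


def check_response(qname: str, server_ip: str) -> str:
    """Reject answers from filtered servers unless a .cn name was asked for."""
    if behind_firewall(server_ip) and not is_cn_name(qname):
        return "reject"
    return "accept"


# Constructed log of (queried name, IP of the server that answered).
SAMPLE_RESPONSES = [
    ("facebook.com", "192.0.2.53"),      # answered outside the filtered ranges
    ("Facebook.com.", "203.0.113.10"),   # non-.cn name answered from inside
    ("example.cn", "203.0.113.10"),      # .cn name, directly called
    ("cn.example.com", "198.51.100.7"),  # 'cn' is not the top-level label
]


def audit(responses):
    """Return (name, server, verdict) for every logged response."""
    return [(q, s, check_response(q, s)) for q, s in responses]


if __name__ == "__main__":
    for q, s, verdict in audit(SAMPLE_RESPONSES):
        print(f"{verdict:6}  {q:18} answered by {s}")
```

The check keys on the top-level label only, so a name such as cn.example.com is still treated as a non-.cn query.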