ewx: (geek)
[personal profile] ewx

The official story, to the extent that it’s coherent at all, seems to be that yesterday, EveryDNS.net canceled Wikileaks’ domain name wikileaks.org.

EveryDNS say they told Wikileaks they were going to do this on Wednesday (1st December). (Obviously I’ve no way to tell if that is true, but it’s not very relevant to the points I want to make. Nor is it relevant whether EveryDNS did this for operational reasons or because they were under some kind of state pressure.) At any rate, the delegation for wikileaks.org still (now) points at EveryDNS’s name servers, and this matches the situation as it was yesterday:

chymax$ dig ns org|grep '^[^;]'
org.			2910	IN	NS	c0.org.afilias-nst.info.
org.			2910	IN	NS	b0.org.afilias-nst.org.
org.			2910	IN	NS	b2.org.afilias-nst.org.
org.			2910	IN	NS	a2.org.afilias-nst.info.
org.			2910	IN	NS	a0.org.afilias-nst.info.
org.			2910	IN	NS	d0.org.afilias-nst.org.
a2.org.afilias-nst.info. 2921	IN	A	199.249.112.1
a2.org.afilias-nst.info. 2921	IN	AAAA	2001:500:40::1
b2.org.afilias-nst.org.	14502	IN	A	199.249.120.1
b2.org.afilias-nst.org.	14502	IN	AAAA	2001:500:48::1
c0.org.afilias-nst.info. 2916	IN	A	199.19.53.1
c0.org.afilias-nst.info. 2916	IN	AAAA	2001:500:b::1
chymax$ dig ns wikileaks.org @199.249.112.1|grep '^[^;]'
wikileaks.org.		86400	IN	NS	ns1.everydns.net.
wikileaks.org.		86400	IN	NS	ns2.everydns.net.
wikileaks.org.		86400	IN	NS	ns3.everydns.net.
wikileaks.org.		86400	IN	NS	ns4.everydns.net.

However, they appear to be dropping any requests for wikileaks.org on the floor. (I think really they ought to be sending back a REFUSED response (rcode=5), but that’s just crappy implementation rather than anything sinister.)

chymax$ dig a ns1.everydns.net|grep '^[^;]'
ns1.everydns.net.	2707	IN	A	208.76.61.100
everydns.net.		2707	IN	NS	ns1.everydns.net.
everydns.net.		2707	IN	NS	ns4.everydns.net.
everydns.net.		2707	IN	NS	ns2.everydns.net.
everydns.net.		2707	IN	NS	ns3.everydns.net.
ns2.everydns.net.	2707	IN	A	208.76.62.100
ns3.everydns.net.	2707	IN	A	208.76.63.100
ns4.everydns.net.	2707	IN	A	208.76.60.100

; <<>> DiG 9.6.0-APPLE-P2 <<>> any wikileaks.org @208.76.61.100
;; global options: +cmd
;; connection timed out; no servers could be reached

As well as a lot of people passing IP addresses round Twitter yesterday, wikileaks.ch was suggested as an alternative name. I didn’t keep a record of DNS responses but when I checked yesterday this name was also being served from EveryDNS’s name servers! Later on yesterday they spotted that too and it went the same way as wikileaks.org. The last time I checked, the information returned by whois from nic.ch referred to a different set of name servers but the actual delegation in the DNS still pointed at EveryDNS.

As of today they’ve got wikileaks.ch sorted out:

chymax$ dig ns wikileaks.ch|grep '^[^;]'
wikileaks.ch.		2540	IN	NS	ns2.swebflex.ch.
wikileaks.ch.		2540	IN	NS	dns.wikileaks.ch.
wikileaks.ch.		2540	IN	NS	dns2.syshack.org.
wikileaks.ch.		2540	IN	NS	ns4.pcdog.ch.
wikileaks.ch.		2540	IN	NS	ns1.buzzernet.net.
wikileaks.ch.		2540	IN	NS	ns1.swebflex.ch.
wikileaks.ch.		2540	IN	NS	ns3.pcdog.ch.
wikileaks.ch.		2540	IN	NS	ns2.pcdog.ch.
wikileaks.ch.		2540	IN	NS	dns1.syshack.org.
wikileaks.ch.		2540	IN	NS	ns1.pcdog.ch.
dns.wikileaks.ch.	2540	IN	A	178.63.167.108
dns.wikileaks.ch.	2540	IN	A	193.138.215.125
dns.wikileaks.ch.	2540	IN	A	212.101.16.84
dns.wikileaks.ch.	2540	IN	A	216.18.205.196
dns.wikileaks.ch.	2540	IN	A	46.4.160.2
dns.wikileaks.ch.	2540	IN	A	77.109.132.51
dns.wikileaks.ch.	2540	IN	A	85.124.44.140
ns1.buzzernet.net.	9740	IN	A	193.138.215.125
dns1.syshack.org.	42140	IN	A	46.4.160.2

The following are completely clear:

  • Wikileaks’ DNS was formerly a single point of failure (EveryDNS) and it failed.
  • Nobody has canceled wikileaks.org. Its DNS provider threw in the towel, that’s all.
  • EveryDNS were no more willing to provide name service for wikileaks.ch than for wikileaks.org and treated it in exactly the same way.
  • wikileaks.ch is now up and running and, at least superficially, more robustly configured than wikileaks.org was.

These things are true but hard to explain:

  • Wikileaks attempted to bring up their new domain using the same single point of failure that had just failed.
  • Wikileaks still have not moved wikileaks.org to their new DNS infrastructure.
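The dig checks above (is the delegation at the TLD still pointing at a provider, and do those servers answer, REFUSE, or silently time out) and the "single point of failure" observation can be turned into a small reusable check. The following is an added example, not ewx's code: it builds a raw NS query, classifies an authoritative server's reply by rcode or timeout, groups name servers by provider, and reports the failure modes the post describes. Assumptions: the provider grouping is the naive "last two labels" rule, the network probe is IPv4-only, and the per-server outcomes for wikileaks.ch are constructed (the post only shows its NS set), whereas the four EveryDNS timeouts are as observed in the post.

```python
"""Delegation sanity check in the spirit of the dig checks in the post.

Added example (not ewx's code). Assumptions: registered_domain() uses the
naive "last two labels" rule, probe_server() is IPv4-only, and the
wikileaks.ch outcomes below are constructed, not observed.
"""
import random
import socket
import struct

# DNS response codes; the post says a declining server should send rcode 5 (REFUSED).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_NS = 2


def build_query(name, qtype=QTYPE_NS, qid=None):
    """Build a minimal DNS query: one question, recursion not requested, no EDNS."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)  # flags=0 -> RD=0
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(packet):
    """Return (id, rcode, ancount, nscount) from a DNS response header."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a DNS response")
    return qid, flags & 0x000F, an, ns


def probe_server(server_ip, zone, timeout=2.0):
    """Ask one authoritative server (IPv4) for the zone's NS set and classify the outcome.

    Returns 'timeout' when the server drops the query (what the post saw from
    EveryDNS), otherwise the rcode name, e.g. 'REFUSED' for a clean decline.
    """
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(zone, qid=qid), (server_ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    rid, rcode, _an, _ns = parse_header(data)
    if rid != qid:
        return "bad-id"  # not an answer to our question; treat as no answer
    return RCODE_NAMES.get(rcode, f"rcode={rcode}")


def registered_domain(ns_name):
    """Naive provider grouping: last two labels (assumption; ignores co.uk-style suffixes)."""
    return ".".join(ns_name.rstrip(".").split(".")[-2:])


def assess_delegation(zone, ns_names, outcomes):
    """Flag the failure modes the post describes: one provider, dead servers, silent drops."""
    providers = {registered_domain(n) for n in ns_names}
    serving = sorted(n for n in ns_names if outcomes.get(n) == "NOERROR")
    dropped = sorted(n for n in ns_names if outcomes.get(n) == "timeout")
    findings = []
    if len(providers) == 1:
        findings.append(f"single DNS provider ({next(iter(providers))}): one point of failure")
    if not serving:
        findings.append("no delegated server answers: the delegation is dead")
    elif len(serving) < len(ns_names):
        findings.append(f"only {len(serving)} of {len(ns_names)} delegated servers answer")
    if dropped:
        findings.append("queries dropped instead of REFUSED by: " + ", ".join(dropped))
    return {"zone": zone, "providers": sorted(providers), "serving": serving, "findings": findings}


# Constructed from the dig output in the post: the .org delegation on 4 Dec 2010.
ORG_NS = ["ns1.everydns.net.", "ns2.everydns.net.", "ns3.everydns.net.", "ns4.everydns.net."]
ORG_OUTCOMES = {n: "timeout" for n in ORG_NS}  # all four timed out in the post

# NS set as shown for wikileaks.ch; the NOERROR outcomes are assumed, not observed.
CH_NS = ["ns1.swebflex.ch.", "ns2.swebflex.ch.", "dns.wikileaks.ch.", "dns1.syshack.org.",
         "dns2.syshack.org.", "ns1.pcdog.ch.", "ns2.pcdog.ch.", "ns3.pcdog.ch.", "ns4.pcdog.ch.",
         "ns1.buzzernet.net."]
CH_OUTCOMES = {n: "NOERROR" for n in CH_NS}

if __name__ == "__main__":
    # Offline run over the constructed outcomes; swap in probe_server() results to go live.
    for zone, ns, outcomes in (("wikileaks.org.", ORG_NS, ORG_OUTCOMES),
                               ("wikileaks.ch.", CH_NS, CH_OUTCOMES)):
        report = assess_delegation(zone, ns, outcomes)
        print(report["zone"], "providers:", report["providers"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run as a script it reports the .org delegation as a single provider whose servers all drop queries, and the .ch delegation as five providers with nothing to flag; to check a live zone, feed `probe_server(ip, zone)` results for each name server's address into `assess_delegation` in place of the constructed outcomes.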

(no subject)

Date: 2010-12-04 12:15 pm (UTC)
From: [identity profile] wellinghall.livejournal.com
Um, any chance of a cut for length? Ta.

(no subject)

Date: 2010-12-04 02:07 pm (UTC)
From: [identity profile] sweh.livejournal.com
I wonder if, somehow, they can't make registrar level changes to the .org registration ("Admin Name:John Shipton c/o Dynadot Privacy"). You'd have thought it simple enough to change the delegation...

Not too surprising to see the .ch registration owned by the pirate party.

(no subject)

Date: 2010-12-05 01:35 pm (UTC)
From: [identity profile] ewx.livejournal.com
Possible but that wouldn’t explain why they tried to use EveryDNS for wikileaks.ch too.

(no subject)

Date: 2010-12-05 01:44 pm (UTC)
From: [identity profile] sweh.livejournal.com
I can't see from the whois record when it was registered; it's possible that it was an older pre-existing DNS entry (and so very likely using the same provider) and they just fell back to using that one.

(I see the whois record DNS entries for .ch have changed, again).

(no subject)

Date: 2010-12-04 10:17 pm (UTC)
From: [identity profile] arnhem.livejournal.com
If wikileaks.org is being more DDOSed than wikileaks.ch (and in particular if the DDOS is against the DNS rather than or as well as against the host(s)), then perhaps they don't want to poison their new DNS infrastructure by sticking wikileaks.org on it?

(no subject)

Date: 2010-12-05 01:37 pm (UTC)
From: [identity profile] ewx.livejournal.com
I think they’d have to assume their attackers to be pretty dim in that case. (Of course they may indeed assume that…)

(no subject)

Date: 2010-12-05 04:46 pm (UTC)
From: [identity profile] arnhem.livejournal.com
Not necessarily dim, possibly just slow.

I suspect there's non-trivial latency in re-targeting a botnet, so you might gain a day; in the current state of play, that's a bonus.

(no subject)

Date: 2010-12-06 03:21 pm (UTC)
From: [identity profile] knell.livejournal.com
Thanks for doing this. I see it as important to realise the difference between OMG US GOVERNMENT CENSORSHIP CONSPIRACY and OMG OUR PROVIDERS CAN'T HANDLE THE LOAD AND DROPPED US, but unfortunately rational discussion of anything involving Wikileaks seems to be hard to find.
