The 2019 Internet blackout in Iran was a great chance to analyze the National Information Network. At the time I was in Tehran, playing around to find a way out.
The blackout took less than 24 hours to become fully effective. Judging by the blackout's timeline, there are at least 4 groups of Internet users in Iran (note that people living in other cities might have experienced a different timeline):
- Mobile broadband Internet users
- Fixed broadband home users
- Universities and ordinary companies
- Data Centers and special IT companies
Mobile broadband users are always the first to be disconnected during every blackout (and most of the time the only ones), and home users are the next. This was the first time that universities and almost all companies were disconnected too (their blackout was only 24–48 hours shorter than the home users'). The only ones who kept Internet access were data centers and a few unique IT companies.
What kind of blackout was it? It was almost a perfect blackout: no ping response, no TCP handshake, no UDP DNS response (almost certainly no ICMP, TCP or UDP from inside to outside). Of course there were a few internal recursive / caching DNS resolvers which could answer your queries, but you could not resolve any domain name recursively yourself, because all the root servers were outside (apart from the national name servers, i.e. the .ir servers). However, there were some special cases: many internal (hosted inside) websites with non-national domain names (.com, .gov, .net, .info, ...) were accessible during the blackout. That is unusual, because every TLD has its own authoritative name servers, and I'm sure none of those are hosted inside Iran.
According to my tests, all DNS queries (I tested the SOA, A and TXT types), even for international domain names, were answered correctly by the internal recursive / caching resolvers. At first I thought they had simply cached all of my queries earlier (my knowledge was limited and I only remembered popular domain names), so they could answer without sending any request outside; that is why I needed another test to find out: a dynamic one. With limited resources and no information from outside servers it was a difficult task; I couldn't simply google it!
Luckily I knew about github.io pages. Anyone can use a personal sub-domain of github.io to host static content, so if I could resolve a random sub-domain of github.io, I had literally managed to send an external, non-cached request (no caching DNS server will answer an address query for a random, never-seen sub-domain of github.io with the cached address of some other sub-domain).
I requested the addresses of many random github.io sub-domains, and all of them were answered with the same address; I had already tested non-existent domains and received a not-found response, so I concluded that the addresses returned by the internal DNS servers were real, and that I had indeed managed to send a request outside and receive its response. At first I felt great: I had defeated the great censorship monster. But there were some problems:
- I didn't have any external server talking to me over DNS; I sent several SOS messages as TXT queries to Google's and Cloudflare's servers, but it was useless
- This time there was a DNS loophole in an almost perfect Internet blackout, but next time there might be nothing; and unfortunately that is the case
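The resolver test described above, written out as an added example (this is not code from the original post): a small Python probe that asks a resolver for a handful of random, never-before-seen labels under github.io (a zone that answers for any label, which is what makes the trick work) and, as a negative control, for a random label under the RFC 2606 reserved `.invalid` TLD, then classifies what came back. The zone names, the verdict labels and the `resolve_with_system` helper are my choices and assumptions, not the author's; the helper uses only the standard library and whatever resolver the host is configured with, so run it from the network you want to test.

```python
import random
import socket
import string

# Assumptions for this example (not the original post's tooling):
# github.io answers for any label, so a random sub-domain forces a real
# upstream lookup; ".invalid" is reserved by RFC 2606 and must come back
# NXDOMAIN from a resolver that can actually recurse.
PROBE_ZONE = "github.io"
CONTROL_ZONE = "invalid"


def random_label(rng, length=12):
    """A label no cache can have seen before."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def resolve_with_system(name):
    """Ask the host's configured resolver (stdlib only).

    Returns a sorted list of IPv4 addresses, [] for NXDOMAIN, or None
    when the resolver gave no usable answer (timeout, SERVFAIL, ...).
    """
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as err:
        return [] if err.errno == socket.EAI_NONAME else None
    return sorted({info[4][0] for info in infos})


def classify(resolve, probes=5, seed=None):
    """Run the probe and say what the resolver's answers prove.

    `resolve` follows the contract of resolve_with_system, so a fake can
    be passed in for offline testing.
    """
    rng = random.Random(seed)
    probe_names = [f"{random_label(rng)}.{PROBE_ZONE}" for _ in range(probes)]
    control_name = f"{random_label(rng)}.{CONTROL_ZONE}"

    answers = {name: resolve(name) for name in probe_names}
    control = resolve(control_name)
    answers[control_name] = control

    probe_answers = [answers[n] for n in probe_names]
    if any(not a for a in probe_answers):
        # No answer, or a forged NXDOMAIN, for a name that exists upstream:
        # the resolver cannot reach the zone's authoritative servers.
        verdict = "no_external_recursion"
    elif control:
        # A positive answer for an impossible name: the resolver is
        # synthesising or redirecting, so the probe answers prove nothing.
        verdict = "resolver_synthesizes_answers"
    elif control == []:
        verdict = "external_recursion_works"
    else:
        # Probes answered but the control timed out / SERVFAILed: the
        # resolver reaches some outside servers but not the root.
        verdict = "probes_answered_control_failed"

    # The post observed one address for every random sub-domain.
    uniform = len({tuple(a) for a in probe_answers if a}) == 1
    return {"verdict": verdict, "uniform": uniform, "answers": answers}


if __name__ == "__main__":
    result = classify(resolve_with_system)
    for name, addrs in result["answers"].items():
        print(f"{name:45} -> {addrs}")
    print("verdict:", result["verdict"], "| same address for all probes:", result["uniform"])
```

The control matters: a resolver that returns an address for a name that cannot exist (a captive portal or a "block page" resolver) would also answer every random github.io label, and the test would otherwise mistake that for working recursion.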
After the blackout I was happily working on my own tunnel over DNS, until I found something terrible. The website responsible for registering national domain names (nic.ir) introduces an experimental section: national domain name servers. It seems they already know about this loophole and are fixing it!
In the end, I'm sure the next Internet blackout will be the last one, and we will become another North Korea.
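The "SOS in a TXT query" attempt and the tunnel over DNS mentioned above both need the piece the author did not have: a zone whose authoritative name server you run, since that server, not Google's or Cloudflare's public resolver, is the only party that ever sees the query name. As an added example (my code, not the author's tunnel), the following Python encodes a message into query names under a hypothetical `t.example.com` and reassembles it on the server side. The domain, chunk sizes and header layout are assumptions; the constraints they respect are real DNS limits: base32 is used because names are case-insensitive and resolvers may randomise case, labels stay under the 63-octet limit, and whole names under 253 characters.

```python
import base64
import binascii
import re

# Assumed tunnel zone: you must run the authoritative server for it,
# because that server is what finally receives the query name.
TUNNEL_DOMAIN = "t.example.com"
CHUNK_BYTES = 90     # 90 bytes -> exactly 144 base32 chars, no padding
LABEL_LEN = 48       # well under the 63-octet DNS label limit
MAX_NAME_LEN = 253   # presentation-format limit for a full name
HEADER_RE = re.compile(r"[0-9a-f]{6}")   # 3 hex digits seq + 3 hex digits total


def encode_message(data, domain=TUNNEL_DOMAIN):
    """Client side: split `data` into DNS query names that carry it.

    Each name is <seq><total>.<base32 labels...>.<domain>. Base32 is
    used because DNS is case-insensitive and resolvers may randomise case.
    """
    chunks = [data[i:i + CHUNK_BYTES] for i in range(0, len(data), CHUNK_BYTES)] or [b""]
    if len(chunks) > 0xFFF:
        raise ValueError("message too long for a 3-hex-digit sequence number")
    names = []
    for seq, chunk in enumerate(chunks):
        b32 = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        labels = [b32[i:i + LABEL_LEN] for i in range(0, len(b32), LABEL_LEN)]
        name = ".".join([f"{seq:03x}{len(chunks):03x}"] + labels + [domain])
        if len(name) > MAX_NAME_LEN:
            raise ValueError("query name too long")
        names.append(name)
    return names


def decode_query(name, domain=TUNNEL_DOMAIN):
    """Server side: parse one query name into (seq, total, chunk) or None."""
    suffix = "." + domain.lower()
    name = name.lower().rstrip(".")      # tolerate FQDN form and 0x20 case games
    if not name.endswith(suffix):
        return None                      # not ours: ordinary traffic for the zone
    labels = name[:-len(suffix)].split(".")
    header, data_labels = labels[0], labels[1:]
    if not HEADER_RE.fullmatch(header):
        return None
    seq, total = int(header[:3], 16), int(header[3:], 16)
    b32 = "".join(data_labels).upper()
    b32 += "=" * (-len(b32) % 8)         # restore the padding the client stripped
    try:
        return seq, total, base64.b32decode(b32)
    except (binascii.Error, ValueError):
        return None


def reassemble(query_names, domain=TUNNEL_DOMAIN):
    """Server side: rebuild the message from queries seen in any order.

    Returns the bytes once every chunk has arrived, else None.
    """
    parts, total = {}, None
    for name in query_names:
        parsed = decode_query(name, domain)
        if parsed is None:
            continue
        seq, total, chunk = parsed
        parts[seq] = chunk
    if total is None or any(i not in parts for i in range(total)):
        return None
    return b"".join(parts[i] for i in range(total))


if __name__ == "__main__":
    # Constructed sample message, not captured traffic.
    for qname in encode_message(b"SOS from Tehran: the resolver still recurses"):
        print(qname)
```

In practice the client issues each name as a TXT (or A) query through the local caching resolver, the authoritative server for the zone logs the names it receives and answers them, and any downstream data rides back in the answer records; the encoding above is the part that has to be right before any of that works.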