Sep 6 – 7, 2023 Workshop
Meliá Danang Beach Resort
Asia/Ho_Chi_Minh timezone

Intercept and Inject: DNS Response Manipulation in the Wild

Sep 6, 2023, 3:50 PM

19 Trường Sa, Hoà Hải, Ngũ Hành Sơn, Đà Nẵng 550000, Vietnam
Remote Standard Presentation OARC 41 Day 1


Ms Yevheniya Nosyk (Grenoble Institute of Technology)


DNS is the protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users from Mexico received bogus DNS responses when resolving It appeared that a BGP route leak diverted DNS queries to the local instance of the k-root located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought—the Chinese root server instance was reachable from at least 57 probes (in 15 countries) several months before being reported. We then launch a nine-month longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance and receiving bogus responses, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While less than 1% of queries are impacted, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation.

Primary authors

Ms Yevheniya Nosyk (Grenoble Institute of Technology)
Mr Qasim Lone (RIPE NCC)
Maciej Korczynski (Grenoble Institute of Technology)
