In the past, the Chinese authorities’ DNS poisoning system would direct Chinese internet users who were trying to access Facebook, Twitter and other blocked websites (without the use of a circumvention tool) to a set of fake IP addresses that are blocked in China or are non-existent. After waiting for some time, Chinese internet users would receive a timeout message if they were trying to access a blocked site.

However, with the new DNS poisoning system, in addition to those IP addresses used before, the Chinese authorities are using real IP addresses that actually host websites and are accessible in China. For example, https://support.dnspod.cn/Tools/tools/ shows that if a user tries to access Facebook from China, they might instead land on a random web page, e.g. http://178.62.75.99

Below is a screenshot by a Chinese user when he was trying to access our GreatFire.org website which was blocked in China. He was redirected to a goverment site in Korea. In essense, GFW is sending Chinese users to DDOS the Korea government's website.

One Chinese Internet user reported to us that when he tried to access Facebook in China, he was sent to a Russian website, unrelated to Facebook. Another user tweeted that he was redirected to an German adult site when he tried to access a website for a VPN.

某墙你这什么意思,DNS 污染返回给我一个德国工口站的 IP,满屏很黄很暴力弹弹弹(

— nil (@xierch) January 4, 2015

The redirection to adult content is especially ironic. The authorities often cite the “protection of minors” as one reason to justify internet censorship. But in this example, users who are trying to access perfectly legal but blocked content instead are sent to illegal (in China) adult content websites. Perhaps this is a mistake but it may not be. Does this signal that the censorship authorities are beyond the rule of law in China?

This upgrade of the GFW effectively disabled many anti-DNS-poisoning tools. Because GFW used only a small set of fake IP addresses, these tools could discard the fake IP addresses easily and access the correct IP addresses to bypass any block. Now this is no longer possible as legitimate IP address are used to poison other domains. In addition, the authorities may be experimenting with a new way of hiding censorship from the people by redirecting them to random sites that are accessible - making it seem that the problem rests with the host website.

Chinese internet users have grown accustomed to websites timing out - and many make the connection with censorship. Maybe the authorities think that, after a transition period, internet users will become accustomed to the new model of DNS poisoning as they have with websites timing out. We do not anticipate that Chinese netizens will react negatively to this change as many are already familiar with such tactics. The redirection strategy was already being used by some local ISPs in China to deliver advertising.

It is clear that the authorities treat the great firewall as a work-in-progress and are constantly tweaking and making changes to the censorship apparatus. We expect to see more changes in the coming months.