
Censorship Detector: using X.509 certificates to detect censorship implemented via DNS manipulation

Riccardo Fiorilla


Supervisor: Diana Gratiela Berbecaru. Politecnico di Torino, Master's degree course in Computer Engineering (Ingegneria Informatica), 2024

License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

DNS manipulation attacks can be carried out by different kinds of malicious actors, with the purpose of luring the victim to a webpage other than the one they originally meant to visit. The content of the malicious page varies with the attacker's motives, which range from credential theft to censorship. Over the years, different methodologies have been proposed to identify when such attacks happen. One of the latest heuristics consists in exploiting information obtained from X.509 certificates, which can indicate whether a manipulation attack has taken place. This work focuses on DNS manipulation attacks carried out to hide and censor domains, typically implemented by malicious DNS resolvers. The aforementioned methodology, based on certificate analysis, is shown to be a valid way to identify such attacks effectively. This methodology is used by Censorship Detector, a tool developed to determine whether a resolver provides manipulated DNS responses in order to block domains. The tool is mainly based on checking certificate fields, but it also implements auxiliary analysis techniques that take into account other data retrieved when connecting to a website, including the response status code and the page's HTML. When the tool is used to inspect DNS resolvers, the results obtained are consistent with those presented by previous studies, confirming that X.509 certificates provide essential information for detecting DNS manipulation attacks.

Supervisors: Diana Gratiela Berbecaru
Academic year: 2024/25
Publication type: Electronic
Number of pages: 85
Subjects:
Degree course: Master's degree course in Computer Engineering (Ingegneria Informatica)
Degree class: New regulations > Master's degree > LM-32 - COMPUTER ENGINEERING (INGEGNERIA INFORMATICA)
Collaborating companies: Politecnico di Torino
URI: http://webthesis.biblio.polito.it/id/eprint/34106