I'll Shake Your Hand: What Happens After DNS Poisoning

Authors: Jade Sheffey, Ali Zohaib, Dayeon Kang, Zakir Durumeric, Amir Houmansadr, Qiang Wu

Published in: FOCI, 2025 (Workshop)

DOI: n/a

Abstract

When a DNS request for a censored domain travels across China’s network boundary, the Great Firewall (GFW) will inject DNS responses pointing to bogus IP addresses. While packets sent to these IP addresses are often believed to be dropped or null-routed, in this report, we show that for unknown reasons, some of these IP addresses will actually accept TCP handshakes from clients. We characterize this behavior and fingerprint the infrastructure that accepts these client connections. Additionally, we analyze the malformed Teredo addresses sent in response to AAAA queries for censored domains. Finally, we suggest that users encrypt their DNS queries and block all outgoing traffic to these injected IP addresses.
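The abstract mentions malformed Teredo addresses returned for AAAA queries but does not say which malformations were observed. The following decoder is an added example, not code from the paper or its authors: it unpacks the Teredo fields defined in RFC 4380 (server IPv4, flags, obfuscated port, obfuscated client IPv4) and applies a few structural plausibility checks that are this example's own assumptions, so a resolver operator can at least separate well-formed Teredo responses from ones whose embedded fields cannot correspond to a real Teredo client. The sample addresses are constructed; the server value 65.54.227.120 is the one used in the RFC 4380 worked example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 4380: all Teredo addresses live under 2001:0000::/32.
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


@dataclass
class Teredo:
    server: ipaddress.IPv4Address   # Teredo server's IPv4 (bits 32..63)
    flags: int                      # 16-bit flags field (bits 64..79)
    port: int                       # client's mapped UDP port (bits 80..95, stored XOR 0xFFFF)
    client: ipaddress.IPv4Address   # client's mapped IPv4 (bits 96..127, stored XOR 0xFFFFFFFF)


def decode_teredo(addr: str):
    """Return the decoded Teredo fields, or None if addr is not in the Teredo prefix."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    # Port and client address are stored inverted so that NAT boxes cannot
    # recognise and rewrite them; undo the XOR to recover the real values.
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return Teredo(server, flags, port, client)


def _unusable(ip4: ipaddress.IPv4Address) -> bool:
    """Assumption of this example: a Teredo server or mapped client can only be a
    routable unicast IPv4; unspecified, private, loopback, multicast, link-local
    or reserved values cannot belong to a real Teredo relay or client."""
    return (ip4.is_unspecified or ip4.is_private or ip4.is_loopback
            or ip4.is_multicast or ip4.is_link_local or ip4.is_reserved)


def classify_aaaa(addr: str) -> str:
    """Classify one AAAA answer as 'not-teredo', 'well-formed', or
    'malformed:<fields>' listing the implausible fields."""
    t = decode_teredo(addr)
    if t is None:
        return "not-teredo"
    problems = []
    if _unusable(t.server):
        problems.append("server")
    if _unusable(t.client):
        problems.append("client")
    if t.port == 0:          # UDP port 0 is never a valid mapped port
        problems.append("port")
    return "malformed:" + ",".join(problems) if problems else "well-formed"


if __name__ == "__main__":
    # Constructed sample answers: one well-formed address, two with impossible
    # embedded fields, and one non-Teredo address from the documentation prefix.
    samples = [
        "2001:0:4136:e378:8000:63bf:f4e9:ded3",  # server 65.54.227.120, port 40000, client 11.22.33.44
        "2001:0:4136:e378:8000:63bf:ffff:ffff",  # client decodes to 0.0.0.0
        "2001:0:4136:e378:8000:ffff:f4e9:ded3",  # port decodes to 0
        "2001::1",                               # server 0.0.0.0, client 255.255.255.254
        "2001:db8::1",                           # not in 2001:0::/32 at all
    ]
    for s in samples:
        print(f"{s:40} {classify_aaaa(s)}")
```

Run against the AAAA answers a stub resolver logs for known-censored names, the classifier gives a first triage column; the checks are deliberately conservative (prefix membership, port, and address class only), because the Teredo flags field carries random bits under RFC 5991 and is not a reliable validity signal.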

Cite

@article{sheffey2025ll,
  title={I’ll Shake Your Hand: What Happens After DNS Poisoning},
  author={Sheffey, Jade and Zohaib, Ali and Kang, Dayeon and Durumeric, Zakir and Houmansadr, Amir and Wu, Qiang},
  journal={Free and Open Communications on the Internet},
  year={2025}
}