Monday 17 morning Orange clients could not connect to not only Google but also Wikipedia or OVH, biggest French hosting company. Most people got an error message saying that the site wasn’t reachable. Some ended up on a scary page telling them they tried to reach a terrorist website. This page was set up to by the French Ministry of Interior after an anti-terrorist law was passed in November 2014 to allow the police to
request censorship of websites.
This page is nicknamed “la main rouge” (red hand) because its first iteration was showing a red hand along with typos. (Today the red hand is replaced with a pictogram of an exclamation mark and typos are
A similar censorship law has been discussed in Czech republic and critics point the risk of blocking legitimate websites. Such accidents happened in the past and this French story is here to remind it. Let’s try to see how this could happen.
When the french police wants to block sites, they send to french Internet providers a list of addresses (domain names or hosts) that they want to be redirected to their “red hand” page. To make this redirection, ISPs use lying DNS resolvers.
Most clients of Orange are using the revolvers of their ISP to translate domain names to actual IP addresses of the requested service but it is possible for the ISP to change the true answer by another one. On this Monday, for the request google.fr Orange resolvers replied 18.104.22.168 which is the server hosting the anti terrorist page while anywhere else the answer could be for example 22.214.171.124 on Google’s network.
According to Orange who answered the press about it, the incident is due to “human error” started between 7 and 8 and lasted about one hour but some customers could still experience after 11h25. This is because Orange resolvers are setup to keep the information about requested domains for a certain time. Orange has more than 10 millions customers, this gives an idea of the impact of such human error.
In France most ISPs provide their own “boxes” that they remotely maintain, to sometimes offer additional services. The resolvers set on Orange “livebox” cannot be altered. This is off course possible to use other revolvers than the one provided on the “livebox” but most customers do not change it. This incident might push more Internet users in France to use external resolvers with the risk to switch to other lying DNS like OpenDNS.
The best solution to avoid such incidents would be to let customers run their own resolvers but this is too technical for most Internet users. Maybe a router like Turris Omnia running Knot DNS resolver can be a good help for this but this is another story.