CERTainty: Detecting DNS Manipulation at Scale using TLS Certificates

DNS manipulation is an increasingly common technique used by censors and other network adversaries to prevent users from accessing restricted Internet resources hijack their connections. Prior work in detecting relies largely on comparing resolutions with trusted control results identify inconsistencies. However, the emergence of CDNs cloud providers practicing content localization load balancing leads these heuristics being inaccurate, paving need for more verifiable signals manipulation. In this paper, we develop a new technique, CERTainty, that utilizes widely established TLS certificate ecosystem accurately detect manipulation, obtain information about performing such We find untrusted certificates, mismatching hostnames, blockpages are powerful proxies Our show previous using consistency-based allowing 72.45% false positives cases detected as Further, 17 commercial filtering products 52 countries, including SafeDNS, SkyDNS, Fortinet, presence 55 ASes 26 countries perform ISP-level also 226 blockpage clusters not covered research. integrating techniques CERTainty into active measurement platforms continuously monitor