Iris
Iris is a system that detects DNS censorship by comparing the responses of open DNS resolvers on the internet. This is done in a multi-step process, as shown below.
It first looks for open DNS resolvers that are part of the internet infrastructure (i.e. not home routers that are sometimes open due to misconfiguration).
Then we query them all for the same set of domains and compare the responses.
- Perform global DNS queries - establish a baseline using 3 of them within the control of the Iris team.
- Annotate DNS responses with auxiliary information to assist classification.
- Additional PTR and TLS scanning - this is to allow inconsistencies due to virtual hosting to be resolved.
After the dataset is gathered, we then calculate two types of metrics:
- Consistency metrics: Checking if the same lookup in different locations provides different responses for IP address, AS, HTTP content, etc.
- Independently verifiable metrics: These are metrics that use other datasets, such as HTTPS certificates, to verify that a response is correct.
If both of these metrics are satisfied, the response is considered correct; otherwise it is labelled as incorrect.
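
The two metrics and the labelling rule above, as an added example (not code from the Iris project). The `Answer` schema, the function names and the choice that agreeing with the baseline on any one of IP, AS or HTTP content counts as consistent are assumptions; the sample data is constructed from documentation IP ranges and reserved AS numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    """One DNS response plus the annotations gathered for it (hypothetical schema)."""
    resolver: str
    domain: str
    ips: frozenset
    asns: frozenset
    http_hash: str          # digest of the HTTP body served at the returned IPs
    cert_names: frozenset   # names on a trusted certificate served there, empty if none

def build_baseline(control):
    """Merge the control resolvers' answers into one baseline per domain."""
    base = {}
    for a in control:
        b = base.setdefault(a.domain, {"ips": set(), "asns": set(), "http": set()})
        b["ips"] |= a.ips
        b["asns"] |= a.asns
        b["http"].add(a.http_hash)
    return base

def consistent(a, base):
    """Assumption: agreeing with the baseline on IP, AS or HTTP content is enough."""
    b = base.get(a.domain)
    return bool(b and (a.ips & b["ips"] or a.asns & b["asns"] or a.http_hash in b["http"]))

def verified(a):
    """Independent check: a trusted certificate at the returned IP names the domain."""
    return a.domain in a.cert_names

def classify(a, base):
    # Rule as stated above: both metrics must be satisfied.
    return "correct" if consistent(a, base) and verified(a) else "incorrect"

def mk(resolver, ip, asn, http_hash, names):
    return Answer(resolver, "example.com", frozenset({ip}), frozenset({asn}),
                  http_hash, frozenset(names))

# Constructed sample data: documentation IP ranges and reserved AS numbers.
CONTROL = [mk("ctl-1", "192.0.2.10", 64500, "h1", ["example.com"]),
           mk("ctl-2", "192.0.2.11", 64500, "h1", ["example.com"]),
           mk("ctl-3", "192.0.2.10", 64500, "h1", ["example.com"])]
BASELINE = build_baseline(CONTROL)
SAMPLES = [mk("res-a", "192.0.2.10", 64500, "h1", ["example.com"]),   # same IP
           mk("res-b", "192.0.2.99", 64500, "h1", ["example.com"]),   # new IP, same AS
           mk("res-c", "203.0.113.5", 64501, "blockpage", []),        # nothing matches
           mk("res-d", "192.0.2.10", 64500, "h1", [])]                # TLS scan found no cert
LABELS = {a.resolver: classify(a, BASELINE) for a in SAMPLES}
```

`res-b` shows why the AS and certificate annotations matter: its IP is not in the baseline, yet it is labelled correct. `res-d` agrees with the baseline but is labelled incorrect because no certificate was collected, so a failed TLS scan looks the same as a manipulated answer under this rule.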