[ooni-dev] Understanding how client resolver is determined

Arturo Filastò art at torproject.org
Wed Aug 3 10:34:54 UTC 2016

Hi Khairil,

The system resolver is determined by querying a public service run by akamai called whoami.akamai.net.

You can see our implementation of such service to see how it works here:

We don’t use our own servers for doing this as we are assuming that using a public service vs using
something hosted on a ooni.* domain is more stealth.

The basic idea behind how it works is that you do an A lookup for a special domain and the delegated
authoritative name server will reflect back the IP address from where the query originated.

The reason why you are seeing a different IP than that where you are directing your queries to is that
quite often DNS resolvers are deployed in a way where the machine actually doing the queries and
then caching them are different than those where you make queries to.

As an example with the google DNS resolver you will see this:

$ dig +short whoami.akamai.net @

However you can confirm that actually that IP is in the range allocated to google:

$ whois | grep ^Organization
Organization:   Google Inc. (GOGL)

Hope this answers your question.

~ Arturo

On Aug 3, 2016, at 09:27, Khairil Yusof <khairil.yusof at sinarproject.org> wrote:
> yaml webconnectivity log:
> accessible: false
> agent: redirect
> blocking: dns
> body_length_match: false
> body_proportion: 0.09658116667249887
> client_resolver:
> control:
>   dns:
>     addrs: [sarawakreport.org,,]
> Questions.
> What is client_resolver how does it determine that it's, in
> another yesterday it's (https://explorer.ooni.torproject.or
> g/measurement/20160802T205955Z_AS4788_3omRbM1JA9BYIMF5O5uiKEsdmUqy4kdun
> nKn7exzBlM2ebboDh?input=http:%2F%2Fwww.sarawakreport.org)
> Both of which I can't use to resolve addresses from the same network.
> The system resolver in this case is would also
> work but is not used in the report.
> However the http_request does use the correct tampered address, so I'm
> curious as to how it could use a resolver that I can't use to lookup
> from the same network.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.torproject.org/pipermail/ooni-dev/attachments/20160803/e3734624/attachment.sig>

More information about the ooni-dev mailing list