by mschuster91 2688 days ago
> and the internal segment would not break if the outside routes suddenly disappeared.

Not when your default nameserver is 8.8.8.8. Or your NTP source is set to the public NTP pools.

There is definitely a benefit in doing a "we are isolated" scenario test once in a while to prepare for such incidents...
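A concrete way to run the "we are isolated" check the comment above suggests, added here as an example and not something posted in the thread: audit the host's resolver and NTP configuration for dependencies that live outside your own address space. The two config texts are constructed samples in /etc/resolv.conf and chrony/ntpd syntax, and the `.corp.example` suffix is an assumed internal zone; the public-vs-private split uses the standard library's `ipaddress` classification.

```python
"""Flag DNS and NTP dependencies that would vanish if outside routes disappeared.

Added example, not from the thread. Parses resolv.conf-style 'nameserver'
lines and chrony/ntpd-style 'server'/'pool'/'peer' lines; both sample
configs below are constructed for this example and do not describe a real host.
"""
import ipaddress

# Constructed sample: a typical workstation that quietly depends on Google DNS.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.20.0.53
nameserver 8.8.8.8
nameserver 2001:4860:4860::8888
"""

# Constructed sample: chrony config with one public pool and two internal sources.
SAMPLE_CHRONY_CONF = """\
pool 2.pool.ntp.org iburst
server ntp1.corp.example iburst
server 10.20.0.123 iburst
"""

# Assumed internal DNS zone; anything under it is treated as reachable when isolated.
INTERNAL_SUFFIX = ".corp.example"


def is_internal_ip(text):
    """True/False for an IP literal in private, loopback or link-local space; None if not an IP."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return ip.is_private or ip.is_loopback or ip.is_link_local


def _config_lines(text):
    """Yield (keyword, argument) for non-comment lines with at least two fields."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1]


def external_resolvers(resolv_conf):
    """Nameservers that are IP literals outside private/loopback/link-local space."""
    return [arg for kw, arg in _config_lines(resolv_conf)
            if kw == "nameserver" and is_internal_ip(arg) is False]


def external_ntp_sources(ntp_conf, internal_suffix=INTERNAL_SUFFIX):
    """NTP sources that are neither internal IPs nor hostnames in the internal zone."""
    found = []
    for kw, target in _config_lines(ntp_conf):
        if kw not in ("server", "pool", "peer"):
            continue
        internal = is_internal_ip(target)
        if internal is None:  # a hostname: judge by zone, since we cannot resolve it offline
            internal = target.lower().endswith(internal_suffix)
        if not internal:
            found.append(target)
    return found


def isolation_report(resolv_conf, ntp_conf):
    """Everything that would break in an isolation drill, grouped by service."""
    return {"dns": external_resolvers(resolv_conf),
            "ntp": external_ntp_sources(ntp_conf)}


if __name__ == "__main__":
    for service, deps in isolation_report(SAMPLE_RESOLV_CONF, SAMPLE_CHRONY_CONF).items():
        print(f"{service}: would lose {deps or 'nothing'}")
```

On a real host, feed it the contents of /etc/resolv.conf and your chrony or ntpd config; an empty report is the precondition for the isolation drill actually being a non-event. Note that hostnames are judged only by zone, because resolving them during the check would itself depend on the resolver being audited.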


8.8.8.8 is anycast; it is announced locally in many places around the world.
Is there a local instance of it in Russia? What happens when that server can’t reach any upstreams?
Yes there is, but if there wasn't it's easy enough for a government controlled provider to advertise it (and 1.1.1.1 etc).

China (and others) can also simply intercept all udp traffic to port 53.

> China (and others) can also simply intercept all udp traffic to port 53.

Which is why DNSSEC (to prevent MITM tampering) and DNS encryption technologies such as DNSCrypt or DNS-over-TLS/HTTPS become ever more important to be widely deployed.

DNSSEC does little to prevent state-level intercept of DNS queries, since it's a server-to-server protocol that collapses down to a single, trivially-flipped header bit in the client/server transaction.
Doesn't really help though - even when you bypass China's DNS hijacking you still can't connect to the target IP.
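To make the "single, trivially-flipped header bit" point concrete, here is an added example (not code from anyone in the thread) that builds a minimal DNS A-record response, reads the AD (Authenticated Data) flag a validating resolver sets for its stub clients, and then shows two things an on-path box can do to it: clear the bit with a one-bit edit, or rewrite the answer while leaving the bit set. The packet, transaction ID and addresses are constructed samples; nothing here talks to a real resolver.

```python
"""Why the AD bit alone protects a non-validating client from nothing.

Added example, not from the thread. The response below is a constructed
sample packet, built by hand from the DNS header layout (RFC 1035) plus the
AD/CD flag bits (RFC 4035); no network traffic is involved.
"""
import struct

# Header flag bits (16-bit flags word): QR, RD, RA, AD, CD.
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # "Authenticated Data": the resolver says it validated DNSSEC
FLAG_CD = 0x0010  # "Checking Disabled"


def build_response(txid, flags, qname="example.com", rdata=b"\x5d\xb8\xd8\x22"):
    """Construct a one-question, one-answer A response (sample data, not a capture)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    # Answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_flags(packet):
    """Decode the header: this is all a stub resolver ever looks at for 'security'."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F}


def _skip_name(packet, off):
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _rdata_offset(packet):
    off = _skip_name(packet, 12) + 4      # past question name, QTYPE, QCLASS
    off = _skip_name(packet, off)         # past answer name
    return off, struct.unpack("!HHIH", packet[off:off + 10])


def a_record(packet):
    """Dotted-quad from the first answer, or None if it is not a 4-byte A record."""
    off, (rtype, _, _, rdlength) = _rdata_offset(packet)
    if rtype != 1 or rdlength != 4:
        return None
    rdata = packet[off + 10:off + 14]
    return ".".join(str(b) for b in rdata)


def strip_ad(packet):
    """On-path tampering, variant 1: clear one bit; the message carries no proof it was set."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return struct.pack("!HH", txid, flags & ~FLAG_AD) + packet[4:]


def rewrite_a_record(packet, new_ip):
    """On-path tampering, variant 2: swap the address and leave AD set; no RRSIG reaches the stub."""
    off, _ = _rdata_offset(packet)
    new_rdata = bytes(int(x) for x in new_ip.split("."))
    return packet[:off + 10] + new_rdata + packet[off + 14:]


def stub_view(packet):
    """What a non-validating stub learns: (address, 'was this authenticated?')."""
    return a_record(packet), parse_flags(packet)["ad"]


if __name__ == "__main__":
    genuine = build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
    print("genuine :", stub_view(genuine))
    print("AD bit cleared :", stub_view(strip_ad(genuine)))
    print("answer forged :", stub_view(rewrite_a_record(genuine, "10.0.0.1")))
```

The stub sees `('93.184.216.34', True)`, then `('93.184.216.34', False)`, then `('10.0.0.1', True)`; it has no way to tell the third from the first, because validation happened (or did not) on the resolver and only the flag travelled. Encrypting the stub-to-resolver hop (DoT/DoH/DNSCrypt) or validating on the client itself is what closes that gap; DNSSEC on the resolver alone does not.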
There is. Only Google can answer the second question with certainty, but I'm 99% sure its upstreams are http://root-servers.org
So wouldn’t it be reasonable to test what happens when it can’t reach its upstream servers? I assume Russia will need to provide some way of DNS record changes still working. It could be they intercept/replace 8.8.8.8, or they intercept the upstreams, but whatever it is I can see why they would want to test it first.

Not that I agree with the ultimate reasons for doing this exercise — mass filtering and surveillance — just speaking to the technical merits of why a test would be done.