by yardstick 2677 days ago
Is there a local instance of it in Russia? What happens when that server can’t reach any upstreams?
2 comments

Yes, there is, but if there wasn't it's easy enough for a government-controlled provider to advertise it (and 1.1.1.1 etc).

China (and others) can also simply intercept all UDP traffic to port 53.

> China (and others) can also simply intercept all UDP traffic to port 53.

Which is why DNSSEC (to prevent MITM tampering) and DNS encryption technologies such as DNSCrypt or DNS-over-TLS/HTTPS become ever more important to be widely deployed.

DNSSEC does little to prevent state-level intercept of DNS queries, since it's a server-to-server protocol that collapses down to a single, trivially-flipped header bit in the client/server transaction.

Doesn't really help though - even when you bypass China's DNS hijacking you still can't connect to the target IP.

There is. Only Google can answer the second question with certainty, but I'm 99% sure its upstreams are http://root-servers.org

So wouldn’t it be reasonable to test what happens when it can’t reach its upstream servers? I assume Russia will need to provide some way of DNS record changes still working. It could be they intercept/replace 8.8.8.8, or they intercept the upstreams, but whatever it is I can see why they would want to test it first.

Not that I agree with the ultimate reasons for doing this exercise — mass filtering and surveillance — just speaking to the technical merits of why a test would be done.
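
The "single header bit" in the DNSSEC comment above is the AD (Authentic Data) flag that a validating resolver sets in its reply to a non-validating stub. The following is an added example, not part of the thread: it parses that flag from a constructed DNS message and applies the RFC 4035 section 4.9.3 rule that a stub relies on AD only over a secure channel to a trusted resolver. The message bytes are constructed and all function names are hypothetical.

```python
import struct

QR = 0x8000  # response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # Authentic Data: "the resolver validated this with DNSSEC"


def build_response(txid: int, ad: bool) -> bytes:
    """Constructed sample: 12-byte DNS header plus a question for example.com A."""
    flags = QR | RD | RA | (AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in (b"example", b"com")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def ad_flag(msg: bytes) -> bool:
    """Read the AD bit from the 16-bit flags word at offset 2 of the header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack_from("!H", msg, 2)
    return bool(flags & AD)


def differing_bits(a: bytes, b: bytes) -> int:
    """Count bit positions where two equal-length messages differ."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def stub_verdict(msg: bytes, channel_authenticated: bool) -> str:
    """Policy from RFC 4035 section 4.9.3. The header carries no signature,
    so AD is only as trustworthy as the path it arrived over."""
    if not ad_flag(msg):
        return "unvalidated"
    return "validated-by-resolver" if channel_authenticated else "ad-untrusted"


if __name__ == "__main__":
    signed, unsigned = build_response(0x1234, True), build_response(0x1234, False)
    print("bits that differ:", differing_bits(signed, unsigned))
    print("plain UDP/53:", stub_verdict(signed, channel_authenticated=False))
    print("DoT/DoH to trusted resolver:", stub_verdict(signed, channel_authenticated=True))
```

A stub that wants more than this has to request the RRSIG records and validate the chain itself rather than read the flag.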