Can the US Really Shut Down .cn Websites? Inside DNS Root Server Mechanics
The article explains how DNS works, why there are only 13 logical root servers, how anycast distributes thousands of physical servers worldwide, the historical control the US has over most root servers, and what technical and policy measures China can use to protect its .cn domain from potential censorship.
Why Only 13 Logical Root Servers?
Because classic DNS messages sent over UDP are limited to 512 bytes (RFC 1035), only 13 root server IPs can fit within the space allocated for root records. Adding more would exceed the packet size limit.
Physical vs. Logical Roots
Those 13 logical roots are not 13 physical machines; each logical root is served by many physical servers worldwide using anycast routing. As of August 2020 there were 1,097 root server instances spread across the globe, all sharing the same 13 IP addresses.
Anycast means a single IP address represents a set of servers; traffic is routed to the nearest instance based on routing metrics such as hop count, latency, or load.
Basic DNS Concepts
DNS translates human‑readable domain names into IP addresses. A local resolver (LDNS) queries an authoritative DNS server when it lacks a cached answer. If the authoritative server cannot answer, it refers the resolver to the next level, eventually reaching a root DNS server, which points to the appropriate top‑level domain (TLD) servers.
There are 13 root servers (A‑M). Ten are located in the United States, with the remaining three in the UK, Sweden, and Japan. Their names and IPs are listed in the root‑hints file (e.g., named.root from https://www.internic.net/domain/named.root).
DNS Query Example
1. LDNS asks a root server for the IP of www.baidu.com.
2. The root server returns the NS records for the .com TLD.
3. LDNS queries a .com authoritative server, which points to the baidu.com authoritative server.
4. The baidu.com server returns an A record (or a CNAME that is then resolved).
5. LDNS finally returns the IP to the client.
If any cache entry exists at any level, the query stops before reaching the root.
Root Zone File
The root zone file, maintained by ICANN, contains all TLD delegations. It is about 2.2 MiB and updated whenever a TLD changes. Deleting the .cn entries from this file would make .cn domains unreachable after caches expire.
US Influence and Potential Risks
The United States operates 10 of the 13 logical roots, so in theory it could alter the root zone file to block or redirect domains. However, such an action would damage the credibility of ICANN and the US’s standing in internet governance.
China’s Root Mirrors
Since 2003 China has deployed its own root‑mirror nodes (F, I, J, K, L, etc.) managed by CNNIC, China Telecom, China Unicom, and other institutions. By 2019 there were dozens of mirror instances across major Chinese cities, all reachable via anycast, ensuring domestic queries stay within China.
Mitigation Strategies
Maintain control over local mirror content; do not synchronize deletions of .cn records.
Deploy scripts that re‑add .cn entries immediately after any upstream sync.
Optionally run an independent root server that does not follow the global root zone.
These measures keep Chinese users able to resolve .cn domains even if the global root were altered.
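A sketch of the sync guard these mitigation steps describe, as an added example that is not from the article or from any mirror operator's tooling. It compares the upstream root zone with the last known-good copy and restores a pinned TLD's delegation when upstream has deleted it or, going one step beyond the list above, changed its name servers (the redirect case). The function names, the pinning policy and the sample zone data are assumptions.

```python
# Added example, not from the article. Assumes one record per line: owner TTL class type rdata.

def tld_lines(zone_text, tld):
    """Lines owned by `tld` or by names under it (NS, DS, glue A/AAAA)."""
    kept = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if line:
            owner = line.split()[0].lower()
            if owner == tld or owner.endswith("." + tld):
                kept.append(line)
    return kept

def ns_set(lines, tld):
    """Name servers that `tld` itself is delegated to."""
    return {f[4].lower() for f in (l.split() for l in lines)
            if len(f) >= 5 and f[0].lower() == tld and f[3].upper() == "NS"}

def guard_sync(known_good, upstream, protected=("cn.",)):
    """Return (zone_text_to_load, report); report maps tld -> 'ok'|'removed'|'changed'."""
    report, merged = {}, upstream.splitlines()
    for tld in protected:
        good = tld_lines(known_good, tld)
        old_ns, new_ns = ns_set(good, tld), ns_set(tld_lines(upstream, tld), tld)
        if not old_ns or old_ns == new_ns:
            report[tld] = "ok"
            continue
        report[tld] = "removed" if not new_ns else "changed"
        stale = set(tld_lines(upstream, tld))         # discard upstream's view of the TLD
        merged = [l for l in merged if l.split(";", 1)[0].strip() not in stale]
        merged += good                                # pin the last known-good delegation
    return "\n".join(merged) + "\n", report

# Constructed sample data; addresses are from the 192.0.2.0/24 documentation range.
KNOWN_GOOD = """\
cn.          172800 IN NS  a.dns.cn.
cn.          172800 IN NS  b.dns.cn.
a.dns.cn.    172800 IN A   192.0.2.1
b.dns.cn.    172800 IN A   192.0.2.2
com.         172800 IN NS  a.gtld-servers.net.
"""
UPSTREAM = """\
.            86400  IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020080200 1800 900 604800 86400
com.         172800 IN NS  a.gtld-servers.net.
"""

if __name__ == "__main__":
    print(guard_sync(KNOWN_GOOD, UPSTREAM)[1])   # report for the constructed deletion case
```

A zone edited this way no longer matches the DNSSEC signatures of the published root zone, so validating resolvers that use the mirror need separate handling.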
Expert Opinions
Chinese Academy of Engineering member Wu Jianping (2019) stated that root servers are not a “nuclear button” and that a total shutdown is practically impossible.
ZDNS director Mao Wei (2020) noted that emergency root servers and additional mirrors can be used to restore service if the global root is compromised.
Conclusion
While the US technically controls most logical root servers, the combination of anycast, widespread mirrors, and the multistakeholder governance model makes a unilateral shutdown of .cn domains highly unlikely. The internet’s design includes redundancy and fallback mechanisms that preserve accessibility.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.
