Can the US Really Shut Down Your .cn Domain? Inside DNS Root Server Secrets

After the US announced its “Clean Network” initiative, concerns arose about whether America could block national top‑level domains by controlling the 13 DNS root servers; this article explains DNS fundamentals, the role of root mirrors, historical shutdowns, and how China mitigates such risks.

Programmer DD

Since the United States announced the “Clean Network” operation, many network‑savvy people worry that the U.S. might target root DNS servers to block national top‑level domains.

Historical incidents show this concern is not new: in 2014 the People’s Daily cited experts saying the U.S. controls 10 of the 13 global root servers, theoretically allowing it to block a country’s TLD instantly. Similar actions occurred during the Iraq war (blocking .iq) and in 2004 when the U.S. halted Libya’s .ly service for three days.

DNS Beginner's Guide

Basic concepts:

What is DNS? It translates domain names to IP addresses.

How does DNS work? Each computer has a local DNS resolver (LDNS) that queries authoritative DNS servers, often through several steps.

Authoritative DNS provides definitive answers for zones.

Root DNS is consulted when no cached information is available.

Number of root DNS servers – 13, with 10 located in the United States, one each in the UK, Sweden, and Japan.

Root server names and IPs are listed at https://www.internic.net/domain/named.root .

Why only 13 root servers?

Technical and historical reasons: DNS messages sent over UDP were limited to 512 bytes, which caps how many root server names and IP addresses fit in a single response.
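The size argument can be checked by building the response a resolver gets when it asks for the root NS set. The following is an added example, not code from the original article: it encodes a `. NS` response with RFC 1035 name compression and measures it. It assumes IPv4 glue only and no EDNS; the addresses, TTL and message ID are constructed placeholders.

```python
import struct

def encode_name(name, offsets, pos):
    """Encode a domain name written at message offset `pos`, using RFC 1035
    compression. `offsets` remembers where each suffix was first written so
    later names can refer to it with a 2-byte pointer."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for i in range(len(labels)):
        suffix = ".".join(labels[i:]).lower()
        if suffix in offsets:                      # reuse an earlier suffix
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        if pos + len(out) < 0x4000:                # pointers hold 14 bits
            offsets[suffix] = pos + len(out)
        out += bytes([len(labels[i])]) + labels[i].encode("ascii")
    return out + b"\x00"                           # root label ends the name

def priming_response(n_servers):
    """Build a `. NS` response with n NS records plus n A glue records."""
    names = [f"{chr(ord('a') + i)}.root-servers.net." for i in range(n_servers)]
    offsets = {}
    # Header: ID, flags (QR+AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n_servers, 0, n_servers)
    msg += b"\x00" + struct.pack("!HH", 2, 1)      # question: "." NS IN
    for name in names:                             # answer section
        # 11 bytes (owner, type, class, TTL, RDLENGTH) precede the RDATA
        rdata = encode_name(name, offsets, len(msg) + 11)
        msg += b"\x00" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    for i, name in enumerate(names):               # additional section (glue)
        owner = encode_name(name, offsets, len(msg))
        addr = bytes([192, 0, 2, i + 1])           # constructed placeholder IPs
        msg += owner + struct.pack("!HHIH", 1, 1, 518400, 4) + addr
    return msg

def max_servers_within(limit=512):
    """Largest number of lettered root names whose response fits in `limit`."""
    n = 1
    while len(priming_response(n + 1)) <= limit:
        n += 1
    return n

if __name__ == "__main__":
    print(len(priming_response(13)), max_servers_within(512))
```

Only the first name is written in full (20 bytes); every later name costs 4 bytes in an NS record and 2 bytes as a glue owner, which is what lets 13 servers and their addresses share one small response with room to spare.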

Are there really only 13 physical servers?

The 13 roots are logical entities; each has many physical machines worldwide. As of August 2020 there were 1,097 root server instances, each a mirror of the logical roots.

The number keeps growing; during the 70th‑anniversary parade in 2020, there were 1,015 instances.

How does DNS actually work?

When a user requests a domain, the resolver checks local caches, the OS cache, the hosts file, and finally queries the configured root server IPs (pre‑installed in the resolver). The resolver then follows the hierarchy: root → TLD → authoritative → final answer, using caching at each step.

What role do root mirrors play?

Root mirrors replicate the root zone file and serve the same 13 IP addresses using anycast, allowing users to reach the nearest mirror and providing redundancy if some roots fail.

How are root DNS servers managed?

They are operated by 12 organizations; the primary root (A‑root) is run by Verisign in the U.S. The root zone file is overseen by ICANN.

Historically, Jon Postel (UCLA) managed the roots, later transitioning to IANA under DARPA, and then to ICANN, which became an independent non‑profit in 2016.

Who manages China’s root mirrors?

Since 2003 China has deployed several mirrors: F‑root (China Telecom), I‑root (CNNIC), J‑root (China Unicom with Verisign), L‑root (Century Unicom & ICANN), and additional mirrors approved by the Ministry of Industry and Information Technology in 2019 (F, I, K, L, J). These mirrors are operated by domestic ISPs and research institutes under government supervision.

Can the U.S. tamper with root DNS?

While ICANN is independent, the U.S. government could theoretically force changes to the A‑root zone file, potentially deleting entries for a country’s TLD (e.g., .cn), causing global resolution failures after caches expire.

How to mitigate such risks?

China maintains its own mirrors, ensuring that domestic queries are routed to local mirrors via anycast. It can choose not to synchronize deletions of .cn records, or even run an independent root server.

Other countries could adopt similar strategies, but the global community would likely restore missing records quickly.
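The "do not synchronize deletions" idea above can be expressed as a check a mirror operator runs before serving a new copy of the root zone. This is an added example, not code from the original article or from any root operator: the zone snippets, NS host names and the hold policy are constructed assumptions, and it assumes one record per line with owner, TTL, class and type all present.

```python
def tld_delegations(zone_text):
    """Return (soa_serial, {tld: set of NS targets}) from master-file text."""
    serial, tlds = None, {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()     # drop comments, tokenize
        if len(fields) < 5:
            continue
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "SOA" and owner == ".":
            serial = int(fields[6])                # mname, rname, then serial
        elif rtype == "NS" and owner != "." and owner.count(".") == 1:
            tlds.setdefault(owner, set()).add(fields[4].lower())
    return serial, tlds

def review_update(current_text, incoming_text):
    """Compare an incoming root-zone copy with the one currently served."""
    cur_serial, cur = tld_delegations(current_text)
    new_serial, new = tld_delegations(incoming_text)
    removed = sorted(set(cur) - set(new))
    changed = sorted(t for t in set(cur) & set(new) if cur[t] != new[t])
    # Plain integer comparison; serial wrap-around is not handled here.
    serial_ok = None not in (cur_serial, new_serial) and new_serial > cur_serial
    return {
        "serial_ok": serial_ok,
        "removed": removed,
        "changed": changed,
        # Policy assumed for this example: hold any update that drops a TLD.
        "accept": serial_ok and not removed,
    }

# Constructed sample data, not real root zone contents.
CURRENT_ZONE = """\
.    86400  IN SOA a.root-servers.net. hostmaster.example. 2020080100 1800 900 604800 86400
cn.  172800 IN NS  ns1.registry-cn.example.
cn.  172800 IN NS  ns2.registry-cn.example.
org. 172800 IN NS  ns1.registry-org.example.
"""
INCOMING_ZONE = """\
; constructed: serial advanced, cn. delegation missing
.    86400  IN SOA a.root-servers.net. hostmaster.example. 2020080101 1800 900 604800 86400
org. 172800 IN NS  ns1.registry-org.example.
"""

if __name__ == "__main__":
    print(review_update(CURRENT_ZONE, INCOMING_ZONE))
```

An update held this way keeps the previous delegation in service on the mirror while operators review why the TLD disappeared upstream.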

Conclusion

The likelihood of the U.S. executing a wholesale root‑zone attack is low because it would damage its own credibility and control over the Internet. Nonetheless, DNS remains a critical infrastructure, and robust backup and anycast strategies help preserve resilience.

References

From Network Power to Network Strength (http://opinion.people.com.cn/n/2014/0624/c1003-25189448.html)

Analysis of U.S. Network Hegemony (http://www.wanfangdata.com.cn/details/detail.do?_type=perio&id=xxaqytxbm201410030)

Why are there only 13 DNS root servers? (https://www.zhihu.com/question/22587247)

Why 13 DNS root servers? (https://miek.nl/2013/november/10/why-13-dns-root-servers/)

https://root-servers.org

Initializing a DNS Resolver with Priming Queries (https://tools.ietf.org/html/draft-ietf-dnsop-resolver-priming-11)

Xu Hong: New Chapter in Global Internet Governance (https://zhuanlan.zhihu.com/p/23042167)

ICANN: IANA Functions (https://www.icann.org/zh/system/files/files/iana-functions-18dec15-zh.pdf)

Ruan Yifeng: Knowledge of Root Domains

Xu Peixi: Who Wins the IANA Transfer (https://mp.weixin.qq.com/s?__biz=MjM5Mzg0NTU0NQ==&mid=2649564853&idx=2&sn=6b9e6efc2a96600456a71836dcead62b&scene=21#wechat_redirect)

Wang Wei appointed PTI board member (http://news.sina.com.cn/c/2017-12-25/doc-ifypwzxq6350205.shtml)

MIIT approval for CNNIC root mirrors (http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057709/n4704651/c7015545/content.html)

MIIT approval for ZDNS L‑root mirror (http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057709/n4704651/c7015527/content.html)

Wu Jianping: DNS root servers are not the internet’s “nuclear button” (https://mp.weixin.qq.com/s?__biz=MjM5MTgzNDk4Mw==&mid=2652359881&idx=1&sn=ed8710ae67a57c7dc064c8cff659febf&scene=21#wechat_redirect)

ZDNS Mao Wei: Internet roots cannot cut China off (https://mp.weixin.qq.com/s?__biz=MjM5NzAxNjk2OQ==&mid=2649539902&idx=1&sn=3282d2d6dfab2ef6d01e0a01ffcf8933&scene=21#wechat_redirect)
