Afghanistan’s Internet: who has control of what?

Image of Bagram, Afghanistan. The air base is visible in the foreground, with the Hindu Kush mountain range in the background.

Bagram, formerly the site of the largest US military base in Afghanistan.

Over the past few weeks, the Taliban have taken control of substantially the
whole of Afghanistan, with just Kabul
Airport
and
the Panjshir Valley presently
controlled by the US Military and the National Resistance Front of
Afghanistan

respectively.

Yet the situation with Afghanistan’s internet infrastructure is quite different
to what anyone following the mainstream media might reasonably expect, as
Afghanistan’s key internet resources – domains, IP addresses, routing and
government communications – are controlled by a diverse set of entities subject
to Western jurisdictions.


Who is in control of the .af domain?

Presently, .af’s DNS is run using Anycast DNS
services

from Packet Clearing House, a San Francisco based
not-for-profit organisation, and Gransy, a Czech
registrar and registry services provider. Packet Clearing House provides free
Anycast DNS services
to
“developing-country ccTLD registries”, and Gransy provides free Anycast DNS
services
to ccTLDs with fewer than
10,000 domains – .af has around 6K domains and is well within Gransy’s
criteria for a free service.

% dig +short -t ns af
ns1.anycastdns.cz.
ns2.anycastdns.cz.
ns.anycast.nic.af.

% host ns.anycast.nic.af
ns.anycast.nic.af has address 204.61.216.13
ns.anycast.nic.af has IPv6 address 2001:500:14:6013:ad::1

% host ns1.anycastdns.cz
ns1.anycastdns.cz has address 185.38.108.108
ns1.anycastdns.cz has IPv6 address 2a00:fea0:dead::beef

% whois 204.61.216.13
NetRange:       204.61.208.0 - 204.61.217.255
CIDR:           204.61.208.0/21, 204.61.216.0/23
NetName:        WOODYNET-204-61-208-0-21
inetnum:        185.38.108.0 - 185.38.108.255
OrgName:        WoodyNet
OrgId:          WOODYN
Address:        2351 Virginia St
City:           Berkeley
StateProv:      CA
PostalCode:     94709-1315

% whois 185.38.108.108
netname:        NEROSO
descr:          NEROSO Inst., s.r.o.
descr:          Anycast DNS project
country:        CZ

Examining .af’s nameservers. NEROSO and WoodyNet are aliases for Gransy and Packet Clearing House respectively.

PCH & Gransy therefore control the resolution of .af domain names, and may
choose to honour or ignore DNS changes that the Taliban might make.
To keep the DNS operational, the Taliban is dependent on maintaining the
goodwill of PCH and Gransy, who appear to be operating an entirely pro bono DNS
service for the country.

However, during the Taliban’s previous administration Internet access was
prohibited on moral grounds. Were the Taliban to revert to this position and
decide that .af should be emptied, it would have no need of any DNS nor
goodwill.

Should that situation arise, PCH and Gransy are in a position to keep the .af
domains running, unless or until the Taliban have the credentials for a control
panel
at IANA, to change the name
servers for the ccTLD. The Taliban could contact IANA and ask for a change of
control, as happened when control of Afghanistan last
changed
; however
IANA is based in Los Angeles, and requests for ccTLD redelegation must
demonstrate that the requested change “serves the local Internet community’s
interest”.

Clarification (03/09/2021): since publishing this article, PCH contacted
us to us to clarify their position, and provided the following quote:

PCH provides DNS anycast service for Afghanistan, in the same way that we do
for 130 other countries. We receive DNS records from whatever name server is
deemed authoritative in the DNS root zone, and publish them globally. In the
case of .af, the name server is run by the Afghan Ministry of Communications.
That process has continued uninterrupted, and we don’t have any reason to
think that a change of control within the government will disrupt it.

Additionally,
since this article was published, IANA released a
statement

clarifying that the management of the .af ccTLD “has not changed”, so the
Taliban-controlled Afghan Ministry of Communications retains control.

For all .af domain owners, it is advantageous to have the DNS operated from
safe locations with reliable electricity supplies. There is precedence for
ccTLDs remaining stable through prolonged instability in the corresponding
country. For instance, bit.ly has been able to operate
throughout the Libyan revolution and the conflicts that have ensued.

It is also noteworthy that with the current DNS configuration at least two
thirds of the lookups from within Afghanistan for .af domains are resolved
outside the geographical perimeter of the Taliban’s control. Gransy, which runs
two of the three referenced nameservers, does not have a presence in
Afghanistan
; Packet Clearing House, which
runs the other nameserver, does.

What about the Afghan IP Address Space?

Almost 2000 netblocks exist with an AF country code, of which 1,911 are in the
IPv4 address space. In total, these netblocks comprise of 327,209 IPv4 addresses
which, at current market rates, are worth around $13 million.

Perhaps the most interesting of these are the netblocks delegated to Western
military bases. At the time of writing, some of those netblocks appear to still
have
services
running,
indicating that the Taliban has inherited, at least, some working Cisco kit.

A Cyberoam firewall 'Web Admin Console' login page, with username, password, and language fields.

A Cyberoam web interface found on a netblock with description ‘US Armed Forces Afghanistan’.

Both netblocks are announced by Afghan ISPs. Additionally, traceroutes
strongly suggest that the netblocks are still in use in Afghanistan.
Packets from the UK are routed via Kazakhstan and Pakistan:

% traceroute 117.55.204.100
traceroute to 117.55.204.100 (117.55.204.100), 30 hops max, 60 byte packets
[ ... ]
 9  149.14.126.178 (149.14.126.178)  126.801 ms  126.778 ms  126.787 ms
10  * * *
11  static.khi77.pie.net.pk (221.120.192.173)  128.740 ms  127.643 ms  127.937 ms
12  * * *
13  152.36.193.69 (152.36.193.69)  155.438 ms  155.575 ms  155.574 ms
[ ... ]

% traceroute 125.213.195.104
traceroute to 125.213.195.104 (125.213.195.104), 30 hops max, 60 byte packets
[ ... ]
 8  TNSPLUS-gw.transtelecom.net (188.43.12.249)  83.986 ms  83.923 ms  83.904 ms
 9  * * *
10  comp131-219.2day.kz (85.29.131.219)  104.124 ms  101.699 ms  103.120 ms
11  195.69.189.48 (195.69.189.48)  109.131 ms  108.522 ms  113.486 ms
[ ... ]

Plausibly, the US Military might adopt a scorched earth policy by logging back
in and encrypting everything they can, or follow the CIA’s lead in destroying
their former Afghan HQ through a large
explosion
.


Who is reading the Afghan Government’s electronic mail?

At least 34 Afghan government departments use web mail hosted in the US and
Germany by companies such as Google, Microsoft and Hostinger. For
example, moe.gov.af (the Afghan Ministry of Finance) and seventeen other
departments have MX records pointing to Gmail, while webmail.aop.gov.af, the
webmail service for the Administrative Office of the President, is a VPS at
Linode.

Pie chart showing mail servers by country. Afghanistan has 43.1%; the United States has 32.7%; Germany has 13.7%; Canada has 2.9%; the Netherlands has 1.3%; France has 1.3%.

.gov.af mail servers by country (calculated by counting MX records)

Through their influence over these companies, Western governments would be able
to read the majority of the Afghan government’s mail.


Where are Afghanistan’s web sites hosted?

This month’s Web Server
Survey

found 8,031 websites hosted in Afghanistan, and 23,205 sites within
Afghanistan’s .af country-code top-level domain (ccTLD). More than two-thirds
of the latter are hosted in the US, and over 2,000 are hosted in Germany. Less
than ten percent of .af sites are hosted in Afghanistan.

Nearly 1,000 of the .af sites are Afghan Government websites under the
.gov.af second-level domain – such as
president.gov.af
and
kabul.gov.af.
Less than half of these are hosted in Afghanistan, with the rest being hosted
in the US, Germany, Singapore, France, Canada, UK, Netherlands, Ireland and
India.


What about telecommunications and internet routing?

Afghanistan is landlocked and reliant on its
neighbours

or multinational satellite companies for internet connectivity. Internet and
electricity infrastructure has been damaged by explosions caused by the
Taliban

before they achieved control.

The best connected Afghan autonomous system (AS) is Afghan
Wireless
, an ISP that provides wireless internet
to over five
million

consumers and businesses. Afghan Wireless has a presence in multiple
international internet exchanges and peers with nearly 200 other networks from
many different countries, including the US, the UK, Germany, China, Russia, and
Pakistan. It was founded in 2002 as a joint venture between Telephone Systems
International Inc.
and Afghanistan’s Ministry of Communications and Information
Technology. Telephone Systems International Inc. is a US-based company with
headquarters in Florida, and Ehsan Bayat, the founder and chairman of Afghan
Wireless, is an Afghan-American dual citizen.

Generally, the Afghan Internet infrastructure seems quite analogous to the
Afghan financial infrastructure as reported by the Financial
Times
, where,
on one occasion, officials at the Afghan central bank had to explain to a group
of Talibs that the country’s $9bn in foreign reserves was unavailable because it
is held with the Federal Reserve Bank in New York and had been frozen by the US
government. Similarly, key aspects of the Afghan Internet are outside of the
Taliban’s direct control and may change through cooperation and negotiation or
adapt to route around them.