DNS SERVFAIL for servers with Cloudflare's name servers (gray and orange cloud) #172
Comments
|
Well hello again to persisting issue here and if anyone can access naive developer plz ask him handle dns proper cause chromium acts on its request differently. and i see some idiot spam genius who says its cipher its fingerprint, its alien tech plz let's fix lvl by lvl and you still email man? cause nowadays it can be fixed only by that type of dns thing i emailed you before. |
|
It's interesting that the IP address 127.154.0.92 is returned. All of 127.*.*.* is localhost, which is why ping reports a round-trip-time of <1 ms. In Turkmenistan the firewall injects 127.0.0.1, but I think this is the first time I've seen localhost addresses other than 127.0.0.1 being used. You say that direct plaintext DNS queries sent directly to a foreign resolver (such as 1.1.1.1 or 8.8.8.8) do not get false responses. That tells me that it is the Iranian ISP resolver that is creating the false DNS response. In other words, it's not like the familiar injection of the IP address 10.10.34.34 into DNS responses. If you look at a packet capture, do you see only 1 DNS response (127.*.*.*), or 2 responses (127.*.*.* and the real one)? Cloudflare makes their IP ranges public: https://www.cloudflare.com/ips/. I was going to guess that the ISP resolvers are replacing any DNS responses with an IP address in that range (orange cloud), but you say that it affects even websites that don't use Cloudflare for proxying but only for DNS service (gray cloud). In that case they may be filtering for upstream DNS queries addressed to ns1.cloudflare.com, ns2.cloudflare.com, etc. What's the reasoning? It doesn't make sense to me either. I would guess it's a mistake, maybe an attempt to block something else. |
|
These website couldn't be opened on different devices (PC, Android) nxdomain-noreach, dns prob, etc were their errors. On Irancell, a different ISP, no such problem was present at that day, but in another day I could observer a similar problem. And with a VPN they could be opened, so I don't think it was a problem from my part, it was ISP's fault.
In Wireshark what I could see was a single response contained a "no response" as a response for DNS queries to these particular hosts. Maybe the Windows itself replaces no response with local-addresses? I am not sure. But I couldn't see bogon IPs on Wireshark DNS queries either, which confuses me even more. Hopefully they repeat this, and this time I will share packets. @alirezaac It seems that they have focused their attention on DNS. I haven't used naive personally, but @Nyxil says that naive TLS handshaking fails in this topic klzgrad/naiveproxy#404 which has nothing to do with DNS. Also I can't check my email frequently because it's a TOR based email. Often, It becomes inaccessible . |
|
@arandomgstring well whatever it is working it has bug in android plugin that keep using 8.8.8.8 plain and they dont fix it, and it is working fine and that ssl error even |
|
Hello. Can this problem be solved? I have a domain set up on cloudflare and I created an a record for it, but since a few days ago when I test the subdomain ping in windows I get an error |
|
Does it work to use an alternative CDN? https://palitechsociety.blogspot.com/2022/11/xray-vless-ws-tls-gcore.html |
|
@MH140000 xx.xx.xx.xx yourdomain.com Ofcourse xx.xx.xx.xx is your server IP address, and yourdomain.com is your domain that I am not aware of. Then open cmd, and run ipconfig /flushdns. Ping your domain again. Do you get timeouts again? Ping your server IP address directly. Do you see timeouts? If so, you need to buy another VPS. |
@MH140000 can you be more specific about the error you see? Is it a timeout, or do you get IP addresses that start with 127 like in the first post? |
Ping request could not find host ***. Please check the name and try again. |
Yes. This service works, but unfortunately this service does not proxy the IP and there is a possibility of blocking the IP. |
|
@arandomgstring for the problem with datacenters, they are likely to to just let go of iranian datacenters and make a centralized point to take control and people still can use methods but with the same difficulty as before, at this point i'm going to use datacenters that powers some sensitive services like this github, google and other stuff they gonna need for later, if it will come successful this can be an alternative instead of using arvan. |
Did you follow my instruction? Ping the IP of your server directly; what is the result?! As I have already reported in this topic, they are returning "NULL" or loop back responses in DNS queries, and it can be solved quite easily. @alirezaac |
after nearly 3 hours its still stucked on Abort Let's Encrypt certificate status. |
|
@wkrp For Orange Cloud: And for gray cloud (which I have my personal website on): Obviously 192.168.1.1 corresponds to IP of router, which redirects requests to ISP's DNS resolver. At the beginning I became suspicious that maybe router is the origin of problem. But no, first of all, why it happens at certain hours to begin with? Secondly, I changed DNS servers of router to that of google and cloudflare, and everything works fine. Therefore, it's not router's fault. And finally, I added dnsleaktest IP to hostfile to forcefully open it with ISP's DNS resolver (without doing so, I couldn't open this website, again because of I received no response for DNS query of this website. So I presume, dnsleaktest is using cloudflare's DNS propagator too, on gray cloud, that is) and here is the result:
So these bad boys are the origin of problem. Interestingly, these DNS resolvers open google, github, etc just fine, so it's not like they are totally busted or anything. It just so happens that they have some problems with cloudflare, at certain hours (5:30 AM to 11:30 AM approximately). Suspicious, isn't it? |
|
@arandomgstring |
|
@Azadzadeh
|
|
@arandomgstring I don't understand how a SERVFAIL (which is RCODE=2) transforms into a 127.154.0.92 IP address. It's possible that there is something else going on. The dnsleaktest experiment is clever, but if I understand correctly it is inconclusive. The IP addresses 2.189.44.10 and 2.189.44.11 are reported by the dnsleaktest service as being the source addresses of honest DNS queries; i.e., ones that are not being tampered with and that are reaching the dnsleaktest servers. It could be that the queries that are being responded to with SERVFAIL (or whatever is resulting in 127.154.0.92) are handled differently. With a recent version of dig, you may be able to get a more specific error reason from the SERVFAIL responses. The same information will be available in Wireshark if you expand the dissection tree. It's a good idea to do a systematic test to try to falsify your hypothesis that the time of day has something to do with it. Something like this, to make a log of resolution results every 10 minutes: while true; do date -u --iso=sec; dig @192.168.1.1 $HOSTNAME; sleep 600; done | tee $HOSTNAME.log |
Now, I know why I was getting 127.154.0.92 even with SERVFAIL; it made no sense to me as well. I was using proxifier on my device which uses "Fake DNS" underhood. Even ipconfig /flushdns couldn't get rid of it; so I had to restart the device to see the "actual" response (what I saw in wireshark). I pinged these hosts, and the respond was "Ping request could not find host ***. Please check the name and try again." just like how @MH140000 #172 (comment) said. I did the test with dig command on another device with another IP outside of Iran:
Same goes for nslookup: And all of these results are consistent with SERVFAIL, I guess. So what's up with dnsleaktest website results?! And besides, I tested tci.ir which belongs to TCI ISP itself. |
well gaming community solves this with taklol and such dns services that have cache relay or any dns tools on domestic servers, so i guess you know next thing you can achieve with such technic is(emailed you before this might solve many problem but DOH on them is tricky too.) |
|
My servers are behind Cloudflare with proxy status as proxied (in other words, it is orange) and they are working with no problems in Iran. Can it be dependent on your V2Ray or web server configurations? |
works on mobile (irancell / mci) too? |
Oh, mea culpa. As I double-checked it. No, it doesn't work when using cellular data. |
No, a timeout and SERVFAIL are different. Timeout means you never received a DNS response packet. SERVFAIL means you received a DNS response packet with a specific response code. An upstream timeout could happen when you are using a recursive resolver and the upstream resolver times out. But if you get a SERVFAIL you will know it, because you receive a packet. Querying the IP addresses 2.189.44.10 and 2.189.44.11 doesn't really show anything. Those IP addresses do not appear to be configured to accept DNS queries from the general Internet. The fact that they appear in the dnsleaktest output only shows what IP addresses were used to send the recursive queries; it does not mean that those same IP addresses also receive queries. They may be recursive resolvers that only respond to queries from a limited set of source addresses. The servers may have multiple network cards, with different IP addresses for incoming or outgoing. The IP addresses you saw may be NAT gateways for a real DNS recursive resolver that resides on a private LAN. There are many possibilities; I don't think the timeouts tell us much. What I meant to ask you to do is to use dig with the server 192.168.1.1, the resolver that was producing SERVFAIL results in #172 (comment). If there is more information about the cause of the failure, it is in those packets. I am trying to understand now what remains of this question. The strange 127.*.*.* addresses were attributed to a Fake DNS proxifier. So the remaining mystery is that, with your router's built-in recursive DNS resolver, at certain times of day, for certain domain names associated with Cloudflare DNS hosting, you get SERVFAIL responses? If so, then some information gathering along the lines of #172 (comment) can help find the cause. |
As I checked with someone else from Iran using MCI (Hamrahe Aval) mobile operator, I was reported that this person has access to the free Internet using cellular data. Probably the first one was probably using another mobile operator (Irancell ?). |
I believe if they succeed in blocking our proxy in one network, they're gonna use it on other ISPs too, should the time comes. Our method should be resilient in every network. |
|
I creat new account and add a subdomain via cdn and proxy but when i ping
this, i got ping request can not found host
در تاریخ سهشنبه 20 دسامبر 2022، 9:12 Azadzadeh ***@***.***>
نوشت:
… As I checked with someone else from Iran using MCI (Hamrahe Aval) mobile
operator, I was reported that this person has access to the free Internet
using cellular data. Probably the first one was probably using another
mobile operator (Irancell ?).
I believe if they succeed in blocking our proxy in *one* network, they're
gonna use it on other ISPs too, should the time comes. Our method should be
resilient in *every* network.
—
Reply to this email directly, view it on GitHub
<#172 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACCWHPOQ4R2FO53OUIV6AT3WOFBL5ANCNFSM6AAAAAAS5YAXWE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
@MH140000 |
|
Yes. I set dns about 3 days ago. With other vpn, i can ping this domain
در تاریخ سهشنبه 20 دسامبر 2022، 9:43 arandomgstring <
***@***.***> نوشت:
… @MH140000 <https://github.com/MH140000>
You should wait a little. Sometimes it might take 24h to 48h until DNS
propagation completes. Do another ping test with a VPN to see if you get
any results?
—
Reply to this email directly, view it on GitHub
<#172 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACCWHPPXZRWJLRHYLSWT2MDWOFFALANCNFSM6AAAAAAS5YAXWE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Wonderful. You might be able to get it work, unless they have blocked CDN IPs on IP level. To do it,, turn on VPN and if you are on windows run this command Now turn off VPN and ping again. This time, either you see normal pings which means you can connect to your personal VPN on that domain with no problem, or you will see timeouts which means you need to create another account and try again. Although I should add that, you can also ping those two IPv4s directly, without modifying hostfile. If they return timeouts, it also means you need another account. If they returned correct latencies, then you need to modify host file to make you proxy work |
|
It's about 2 AM in Iran. Right now they are responding with a Google IP (e.g. |
|
You sure? Why would they respond with google's IP when they can send ITA massenger's IP to get more fake traffic from people? That's even stranger than my experience. I believe we need several people to collectively gather data about DNS queries to get a verifiable result. I've written a bash code, that I hope people start using it for collecting more data about DNS poisoning, serverfail, etc. If you are on Windows, you should install WSL first to make it work, I don't like nslookup that much. Simply save this code in a file called "dns.bash" first, Then run |
|
@arandomgstring |
|
Thanks @arandomgstring. It will help a lot to have some systematic experimental results. You can also try looking at recent OONI measurements. The measurement results will show what IP address the domain name resolved to. From a quick scan, I only see "Confirmed" and "http-failure" OONI classifications (for twitter.com from Iran). I would expect to see some "dns-failure" if DNS were being tampered with as described in this thread. You may have to refine the search to include only a specific mobile ISP AS, etc.
|
|
@FinalityChanger @wkrp |
|
@wkrp Interestingly when there is no error, the response from ISP's DNS resolver is |
@arandomgstring |
I would like to see this from another point of view: that is they want to show or introduce or redefine a new type of the Internet for the people where there is no blocking (forwarding to "This is a blocked domain" page, or responding with 10.x.x.x), but instead, doing nothing! which would make it very difficult to investigate the problem for people, and people can't say the website/IP is blocked, and they can not complain. This, along the throttling, will make VPNs available but not stable. So, nobody could use (see video or upload files). So we see a change in the policy here. Maybe this is the reason why minister of the technology[!!] and communications[!!!] of regime says "do tests, there is no issue". But, the side effect of this is that it would make VPNs highly unstable, and we should use direct IP, or provide a private DNS server. However, with a private DNS server, there is a issue: dropping the DNS requests to/from foreign private servers. |
I don't think there is much to learn from the aggregate graphs at https://explorer.ooni.org/country/IR. I only wanted to suggest that, in addition to asking people to run their own test scripts, you can see if there are any existing OONI measurements for the domains you are interested in. Using a tool like jq you can extract just the DNS portion of the measurement JSON files, for inspecting many results at once. OONI has a blog post of download and mining large numbers of measurements.
I see. I was hoping there might be an Extended DNS Error with more information, but there is not. My guess is that the recursive resolver at 192.168.1.1 just had a random timeout while contacting the authoritative resolver, or something like that. |
It has been already known that servers behind Cloudflare's CDN are blocked, either at IP level or with DNS poisoning, nothing new here.
The servers without Cloudflare's CDN (aka gray cloud) which only use Cloudflare as their DNS propagator were fine till now, however, it's been at least two days since I am experiencing DNS poisoning for such servers in some ISPs (most notably in TIC or the so called Mokhaberat). This usually happens at ~5:30 AM till ~11AM. The solution is quite easy, one can either use host file or plain DNS requests from 8.8.8.8 or 1.1.1.1, both works fine and fix the issue.
That said, what's the reasoning behind such DNS poisoning in the first place? It will only disrupt the traffic of legitimate websites. Is it just some kind of mistake from their part? or are they testing something? Maybe they want to force users to use Arvancloud? Whatever their reasoning is,
if they actually make this change permanent, and they block even plain DNS requests from Cloudflare and Google (or make them useless with bogon IPs), inevitably people will be forced to use Arvancloud, linking their real life identity with the servers they own, which will put them in danger of making proxies in the first place. Host file could be a solution; but distribution of proxy among normal people will become harder, as normal people would need to modify their host file; which is easy but a pain nevertheless. At the worst case scenario, ISPs might only allow users to connect to foreign IPs that they have got through plain DNS request. That can potentially make host file useless (I guess? because with host file, DNS resolution will be done locally), although since many applications (e.g Browsers) cache DNS responses, that may or may not be feasible.
I tested a few proxy servers on cloud-flare with gray cloud; I can't obviously share either of their IP or domains. That said, even legitimate well-known websites are affected by this type of DNS poisoning. For example:
and nslookup & dig returned no result for this legitimate web server. This server is behind cloudflare CDN (orange cloud). I couldn't think of any way to find servers with gray cloud, except those of which I own.
The text was updated successfully, but these errors were encountered: