Chinese social media sites weibo and sina are being blocked #86
Comments
All our VPN servers run their own DNS resolvers that do not block anything by default. Try using our service without any toggles set, or without using any custom DNS IPs. |
Yes, when I turn off your app and use my provider's DNS IPs I am able to reach the site with no problem. In your app, when I connect to certain servers I am able to use weibo, but the latency is so high since I am in South America; the only one that works well is Miami, Florida. If I switch to Japan or anywhere in Asia everything works fine. For now I have created a new Firefox profile that uses my provider's DNS IPs instead of yours, because your app lets me tunnel an app but not a particular instance of an app, since I have many Firefox browsers running with different setups. |
Some chinese websites can not reach because some mullvad server's DNS sucks: https://www.reddit.com/r/mullvadvpn/comments/10sht67/open_chinese_search_machines/ I made a shell script to test if target mullvad wireguard server can reach This script only test wireguard relays. It default outputs Los Angeles wireguard relays that can reach
Which means us-lax-wg-201, us-lax-wg-202, and us-lax-wg-203 can not reach If you want to test New York relays, you do
If you want to test if New York relays can reach In the past, the situation is much worse and about more than half of the wireguard relays can not reach What's interesting is that recently us-lax-wg-202 can not reach My script may have false positive due to not enough curl time, you can change the curl time with |
yes i tried this also. default setting on your app with no modifications
and using the default dns servers.
Unfortunately I am also noticing more and more sites are blocking your
IPs. Maybe it's due to more users using mullvad now. This also
happened when I was using another vpn that just opened, but after a year or
two the user base grew a lot and their IPs stopped working.
…On Mon, Feb 27, 2023 at 5:29 AM Joshua ***@***.***> wrote:
All our VPN servers run their own DNS resolvers that do not block anything
by default. Try using our service without any toggles set, or without using
any custom DNS IPs.
|
ok this is great thanks for looking into this. you can disregard my
previous message.
yes the chinese social media sites regularly change who they allow to use
their sites so it's not just your DNS servers. I am not sure why or when
they do this but it is a pain. Usually i use your hong kong server to
access the site then but they even blocked that one also, probably due to
the unrest between the two.
…On Sat, Mar 18, 2023 at 8:09 PM flyxyz123 ***@***.***> wrote:
Some chinese websites can not reach because some mullvad server's DNS
sucks:
https://www.reddit.com/r/mullvadvpn/comments/10sht67/open_chinese_search_machines/
I made a shell script to test if target mullvad wireguard server can
resolve www.baidu.com or not:
https://github.com/flyxyz123/config_local_arch/blob/master/home/xyz/.local/bin/mrt
This script only tests wireguard relays. By default it outputs Los Angeles
wireguard relays that can resolve www.baidu.com to stdout and
~/documents/logs/mrt_los_angeles_www.baidu.com.log. Currently, the
default outputs are:
us-lax-wg-101
us-lax-wg-102
us-lax-wg-103
us-lax-wg-104
us-lax-wg-301
us-lax-wg-302
us-lax-wg-303
us-lax-wg-401
us-lax-wg-402
us-lax-wg-403
us-lax-wg-404
us-lax-wg-405
Which means us-lax-wg-201, us-lax-wg-202, and us-lax-wg-203 can not
resolve www.baidu.com
If you want to test New York relays, you do mrt -l 'New York' which
outputs:
us-nyc-wg-303
us-nyc-wg-501
us-nyc-wg-502
us-nyc-wg-503
us-nyc-wg-504
us-nyc-wg-505
us-nyc-wg-601
us-nyc-wg-602
us-nyc-wg-604
us-nyc-wg-605
If you want to test if New York relays can resolve www.baomitu.com, you
do mrt -l 'New York' -w www.baomitu.com
In the past, the situation is much worse and about more than half of the
wireguard relays can not resolve www.baidu.com. About a month ago the
situation become better but still not all relays are good.
|
Sorry, one last question: if I use another dns server like what some redditors
suggested, doesn't that then make my traffic visible to my isp? So for
example I changed one instance of firefox to use cloudflare and ran your
command line to see if all was ok and it says I am "leaking dns"
information. Does this mean now my isp can only see which sites I am
visiting but not the traffic since I am still routing through our vpn?
|
i do not have the mrt command in my bin and does not work. i am on arch
linux.
…On Mon, Mar 20, 2023 at 10:58 AM pete slamm ***@***.***> wrote:
sorry one last question, if use another dns server like what some
redditors suggested, doesn't that then make my traffic visible to my isp?
so for example i changed one instance of firefox to use cloudflare and ran
your command line to see if all was ok and it says i am "leaking dns"
information. Does this mean now my isp can only see which sites i am
visiting but not the traffic since i am still routing through our vpn?
|
|
I'm not working for mullvad. I'm a hobbyist user, I don't have too much technical knowledge so my answers may be incorrect.
All my following answers assume you are using default mullvad. If you use 1.1.1.1, you will not have DNS problems visiting chinese sites. Only mullvad DNS has DNS problems visiting chinese sites. My script is to test mullvad DNS when using mullvad DNS, not when using 1.1.1.1. This means if there are no problems other than DNS problems, if you use 1.1.1.1 and run my script, it will always show all mullvad servers can reach chinese sites.
My choice is to not use 1.1.1.1. I use default mullvad DNS, and when there's a problem, I change mullvad server; my script just tells me what servers are good. |
Sorry I thought you worked for mullvad. I really appreciate you taking the
time to write this script and all the help you provided.
I feel a bit guilty because i have been coding for many many years but I
offloaded this task to what I thought was mullvad support. Since i am
paying for this service it falls into their hands to fix it.
Again i thank you and will dl your code from github and if needed will let
you know if i have anything meaningful in the ways of modifications to
either extend the functionality or ... but it seems like you have
everything under control.
Thanks again for your time. It's unfortunate that mullvad is using
unreliable dns servers since they provide great services otherwise.
…On Mon, Mar 20, 2023 at 11:04 PM flyxyz123 ***@***.***> wrote:
I'm not working for mullvad. *I'm a hobbyist user, I don't have too much
technical knowledge so my answers may be incorrect.*
if use another dns server like what some redditors suggested, doesn't that
then make my traffic visible to my isp? so for example i changed one
instance of firefox to use cloudfare and ran your command line to see if
all was ok and it says i am "leaking dns" information. Does this mean now
my isp can only see which sites i am visiting but not the traffic since i
am still routing through our vpn?
All my following answers assume you are using default mullvad.
If you use 1.1.1.1, you will not have DNS problems visiting chinese sites.
Only mullvad DNS has DNS problems visiting chinese sites. My script is to
test mullvad DNS when using mullvad DNS, not when using 1.1.1.1. This means
if there are no problems other than DNS problems, if you use 1.1.1.1 and run
my script, it will always show all mullvad servers can reach chinese sites.
If you use 1.1.1.1, your DNS query can be seen by cloudflare and your ISP,
your traffic can not be seen by them. This means "your ISP can only see
which sites you are visiting but not the traffic." You can do encrypted DNS
to prevent your ISP from seeing your DNS query:
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/, but
cloudflare can still see your DNS query, and I'm not familiar with this.
My choice is to not use 1.1.1.1. I use mullvad DNS, and when there's a
problem, I change mullvad server; my script just tells me what servers
are good.
|
I am not sure if the ISP can see your DNS query when using mullvad with the custom DNS server set to 1.1.1.1. I did more searching and some people say that after setting the custom DNS server to 1.1.1.1, the DNS query is inside the VPN tunnel, so the ISP won't see your DNS query. (https://www.reddit.com/r/mullvadvpn/comments/o5pzv5/when_using_a_custom_dns_server_are_those_dns/) I also edited my old incorrect response to avoid misleading anyone. If DNS queries are inside the VPN tunnel, although cloudflare can see your DNS queries, I do not think it matters much tho. |
Allow me to fill in the blanks from the serverside of things. On
Let's figure out which servers are authoritative (responsible) for
Let's try resolving
It appears we can't reach the majority of the servers that are authoritative for this hostname. Running the same task on a completely different server (
Conclusion/Theorizing:
If you absolutely need to connect via a relay that can't resolve these domains you can configure a custom DNS to have your connections be routed through the relay but have DNS queries resolved by an external server. See the link below. In order to get you the right support it's better to reach out to our support at Hope this answers your questions :) |
Thanks for the testing. This has happened in the past with sites in China
using various vpn's or even trying to connect directly from my usa ip. I'm
not sure why china does this sporadically or without reason but during my
investigation last year i also found that it was on their end.
I am not sure how big the user base is for mullvad but i found when using a
new vpn things would work fine but when more users started using the vpn
this would start to happen. It could be someone using mullvad maliciously
which is causing it.
I will contact mullvad support but i am pretty sure they won't be able to
help with this as it's on china's end.
…On Wed, Mar 22, 2023 at 3:32 AM Oskar Almlöv ***@***.***> wrote:
Allow me to fill in the blanks from the serverside of things.
On us-lax-wg-202 we cannot resolve www.baidu.com:
***@***.***:~$ dig www.baidu.com
[...]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19987
[...]
Let's figure out which servers are authoritative (responsible) for
baidu.com:
***@***.***:~$ dig baidu.com NS +short
ns2.baidu.com.
ns7.baidu.com.
dns.baidu.com.
ns3.baidu.com.
ns4.baidu.com.
Let's try resolving www.baidu.com by asking these servers directly:
***@***.***:~$ \
for hostname in $(dig baidu.com NS +short); do
> echo $hostname
> dig @$hostname www.baidu.com +short || echo "Timed out"
> done
ns4.baidu.com.
Timed out
ns2.baidu.com.
Timed out
ns3.baidu.com.
Timed out
ns7.baidu.com.
www.a.shifen.com.
It appears we can't reach the majority of the servers that are
authoritative for this hostname.
Running the same task on a completely different server (se-sto-wg-009)
yields very different results:
ns4.baidu.com.
www.a.shifen.com.
dns.baidu.com.
www.a.shifen.com.
ns2.baidu.com.
www.a.shifen.com.
ns3.baidu.com.
www.a.shifen.com.
ns7.baidu.com.
www.a.shifen.com.
Conclusion/Theorizing:
- The authoritative servers for baidu.com appears to, from a DNS
perspective, be configured correctly.
- Some of our relays cannot reach the authoritative servers for
baidu.com. Or the response from the authoritative servers can't reach
some of our relays. Either way the relay sends a query and does not get a
response.
- Since the queries are leaving our relays as they should, we can't
really do anything else. Someone or something is dropping our queries or
the answers to our queries on the way. Speaking from experience this is
most likely because there is some blocklist in use that is blocking traffic
from known VPN IPs.
In order to get you the right support it's better to reach out to our
support at ***@***.*** since our support team does not have a
presence on GitHub.
|
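The per-nameserver check from the reply quoted above, as an added example (not code from the thread or from Mullvad): it separates "no reply" from "replied with no answer" using dig's exit status and summarizes how many authoritative servers a relay can reach. The function names, the TIMEOUT/EMPTY tokens and the `+time=2 +tries=1` values are assumptions; the sample data is transcribed from the two relay outputs in that reply.

```shell
#!/bin/sh
# Added example (not from the thread): per-nameserver reachability check.

# probe_ns DOMAIN NAME: ask each authoritative server for DOMAIN about NAME.
# Prints "server<TAB>result"; result is the first answer line, TIMEOUT
# (dig exit status 9, no reply) or EMPTY (a reply with no answer records).
probe_ns() {
    domain=$1 name=$2
    for ns in $(dig "$domain" NS +short); do
        # +time/+tries values are assumptions; they bound the wait per server
        ans=$(dig "@$ns" "$name" +short +time=2 +tries=1 2>/dev/null)
        rc=$?
        if [ "$rc" -eq 9 ]; then res=TIMEOUT
        elif [ -z "$ans" ]; then res=EMPTY
        else res=$(printf '%s\n' "$ans" | head -n 1)
        fi
        printf '%s\t%s\n' "$ns" "$res"
    done
}

# summarize: read probe_ns output on stdin, print counts and a verdict.
summarize() {
    awk -F '\t' '
        $2 == "TIMEOUT" { bad++; list = list " " $1; next }
        NF == 2         { ok++ }
        END {
            total = ok + bad
            if (total == 0)    v = "no-nameservers"
            else if (bad == 0) v = "all-reachable"
            else if (ok == 0)  v = "none-reachable"
            else               v = "partial"
            printf "reachable=%d/%d verdict=%s unreachable:%s\n", ok, total, v, list
        }'
}

# Results transcribed from the two relay outputs quoted in the thread.
sample_lax() {
    printf '%s\t%s\n' ns4.baidu.com. TIMEOUT ns2.baidu.com. TIMEOUT \
        ns3.baidu.com. TIMEOUT ns7.baidu.com. www.a.shifen.com.
}
sample_sto() {
    for ns in ns4 dns ns2 ns3 ns7; do
        printf '%s\t%s\n' "$ns.baidu.com." www.a.shifen.com.
    done
}

# Live use: sh script.sh baidu.com www.baidu.com
if [ "$#" -ge 2 ]; then probe_ns "$1" "$2" | summarize; fi
```

A "partial" or "none-reachable" verdict on one relay alongside "all-reachable" on another points at path filtering between that relay and the authoritative servers, not at the zone's DNS configuration.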
do you have a dns server that blocks nothing? I am unable to reach the two biggest social media sites in china when using mullvad. When mullvad is disabled, i can reach them fine.
Please provide a dns that blocks nothing. no adware, malicious sites, etc... thanks.