Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure DNS (DoH/DoT) blocking in Indonesia 2023-12-30 #319

Open
wkrp opened this issue Dec 30, 2023 · 3 comments
Open

Secure DNS (DoH/DoT) blocking in Indonesia 2023-12-30 #319

wkrp opened this issue Dec 30, 2023 · 3 comments
Labels
Indonesia

Comments

@wkrp
Copy link
Member

wkrp commented Dec 30, 2023
edited
Loading

Copied from #316 (comment):

On December 30th 2023, some ISPs have blocked access to DoH/DoT domain

Our DNS service [dns.bebasid.com] is also affected

Aside PT Netciti Persada, PT Jaringan Sarana Nusantara (JSN) also started to blackholling DoH from their DNS, it seems Kominfo started to roll this to every ISPs

Thanks to National DNS regulation, changing plain DNS won't work so you are stuck with ISP DNS that is blocking access to DoH/DoT domain as you can see the result of nslookuping to Google DNS is hijacked to each ISP's DNS.

If you want to use DoH/DoT, writting the [resolver] domain on host file will work

A mobile web browser showing the error: "This site can't be reached. dnscheck.tools's server IP address could not be found."

Mobile web browser options: Use secure DNS → Choose another provider → Custom: https://security.cloudflare-dns.com/dns-query.

Transcription below.

~ $ curl -v https://security.cloudflare-dns.com/dns-query
* processing: https://security.cloudflare-dns.com/dns-query
*   Trying 0.0.0.0:443...
* connect to 0.0.0.0 port 443 failed: Connection refused
* Failed to connect to security.cloudflare-dns.com port 443 after 135 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to security.cloudflare-dns.com port 443 after 135 ms: Couldn't connect to server

Wtf is this

~ $ curl -v dns.bebasid.com
* processing: dns.bebasid.com
*   Trying 0.0.0.0:443...
* connect to 0.0.0.0 port 443 failed: Connection refused
* Failed to connect to dns.bebasid.com port 443 after 5260 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to dns.bebasid.com port 443 after 5260 ms: Couldn't connect to server

Transcription below.

~ $ nslookup dns.bebasid.com
nslookup dns.google
nslookup cloudflare-dns.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   dns.bebasid.com
Address: 0.0.0.0

Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   dns.google
Address: 0.0.0.0

Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   cloudflare-dns.com
Address: 0.0.0.0
@wkrp wkrp added the Indonesia label Dec 30, 2023
@wkrp wkrp mentioned this issue Dec 30, 2023
Open
@merdekaid
Copy link

merdekaid commented Dec 30, 2023
edited
Loading

Copied from #316 (comment):

On December 30th 2023, some ISPs have blocked access to DoH/DoT domain
Our DNS service [dnscheck.tools] is also affected
Aside PT Netciti Persada, PT Jaringanku Sarana Nusantara (JSN) also started to blackholling DoH from their DNS, it seems Kominfo started to roll this to every ISP operated in Indonesia.
Thanks to National DNS regulation, changing plain DNS won't work so you are stuck with ISP DNS that is blocking access to DoH/DoT domain as you can see the result of nslookuping to Google DNS is hijacked to each ISP's DNS.
If you want to use DoH/DoT, writting the [resolver] domain on host file will work

A mobile web browser showing the error: "This site can't be reached. dnscheck.tools's server IP address could not be found."

Mobile web browser options: Use secure DNS → Choose another provider → Custom: https://security.cloudflare-dns.com/dns-query.

Transcription below.

~ $ curl -v https://security.cloudflare-dns.com/dns-query
* processing: https://security.cloudflare-dns.com/dns-query
*   Trying 0.0.0.0:443...
* connect to 0.0.0.0 port 443 failed: Connection refused
* Failed to connect to security.cloudflare-dns.com port 443 after 135 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to security.cloudflare-dns.com port 443 after 135 ms: Couldn't connect to server

Wtf is this

~ $ curl -v dns.bebasid.com
* processing: dns.bebasid.com
*   Trying 0.0.0.0:443...
* connect to 0.0.0.0 port 443 failed: Connection refused
* Failed to connect to dns.bebasid.com port 443 after 5260 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to dns.bebasid.com port 443 after 5260 ms: Couldn't connect to server

Transcription below.

~ $ nslookup dns.bebasid.com
nslookup dns.google
nslookup cloudflare-dns.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   dns.bebasid.com
Address: 0.0.0.0

Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   dns.google
Address: 0.0.0.0

Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   cloudflare-dns.com
Address: 0.0.0.0

Apologize for the correction, our DNS service is (dns.bebasid.com), not dnscheck.tools. dnscheck.tools is just a benchmark website to check if a DNSSEC and DNS performance and its not owned by us.

Anyway there's some inconsistent blocking on DoH/DoT service in Indonesia

These ISPs are confirmed to block Secure DNS service in Indonesia although its not consistent:

  • PT Mora Telematika Indonesia only blocks Google DoH/DoT by blackholling 8.8.8.8 and 8.8.4.4 on BGP level and 9.9.9.9 is also affected. (Fortunately, they forgot to blackhole 149.112.112.112 thus Quad9 still works)
  • PT Neticiti Persada only rely on port blocking yet the DNS that is currently affected is Cloudflare, Google, Quad9, and Adguard going to port 443 and 853.
  • PT Jaringanku Sarana Nusantara (JSN) blocks every DoH/DoT domain on its DNS however the IP is not affected as you can see the screenshot above

For PT Mora Telematika Indonesia:

For PT Netciti Persada:

Other ISPs that are suspected to follow latest Kominfo censorship suggestion to block popular DoH/DoT according to that video:

Also I suspect biggest telco here (PT Telkom Indonesia) at least have attempted before to block Cloudflare's DoH/DoT but they aren't blocking it anymore for now:

@merdekaid
Copy link

merdekaid commented Dec 31, 2023
edited
Loading

Also correction, the ISP is named PT Jaringanku Sarana Nusantara, not just Jaringan.

They are crazy for doing this.

@merdekaid
Copy link

merdekaid commented May 1, 2024
edited
Loading

PT Aplikasnusa Lintasarta also started to restrict DoH/DoT too, mainly popular one like Google, Cloudflare, AdGuard, Quad9 by blackholling it on their DNS, since port 53 is redirected as its mandated by Kominfo under National DNS, you will be stuck by their DNS blocking DoH/DoT domain

image

Not only that, I got a report that they are also redirect port 53 on IP Transit level, making whoever transit to them cannot change their DNS and have DoH/DoT blocked on their network

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Indonesia
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wkrp @merdekaid