Jump to content
Not connected, Your IP: 3.238.174.50

Recommended Posts

Posted ... (edited)

Hi, folks,
I observe a strange behavior when trying to bypass DNS-based site blocking in Russia. The name flibusta.is gets unexpectedly resolved to the ban site lawfilter.ertelecom.ru.

I use openvpn under Debian Linux.
OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 31 2020
Configuration files are downloaded from airvpn.org generator.
By default, /etc/resolv.conf contains the following:
nameserver 192.168.1.1
When I connect to VPN, the settings do not change. My browser (Firefox 84) is configured to use DNS over HTTPS, but I can also change /etc/resolv.conf to use the Cloudflare DNS:
nameserver 1.1.1.1

Now, I run tcpdump to capture all DNS exchange and try to open flibusta.is in the browser.
Here's what I get:
19:32:41.326041 Out ethertype IPv4 (0x0800), length 73: 10.7.213.47.41548 > 1.1.1.1.53: 38651+ A? flibusta.is. (29)
19:32:41.326052 Out ethertype IPv4 (0x0800), length 73: 10.7.213.47.41548 > 1.1.1.1.53: 2303+ AAAA? flibusta.is. (29)
19:32:41.345679 Out ethertype IPv4 (0x0800), length 84: 10.7.213.47.37238 > 1.1.1.1.53: 25045+ A? lawfilter.ertelecom.ru. (40)
19:32:41.345690 Out ethertype IPv4 (0x0800), length 84: 10.7.213.47.37238 > 1.1.1.1.53: 13267+ AAAA? lawfilter.ertelecom.ru. (40)
19:32:41.471163  In ethertype IPv4 (0x0800), length 100: 1.1.1.1.53 > 10.7.213.47.37238: 25045 1/0/0 A 188.186.157.49 (56)
19:32:41.619187  In ethertype IPv4 (0x0800), length 149: 1.1.1.1.53 > 10.7.213.47.41548: 2303 0/1/0 (105)
19:32:41.619205  In ethertype IPv4 (0x0800), length 128: 1.1.1.1.53 > 10.7.213.47.37238: 13267 0/1/0 (84)
19:32:41.619214  In ethertype IPv4 (0x0800), length 89: 1.1.1.1.53 > 10.7.213.47.41548: 38651 1/0/0 A 81.17.19.227 (45)


10.7.213.47 is the address of the VPN interface. The request seems to go through VPN to Cloudflare, but for some reason it resolves to lawfilter.ertelecom.ru. This response gets inserted between request and the correct response (the last line).
But this doesn't happen every time. Sometimes, after re-establishing VPN connection, tcpdump captures the correct response:
19:53:46.028205 Out ethertype IPv4 (0x0800), length 73: 10.20.213.58.38277 > 1.1.1.1.53: 10615+ A? flibusta.is. (29)
19:53:46.028224 Out ethertype IPv4 (0x0800), length 73: 10.20.213.58.38277 > 1.1.1.1.53: 4978+ AAAA? flibusta.is. (29)
19:53:46.121195  In ethertype IPv4 (0x0800), length 89: 1.1.1.1.53 > 10.20.213.58.38277: 10615 1/0/0 A 81.17.19.227 (45)


So, basically, there are two things I can't understand. First, why the browser seems to ignore DOH settings, sending requests via plain UDP. But it is not related to VPN, so, let's not bother ourselves with this one. The second question is how the DNS request sent via VPN gets a spoofed response from the provider's blocker? Am I simply doing something wrong?
 

Edited ... by fruchtenstein

Share this post


Link to post
5 hours ago, fruchtenstein said:

Now, I run tcpdump to capture all DNS exchange and try to open flibusta.is in the browser.


tcpdump is not the right tool to troubleshoot DNS. Try dig.

$ dig a in flibusta.is +trace


On Debian, this is not installed by default.

# apt-get install dns-utils


Try your luck with that, see if you're getting more out of it.

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...