Open Bug 1593176 Opened 5 years ago Updated 2 years ago

Default DNS-over-HTTPS resolver mozilla.cloudflare-dns.com is blocked in Russia

Categories

(Core :: Networking: DNS, defect, P3)

Firefox 84
defect

Tracking

UNCONFIRMED

People

(Reporter: iam, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged][trr])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Default Firefox DNS-over-HTTPS resolver mozilla.cloudflare-dns.com is partially blocked (censored) in Russia since its introduction.

Currently mozilla.cloudflare-dns.com resolves to 104.16.248.249, 104.16.249.249, 2606:4700::6810:f9f9, 2606:4700::6810:f8f9 IP addresses.

One IPv4 address, 104.16.249.249, shares the address with the ineedusersmore.net domain, which was added to the global registry of blocked internet resources in Russia on 18.12.2016. Many ISPs with Deep Packet Inspection systems would not block this address for mozilla.cloudflare-dns.com requests (SNI inspection is performed), but not all of them have properly configured DPIs, or any DPI at all.
Another address, 104.16.248.249, was added to the registry explicitly by IP address on 03.12.2016, and requests to it are filtered, including mozilla.cloudflare-dns.com requests.
IPv6 addresses are not blocked, but IPv6 availability in Russia among consumer ISPs is very low.

The reason why 104.16.248.249 is in the registry is unknown. It was added under the «суд;2-946/13» court decision, which is usually used to ban gambling websites and mobile applications. Right now (01.11.2019) it contains 6739 IP addresses.

Roscomnadzor, the organization responsible for internet censorship in Russia, blocks literally millions of IP addresses, domains and web sites for any fictitious reason, and is very hard to communicate with. They do not care about collateral damage and the law is nothing to them. It's easier to just change the IP addresses of mozilla.cloudflare-dns.com than to try to communicate with them, both for technical reasons (their email server does not accept mail from most internet servers) and for your mental health.

https://ntc.party/t/popular-websites-and-services-which-are-blocked-in-russia/135 ← list of blocked websites and services for you to understand Russian situation and Roscomnadzor's indifference.
https://reestr.rublacklist.net/record/396247/ and https://reestr.rublacklist.net/record/405503/ ← blacklist records which include resolver IP addresses, by Roscomsvodoba (roscomfreedom) organization.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Networking: DNS
Product: Firefox → Core

I think Cloudflare will change the IPs eventually.
But as a more permanent solution, we probably need more progress with ESNI

Depends on: 1590863
Priority: -- → P3
Whiteboard: [necko-triaged][trr]

(In reply to Valentin Gosu [:valentin] (he/him) from comment #2)

> I think Cloudflare will change the IPs eventually.
> But as a more permanent solution, we probably need more progress with ESNI

See also my comment on ESNI in Russia: https://bugzilla.mozilla.org/show_bug.cgi?id=1540061#c4

ipv6 is also blocked on at least one provider (MGTS https://bgp.he.net/AS25513 ). rutracker.org has ipv6 addr which is blocked. I suppose it was blocked because of my actions, BTW(( And then it was also blocked in MTS (AS8359) again because of my actions(( Anyway. The DPI fakes TLS answer with their TLS cert with common name "MGTS" and "Internet Widgits Pty Ltd" (sic!, yes those are not even domains). Also I suppose now it also blocks the answer from real ip (as before both DPI answer and real answer from real server were there, but DPI answer was first (faster), etc, so TCP out of order, etc). See image: https://habrastorage.org/getpro/habr/post_images/140/ae8/4e2/140ae84e2bc2c6965f2e896ef2cc5bb6.png

rutracker.org. 158 IN AAAA 2a03:42e0::214

So, I wanted to propose an idea to block and skip those certificates... good idea, is not it? ha-ha)) So I will give you those certs in links to https://lapo.it/asn1js/#MIICYzCCAcwCCQDmdGWC5wMwizANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJSVTELMAkGA1UECAwCTU8xDzANBgNVBAcMBk1vc2NvdzENMAsGA1UECgwETUdUUzELMAkGA1UECwwCSUIxDTALBgNVBAMMBE1HVFMxHjAcBgkqhkiG9w0BCQEWD25vcmVwbHlAbWd0cy5ydTAeFw0xODEyMjExODE0MTZaFw0xOTEyMjExODE0MTZaMHYxCzAJBgNVBAYTAlJVMQswCQYDVQQIDAJNTzEPMA0GA1UEBwwGTW9zY293MQ0wCwYDVQQKDARNR1RTMQswCQYDVQQLDAJJQjENMAsGA1UEAwwETUdUUzEeMBwGCSqGSIb3DQEJARYPbm9yZXBseUBtZ3RzLnJ1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKcN9WzmJEqUSUXFYy8Mn4ueQiohDm_jxHqmQAH0xzHPH02Fw54sgfod1ycWORRPpyT2HtmAPMIobwH3lT73hXuiMcEButGwLNgJimbaaWDQrX01AEbn5eUFUZt3FPggDlxB36upXbLUTdqrP3tDuyly0MXVM6PWR5cmyk2-wDsQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAMTDe-tKzlk4xgZD6-UQVPYsedz-YcLR3LRpv_i8XT_kZI8f-taWnYMaHgAVrDPFDVkaFJ81HGScdiRkVCzkQiBrgrnhwnz0IrIFv9bd0eoqKp8Ahbzc0YvU4IU2VaMyzBAdLiA3GG9XGFI5d577POfwLhK1JKr_4I65IUS0ggP7
and
https://lapo.it/asn1js/#MIICATCCAWoCCQD1ui5gnJHbtDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTE0MTAxMzEyNDYwM1oXDTE0MTExMjEyNDYwM1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt4kaNpv6pBCK9BAVr8y7FgNkrvwtAOwfjR8HZwkHwk0xgbjt7UJQVvqdlTVOhEIscwVSKQAGrw9d0pfjRjgNZWNbw2KKfEjc5J4eByLnCrG0DtAfohgyLVppv8n5T0UgCH4AT3XPVLj_qdenv7ySbrNPdIq8TTlDVv-0Awsu8KcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBnYRFTWiLxrCbU3AQjLaEfGN6Kb1yf1Y2xxm_XkYPEoCN23zy3Yt3674KElO3Z0TJv3pda-4WN41OnuYE1Vgatlhai_lgxJBfMkZ94IljnLs7uj5AfYQiffcx_GVlxkEQXHDsyERWJmJjS_0swu7crz2O0Ip6IF30ILSBaRPBt3w

I will propose that to Chromium as well.)))
What do you think?))
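The two certificates linked in the comment above are the interesting artefact here: the DPI completes a TLS handshake with a certificate that has nothing to do with the resolver. The following is an added example written for this page, not code from the bug, from Mozilla or from Cloudflare. It is a small pure-Python DER walker that decodes the two certificate bodies exactly as they appear in the lapo.it links above and reports, from a client's point of view, why each one must be rejected for mozilla.cloudflare-dns.com: self-signed, outside its validity window, or carrying no name for the resolver. The helper names, the RESOLVER_HOST and REPORT_DATE constants and the "first attribute per RDN" simplification in parse_name are my own assumptions; the two base64url strings are copied verbatim from the comment.

```python
import base64
from datetime import datetime, timezone

# Both certificates are the ones posted in comment #4 (DER bodies of the lapo.it links), verbatim.
MGTS_CERT_B64URL = "MIICYzCCAcwCCQDmdGWC5wMwizANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJSVTELMAkGA1UECAwCTU8xDzANBgNVBAcMBk1vc2NvdzENMAsGA1UECgwETUdUUzELMAkGA1UECwwCSUIxDTALBgNVBAMMBE1HVFMxHjAcBgkqhkiG9w0BCQEWD25vcmVwbHlAbWd0cy5ydTAeFw0xODEyMjExODE0MTZaFw0xOTEyMjExODE0MTZaMHYxCzAJBgNVBAYTAlJVMQswCQYDVQQIDAJNTzEPMA0GA1UEBwwGTW9zY293MQ0wCwYDVQQKDARNR1RTMQswCQYDVQQLDAJJQjENMAsGA1UEAwwETUdUUzEeMBwGCSqGSIb3DQEJARYPbm9yZXBseUBtZ3RzLnJ1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKcN9WzmJEqUSUXFYy8Mn4ueQiohDm_jxHqmQAH0xzHPH02Fw54sgfod1ycWORRPpyT2HtmAPMIobwH3lT73hXuiMcEButGwLNgJimbaaWDQrX01AEbn5eUFUZt3FPggDlxB36upXbLUTdqrP3tDuyly0MXVM6PWR5cmyk2-wDsQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAMTDe-tKzlk4xgZD6-UQVPYsedz-YcLR3LRpv_i8XT_kZI8f-taWnYMaHgAVrDPFDVkaFJ81HGScdiRkVCzkQiBrgrnhwnz0IrIFv9bd0eoqKp8Ahbzc0YvU4IU2VaMyzBAdLiA3GG9XGFI5d577POfwLhK1JKr_4I65IUS0ggP7"
WIDGITS_CERT_B64URL = "MIICATCCAWoCCQD1ui5gnJHbtDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTE0MTAxMzEyNDYwM1oXDTE0MTExMjEyNDYwM1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt4kaNpv6pBCK9BAVr8y7FgNkrvwtAOwfjR8HZwkHwk0xgbjt7UJQVvqdlTVOhEIscwVSKQAGrw9d0pfjRjgNZWNbw2KKfEjc5J4eByLnCrG0DtAfohgyLVppv8n5T0UgCH4AT3XPVLj_qdenv7ySbrNPdIq8TTlDVv-0Awsu8KcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBnYRFTWiLxrCbU3AQjLaEfGN6Kb1yf1Y2xxm_XkYPEoCN23zy3Yt3674KElO3Z0TJv3pda-4WN41OnuYE1Vgatlhai_lgxJBfMkZ94IljnLs7uj5AfYQiffcx_GVlxkEQXHDsyERWJmJjS_0swu7crz2O0Ip6IF30ILSBaRPBt3w"
RESOLVER_HOST = "mozilla.cloudflare-dns.com"                 # hostname the DPI is impersonating
REPORT_DATE = datetime(2019, 11, 1, tzinfo=timezone.utc)     # assumed "now": date of the bug report
_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST",
              b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}
_SAN_OID = b"\x55\x1d\x11"

def decode_b64url(text):
    """Decode an unpadded base64url fragment, as used in lapo.it links."""
    text = text.strip()
    if len(text) % 4 == 1:        # a dangling sextet cannot form a byte; drop it
        text = text[:-1]
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_name(raw):
    """Flatten an X.501 Name into {attribute: value} (first AVA of each RDN; assumed simplification)."""
    attrs, pos = {}, 0
    while pos < len(raw):
        _, rdn, pos = _tlv(raw, pos)          # SET OF AttributeTypeAndValue
        _, atv, _ = _tlv(rdn, 0)
        _, oid, p = _tlv(atv, 0)
        _, value, _ = _tlv(atv, p)
        attrs[_OID_NAMES.get(oid, oid.hex())] = value.decode("utf-8", "replace")
    return attrs

def _parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:               # UTCTime YYMMDDHHMMSSZ; two-digit year pivots at 1950
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _parse_sans(wrapper):
    """Collect dNSName entries from the [3] Extensions wrapper (v3 certificates only)."""
    names, pos = [], 0
    _, exts, _ = _tlv(wrapper, 0)
    while pos < len(exts):
        _, ext, pos = _tlv(exts, pos)
        _, oid, p = _tlv(ext, 0)
        tag, value, p = _tlv(ext, p)
        if tag == 0x01:                       # optional "critical" BOOLEAN comes first
            tag, value, p = _tlv(ext, p)
        if oid != _SAN_OID:
            continue
        _, general_names, _ = _tlv(value, 0)  # OCTET STRING wraps a SEQUENCE OF GeneralName
        gp = 0
        while gp < len(general_names):
            gtag, gval, gp = _tlv(general_names, gp)
            if gtag == 0x82:                  # [2] dNSName, IA5String
                names.append(gval.decode("ascii"))
    return names

def parse_certificate(der):
    """Pull out the fields needed to judge a presented certificate."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)                # serialNumber, or explicit [0] version in a v3 cert
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)            # version was present, so this one is the serialNumber
    _, _, pos = _tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, issuer_raw, pos = _tlv(tbs, pos)
    _, validity, pos = _tlv(tbs, pos)
    _, subject_raw, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)                # subjectPublicKeyInfo
    t1, nb, vpos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, vpos)
    sans = []
    while pos < len(tbs):                     # optional issuerUID, subjectUID, [3] extensions
        tag, body, pos = _tlv(tbs, pos)
        if tag == 0xA3:
            sans = _parse_sans(body)
    return {"san": sans, "self_signed": issuer_raw == subject_raw,
            "issuer": parse_name(issuer_raw), "subject": parse_name(subject_raw),
            "not_before": _parse_time(t1, nb), "not_after": _parse_time(t2, na)}

def assess(der, expected_host, now):
    """Return the reasons a presented certificate must not be trusted for expected_host."""
    c = parse_certificate(der)
    findings = []
    if c["self_signed"]:
        findings.append("self-signed (issuer equals subject)")
    if not c["not_before"] <= now <= c["not_after"]:
        findings.append("outside validity period")
    names = c["san"] or ([c["subject"]["CN"]] if "CN" in c["subject"] else [])   # SAN wins over CN
    if not any(n.lower() == expected_host.lower() for n in names):
        findings.append("no subject name matches " + expected_host)
    return findings
```

Calling `assess(decode_b64url(MGTS_CERT_B64URL), RESOLVER_HOST, REPORT_DATE)` yields the self-signed and name-mismatch findings (subject CN is "MGTS"); the second certificate has no CN at all, only O="Internet Widgits Pty Ltd", and additionally fails the validity check because it expired in November 2014. A genuine resolver certificate carries the hostname in its subjectAltName extension, which is why the check consults the SAN list before falling back to the CN; a DoH client that logs these findings gets a clear signal that the path is being tampered with, rather than a generic connection failure.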

(In reply to val.zapod.vz from comment #4)

> ipv6 is also blocked on at least one provider

IPv6 is getting censored in Russia in general, but not in the mozilla.cloudflare-dns.com case, since it is not added to the registry of blocked websites as a domain name, but only as an IPv4 address.

it would help if the DNS responses were signed and could be validated, i.e. DNSSEC
this would help detection of manipulation

both Cloudflare, NextDNS and other resolvers support DNSSEC

why is it important :
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

https://bugzilla.mozilla.org/show_bug.cgi?id=1609835

(In reply to John Jones from comment #6)

> it would help if the DNS responses were signed and could be validated, i.e. DNSSEC
> this would help detection of manipulation
>
> both Cloudflare, NextDNS and other resolvers support DNSSEC
>
> why is it important :
> https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1609835

What? No, DNS from the provider is not manipulated, what are you talking about? There is a DPI in the media core of the provider that blocks https with fake packets. DNSSEC will not help.

And some IPs are blocked by IP: there is a blackhole route that drops all packets (so ping will not work, and neither will telnet on port 443, as ping can be turned off).

The problem still persists. Is it possible to change IP addresses of mozilla.cloudflare-dns.com?

Version: 68 Branch → Firefox 84

(In reply to ValdikSS from comment #9)

> The problem still persists. Is it possible to change IP addresses of mozilla.cloudflare-dns.com?

Probably not. That's on Cloudflare.
You can try using some of the other DoH servers here: https://github.com/curl/curl/wiki/DNS-over-HTTPS

I suppose any Cloudflare IP can become their DNS server. Just like youtube and mail.google.com have the same IPs.

BTW, you can ask Cloudflare to change IPs here https://github.com/cloudflare/go

The problem still persists, December 2021.

Severity: normal → S3
No longer depends on: 1590863