Default DNS-over-HTTPS resolver mozilla.cloudflare-dns.com is blocked in Russia
Categories
(Core :: Networking: DNS, defect, P3)
People
(Reporter: iam, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged][trr])
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
Default Firefox DNS-over-HTTPS resolver mozilla.cloudflare-dns.com is partially blocked (censored) in Russia since its introduction.
Currently mozilla.cloudflare-dns.com resolves to 104.16.248.249, 104.16.249.249, 2606:4700::6810:f9f9, 2606:4700::6810:f8f9 IP addresses.
One IPv4 address, 104.16.249.249, shares the address with the ineedusersmore.net domain, which was added to the global registry of blocked internet resources in Russia on 18.12.2016. Many ISPs with Deep Packet Inspection systems would not block this address for mozilla.cloudflare-dns.com requests (SNI inspection is performed), but not all of them have properly configured DPIs, or any at all.
Another address, 104.16.248.249, was added to the registry explicitly by IP address on 03.12.2016, and requests to it are filtered, including mozilla.cloudflare-dns.com requests.
IPv6 addresses are not blocked, but IPv6 availability among consumer ISPs in Russia is very low.
The reason why 104.16.248.249 is in the registry is unknown. It was added under the «суд;2-946/13» court decision, which is usually used to ban gambling websites and mobile applications. Right now (01.11.2019) it contains 6739 IP addresses.
Roscomnadzor, the organization responsible for internet censorship in Russia, blocks literally millions of IP addresses, domains and web sites for any fictitious reasons, and is very hard to communicate with. They do not care about collateral damage, and the law is nothing to them. It's easier to just change the IP addresses of mozilla.cloudflare-dns.com than to try to communicate with them, both for technical reasons (their email server does not accept mail from most internet servers) and for your mental health.
https://ntc.party/t/popular-websites-and-services-which-are-blocked-in-russia/135 ← list of blocked websites and services for you to understand Russian situation and Roscomnadzor's indifference.
https://reestr.rublacklist.net/record/396247/ and https://reestr.rublacklist.net/record/405503/ ← blacklist records which include the resolver IP addresses, by the Roscomsvoboda (Roskomfreedom) organization.
Comment 1•5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•5 years ago
I think Cloudflare will change the IPs eventually.
But as a more permanent solution, we probably need more progress with ESNI
(In reply to Valentin Gosu [:valentin] (he/him) from comment #2)
I think Cloudflare will change the IPs eventually.
But as a more permanent solution, we probably need more progress with ESNI
See also my comment on ESNI in Russia: https://bugzilla.mozilla.org/show_bug.cgi?id=1540061#c4
Comment 4•5 years ago
IPv6 is also blocked on at least one provider (MGTS https://bgp.he.net/AS25513 ). rutracker.org has an IPv6 address which is blocked. I suppose it was blocked because of my actions, BTW(( And then it was also blocked in MTS (AS8359), again because of my actions(( Anyway. The DPI fakes the TLS answer with their TLS cert with common name "MGTS" and "Internet Widgits Pty Ltd" (sic! yes, those are not even domains). Also I suppose now it also blocks the answer from the real IP (as before, both the DPI answer and the real answer from the real server were there, but the DPI answer was first (faster), etc., so TCP out of order, etc.). See image: https://habrastorage.org/getpro/habr/post_images/140/ae8/4e2/140ae84e2bc2c6965f2e896ef2cc5bb6.png
rutracker.org. 158 IN AAAA 2a03:42e0::214
So, I wanted to propose an idea to block and skip those certificates... good idea, is not it? ha-ha)) So I will give you those certs in links to https://lapo.it/asn1js/#MIICYzCCAcwCCQDmdGWC5wMwizANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJSVTELMAkGA1UECAwCTU8xDzANBgNVBAcMBk1vc2NvdzENMAsGA1UECgwETUdUUzELMAkGA1UECwwCSUIxDTALBgNVBAMMBE1HVFMxHjAcBgkqhkiG9w0BCQEWD25vcmVwbHlAbWd0cy5ydTAeFw0xODEyMjExODE0MTZaFw0xOTEyMjExODE0MTZaMHYxCzAJBgNVBAYTAlJVMQswCQYDVQQIDAJNTzEPMA0GA1UEBwwGTW9zY293MQ0wCwYDVQQKDARNR1RTMQswCQYDVQQLDAJJQjENMAsGA1UEAwwETUdUUzEeMBwGCSqGSIb3DQEJARYPbm9yZXBseUBtZ3RzLnJ1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKcN9WzmJEqUSUXFYy8Mn4ueQiohDm_jxHqmQAH0xzHPH02Fw54sgfod1ycWORRPpyT2HtmAPMIobwH3lT73hXuiMcEButGwLNgJimbaaWDQrX01AEbn5eUFUZt3FPggDlxB36upXbLUTdqrP3tDuyly0MXVM6PWR5cmyk2-wDsQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAMTDe-tKzlk4xgZD6-UQVPYsedz-YcLR3LRpv_i8XT_kZI8f-taWnYMaHgAVrDPFDVkaFJ81HGScdiRkVCzkQiBrgrnhwnz0IrIFv9bd0eoqKp8Ahbzc0YvU4IU2VaMyzBAdLiA3GG9XGFI5d577POfwLhK1JKr_4I65IUS0ggP7
and
https://lapo.it/asn1js/#MIICATCCAWoCCQD1ui5gnJHbtDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTE0MTAxMzEyNDYwM1oXDTE0MTExMjEyNDYwM1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt4kaNpv6pBCK9BAVr8y7FgNkrvwtAOwfjR8HZwkHwk0xgbjt7UJQVvqdlTVOhEIscwVSKQAGrw9d0pfjRjgNZWNbw2KKfEjc5J4eByLnCrG0DtAfohgyLVppv8n5T0UgCH4AT3XPVLj_qdenv7ySbrNPdIq8TTlDVv-0Awsu8KcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBnYRFTWiLxrCbU3AQjLaEfGN6Kb1yf1Y2xxm_XkYPEoCN23zy3Yt3674KElO3Z0TJv3pda-4WN41OnuYE1Vgatlhai_lgxJBfMkZ94IljnLs7uj5AfYQiffcx_GVlxkEQXHDsyERWJmJjS_0swu7crz2O0Ip6IF30ILSBaRPBt3w
I will propose that to Chromium as well.)))
What do you think?))
(In reply to val.zapod.vz from comment #4)
IPv6 is also blocked on at least one provider
IPv6 is getting censored in Russia in general, but not in the mozilla.cloudflare-dns.com case, since it's not added to the registry of blocked websites as a domain name, but only as an IPv4 address.
Comment 6•5 years ago
It would help if the DNS responses were signed and could be validated, i.e. DNSSEC.
This would help detection of manipulation.
Both Cloudflare, NextDNS and other resolvers support DNSSEC.
Why is it important:
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
Comment 7•5 years ago
(In reply to John Jones from comment #6)
It would help if the DNS responses were signed and could be validated, i.e. DNSSEC.
This would help detection of manipulation.
Both Cloudflare, NextDNS and other resolvers support DNSSEC.
Why is it important:
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
What? No, DNS from the provider is not manipulated, what are you talking about? There is a DPI in the media core of the provider that blocks HTTPS with fake packets. DNSSEC will not help.
Comment 8•5 years ago
And some IPs are blocked by IP: there is a blackhole route that drops all packets (so ping will not work and, as ping can be turned off, neither will telnet on port 443).
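Comments 4 and 8 describe two different failure modes for the TRR connection: a DPI box answering the TLS handshake with its own self-signed certificate, and a blackhole route that answers nothing. The following Go program is an added example (not code from this bug or from Firefox): it constructs a self-signed leaf shaped like the DPI certificate quoted in comment 4 (assumed subject "Internet Widgits Pty Ltd", constructed key and validity) and shows how the hostname and chain checks that a DoH client already performs reject it, giving a logged reason that distinguishes injection from a silent drop.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed leaf. Called with no dnsNames it
// mimics the DPI-injected certificate from comment 4: an organisation-style
// common name and no hostname. Constructed sample data, not a captured cert.
func selfSigned(cn string, dnsNames ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkResolverCert applies the two checks a DoH client's TLS stack already
// runs on the resolver's leaf: does it name the host, and does it chain to a
// trusted root. The verdict string lets the client log why the TRR connection
// failed, separating DPI injection from a blackhole route (comment 8), which
// yields no certificate at all and therefore never reaches this function.
func checkResolverCert(leaf *x509.Certificate, host string, roots *x509.CertPool) (string, error) {
	if err := leaf.VerifyHostname(host); err != nil {
		return "name-mismatch", err // e.g. the "Internet Widgits Pty Ltd" leaf
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return "untrusted-chain", err // right name, but not signed by a trusted CA
	}
	return "ok", nil
}
```

Because the injected leaf names no host, it fails at the first check before the trust store is even consulted, which is why a per-certificate blocklist adds nothing over ordinary verification.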
The problem still persists. Is it possible to change IP addresses of mozilla.cloudflare-dns.com?
Comment 10•4 years ago
(In reply to ValdikSS from comment #9)
The problem still persists. Is it possible to change IP addresses of mozilla.cloudflare-dns.com?
Probably not. That's on Cloudflare.
You can try using some of the other DoH servers here: https://github.com/curl/curl/wiki/DNS-over-HTTPS
Comment 11•4 years ago
I suppose any Cloudflare IP can become their DNS server. Just like youtube and mail.google.com have the same IPs.
Comment 12•4 years ago
BTW, you can ask Cloudflare to change IPs here https://github.com/cloudflare/go
Reporter
Comment 13•3 years ago
The problem still persists, December 2021.
Updated•2 years ago