
Basic DNS Filter Evasion: HOSTS file

Background:

Various ISPs such as Sky and BT manipulate DNS, returning spoofed responses that direct requests to their proxy server instead of the correct address.

Taking BT as an example, a request for a blocked site has been seen to return an IP from within this netblock instead:

inetnum: 213.120.234.0 - 213.120.235.255
netname: BT-UKIP-IPV4-INFRASTRUCTURE
descr: POP
country: GB
admin-c: BS1474-RIPE
tech-c: BS1474-RIPE
status: ASSIGNED PA
remarks: Please send abuse notification to [email protected]
remarks: New netname
mnt-by: BTNET-MNT
mnt-lower: BTNET-MNT
mnt-routes: BTNET-MNT
source: RIPE # Filtered

Sky commonly reports back with IPs from:

inetnum: 90.207.238.128 - 90.207.238.191
netname: SKY-IRONMAN-VIRTUALISATION-LAN
descr: Sky Network Services
country: GB
admin-c: BBH-RIPE
tech-c: BBH-RIPE
status: ASSIGNED PA
mnt-by: BSKYB-BROADBAND-MNT
source: RIPE # Filtered

Initial research indicates that on some ISPs even attempting to use third-party DNS servers elicits a spoofed response, which indicates that these ISPs are intercepting and monitoring ALL DNS queries you make. This raises a variety of concerns, such as the accuracy of SPF, DNSSEC or TXT responses, but that’s a topic for another time.

Circumvention:

If you discover that you are getting faked responses and are unable to reach the correct webserver, follow the steps below.

  • Get the A Record
    • Navigate to a website such as http://www.dnsstuff.com/tools
    • Look for the DNS Lookup tool
    • In the text box enter the hostname you are trying to reach (e.g. www.google.com)
    • Select A from the record type
    • Submit the request and make a note of the IP address returned.
  • Edit the Hosts file
    • Windows
      • Start notepad.exe as an Administrator
      • Open C:\Windows\System32\drivers\etc\hosts
      • Add the IP address and the hostname in the format shown below:
        173.194.34.67 www.google.com
      • Save the file ensuring that a file suffix isn’t appended
    • Linux / Mac
      • Open /etc/hosts as the superuser with your editor of choice (vim!)
      • Add the IP address and the hostname in the format shown below:
        173.194.34.67 www.google.com
      • Save the file ensuring that a file suffix isn’t appended
  • Testing
    • Load up a cmd prompt (Ctrl + R, type cmd, press return)
    • Type nslookup www.google.com
    • Ensure you receive the IP address you entered in the hosts file
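
As an added example (not part of the original post), the Python below checks whether the address the system resolver returns for a hostname falls inside the BT or Sky netblocks quoted in the background section. It uses socket.getaddrinfo, which follows the operating system's lookup path and so honours hosts-file entries, whereas nslookup queries the DNS server directly; the function names are illustrative.

```python
import ipaddress
import socket

# RIPE inetnum/netname pairs copied from the whois output quoted on this page.
WHOIS_TEXT = """\
inetnum: 213.120.234.0 - 213.120.235.255
netname: BT-UKIP-IPV4-INFRASTRUCTURE
inetnum: 90.207.238.128 - 90.207.238.191
netname: SKY-IRONMAN-VIRTUALISATION-LAN
"""


def parse_inetnum(text):
    """Turn 'inetnum: first - last' / 'netname:' pairs into (network, netname)."""
    nets, pending = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "inetnum":
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            # A whois range is not always one CIDR block, so keep every piece.
            pending = list(ipaddress.summarize_address_range(first, last))
        elif key == "netname" and pending:
            nets.extend((net, value) for net in pending)
            pending = None
    return nets


FILTER_NETS = parse_inetnum(WHOIS_TEXT)


def classify(ip, nets=FILTER_NETS):
    """Return the netname if ip sits in a known filter netblock, else None."""
    addr = ipaddress.ip_address(ip)
    for net, name in nets:
        if addr.version == net.version and addr in net:
            return name
    return None


def check_host(hostname, resolve=socket.getaddrinfo):
    """Resolve via the system resolver and flag answers in filter netblocks."""
    answers = {info[4][0] for info in resolve(hostname, 80, proto=socket.IPPROTO_TCP)}
    return {ip: classify(ip) for ip in sorted(answers)}


if __name__ == "__main__":
    for ip, name in check_host("www.google.com").items():
        print(ip, "filter netblock: " + name if name else "ok")
```

An answer that maps to one of the netnames means the lookup is still being answered by the ISP's filter rather than by the hosts-file entry.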


If the ISP is using BGP filtering methods, Deep Packet Inspection (DPI) or a transparent proxy then this still may not work as they’ll detect traffic going to the blocked IP subnet and act accordingly.

Keep an eye on our How to Evade Blocks page and follow @STCPI on Twitter for more methods to discover and evade Internet censorship.


Publicity Leads to an unblock for TorrentFreak

2 days after TorrentFreak posted about web filtering in the UK, Sky has caved, admitted to yet another overblocking mistake and recategorized torrentfreak.com so it is now reachable.

In the opening of their article the BBC clearly state that overblocking is affecting lots of other legitimate websites:

filters are intended to allow parents to ensure children cannot view adult content.

But the automatic blocking of all file-sharing sites meant that news site TorrentFreak and other legitimate sites were also blocked.

BBC

Whilst this is a victory for TorrentFreak.com, there are still plenty of other site owners who may not know that they have been blocked and are losing revenue or being prevented from providing the help they are trying to provide.

Read the full story here: http://www.bbc.co.uk/news/technology-25638872

TorrentFreak Blocked

TorrentFreak.com, the self-described home of breaking news about file-sharing, copyright and privacy, is the latest website to fall victim to UK Internet filter overblocking.

UK Prime Minister David Cameron wants all Internet providers to block porn by default, to protect the children. This filtering requirement is controversial for a number of reasons, not least due to ISPs’ filters targeting a wide range of other content too. Sky’s newly launched Broadband Shield, for example, blocks numerous legitimate file-sharing related sites including uTorrent and BitTorrent.com, download portals for Linux distributions, and even TorrentFreak.

TorrentFreak.com

If you are able to reach the page you can read the full write up here, if you can’t reach the page maybe it’s time to start looking at ways to evade the filters?