Background:
Various ISPs, such as Sky and BT, manipulate DNS: instead of the correct answer for a blocked site, their resolvers return a spoofed response that points the client at an ISP proxy server.
Taking BT as an example, a request for a blocked site has been seen to return an IP from within this netblock instead:
inetnum: 213.120.234.0 - 213.120.235.255
netname: BT-UKIP-IPV4-INFRASTRUCTURE
descr: POP
country: GB
admin-c: BS1474-RIPE
tech-c: BS1474-RIPE
status: ASSIGNED PA
remarks: Please send abuse notification to [email protected]
remarks: New netname
mnt-by: BTNET-MNT
mnt-lower: BTNET-MNT
mnt-routes: BTNET-MNT
source: RIPE # Filtered
Sky commonly answers with IPs from this netblock:
inetnum: 90.207.238.128 - 90.207.238.191
netname: SKY-IRONMAN-VIRTUALISATION-LAN
descr: Sky Network Services
country: GB
admin-c: BBH-RIPE
tech-c: BBH-RIPE
status: ASSIGNED PA
mnt-by: BSKYB-BROADBAND-MNT
source: RIPE # Filtered
Initial research indicates that, on some ISPs, even querying a third-party DNS server elicits the same spoofed response. That implies these ISPs are intercepting (and can monitor) ALL DNS queries you make, regardless of which resolver you address them to. This raises further concerns, such as whether SPF, DNSSEC or TXT responses can be trusted, but that's a topic for another time.
Circumvention:
If you discover that you are getting faked responses and are unable to reach the correct web server, follow the steps below.
- Get the real A record for the site from a source the ISP cannot tamper with (for instance, a lookup made from a network that is not affected)
- Edit the hosts file
- Windows
- Start notepad.exe as an Administrator (the file is not writable otherwise)
- Open C:\Windows\System32\drivers\etc\hosts
- Add the IP address and the hostname (the name in the address bar, not the full URL) in the format shown below;
173.194.34.67 www.google.com
- Save the file, ensuring that Notepad doesn't append a .txt suffix (choose "All Files" as the file type)
- Linux / Mac
- Open /etc/hosts as the superuser with your editor of choice (vim!)
- Add the IP address and the hostname in the format shown below;
173.194.34.67 www.google.com
- Save the file
- Testing
- Windows
- Load up a command prompt (Win + R, type cmd, press return)
- Type
ipconfig /flushdns
- so that a cached spoofed answer isn't reused, then type
ping -n 1 www.google.com
- Ensure the IP address shown in the "Pinging www.google.com [...]" line is the one you entered in the hosts file (that line appears even if the ICMP replies are blocked). Don't use nslookup for this check: it sends its own query straight to the DNS server and ignores the hosts file, so it will keep showing the spoofed answer even when the override is working.
- Linux / Mac
- Type
getent hosts www.google.com
- on Linux, or
ping -c 1 www.google.com
- on Linux and Mac, and ensure the IP address returned is the one you entered; as on Windows, dig and nslookup bypass /etc/hosts, so they are not a valid test.
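The following is an added example, not code from the original page or from STCPI: it pulls together the two things the page describes, spotting a spoofed answer (an A record that lands inside the BT or Sky netblocks quoted in the Background section) and applying and verifying a hosts-file override as in the steps above. The only real values in it are the two inetnum ranges copied from the whois records; every hostname, resolver label and sample hosts line is constructed for the demo, and the function names are the example's own.

```python
"""Added example (not from the original page): flag ISP-spoofed DNS answers
using the BT and Sky netblocks quoted above, and build/verify a hosts-file
override of the kind the steps describe. Hostnames, resolver labels and the
sample hosts file are constructed; only the inetnum ranges are real."""
import ipaddress

# Interception netblocks, copied from the inetnum lines on this page as
# inclusive start/end pairs (netname -> (first address, last address)).
SPOOF_RANGES = {
    "BT-UKIP-IPV4-INFRASTRUCTURE": ("213.120.234.0", "213.120.235.255"),
    "SKY-IRONMAN-VIRTUALISATION-LAN": ("90.207.238.128", "90.207.238.191"),
}

# Turn each inetnum range into CIDR networks once; summarize_address_range
# copes with ranges that do not sit on a single prefix boundary.
NETWORKS = [
    (name, net)
    for name, (first, last) in SPOOF_RANGES.items()
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]


def spoofed_by(ip):
    """Return the netname of the ISP range containing `ip`, or None when the
    answer does not look like an interception proxy address."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS:
        if addr in net:
            return name
    return None


def classify_answers(answers):
    """`answers` maps a resolver label to the A record it returned for one
    name. The result maps each resolver to the spoofing netname or None. If
    the third-party resolvers come back flagged too, the ISP is intercepting
    port 53 regardless of destination, as the Background section describes."""
    return {resolver: spoofed_by(ip) for resolver, ip in answers.items()}


def _parse_hosts_line(line):
    """Split a hosts line into (ip, [names], comment); None for blank/comment."""
    body, _, comment = line.partition("#")
    fields = body.split()
    if len(fields) < 2:
        return None
    return fields[0], fields[1:], ("#" + comment) if comment else ""


def hosts_lookup(hosts_text, hostname):
    """What the OS resolver (getent hosts / ping, NOT nslookup) would use:
    the IP on the first non-comment line that lists `hostname`."""
    for line in hosts_text.splitlines():
        parsed = _parse_hosts_line(line)
        if parsed and hostname in parsed[1]:
            return parsed[0]
    return None


def apply_override(hosts_text, hostname, ip):
    """Return hosts_text with `hostname` mapped only to `ip`: the name is
    removed from any existing line (a line left with no names is dropped)
    and a fresh entry is appended. Comments and other names are kept."""
    ipaddress.ip_address(ip)  # fail early on a typo rather than write junk
    kept = []
    for line in hosts_text.splitlines():
        parsed = _parse_hosts_line(line)
        if parsed and hostname in parsed[1]:
            old_ip, names, comment = parsed
            names = [n for n in names if n != hostname]
            if not names:
                continue
            line = " ".join([old_ip, *names]) + (f"  {comment}" if comment else "")
        kept.append(line)
    kept.append(f"{ip} {hostname}")
    return "\n".join(kept) + "\n"


# Constructed sample data for the demo (not captured from any real ISP).
SAMPLE_ANSWERS = {
    "isp-resolver": "213.120.234.5",
    "8.8.8.8": "213.120.234.5",      # third-party resolver, same spoofed answer
    "out-of-band": "173.194.34.67",  # lookup made from an unaffected network
}
SAMPLE_HOSTS = """127.0.0.1 localhost
213.120.234.5 blocked.example  # stale entry from an earlier spoofed answer
203.0.113.7 www.example.org example.org
"""

if __name__ == "__main__":
    print(classify_answers(SAMPLE_ANSWERS))
    fixed = apply_override(SAMPLE_HOSTS, "blocked.example", "173.194.34.67")
    print(fixed, end="")
    print("effective:", hosts_lookup(fixed, "blocked.example"))
```

Feed `classify_answers` the A records you got from your ISP resolver, a third-party resolver and an out-of-band lookup; if all but the out-of-band one land in a listed netblock, port 53 is being intercepted wholesale. `hosts_lookup` models the check the Testing step performs, which is why it reads the hosts file rather than asking a DNS server.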
If the ISP also blocks at the IP layer (BGP blackholing or null-routing of the blocked subnet), uses Deep Packet Inspection (DPI), or sits a transparent proxy in the path, this still may not work: the hosts entry only fixes name resolution, and your HTTP Host header or TLS SNI still names the blocked site, so they'll detect traffic going to the blocked address or hostname and act accordingly.
Keep an eye on our How to Evade Blocks page and follow @STCPI on Twitter for more methods to discover and evade Internet censorship.