64

I am helping run a website that has been blocked for political reasons by the same Russian agency that previously tried blocking Telegram (RosKomNadzor). This is not the first time this has happened; previously we would just change the domain, but that has its own implications and a loss in readership.

They are blocking only the domain name, not the IP (we're using Cloudflare anyway). We're using HTTPS, but ISPs are still somehow able to get the DNS information about a request coming our way from their clients. Technically, we could suggest that our readers configure their /etc/hosts, but that is not a viable option.

Is there something that could be done on our server's side to encrypt/obfuscate the DNS information without users making any changes/installing software? Or is waiting for DNS over HTTPS to become mainstream our only option?

From Russia with love.

Mary
  • (+11) If we believe our (possibly biased) western newspapers, this sounds like a dangerous activity, especially if you're still based in Russia. Take care! From France, with love. – Eric Duminil Jan 24 '21 at 21:14
  • (+1) Recent versions of Firefox (probably Chrome too) already support DNS over HTTPS. So if your users have recent versions of browsers, they don't need to install anything, just to turn on this option. The question is, how do you tell them to do that? – raj Jan 24 '21 at 22:59
  • @EricDuminil thanks but it is not as bad as it may appear, especially compared to Belarus in Aug 2020. – Mary Jan 25 '21 at 00:24
  • (+3) @EricDuminil It's not as dangerous as it seems. RKN just sends you angry emails and if you don't remove the content they don't like, they simply make ISPs block the site (they use SNI detection). – forest Jan 25 '21 at 01:40
  • (+8) @EricDuminil My take on it is that the Western press is severely hampered by an inability of its reporters to read Russian above a grade school level. This forces them to write formulaic stories based on headlines. So when the headlines say that Telegram is banned, they assume the government is going to do what it takes to stop people from using it. You have to read far into the story to learn that what the ban really means is that now the supermarket employees have to help grandma install a VPN on her phone so she can resume ordering groceries via Telegram. – David42 Jan 25 '21 at 15:41
  • Maybe some of Cloudflare's tools might mitigate this problem in certain circumstances, like their project [Galileo](https://www.cloudflare.com/galileo/) and their [Workers infrastructure](https://workers.cloudflare.com/)? – Celso Bessa Jan 25 '21 at 18:33
  • (+3) @David42 there's a great quote by Saltykov-Shchedrin: "The severity of Russian laws is mitigated by the non-binding nature of their implementation." After Telegram was "banned", it was still one of the most popular messaging apps here, with even some government officials having public channels there ¯\_(ツ)_/¯ – Mary Jan 27 '21 at 02:50

7 Answers

59

Unfortunately, circumventing censorship is better addressed on the client side, so there aren't many server side settings that could help with that. You could advise your users to use a VPN, Tor, and/or public DNS with DNS-over-HTTPS (RFC 8484) or DNS-over-TLS (RFC 7858).

You make the assumption that the censorship method has something to do with DNS, but have you actually tested this? Did you know that the server name indication (SNI, RFC 6066 section 3) in the ClientHello is unencrypted and may also be used to block the TLS connection? Luckily, TLS Encrypted Client Hello (draft-ietf-tls-esni-09) is on its way and can help with that. More reading on the subject:

(We don't usually add any greetings to our Q/A posts, but your 007 reference is golden!)

Esa Jokinen
  • Thanks a lot, I'll check that – Mary Jan 24 '21 at 10:41
  • (+6) Russian ISPs are well known to use DNS spoofing as a first line of government-mandated censorship. – fraxinus Jan 24 '21 at 21:52
  • (+4) They use SNI, at least last I checked. For sites blocked due to RKN, you can get around them by disabling SNI client-side (obviously this only works for sites with only one host on the IP), unless things changed recently. It's not a real solution, but at least it shows that they do indeed use SNI. – forest Jan 25 '21 at 01:41
  • > *you can get around them by disabling SNI client-side (obviously this only works for sites with only one host on the IP)* < — out of interest, what happens if you send spoofed or omitted SNI, but include the `Host` header as normal? Is that a viable long-term strategy, especially if applied only to a finite, small set of sites? – JamesTheAwesomeDude Jan 25 '21 at 02:28
  • (+7) @JamesTheAwesomeDude The server will respond with the certificate for the spoofed (or “SNI-less” default, if configured) domain name (assuming it has it!). This technique is called Domain Fronting, for your further research. – Jacob Krall Jan 25 '21 at 02:50
  • (+1) @JacobKrall when you say "The server will respond with the certificate for the spoofed domain name", are you talking about CloudFlare in particular, or about CDNs in general? I ask because I know this is something some CDNs (notably Google's and Amazon's) have stopped supporting semi-recently. – James_pic Jan 25 '21 at 10:16
  • (+1) "Luckily, TLS Encrypted Client Hello (draft-ietf-tls-esni-09)" Except that exactly for this reason, some governments are already banning or planning to ban TLS 1.3 completely, and DoH. See https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/ for one example. – Patrick Mevzek Jan 25 '21 at 21:53
  • *but your 007 reference is golden!* "Eye" see what you did there. – Davy M Jan 26 '21 at 16:17
  • How did they do [this](http://ahtribune.com/)? – Keith McClary Jan 26 '21 at 17:09
  • @JacobKrall I meant to ask specifically how [commodity/commercial/OOTB] web servers these days react to a client who is Domain Fronting. Do they reject the mismatched Host/SNI? If not, might facilitating this be a valuable addition to, say, Firefox, for use in such countries — as a complement to DoH and an alternative to ESNI that works with _current_ server-side TLS stacks **without raising as many red flags**? – JamesTheAwesomeDude Jan 27 '21 at 00:46
  • @KeithMcClary they've seized the domain; they're the "rightful" owners of it now. [`com`∈`us`](https://www.wired.com/2012/03/feds-seize-foreign-sites/); any CA would have no default objections to issuing the FBI a certificate of DNS ownership of the site. – JamesTheAwesomeDude Jan 27 '21 at 00:54
  • @JamesTheAwesomeDude: How could one check a mismatch between `Host` and SNI? It's only SNI that is unencrypted; they can't see the `Host` header. – Esa Jokinen Jan 27 '21 at 05:04
  • @EsaJokinen I was referring to the web servers: > *how [do] web servers these days react… Do they reject the mismatched Host/SNI?* < — I find it entirely plausible that some "secure defaults" being pushed in the industry might reject such a mismatched request as a symptom of a MitM or other foul play. But, _if not_, then it means that we *could* implement Domain Fronting in today's browsers, **on today's Internet, right now** — without having to petition the IETF, then wait 10 years for such upgrades to be standardized, coded, banned/blocked by , and implemented by servers (in that order) – JamesTheAwesomeDude Jan 27 '21 at 19:42
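
Esa's point that the SNI travels in the clear can be verified without touching the network. The following is an added example, not code from the answer or from any project: it runs Python's own TLS client against in-memory BIOs, captures the ClientHello record it would put on the wire, and parses the server_name extension out of it (the hostnames used are placeholders).

```python
import ssl
import struct

def capture_client_hello(hostname: str) -> bytes:
    """Run the client side of a TLS handshake against in-memory BIOs, so no
    network is touched, and return the first bytes the client would send:
    a single TLS record carrying the ClientHello."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for a ServerHello
    return outgoing.read()

def extract_sni(record: bytes):
    """Walk the TLS record header, handshake header and ClientHello body and
    return the host_name from the server_name extension, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                             # record hdr (5) + handshake hdr (4)
    p += 2 + 32                                       # legacy_version + random
    p += 1 + record[p]                                # legacy_session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher_suites
    p += 1 + record[p]                                # legacy_compression_methods
    ext_len = struct.unpack_from("!H", record, p)[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, body_len = struct.unpack_from("!HH", record, p)
        p += 4
        if ext_type == 0:                             # server_name, RFC 6066 section 3
            # ServerNameList: list len (2), name_type (1) = host_name, name len (2), name
            name_len = struct.unpack_from("!H", record, p + 3)[0]
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += body_len
    return None

def sni_is_cleartext(hostname: str) -> bool:
    """True when the hostname is readable verbatim in the unencrypted ClientHello,
    i.e. exactly what an on-path ISP filter sees before any encryption starts."""
    hello = capture_client_hello(hostname)
    return extract_sni(hello) == hostname and hostname.encode("ascii") in hello

if __name__ == "__main__":
    print("SNI visible on the wire:", sni_is_cleartext("example.com"))  # → True
```
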
19

Most Russian providers implement Inquisition requests by intercepting DNS traffic and changing it on the fly (and it's pretty easy since it's unencrypted), effectively using a man-in-the-middle scheme; for instance, all of the Ertelecom-affiliated ISPs are using this method. In this case (which can be easily determined by just comparing the client-side resolved IP vs the real IP) nothing can be done from the server side: even if you implement DNSSEC and signed answers start to flow, all this technique will do is break the client-side name resolving stack entirely when it comes to your domain (however, this is purely a theory, but you can easily prove I'm wrong, if I am).

Unfortunately, all of the available solutions to bypass DNS MitM need to be applied on the client side, not the server one.

drookie
  • (+3) DoH may help (DNS over HTTPS), but that's also a client side thing. – Aleks G Jan 24 '21 at 18:45
  • (+3) If I were setting this up as Russia I'd intercept DNS and kill the DNSSEC records for everything, thus making it appear to any piece of software inside that DNSSEC does not exist on the public internet. – joshudson Jan 25 '21 at 04:06
5

Russian government-mandated censorship is known to use DNS spoofing (that's how select porn sites are blocked).

They also use packet filters based on IP address/range (that's how they tried and failed to block Telegram).

An idea: time-based domain name!

RosComNadzor are a government agency, so they should be somewhat slow to respond.

DOS them! Example:

etc...

You'll need a new domain name every week ($10) and your lovely RosKomNadzor bureaucrats are not really that much operative.

Your users should remember to add the last Sunday's date to the domain name. If things get worse, you can go faster as well, at just a bit more expense (you can also negotiate a better price for that many domains).

At some point, they can as well adapt their procedures to your scheme. You have to change it only a little bit.

fraxinus
  • (+4) Well, this is sort of what we're doing already, changing domain names. Doing that proactively rather than reactively sounds like an interesting idea. – Mary Jan 25 '21 at 00:26
  • (+6) To supplement this method, you could provide users with a [bookmarklet](https://en.wikipedia.org/wiki/Bookmarklet) that automatically takes them to the correct domain name. – Nonny Moose Jan 25 '21 at 03:03
  • (+23) How far in the future are you going to register domains? Nothing prevents me or an agency from registering any of the upcoming free domains. This is actually more dangerous. People will believe they access the legit website while it is not. They can be provided false information, credentials can be gathered and/or they can be tracked to the smallest detail! – eKKiM Jan 25 '21 at 08:22
  • You could have another website with a different domain that just displays the latest domain to use. This one may not get censored and would allow you to keep users up to date with non-predictable domains like blabla-hjk345.com; it could even just show "hjk345" and if your users know what to do with that information it would work. – Oylex Jan 25 '21 at 15:25
  • In addition to what @eKKiM says, if you register domains in advance, following a pattern, the government would be able to block _future domains_ in advance - possibly countering your advantage of them moving slow. – mgarciaisaia Jan 25 '21 at 21:47
  • Depending on how loyal your visitors are, you could set up a newsletter or some mechanism of notification and move domains every two weeks - letting people know which one the next domain would be. – mgarciaisaia Jan 25 '21 at 21:48
  • Yes, the method has its vulnerabilities. It will only work for a while and then it will have to be modified. The good thing is that it can be modified with ease and RosComNadzor will have to adapt. They are a government regulatory body, not a quick-response team. – fraxinus Jan 25 '21 at 22:54
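
fraxinus's weekly scheme above, keyed to the last Sunday's date, as an added example that is not part of the answer: the site label and TLD are placeholders, and `upcoming_domains` goes slightly beyond the answer by listing what must be registered ahead, which is also exactly the list eKKiM and mgarciaisaia point out anyone else can compute.

```python
from datetime import date, timedelta

# Placeholders: the page never names the real site.
BASE_LABEL = "example-news"
TLD = "net"

def last_sunday(day: date) -> date:
    """Most recent Sunday on or before `day` (a Sunday maps to itself)."""
    # date.weekday(): Monday == 0 ... Sunday == 6
    return day - timedelta(days=(day.weekday() + 1) % 7)

def weekly_domain(day: date, base: str = BASE_LABEL, tld: str = TLD) -> str:
    """Domain name in force during the week that contains `day`,
    e.g. example-news-20210124.net for any day from 24 to 30 Jan 2021."""
    return f"{base}-{last_sunday(day):%Y%m%d}.{tld}"

def upcoming_domains(start: date, weeks: int,
                     base: str = BASE_LABEL, tld: str = TLD) -> list:
    """Names the operator must register in advance. Because the scheme is
    predictable, anyone who knows it can derive the same list and register
    or block those names first (the risk raised in the comments)."""
    first = last_sunday(start)
    return [weekly_domain(first + timedelta(weeks=i), base, tld)
            for i in range(weeks)]

def is_current(domain: str, today: date,
               base: str = BASE_LABEL, tld: str = TLD) -> bool:
    """Client-side check a bookmarklet would make: is `domain` this week's name?"""
    return domain.lower() == weekly_domain(today, base, tld)

if __name__ == "__main__":
    print(weekly_domain(date.today()))
    print(upcoming_domains(date.today(), 4))
```
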
5

Make your content available through IPFS! https://ipfs.io/ It's a decentralized version of the internet, where each client who visits your site stores copies of your content on their machine.

[Image: Decentralized Web]

Nick Bonilla
  • This is also a good option, because one of the targets of IPFS is to prevent censorship. As far as I know, Brave is the only browser that supports IPFS (it is based on Chromium, so it shouldn't be too hard to switch from Chrome and derivatives). – Lemon Jan 25 '21 at 16:43
  • (+1) This is rather interesting, but doesn't this make it easy to tamper with the contents? Also, this is incompatible with dynamic content. For these reasons, I'd prefer using Tor. – Esa Jokinen Jan 26 '21 at 12:51
  • (+2) With IPFS, the URL to your content is a hash of the content itself. Hashes prevent tampering because all URLs are a hash of the content that you're getting, so if you tamper with content, the URL of that content would have a different hash and therefore nobody would request it. See: https://docs.ipfs.io/concepts/hashing/ "the content itself is used to form an address" – Nick Bonilla Jan 26 '21 at 19:07
4

> Is there something that could be done on our server's side to encrypt/obfuscate the DNS information without users making any changes/installing software?

No, because DNS requests are processed by dedicated name servers and as such they are not routed through your web server.

> Or is waiting for DNS over HTTPS to become mainstream our only option?

Pretty much; DNS-over-HTTPS was designed to enhance privacy, thwart censorship, and prevent attacks such as those you described. It is supported by recent versions of Google Chrome and Firefox (on the desktop at least) so in theory most of your users should already be able to use it.

1

You could do what Telegram did. It requires making a mobile app out of the website. Then you can change your IP address whenever blocked and send the new one to the app by a push notification, which is a channel that can’t be inspected and censored, only disabled completely which RKN is unwilling to do.

  • (+1) We have a channel in Telegram & they are banning the domain name rather than the IP address. – Mary Jan 27 '21 at 02:47
0

Bypassing DNS Censorship

Acquire several dozen domain names from different registrars, or more if you can afford it. Set up HTTPS and CDN on all of these domains. Ensure your site accepts all of these domains in your virtual host settings. Give different batches of users different places to learn the alternate domain names, on shared sites like GitHub and GitLab, in different accounts. This means that if one of the users is a mole, only a percentage of your users will be blocked.

This method is not perfect, no single solution will be. Maybe the censorship is slower than your userbase picking up the new domain names.

As others mentioned, you can also encourage your users to utilize Tor if it is not blocked in their country. This means you would have to allow Tor in your CDN settings.

Aaron