Closed JJenkx closed 2 years ago
Is the list format I am using supported?
https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-blocked-ips.txt
this test is being performed on a secondary user profile
If InviZible is only installed in the main profile in VPN mode, it may or may not work, depending on the ROM. It should definitely work in Root mode.
whois -h whois.1e100.net
You should also be aware that DNSCrypt does not actually block the IP, but the DNS response if it resolves to the specified IP. So pay attention to the DNS cache.
Edit2: I discovered that dnscrypt does not accept ranges at all.
For anyone stumbling onto this, here is how I converted the CIDR notation IP list into a list for DNSCrypt.
See: scripts and files used below for this example
touch $HOME/completely.expanded.single.ips.txt && cat $HOME/ip.list.CIDR.notation.txt | while IFS= read -r line ; do $HOME/Scripts/cidrtoip "$line" >>$HOME/completely.expanded.single.ips.txt; done
touch $HOME/converted.to.dnscrypt.format.txt && cat $HOME/completely.expanded.single.ips.txt | perl -0777 -pe 's/^(\d+\.\d+\.\d+.)(0)(?:\1\d+|\n)+(?<=255)/$1*\n/gim' | perl -0777 -pe 's/(?<!\n)\n(?=\d)/\n\n/gim' > $HOME/converted.to.dnscrypt.format.txt
The file with the properly formatted schema for "ip-blacklist.txt" will be "converted.to.dnscrypt.format.txt"
Backup InviZible Pro to a zip file.
Paste the contents from file "converted.to.dnscrypt.format.txt" into IZBackup.zip/app_data/dnscrypt-proxy/ip-blacklist.txt
Save zip file
Restore from zip
These are the scripts and files used
cat $HOME/Scripts/cidrtoip
#!/usr/bin/env bash
# Expand IPv4 CIDR blocks (e.g. 31.13.24.0/21) into one address per line
# using bash brace expansion. Pass -f to skip the network-boundary prompt.

############################
## Methods
############################

# Turn a prefix length (0-32) into a 32-bit mask written as four
# space-separated groups of 8 bits, e.g. 21 -> "11111111 11111111 11111000 00000000".
prefix_to_bit_netmask() {
    prefix=$1
    bitmask=""
    for (( i=0; i < 32; i++ )); do
        num=0
        if [ $i -lt $prefix ]; then
            num=1
        fi
        space=
        if [ $(( i % 8 )) -eq 0 ]; then
            space=" "
        fi
        bitmask="${bitmask}${space}${num}"
    done
    echo $bitmask
}

# Invert each 8-bit group of the mask to get the wildcard (host) mask,
# e.g. "11111111 11111111 11111000 00000000" -> "0 0 7 255".
bit_netmask_to_wildcard_netmask() {
    bitmask=$1
    wildcard_mask=
    for octet in $bitmask; do
        wildcard_mask="${wildcard_mask} $(( 255 - 2#$octet ))"
    done
    echo $wildcard_mask
}

# Print 1 if no host bit is set in the given network address, 0 otherwise
# (31.13.25.0/21 would fail: 25 & 7 != 0).
check_net_boundary() {
    net=$1
    wildcard_mask=$2
    is_correct=1
    for (( i = 1; i <= 4; i++ )); do
        net_octet=$(echo $net | cut -d '.' -f $i)
        mask_octet=$(echo $wildcard_mask | cut -d ' ' -f $i)
        if [ $mask_octet -gt 0 ]; then
            if [ $(( net_octet & mask_octet )) -ne 0 ]; then
                is_correct=0
            fi
        fi
    done
    echo $is_correct
}

#######################
## MAIN
#######################
OPTIND=1
getopts "f" force   # force is "f" when -f was given, "?" otherwise
shift $(( OPTIND-1 ))

for ip in "$@"; do
    net=$(echo $ip | cut -d '/' -f 1)
    prefix=$(echo $ip | cut -d '/' -f 2)
    do_processing=1
    bit_netmask=$(prefix_to_bit_netmask $prefix)
    wildcard_mask=$(bit_netmask_to_wildcard_netmask "$bit_netmask")
    is_net_boundary=$(check_net_boundary $net "$wildcard_mask")

    if [ "$force" != 'f' ] && [ $is_net_boundary -ne 1 ]; then
        read -p "Not a network boundary! Continue anyway (y/N)? " -n 1 -r
        echo    # move to a new line
        if [[ $REPLY =~ ^[Yy]$ ]]; then
            do_processing=1
        else
            do_processing=0
        fi
    fi

    if [ $do_processing -eq 1 ]; then
        # Build one brace expression per octet: a fixed octet stays as-is, an
        # octet with host bits becomes {low..high}, e.g. 31.13.{24..31}.{0..255}
        str=
        for (( i = 1; i <= 4; i++ )); do
            range=$(echo $net | cut -d '.' -f $i)
            mask_octet=$(echo $wildcard_mask | cut -d ' ' -f $i)
            if [ $mask_octet -gt 0 ]; then
                range="{$range..$(( range | mask_octet ))}"
            fi
            str="${str} $range"
        done
        ips=$(echo $str | sed "s, ,\\.,g")   # join the four parts with periods
        eval echo $ips | tr ' ' '\012'        # expand the braces, one address per line
    fi
done
(Note: ip.list.CIDR.notation.txt should have a blank newline at the beginning and end of the file)
cat $HOME/ip.list.CIDR.notation.txt
31.13.24.0/21
31.13.64.0/18
45.64.40.0/22
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
102.132.96.0/20
103.4.96.0/22
129.134.0.0/16
147.75.208.0/20
157.240.0.0/16
173.252.64.0/18
179.60.192.0/22
185.60.216.0/22
185.89.216.0/22
204.15.20.0/22
Here is what my current ip-blacklist.txt looks like https://github.com/JJenkx/Personal/blob/main/ip-blacklist.txt
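The conversion above (cidrtoip, then two perl one-liners) can be done in one step. This is an added example, not code from the thread or from InviZible/dnscrypt-proxy: it emits `a.b.*` for whole /16s, `a.b.c.*` for whole /24s and single addresses for anything smaller, assuming, as the perl one-liner does, that ip-blacklist.txt accepts a trailing `*` wildcard. The input list is constructed here.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample input in the same shape as ip.list.CIDR.notation.txt above.
SAMPLE_CIDRS = """
31.13.24.0/21
45.64.40.0/22
129.134.0.0/16
192.0.2.128/26
"""


def cidr_to_blocklist_patterns(cidrs: Iterable[str], force: bool = False) -> List[str]:
    """Convert IPv4 CIDR blocks into dnscrypt-proxy ip-blacklist entries.

    Whole /16s become 'a.b.*' and whole /24s 'a.b.c.*' (assumed wildcard form,
    the same one the thread's perl one-liner emits); anything longer than a /24
    is written out address by address, since the list takes no CIDR ranges.
    Like cidrtoip, a block whose host bits are set is rejected unless force=True.
    """
    patterns: List[str] = []
    for raw in cidrs:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        net = ipaddress.ip_network(line, strict=not force)  # ValueError if host bits set
        if net.version != 4:
            raise ValueError(f"IPv4 only: {line}")
        if net.prefixlen <= 16:
            for sub in net.subnets(new_prefix=16):
                a, b, _, _ = str(sub.network_address).split(".")
                patterns.append(f"{a}.{b}.*")
        elif net.prefixlen <= 24:
            for sub in net.subnets(new_prefix=24):
                a, b, c, _ = str(sub.network_address).split(".")
                patterns.append(f"{a}.{b}.{c}.*")
        else:
            # network and broadcast addresses included, as cidrtoip's {low..high} does
            patterns.extend(str(ip) for ip in net)
    return patterns


if __name__ == "__main__":
    for entry in cidr_to_blocklist_patterns(SAMPLE_CIDRS.splitlines()):
        print(entry)
```

Redirect the output into ip-blacklist.txt; the blank-line spacing the perl one-liner adds is not needed for the entries to parse.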
Edit: it seems to be blocking pings to the addresses specified in the list. I am still investigating
Edit2: I believe this is specific to the browser (Vanadium) or maybe even specific to the GrapheneOS implementation of Vanadium. Terminal Pings to the IP addresses and visits to facebook.com on IceRaven browser both result in IPs being successfully blocked. I believe now that this should be closed unless I am missing something
I added the IP entries below, one per line, to the list in Menu > DNSCrypt Settings > Pattern-based IP blocking (IP blacklist)
I have Tor and I2P routing disabled and only have the "Protect DNS with DNSCrypt" box checked for this test.
I am using GrapheneOS with Android 12 and this test is being performed on a secondary user profile (full second profile, not work profile or similar). I expected not to be able to load facebook.com, and for a split second, facebook.com shows as unreachable when the browser (Vanadium) has all data cleared before this test. After that split second facebook.com loads up and the IP addresses contained in the list also show up under the main DNS tab of this app. Is the list format I am using supported? If these are not supported, is there a way to generate supported ranges for facebook owned IPs?
This is the command I used to generate the list. aggregate6 is a pip program