dlundquist / sniproxy

Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session.
BSD 2-Clause "Simplified" License
2.57k stars 398 forks

SmartDNS features, use... #328

Open siliconhippy opened 5 years ago

siliconhippy commented 5 years ago

I was redirected from here...

https://www.reddit.com/r/SmartDNS/comments/787snc/build_your_own_smartdns_using_sniproxydnsmasq/

So good to see this continues, having read the ESNI TLS 1.3 comments 😂 Looks better than the netflix-proxy setup by ab77!

  1. So this means I can set up my own smartDNS server in a VPS like OVH... but is there a tutorial or YouTube video available for noobs that answers:

A. Will there be any data traffic load on this smartDNS server? VPN servers have all the data traffic load, resulting in big egress data bills!
B. How can we have multiple geo unlocking (the other charm besides no speed kill as for VPNs), e.g., iPlayer UK, Netflix US, Hotstar India, etc.?
C. How many users can access this smartDNS server, and is any special setup needed?

oakaigh commented 5 years ago

@siliconhippy :) Please PLEASE be prepared for DDoS attacks in the first place.

siliconhippy commented 5 years ago

@PantherJohn

Thanks for responding.

What do you think of this really simple and cheap solution?

  1. Set up DNS on your device per mgorven:

https://serverfault.com/questions/391914/is-there-a-way-to-use-a-specific-dns-for-a-specific-domain

  2. Set up regular proxy servers in each geolocked region.

The target website (e.g., Netflix US) most likely won't block traffic from a small VPS (those $1/month mom-and-pop ones), and you should receive the desired traffic without any complicated sniproxy setup.

These "regular" proxies only need to forward traffic blindly to and from the target site, after receiving the specific DNS requests parsed by the device dnsmasq, without having to analyze various IPs and domains or traffic patterns.

  3. Only pay for traffic bandwidth that needs geo unlocking and forward all other traffic to a stable DNS server of your choice (Google, OpenDNS, Cloudflare, etc.).

Avoid speed-killing and bandwidth-expensive VPNs with the above simple selective approach.

oakaigh commented 5 years ago

@siliconhippy afaik, sniproxy is so-far the most user-friendly tool to bypass geo-blocking. (no kidding) Yes, if you are NOT in China the solution you proposed is definitely okay.

Here's another story: In case you are in that communists' country you may also need to encrypt your web traffic -- see shadowsocks/shadowsocks-libev. Simply wrap your normal HTTP traffic (to sniproxy) inside the tunnel (ss-tunnel) and you are ready to go.

siliconhippy commented 5 years ago

Jared,

Appreciate the comments 😎 I am saving this page as a network security/bypass overview! So it looks like my hunch can work out!

  1. Can you kindly give me a link(s) for setting up the simple proxy server per geo location to be unlocked, per my suggestion?

  2. Re: shadowsocks, here are other countries too, likely more paranoid now!

https://www.reddit.com/r/VPN/comments/9e3k7t/isps_have_blocked_all_vpns_how_to_bypass/

  3. Do you think the ultimate would be WireGuard in the Linux kernel by year end plus TLS 1.3 (no SNI leaks)?

How is WG today (it doesn't work on ARM yet)? Does it slow down connections on non-AES machines?

Cheers, 😁

oakaigh commented 5 years ago

@siliconhippy

Sample configuration

Here's a minimum sample configuration file. Not sure if it fits your needs.


# Security matters, if sniproxy is running on a public server 
# PLEASE change `root' to `nobody'
user root
group root

pidfile /var/run/sniproxy.pid

# Replace "127.0.0.2" with either a public DNS server address (e.g. 1.1.1.1, 8.8.8.8)
# or the address your local DNS resolver listens on (recommended for faster DNS lookups).
# If not specified, nameservers are taken from /etc/resolv.conf.
resolver {
    nameserver 127.0.0.2
    # ipv6 resource records have the priority
    mode ipv6_first
}

error_log {
    syslog daemon
    priority emergency
}

listen 443 {
    protocol tls
    # do you need TCP Fast Open? it's disabled by default
    #fastopen yes
    reuseport yes
    table awesome
}

listen 0.0.0.0 80 {
    protocol http
    #fastopen yes
    reuseport yes
}

table awesome {
    # Rules are checked top to bottom; the first matching regex wins.
    # Dots are escaped so "." matches a literal dot rather than any character.
    # Use addresses returned by the nameserver
    (.*\.|)netflix\.com                     *:443
    # Use [ipaddr/domain]:port specified by the user
    (.*\.|)nflxvideo\.net                   52.37.219.6:443
    # Connect to the destination server using the same port the frontend listens on
    (.*\.|)nflxso\.net                      occ-0-1007-1009.1.nflxso.net
    ^s\.hulu\.com$                          *
    ^play\.hulu\.com$                       *

    # Block UC Irvine's admission page
    # Exception: services.admissions.uci.edu (listed first so it matches before the block rule)
    ^services\.admissions\.uci\.edu$        *:8443
    (.*\.|)admissions\.uci\.edu             0.0.0.0
    # Catch-all: any other hostname is relayed to the address it resolves to, on the listener port
    .*                                      *
}

table {
    .*                      *
}

TCP Fast Open

Note that TCP Fast Open is a fancy feature that ONLY in some cases can accelerate TCP connections (bypassing the infamous 3-way handshake). But in this world of probability TFO packets are frequently dropped by middleboxes, which in turn forces your connection to fall back to the regular 3-way handshake, boom! adding an additional round-trip time. It's up to you whether to enable it or not.

TCP Fast Open has not yet been merged into this repo but you can still try it here

sniproxy, man!

To get a more comprehensive view of the configurable options I recommend taking a look at the man page (man sniproxy) shipped along with the installation package.
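As an added example (not sniproxy's own code, and not posted by anyone in this thread), here is a Python model of what the "protocol tls" listener in the sample configuration above actually does: it reads the first bytes of the TCP session, pulls the server_name out of the TLS ClientHello, and walks the table rules top to bottom until one matches. The table is copied from "table awesome" above (the 52.37.219.6 address and the occ-... hostname are taken from that post and not verified here). Two things are assumptions: that sniproxy matches rules with an unanchored regexec()-style search, which is why re.search() is used, and that a 0.0.0.0 target means "drop", which is what the comment intends. The ClientHello builder exists only to produce constructed test input.

```python
# Added example: a model of sniproxy's TLS listener + table lookup, not sniproxy code.
import re
import struct


class _Reader:
    """Bounds-checked cursor over bytes; raises ValueError on truncation."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack("!H", self.take(2))[0]
    def u24(self): return int.from_bytes(self.take(3), "big")
    def done(self): return self.pos >= len(self.buf)


def parse_sni(data):
    """server_name from a TLS ClientHello record; None if absent or malformed."""
    try:
        rec = _Reader(data)
        if rec.u8() != 0x16:                 # record type must be handshake
            return None
        rec.take(2)                          # record version
        body = _Reader(rec.take(rec.u16()))
        if body.u8() != 0x01:                # handshake type must be ClientHello
            return None
        hello = _Reader(body.take(body.u24()))
        hello.take(2 + 32)                   # client_version + random
        hello.take(hello.u8())               # session_id
        hello.take(hello.u16())              # cipher_suites
        hello.take(hello.u8())               # compression_methods
        if hello.done():                     # no extensions block at all: no SNI
            return None
        exts = _Reader(hello.take(hello.u16()))
        while not exts.done():
            etype = exts.u16()
            edata = _Reader(exts.take(exts.u16()))
            if etype != 0:                   # 0 == server_name extension
                continue
            names = _Reader(edata.take(edata.u16()))
            while not names.done():
                ntype, name = names.u8(), names.take(names.u16())
                if ntype == 0:               # 0 == host_name
                    return name.decode("ascii")
        return None
    except (ValueError, UnicodeDecodeError):
        return None                          # truncated or garbage: nothing to route on


def build_client_hello(server_name):
    """Constructed TLS 1.2-style ClientHello carrying one SNI entry (test input only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # host_name entry
    sni = struct.pack("!H", len(entry)) + entry               # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni               # extension type 0
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                # version, random, empty session_id
             + b"\x00\x02\x13\x01" + b"\x01\x00"              # one cipher suite, null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Rules of "table awesome" from the comment above; sniproxy walks them in order.
TABLE = [
    (r"(.*\.|)netflix\.com", "*:443"),
    (r"(.*\.|)nflxvideo\.net", "52.37.219.6:443"),
    (r"(.*\.|)nflxso\.net", "occ-0-1007-1009.1.nflxso.net"),
    (r"^s\.hulu\.com$", "*"),
    (r"^play\.hulu\.com$", "*"),
    (r"^services\.admissions\.uci\.edu$", "*:8443"),
    (r"(.*\.|)admissions\.uci\.edu", "0.0.0.0"),
    (r".*", "*"),
]


def select_backend(hostname, frontend_port, table=TABLE):
    """First matching rule wins. re.search() models an unanchored regexec()-style
    match (assumed for sniproxy): without ^...$ a rule also matches longer names."""
    for pattern, target in table:
        if not re.search(pattern, hostname, re.IGNORECASE):
            continue
        if target == "0.0.0.0":              # the post's "block" rule, modelled as drop
            return None
        host, sep, port = target.rpartition(":")   # "host:port" or bare host
        if not sep:
            host, port = target, frontend_port     # bare host keeps the listener port
        return (hostname if host == "*" else host, int(port))
    return None                              # nothing matched: close the connection
```

Three practitioner caveats fall out of running this against the sample table. First, `.* *` at the bottom turns the listener into a relay for any hostname on port 443 from anyone who can reach the VPS, which is one reason for the DDoS warning earlier in the thread; restricting which clients can reach ports 80/443 (for example with a host firewall) is a sensible assumption for a public deployment. Second, because the match is unanchored, `(.*\.|)nflxvideo\.net` also selects the pinned 52.37.219.6 backend for an SNI like `nflxvideo.net.evil.example`; anchor rules with `^` and `$`, as the hulu lines do, when that matters. Third, the "block" rule deserves a check on the real host: on Linux a connect() to 0.0.0.0 is routed to the loopback interface rather than nowhere, so verify that it closes the connection instead of reaching a local service.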

siliconhippy commented 5 years ago

Thanks, man 😃 Will look at it.