net4people / bbs

Forum for discussing Internet censorship circumvention

Iran ISPs use plain DNS to drop TCP connections and block proxies #156

Open arandomgstring opened 2 years ago

arandomgstring commented 2 years ago

Forgive me for opening a new topic regarding this issue; however, I think it is worthy of a topic of its own. At the beginning, the findings of @alirezaac in this topic https://github.com/net4people/bbs/issues/153 made no sense to me. But after further investigation I found some very useful information that I would like to share. This issue https://github.com/net4people/bbs/issues/154 is related too.

Tl;dr: So in a nutshell, ISPs expect their users to establish connections with the IPs that were requested through plain DNS; if that doesn't happen, TCP connections are severed by RST packets.

As @free-the-internet correctly puts it

AFAIK, DNS should be used at the beginning of any communication, so I didn't get from your post how DNS is related to the TLS handshake. Unless here you are talking about Encrypted SNI and DoH, right? Here, we can have blocking in 2 stages. If the domain is blocked using normal DNS, you cannot even open a connection towards the server (TCP SYN).

Indeed, DNS resolution happens at the very beginning of every domain-related connection, so what causes the TLS handshake to the proxy server to be blocked when the IP and domain of the proxy server are not blocked? Why does DoH alleviate this problem but not solve it completely? And why does the TLS fingerprint not help?

  1. First of all, note that DNS resolution has nothing to do with the IP & domain of the proxy server itself. Why?! Because from @alirezaac's or my images we can clearly see that the TCP connection is already established to the proxy server. If it were a case of DNS poisoning or something, we couldn't even establish a connection to the proxy server to begin with. Moreover, we can simply add the IP & domain of the proxy server to the hosts file (or the DNS configuration of the proxy client) to resolve the proxy's domain locally, and believe it or not, it solves nothing, which further proves my point.

  2. Secondly, DoH and other types of encrypted DNS resolution are completely or partly blocked in Iran. I have personally checked Google's and Cloudflare's DoH servers in YogaDNS and can confirm this on the Mokhaberat and Irancell ISPs. Please do share your findings. So DoH in itself is not much help, unless we somehow get access to it (I will explain more down below).

  3. So inevitably, users are forced to use plain DNS under normal circumstances. Either the ISP's DNS resolver, which gives bogon IPs for blocked servers https://github.com/net4people/bbs/issues/154, or plain DNS to Google & Cloudflare or other configured DNS servers is used. There is a catch with plain DNS requests: ISPs can monitor these plain DNS requests, and this is a big problem. According to my investigations (please share your findings regarding this issue), when a user wishes to visit a domain, I hypothesize:

The ISP matches the IP address of the requested domain (the ISP knows it through plain DNS) with the IPs of newly established connections. If they are the same, nothing out of the ordinary happens. However, let's assume a scenario where the user requests Youtube.com in their browser through plain DNS. The ISP sees that the requested IP is 142.250.185.110 (YouTube's IP); however, the user sends no SYN packet to 142.250.185.110 at all, rather it continues to take data from another IP (the IP of the proxy server). It is a very clear sign of using a proxy; when this happens the ISP sends RST packets to the user and destroys the connection; the user tries to re-establish the connection to the proxy server, but the ISP sends RST packets to the proxy server and we receive no Server Hello. Since the network traffic is mixed up, the ISP won't block the proxy IP at the beginning, because consider this scenario: a user downloads a file from a whitelisted website and at the same time opens a blocked site; the traffic is similar to the former case, and if the ISP were to block that IP, many whitelisted Iranian websites would be affected at the same time. But by utilizing this method they can artificially "pause" a traffic, especially if that traffic comes from other countries. I personally tested this by downloading the Ubuntu ISO (which is whitelisted) on the client side and opened a blocked site. The download stopped abruptly midway, and no matter how many times I used the download manager to continue the download, I saw the error "the web-server refuses connection". I pinged the link I was downloading from, and it was fine. I used a VPN and successfully continued downloading the file. I assume the fact that the web server was refusing to give me more packets is a clear sign of the ISP sending RST packets to the Ubuntu server and the download manager not receiving a Server Hello under the hood.
Caching all user DNS requests is wasteful and costly on the ISP's part, so after a certain timeout (maybe a few seconds), when no SYN packet is sent by the user to the requested IP address of a certain domain, they destroy TCP connections and forget previous DNS requests. Another thing that probably further proves my point is the fact that 2 years ago, when all VPNs stopped working, a VPN called "Your Freedom VPN Client" could work in DNS mode, presumably using a private DNS resolver for IPs.

Solution: I might be very wrong about the whole procedure of blockage; after all, it's all but guesswork. That said, it's very clear that when DNS requests are encrypted we face no such problems. But again we return to the very first problem: DoH is blocked, at least for well-known servers.

  1. Clients could potentially put all correct IP addresses and domains of their favorite websites in the hosts file so that DNS resolution happens locally. The problem is not all applications respect the hosts file, and I know no way of forcing apps to use the hosts file. Let me know if there is any. It seems to me that browsers randomly use the hosts file sometimes and sometimes not.

  2. Using the DoH of not very well-known web servers might be a temporary solution, but they will eventually be blocked.

  3. Perhaps running a DNSCrypt server on the proxy server would be the optimal solution. I haven't done this yet; let me know if anyone has done this and what the results were.
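To make the hypothesis above testable, here is an added model (not code from this thread or from any project mentioned in it) of what a passive observer at the ISP would see for several client configurations: it flags plain-DNS answers that are not followed by a SYN to the answered address within a timeout and, when such an orphan exists, the peers carrying TCP data that no plain answer explains. The event sequences, the proxy address 203.0.113.10 and the leaked-lookup address 198.51.100.7 are constructed; 142.250.185.110 is the YouTube address quoted in the post.

```python
"""Model of the plain-DNS / TCP correlation hypothesis from the post above.

Everything here is constructed for illustration: the on-path observer only
sees plain DNS replies and TCP SYN/data packets, never what is inside the
tunnel. The point is to see which client configurations leave an "orphaned"
plain-DNS answer on the wire, which is the signal the post hypothesises.
"""
from dataclasses import dataclass

PROXY_IP = "203.0.113.10"        # constructed placeholder for the proxy server
YOUTUBE_IP = "142.250.185.110"   # address quoted in the post
LEAK_IP = "198.51.100.7"         # constructed: answer to a lookup an app leaks outside the tunnel


@dataclass(frozen=True)
class Event:
    t: float        # seconds since start, as timestamped by the observer
    kind: str       # "dns_answer" (plain DNS reply), "tcp_syn" or "tcp_data"
    ip: str         # resolved address (dns_answer) or remote address (tcp_*)
    name: str = ""  # queried name, only for dns_answer


def orphaned_answers(events, timeout=5.0):
    """Plain-DNS answers not followed by a SYN to the answered IP within `timeout`."""
    syns = {}
    for e in events:
        if e.kind == "tcp_syn":
            syns.setdefault(e.ip, []).append(e.t)
    orphans = []
    for e in events:
        if e.kind != "dns_answer":
            continue
        followed = any(e.t <= t <= e.t + timeout for t in syns.get(e.ip, []))
        if not followed:
            orphans.append((e.name, e.ip))
    return orphans


def unexplained_peers(events, timeout=5.0):
    """Peers carrying TCP data that were never the answer to any plain DNS query.

    Reported only while some plain answer is orphaned, which is the post's
    "user takes data from another IP instead of the resolved one" situation.
    """
    if not orphaned_answers(events, timeout):
        return set()
    answered = {e.ip for e in events if e.kind == "dns_answer"}
    return {e.ip for e in events if e.kind == "tcp_data" and e.ip not in answered}


def wire_view(config):
    """Constructed packet sequences the ISP would see for one client configuration."""
    if config == "direct":              # no proxy: answer, then SYN to the answered IP
        return [Event(0.0, "dns_answer", YOUTUBE_IP, "youtube.com"),
                Event(0.2, "tcp_syn", YOUTUBE_IP),
                Event(0.5, "tcp_data", YOUTUBE_IP)]
    if config == "plain_dns_proxy":     # system resolver still plain; payload goes to proxy
        return [Event(0.0, "tcp_data", PROXY_IP),
                Event(1.0, "dns_answer", YOUTUBE_IP, "youtube.com"),
                Event(1.3, "tcp_data", PROXY_IP),
                Event(8.0, "tcp_data", PROXY_IP)]
    if config == "dns_in_tunnel":       # hosts file or DNS inside the tunnel: no plain DNS
        return [Event(0.0, "tcp_data", PROXY_IP),
                Event(1.3, "tcp_data", PROXY_IP)]
    if config == "dns_in_tunnel_leak":  # one application bypasses the tunnel resolver
        return [Event(0.0, "tcp_data", PROXY_IP),
                Event(2.0, "dns_answer", LEAK_IP, "leaked.example"),
                Event(2.4, "tcp_data", PROXY_IP)]
    raise ValueError(f"unknown config {config!r}")


def evaluate(config, timeout=5.0):
    """Orphaned answers and unexplained peers for a configuration, as sorted lists."""
    ev = wire_view(config)
    return {"orphans": orphaned_answers(ev, timeout),
            "peers": sorted(unexplained_peers(ev, timeout))}


if __name__ == "__main__":
    for cfg in ("direct", "plain_dns_proxy", "dns_in_tunnel", "dns_in_tunnel_leak"):
        print(f"{cfg:20s} {evaluate(cfg)}")
```

Note that a single leaked plain lookup ("dns_in_tunnel_leak") is enough to recreate the orphan pattern, which matches the post's remark that not every application respects the hosts file.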

mehdifirefox commented 2 years ago

Friends, have you noticed that you are all talking about strange problems, but we still don't know what's going on?

For testing, the site tiktok.com is great too; not all servers are able to open this site, a special config is needed.

free-the-internet commented 2 years ago

Guys, I don't know what's exactly up with nekoray; I don't know the technical details, but it makes very odd issues with Windows applications and some games. Try out the following project and the problems with gaming go away; however, the ping fluctuations, which have become worse since a few days ago, still occur: https://github.com/MetaCubeX/Clash.Meta There is an example configuration file in this issue: #150

Sometimes it creates a TUN interface, but it can't manage it correctly after multiple VPN Mode restarts. In this case you can restart Windows, or you can disable and re-enable its TUN interface once.

free-the-internet commented 2 years ago

@free-the-internet

How do you want to decide if I am downloading a huge piece of software from a foreign server, or I have my storage for my cameras abroad, or I am watching a video on a non-blocked foreign server, or as a company I deliver my video calling service with a combination of external and internal servers? (Of course this is possible after that there is just the so-called Intranet, and all the services are available inside the country).

Isn't this decision like, super easy peasy (without an intranet)? First of all, how many Iranian people have cameras abroad and use their personal PC/IP to save that data? Yes, no one. Besides, cameras shouldn't be using the HTTPS protocol at all; it would be very slow and inefficient. They use UDP from my understanding, which is already almost blocked (or rather heavily limited) from/to foreign servers in Iran; the QUIC protocol works from Google though. WireGuard is not working.

And just how many video calling services from outside of Iran are allowed? Even back then, when Telegram was not censored, its video calling was censored. Now almost everything, with some very few exceptions in some regions, is censored. I have heard Skype works sometimes for some people, but it gets disconnected very frequently. The same goes for video streaming services. YouTube, Dailymotion, Twitch, Hulu, Netflix, Crunchyroll, just to name a few, are all already blocked. If you are aware of any video streaming service outside of Iran that is not already blocked, let me know!

As for downloading huge software from a foreign server, that's actually a valid question. The answer is, they have already limited this. You can't download a huge file from a foreign server; you get completely disconnected from the Internet after a few gigabytes (~2-3) for a few seconds to a few minutes, and you might be reconnected after a while, but that needs a DNS resolution in itself; therefore, the volume of DNS resolution wouldn't look weird, and you can resume your download, automatically or manually. Not to mention, as I said, all operating systems along with their third-party applications do DNS resolutions randomly. If no DNS resolution comes from a client, that would be very weird indeed, no? Which is why if you turn on V2RayNG on an Android device which leaks no DNS, you might get your proxy server blocked, because no DNS resolution would come out of that device, which looks interesting.

Of course, if they match the IP addresses of DNS resolutions, that would be much better than volume; and I started this topic with that assumption, in the very first post.

Also I restarted Windows and reinstalled nekoray. This time I saw no leaking on Firefox; but some games couldn't be opened.

In the end I agree with you that there are clear signs of VPN usage. However, we don't know how they manage their system. This is a cat and mouse game; usually they are the first ones to make the next move.

arandomgstring commented 2 years ago

@mehdifirefox

Can you use a config that is not able to open tiktok.com, and capture your proxy packets with Wireshark so that we know what's going on?

mehdifirefox commented 2 years ago

I use free servers, the site could not be opened. But geph opened the site

On Tue, 22 Nov 2022, 20:27 arandomgstring, @.***> wrote:

@mehdifirefox https://github.com/mehdifirefox

Can you use a config that is not able to open tiktok.com, and capture your proxy packets with Wireshark so that we know what's going on?


alirezaac commented 2 years ago

Guys, I don't know what's exactly up with nekoray; I don't know the technical details, but it makes very odd issues with Windows applications and some games. Try out the following project and the problems with gaming go away; however, the ping fluctuations, which have become worse since a few days ago, still occur: https://github.com/MetaCubeX/Clash.Meta There is an example configuration file in this issue: #150

I had talked about game issues; it's a NAT type problem, and some games have problems with some IP mappings of your TUN. Like Dota 2 is fine, WoW had problems. If it's other problems, it's better to talk in #150 if it's not related to DNS.

alirezaac commented 2 years ago

@mehdifirefox

Can you use a config that is not able to open tiktok.com, and capture your proxy packets with Wireshark so that we know what's going on?

Hearing this from people that they cannot open Instagram, some can't use WhatsApp; I could not reproduce this with the same config, but that is weird, which is sus with DNS too.

ignoramous commented 2 years ago

If anyone has any idea how we can force DNS look ups for all applications through proxy on either of Windows, Linux, Mac, Android, IOS, they will be more than welcome. Maybe there is a V2rayClient that can do that? Tell me about it. Thank you.

For Android specifically, see https://github.com/jigsaw-code/intra and its fork (that I co-develop) which supports DNSCrypt https://github.com/celzero/rethink-app

alirezaac commented 2 years ago

If anyone has any idea how we can force DNS look ups for all applications through proxy on either of Windows, Linux, Mac, Android, IOS, they will be more than welcome. Maybe there is a V2rayClient that can do that? Tell me about it. Thank you.

For Android specifically, see https://github.com/jigsaw-code/intra and its fork (that I co-develop) which supports DNSCrypt https://github.com/celzero/rethink-app

Well, can you run it alongside another TUN? Nope, we only need it to be rooted.

mehdifirefox commented 2 years ago

NaiveProxy

If anyone has any idea how we can force DNS look ups for all applications through proxy on either of Windows, Linux, Mac, Android, IOS, they will be more than welcome. Maybe there is a V2rayClient that can do that? Tell me about it. Thank you.

For Android specifically, see https://github.com/jigsaw-code/intra and its fork (that I co-develop) which supports DNSCrypt https://github.com/celzero/rethink-app

Well, can you run it alongside another TUN? Nope, we only need it to be rooted.

So it must be rooted to be able to use rethink-app? Can it take the place of NaiveProxy?

ignoramous commented 2 years ago

With Rethink, one cannot use another VPN app unless it exposes a SOCKS5 endpoint like Orbot or Psiphon (Rethink can forward to a SOCKS5 address). Intra does not support SOCKS5 forwarding. Neither Intra nor Rethink supports or needs root.

alirezaac commented 2 years ago

@arandomgstring I just sent you the email. @ignoramous thanks, I just tested it, trying to reproduce the problem again.

Hearing this from people that they cannot open Instagram, some can't use WhatsApp; I could not reproduce this with the same config, but that is weird, which is sus with DNS too.

Well, this just popped up: no URL can be opened (with the V stuff, which has been working for 10 days so far) and only Telegram is working (well, this is using IPs only, not domains; told ya it's like DNS). But no, it's not leaking. It's temporary, like hours, and keeps coming and going. It's not dependent on the network provider; both iPhones and Androids had the same issues, and only Telegram is alive on them during the problem. I can't reproduce this with the V2 family, but I keep hearing and seeing this from people.

alirezaac commented 1 year ago

Well, this way of gathering information in one place like the bbs repo is wrong; they can simply check it here. After the conversation they started to block all Google DoH anycast IPs, and so many working DoH servers (and they didn't even check the TLS DoT :D), so I think we found their weakness, and they are trying now :)

arandomgstring commented 1 year ago

@alirezaac I don't think that's the case. As I said before, Google DoH was already blocked for many users. It just so happened that you could use it to some extent, and then you experienced this type of censorship. But why should we care? As long as you send your DNS queries to the VPS server itself, everything would be fine, no?

The type of censorship Chinese people are talking about is a bit different. I think some Chinese applications on Android devices generate random traffic to some unknown, most likely foreign IPs owned by China's government. Those IPs expect the data from a domestic IP, but since V2rayN proxies every foreign IP by default, they get caught. This is just a theory though!

arandomgstring commented 1 year ago

@wkrp I know I might be wasting your time, but please answer this question of mine.

Do you know, if an ISP injects some random packet to an Android device, how does Android respond back? I know that on Linux we can either ignore (deny) it or reject it with a packet. How do other operating systems respond to such packets by default? Especially if that packet has a foreign IP address. Windows, Android, iPhone, how do they respond? Let me give you an example:

Imagine that I am an ISP, and I inject a packet with a foreign IP address to my client's device. If that device, by default, rejects my forged packet, then I would expect my client to send a "rejection" packet to that IP address through me. But if the user, with the domestic IP that I have given to him/her, doesn't respond back, and if that user has live TCP connections, then I would simply assume that they are using a VPN. Optionally, my injected packets can come from real foreign servers. Now if the user actually responds through a proxy and not its domestic IP, I can see the proxy's IP address on my foreign server, no? Simply comparing the proxy's IP on my foreign server versus the IP address of the user's active TCP connection is more than enough to prove that IP is being used as a proxy.

I mean, consider a user who is connected to IP p.p.p.p for a long amount of time and he/she sends rejection packets to my foreign server through p.p.p.p. I see p.p.p.p on my server, and I see that the user is connected to p.p.p.p! It costs me nothing to do this simple comparison and ban p.p.p.p.

Of course, all of this is based on the assumption that these operating systems by default send rejection packets. Somehow, I think it is the case, which explains why some ISPs in Iran inject random packets into users' devices. Now, if the answer is NO and all systems by default simply ignore such packets (instead of rejecting them), then could an ISP in theory use a malicious domestic application to simulate such behavior? For example, let's say we have a domestic messenger that sends information through a well-known port. Now, the ISP sends a packet with a foreign IP address through that port. Of course, the application will send a "rejection" packet back by design. Now, V2rayN understands that it should not proxify domestic IPs, but it cannot understand that a rejection packet destined to a foreign server is actually the work of the government; it will proxify it and thus it exposes the IP address of the proxy server. It is very, very simple actually! And they don't even need to use domestic applications. Any application that sends rejection packets is more than enough.

cross-hello commented 1 year ago

Forging source IP: 142.250.199.68 (Google), source port: 443, sent to the Android client (termux ssh): [image]

Though Android will send back a response, not via the traffic agent server.

arandomgstring commented 1 year ago

@cross-hello

Thank you so much. But can you elaborate a bit more? Did you send those forged packets to an open port of the Android device (just like how the ISP does), or a closed one? Note that every time we open a new connection in an operating system, a random port (usually ports with a big number like 10000 or something) is opened and the ISP receives/sends data from/to it. I think you sent packets to closed ports, and still Android responded back, yes? And by traffic agent, you mean you turned a VPN on; however, it did not proxify Android's responses (rejection packets)? Or did I misunderstand?

cross-hello commented 1 year ago

  1. The forged packet is sent to an open port of Android, which has an SSH server listening.
  2. It actually doesn't proxify rejection packets.

free-the-internet commented 1 year ago

@alirezaac Can you use the format below (or a similar one) to explain your DNS problem?

lo: DnsReq --> ISP      // request to resolve the IP of my proxy
ISP DnsRes --> lo       // IP of my proxy resolved
lo: SYN --> proxy       // opening the connection to my proxy server (e.g. naiveproxy)
proxy: SYN-ACK --> lo
lo: ACK --> proxy
lo: ClientHello --> proxy

We understood the problem of @arandomgstring, but yours, not at all. You already wrote many posts, but it's still unclear to me what your problem with DNS is that can be resolved by DoH. Thanks. Feel free to write in Persian. But please take care of the punctuation in whichever language you are using to describe your problem.

arandomgstring commented 1 year ago

@cross-hello

It actually doesn't proxify rejection packets.

That's very strange, isn't it? How does the VPN client distinguish these packets from other packets? I think you have captured these packets a bit too soon; maybe you got them before they arrived at the "default gateway" of the Android system. I am saying this because in your picture, the source IP of the Android system is just a private IP, not something that an ISP usually assigns to a system; or perhaps you anonymized that IP (and I can't see it), but in reality you can see the IP address? Another possibility that I can think of is that perhaps you connected your Android device to the Internet via a Wi-Fi router. Then it would make sense that the source address of packets sent by Android becomes a private IP address. Can you run a curl, wget (or anything similar) command on the Android device to see whether their packets get proxified correctly, and it is just the rejection packets that are not proxified? If nothing gets proxified, that would just mean that you are capturing them too soon. But if they actually do get proxified, then we should think of an explanation as to why the VPN client doesn't capture and proxify these packets.

BTW, if you haven't anonymized those packets, and this is a real Android device (not a simulator), remove your picture and hide the MAC address of your devices in the Ethernet II layer. It can potentially lead to your real identity.

wkrp commented 1 year ago

Do you know, if an ISP injects some random packet to an Android device, how does Android respond back? I know that on Linux we can either ignore (deny) it or reject it with a packet. How do other operating systems respond to such packets by default? Especially if that packet has a foreign IP address. Windows, Android, iPhone, how do they respond?

It depends more on the firewall configuration than on the operating system. Any operating system can respond to unsolicited packets with RST, or nothing—it depends on how the local firewall is configured. I don't know what the default for Android is, or if there even is a default.

Some background here: https://nmap.org/book/determining-firewall-rules.html#fw-rules-SYN

One helpful feature of the TCP protocol is that systems are required by RFC 793 to send a negative response to unexpected connection requests in the form of a TCP RST (reset) packet. The RST packet makes closed ports easy for Nmap to recognize. Filtering devices such as firewalls, on the other hand, tend to drop packets destined for disallowed ports. In some cases they send ICMP error messages (usually port unreachable) instead.

If you really care to find out, you can check the responses to the T5, T6, and T7 probes in nmap-os-db.

I mean, consider a user who is connected to IP p.p.p.p for a long amount of time and he/she sends rejection packets to my foreign server through p.p.p.p. I see p.p.p.p on my server, and I see that the user is connected to p.p.p.p! It costs me nothing to do this simple comparison and ban p.p.p.p.

I would be surprised if a VPN worked this way. The physical network interface and the VPN interface are bound to different IP addresses. If something sends a probe to the physical network interface, the receiver of the probe will not just send the reply over the VPN interface. There could be some subtlety I am missing or some point I don't understand, but I don't think the attack you describe is viable.

I will mention, however, that there have been routing vulnerabilities discovered that have to do with ambiguities between VPN IP addresses and physical interface addresses. The one I am thinking of is https://breakpointingbad.com/2020/05/25/Vintage-Protocol-Nonsense.html. But it's not the same as what you described; among other things "the attacker also needs to be on the same local network as the victim."

arandomgstring commented 1 year ago

@wkrp Thank you. I just realized that my first assumption about rejection packets was incorrect. As you correctly put it:

It depends more on the firewall configuration than on the operating system. Any operating system can respond to unsolicited packets with RST, or nothing—it depends on how the local firewall is configured.

The thing is, a firewall can reject or deny packets sent to closed ports, not the open ones. Basically a firewall will not even look at open ports, much less already established connections. If we are already receiving packets on, say, port 20000 (a local port on the Android device) from the proxy server, the ISP can do a simple MITM attack on that port, without even considering the firewall, no matter what operating system we are talking about. For example, the ISP can send a forged TLS Server Hello with a spoofed IP to that port. The VPN client will receive this (just like how it receives other packets from the proxy server), but it has no idea where (to which application) to route this packet. So I presume either that packet will be ignored (most likely), or in the worst-case scenario a rejection packet will be sent (if the VPN client routes that packet to an application anyway), which ultimately gives away the proxy server IP. Due to the symmetric nature of the NAT which is used by Android under the hood, my bet is that it will be ignored, but I'd like to do a simple test to confirm this.

The problem is, I have no idea how to get the open port of the ISP on which the user receives information. The thing is, when a user opens a local port, say A, on their system and sends information through it, because of the commercial-grade NAT of the ISP, another port B will be assigned to the user, such that a very simplified version of the flow of information becomes like this:

user's local IP (127.0.0.1:A) --> user's gateway [VPN gateway] (192.168.1.1) --> IP behind NAT assigned to user by ISP (192.1.1.1) --> ISP commercial grade NAT map this to another IP address & port (1.2.3.4:B) --> Proxy Server's IP

I am unaware of port B to mimic the ISP's MITM attack from the proxy server. In the V2Ray access log, I see B = 0 for all connections, which honestly makes no sense. In reality B is chosen randomly. I know how to get this remote port B in PHP with the REMOTE_PORT flag, but I have no idea how to get this in V2Ray. What I am trying to do is as follows:

When a user establishes a connection to the proxy server, the proxy server sends forged TLS Server Hello packets to the user with a spoofed IP (as if the ISP had done a MITM attack here). The spoofed IP belongs to my second VPS, on which I log packets received on port 443. If I see my proxy server's IP in the logs, that would be a very fatal type of attack which can detect proxies with 100% certainty. If I receive nothing, that would be a relief. As you can see, this attack is closely connected to https://github.com/net4people/bbs/issues/159 . If people suggested that idea 10 years ago (CensorSpoofer), and that is indeed possible, then I see no reason as to why this type of attack is impossible. If this type of attack is impossible, then CensorSpoofer is simply something to laugh at; or maybe it would be possible to make it work, but that would be very complicated.

Edited: I just realized that since my proxy server is behind NGINX I get port zero for all connections; my bad.

ghost commented 1 year ago

I see a bunch of people mention they use Windows 10. Assuming you are using the latest and up-to-date version of Windows 10, you will still benefit from using Windows 11, especially in terms of security. There is literally no reason to use Windows 10 unless you are forced by your corporate environment.

If encrypted DNS is blocked in Iran, first use a stealth proxy to create a TUN or TAP adapter, system-wide, then use DoH in Microsoft Edge settings.

To do that, you can use https://github.com/Fndroid/clash_for_windows_pkg

You can use YogaDNS to force all DNS requests to go over the stealth proxy's TUN/TAP adapter too.

mehdifirefox commented 1 year ago

I see a bunch of people mention they use Windows 10. Assuming you are using the latest and up-to-date version of Windows 10, you will still benefit from using Windows 11, especially in terms of security. There is literally no reason to use Windows 10 unless you are forced by your corporate environment.

If encrypted DNS is blocked in Iran, first use a stealth proxy to create a TUN or TAP adapter, system-wide, then use DoH in Microsoft Edge settings.

To do that, you can use https://github.com/Fndroid/clash_for_windows_pkg

You can use YogaDNS to force all DNS requests to go over the stealth proxy's TUN/TAP adapter too.

Is there a simple way to get full training?

I just can't open some sites; I have no problem at all.

ghost commented 1 year ago

I see a bunch of people mention they use Windows 10. Assuming you are using the latest and up-to-date version of Windows 10, you will still benefit from using Windows 11, especially in terms of security. There is literally no reason to use Windows 10 unless you are forced by your corporate environment. If encrypted DNS is blocked in Iran, first use a stealth proxy to create a TUN or TAP adapter, system-wide, then use DoH in Microsoft Edge settings. To do that, you can use https://github.com/Fndroid/clash_for_windows_pkg You can use YogaDNS to force all DNS requests to go over the stealth proxy's TUN/TAP adapter too.

Is there a simple way to get full training?

I just can't open some sites; I have no problem at all.

Full training for what?

mehdifirefox commented 1 year ago

I see a bunch of people mention they use Windows 10. Assuming you are using the latest and up-to-date version of Windows 10, you will still benefit from using Windows 11, especially in terms of security. There is literally no reason to use Windows 10 unless you are forced by your corporate environment. If encrypted DNS is blocked in Iran, first use a stealth proxy to create a TUN or TAP adapter, system-wide, then use DoH in Microsoft Edge settings. To do that, you can use https://github.com/Fndroid/clash_for_windows_pkg You can use YogaDNS to force all DNS requests to go over the stealth proxy's TUN/TAP adapter too.

Is there a simple way to get full training? I just can't open some sites; I have no problem at all.

Full training for what?

Problem with DNS, YogaDNS or ....

arandomgstring commented 1 year ago

@lulMeow

Incompatibility of some drivers and applications, unnecessary ads (Widgets), beauty over usability (e.g. in the context (right-click) menu), etc. are just a few problems present in Windows 11. That said, Windows 11 uses the same core as Windows 10, so I see no real benefit in terms of security (both are super insecure, even if you disable every single suspicious feature of Windows in the registry). However, at the end of the day I presume it's just a matter of taste to choose 10 over 11 or vice versa. For security I suggest people use the so-called unholy trinity of Tails + hidden VM + Whonix, where the hard disk is encrypted by VeraCrypt.

ghost commented 1 year ago

@lulMeow

Incompatibility of some drivers and applications, unnecessary ads (Widgets), beauty over usability (e.g. in the context (right-click) menu), etc. are just a few problems present in Windows 11. That said, Windows 11 uses the same core as Windows 10, so I see no real benefit in terms of security (both are super insecure, even if you disable every single suspicious feature of Windows in the registry). However, at the end of the day I presume it's just a matter of taste to choose 10 over 11 or vice versa. For security I suggest people use the so-called unholy trinity of Tails + hidden VM + Whonix, where the hard disk is encrypted by VeraCrypt.

You really have no idea what you are talking about, do you? 🤦‍♂️

Driver/application incompatibility? Okay, name the exact application or driver that you claim to be incompatible with Windows 11 but compatible with Windows 10.

Ads and widgets? Widgets isn't "ads"; it's a platform for people to create 3rd-party widgets, publish, share and let others use them. All of that can be turned off with the toggle of a button in the Taskbar settings of Windows 11.

The right-click menu isn't a problem.

Suspicious settings? Oh, are you one of those people that think Windows is spying on you and at the same time use Google, iPhone, Android etc. or even the Internet? Heh, right. Then you go ahead and disable all problem reporting and diagnostics in the OS, and after that cry about why Windows is having this or that problem.

Whonix, lol, right, it's a mess. I've tested it extensively; even getting it to set the correct time in the OS is a pain after a while, over the unreliable and unstable and easily blocked Tor network.

VeraCrypt? It's a joke compared to what BitLocker in Windows has to offer, using hardware encryption of TPM 2.0. In case you don't know, it stops real-life attacks. BitLocker provides total protection of the entire Windows ecosystem with XTS-AES 256.

https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures

Multi-Key Total Memory Encryption on Windows 11 22H2

https://techcommunity.microsoft.com/t5/windows-kernel-internals-blog/multi-key-total-memory-encryption-on-windows-11-22h2/ba-p/3683043

Smart App Control

https://support.microsoft.com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003

Support for new TLS Cipher Suites for Schannel https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11

Extended Hardware-enforced Stack Protection https://www.microsoft.com/en-us/security/blog/2021/06/25/windows-11-enables-security-by-design-from-the-chip-to-the-cloud/

And more security features that you can research yourself. Start by reading the official Windows Blog:

https://blogs.windows.com/

And awesome features such as Windows Subsystem for Android, my favorite.

ghost commented 1 year ago

I see a bunch of people mention they use Windows 10. Assuming you are using the latest and up-to-date version of Windows 10, you will still benefit from using Windows 11, especially in terms of security. There is literally no reason to use Windows 10 unless you are forced by your corporate environment. If encrypted DNS is blocked in Iran, first use a stealth proxy to create a TUN or TAP adapter, system-wide, then use DoH in Microsoft Edge settings. To do that, you can use https://github.com/Fndroid/clash_for_windows_pkg. You can use YogaDNS to force all DNS requests to go over the stealth proxy's TUN/TAP adapter too.

Is there a simple way to get full training? I just can't open some sites, I have no problem at all.

Full training for what?

problem dns YogaDNS or ....

YogaDNS has official documentation you can find here: https://www.yogadns.com/docs/

All the configuration can be done using the GUI; no coding involved.

arandomgstring commented 1 year ago

@lulMeow

I think this is not the place to discuss Windows 10 vs 11. But to answer your question briefly, I couldn't get the touchpad & webcam of my laptop working on Windows 11, whereas the open-source driver on Linux (or Windows 10) had no problem with it. The patch for these drivers came a few months later, however. The last time I checked, you couldn't remove the news widget of Windows 11; it might have changed. I call it an ad, just like the other undeletable applications of Windows. If I haven't chosen, say, Edge as my browser, I should have the full right to fully get rid of it; but it is not possible. You need to do 100 tricks and still it leaves its traces. On, say, Ubuntu you can delete the whole kernel if you want to, and I don't even call Ubuntu secure. Finally, I think you are the one who has no idea what you are talking about. First of all, you can use BitLocker on top of VeraCrypt (it's overkill though). The reason people use VeraCrypt is the feature of "hidden volumes". With this feature, you can save data on your hard disk and pretend that your hard disk is empty and nothing has been written on it. So the government (or other entities) cannot force you to give them the key of your hard disk, because they see "nothing". There are other features that I'll let you read about for yourself if you want to. Even a simple search for personal apps in the Start menu sends packets to Bing. Finally, I use Google, clearnet websites (GitHub for example, lol), Windows, Android, and other operating systems. When it comes to security, however, I'd stop doing so. Whonix is not for daily usage; I don't know what you expected when you installed it, but if you advise people to use Windows for security, maybe, just maybe, you should think twice about your suggestion. I do apologize, but I have nothing else to add.

ghost commented 1 year ago

@lulMeow

I think this is not the place to discuss Windows 10 vs 11. But to answer your question briefly, I couldn't get the touchpad & webcam of my laptop working on Windows 11, whereas the open-source driver on Linux (or Windows 10) had no problem with it. The patch for these drivers came a few months later, however. The last time I checked, you couldn't remove the news widget of Windows 11; it might have changed. I call it an ad, just like the other undeletable applications of Windows. If I haven't chosen, say, Edge as my browser, I should have the full right to fully get rid of it; but it is not possible. You need to do 100 tricks and still it leaves its traces. On, say, Ubuntu you can delete the whole kernel if you want to, and I don't even call Ubuntu secure. Finally, I think you are the one who has no idea what you are talking about. First of all, you can use BitLocker on top of VeraCrypt (it's overkill though). The reason people use VeraCrypt is the feature of "hidden volumes". With this feature, you can save data on your hard disk and pretend that your hard disk is empty and nothing has been written on it. So the government (or other entities) cannot force you to give them the key of your hard disk, because they see "nothing". There are other features that I'll let you read about for yourself if you want to. Finally, I use Google, clearnet websites (GitHub for example, lol), Windows, Android, and other operating systems. When it comes to security, however, I'd stop doing so. Whonix is not for daily usage; I don't know what you expected when you installed it, but if you advise people to use Windows for security, maybe, just maybe, you should think twice about your suggestion. I do apologize, but I have nothing else to add.

You were simply misinformed and said Windows 11 has no security benefits over Windows 10, so I showed you it does and there are plenty.

Patches came out? Okay then, so there is no problem, good.

Disabling Widgets has always been an option in Windows 11's settings page; maybe you didn't look?

Well, what you call something doesn't mean it really is that; for what it's worth, I can call GitHub a goat lol.

Oh, you want to have the full right to get rid of it? Well, start by saying that to Google for not letting you do it on Android or ChromeOS, and tell it to Apple for not letting you do it on macOS and iPhones.

Edge is the safest and best browser on the market now. Completely de-Googled so Google won't be mining your data, using open-source Chromium with hundreds of Microsoft's contributions to the project to make it safer and better, incorporating security features of Windows like WDAG, stack protection, SmartScreen and many more. Unlike Tor, which is based on an old version of Firefox and, instead of focusing on security, focuses on privacy while being vulnerable. Unlike Brave, it doesn't call Google endpoints and isn't a crypto-infested browser, and it won't support Manifest V2 after its official end of life (which has security and privacy implications).

Using BitLocker on top of VeraCrypt? Please tell me you are joking.

BitLocker uses Secure Boot, so it performs pre-boot checks to verify the OS hasn't been corrupted/tampered with by a bootkit. Third-party encryption software and tools such as VeraCrypt break this secure chain of trust, which flows from the firmware (UEFI) to the Windows bootloader and then to BitLocker. It is critical for this chain of trust to exist in order to prevent an entire category of attacks against Windows systems.

Windows IS secure; always use the latest version of Windows and keep it up to date at all times. Its NT kernel is secure too, which is in fact an OS, originally developed by UNIX developers, an operating system for operating systems; for example, that's the reason we have Windows Subsystem for Linux and Android. It's a huge subject to talk about.

VeraCrypt or its hidden partitions won't help you when the government comes knocking on your door; the same books and guides that you are reading to keep yourself secure, they can read too, and they have more resources.

In this day and age, it's impossible to hide from agencies such as NSA, Mossad, etc. if they really want to get you.

arandomgstring commented 1 year ago

@lulMeow

I said I won't add anything, so I won't; however,

In this day and age, it's impossible to hide from agencies such as NSA, Mossad, etc. if they really want to get you.

Interesting; please tell me how they can do it. Just send me a link regarding breaking the unholy trinity. Just a single link with technical info will suffice :)

ghost commented 1 year ago

@lulMeow

I said I won't add anything, so I won't; however,

In this day and age, it's impossible to hide from agencies such as NSA, Mossad, etc. if they really want to get you.

Interesting; please tell me how they can do it. Just send me a link regarding breaking the unholy trinity. Just a single link with technical info will suffice :)

Sorry, I don't have any links bookmarked regarding that.

wkrp commented 1 year ago

The thing is, a firewall can reject or deny packets sent to closed ports, not the open ones. Basically a firewall will not even look at open ports, much less already established connections. If we are already receiving packets on, say, port 20000 (a local port on the Android device) from the proxy server, the ISP can do a simple MITM attack on that port without even considering the firewall, no matter what operating system we are talking about. For example the ISP can send a forged TLS Server Hello with a spoofed IP to that port. The VPN client will receive this (just like how it receives other packets from the proxy server), but it has no idea where (to which application) to route this packet. So I presume either that packet will be ignored (most likely), or in the worst-case scenario a rejection packet will be sent (if the VPN client routes that packet to an application anyway), which ultimately gives away the proxy server IP.

I still do not understand the attack you are describing. But you may have a few misconceptions. You seem to think that port numbers are a global resource, shared between all of a host's active connections; but the same port number can be used in simultaneous connections to different IP addresses. Just because the proxy client has an established connection to a proxy server IP address with a source port of 20000, does not mean that it will accept packets with destination port 20000 from other IP addresses. The identifier for a connection is a complete 4-tuple (src IP, src port, dst IP, dst port), not just a single port number. If an attacker sends a packet from an unrelated IP address, and the proxy client sends back any response packet, the response packet will surely go to the attacker's IP address, not the IP address associated with any other ongoing connection.

An attacker should not be able to inject a TLS Server Hello into the middle of an established VPN connection—if it can, the VPN is no good. (For one thing, a VPN connection is encrypted, and the attacker does not know what key to use to encrypt any injected contents.) To inject contents into a TCP connection at all, you need to know at least the complete 4-tuple, which means an injecting attacker would have to already know the proxy server's IP address, which was the goal of the attack (if I understand you correctly).
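As an added illustration of the 4-tuple point above (not code from the thread), here is a small Python model of how a client TCP stack demultiplexes incoming segments and addresses whatever it sends back. The endpoint names A, C, E, X and the sequence numbers are constructed; the model says nothing about which interface a host firewall or a VPN route would carry the reply on.

```python
from dataclasses import dataclass
from enum import Enum

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class Action(Enum):
    DELIVER = "4-tuple matches and seq is in window: delivered to the connection"
    CHALLENGE_ACK = "4-tuple matches but seq is out of window: data ignored, ACK sent"
    RESET = "no connection with this 4-tuple: RST sent back to the segment's source"
    DROP = "no connection and the segment is itself a RST: silently dropped"


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class Segment:
    src: Endpoint
    dst: Endpoint
    seq: int
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"RST"})


@dataclass
class Connection:
    rcv_nxt: int  # next sequence number expected from the peer
    rcv_wnd: int  # how far past rcv_nxt a segment may start and still be accepted


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) under 32-bit wraparound."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


class TcpHost:
    """Client-only TCP stack model: every established connection is keyed by the full
    (local endpoint, remote endpoint) pair and incoming segments are matched on that key."""

    def __init__(self) -> None:
        self.connections: dict[tuple[Endpoint, Endpoint], Connection] = {}

    def establish(self, local: Endpoint, remote: Endpoint, rcv_nxt: int, rcv_wnd: int = 65535) -> None:
        self.connections[(local, remote)] = Connection(rcv_nxt, rcv_wnd)

    def receive(self, seg: Segment):
        """Return (action, reply): reply is the (src, dst) of any packet the stack emits in
        response. It is always addressed from seg.dst back to seg.src, never to a third party."""
        conn = self.connections.get((seg.dst, seg.src))
        if conn is None:
            if "RST" in seg.flags:
                return Action.DROP, None  # RFC 793: a RST is never answered with a RST
            return Action.RESET, (seg.dst, seg.src)
        if not in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd):
            return Action.CHALLENGE_ACK, (seg.dst, seg.src)
        return Action.DELIVER, None


def demo() -> dict:
    """The thread's scenario with constructed endpoints: A:B talks to proxy C:D, third party E:F."""
    A, C, E = Endpoint("A", 20000), Endpoint("C", 443), Endpoint("E", 40000)
    X = Endpoint("X", 443)  # an ordinary website the client also reaches from local port 20000
    host = TcpHost()
    host.establish(A, C, rcv_nxt=1000)
    host.establish(A, X, rcv_nxt=500)
    results = {}
    # 1. E:F sends a SYN to A:B. No connection keyed (A:B, E:F) -> RST, addressed A:B -> E:F.
    results["syn_from_unrelated_ip"] = host.receive(Segment(E, A, 1, frozenset({"SYN"})))
    # 2. E:F sends a RST to A:B. No connection and it is a RST -> dropped, nothing emitted.
    results["rst_from_unrelated_ip"] = host.receive(Segment(E, A, 1, frozenset({"RST"})))
    # 3. Same local port 20000, different remote: X's in-window segment reaches X's connection only.
    results["second_connection_same_port"] = host.receive(Segment(X, A, 500, frozenset({"ACK"})))
    # 4. Spoofed C:D -> A:B: right 4-tuple but a guessed seq -> not accepted, only an ACK goes back.
    results["spoofed_guessed_seq"] = host.receive(Segment(C, A, 5_000_000, frozenset({"ACK"})))
    # 5. Spoofed C:D -> A:B with the exact expected seq: the stack cannot tell it from the real peer;
    #    for an encrypted tunnel the injected bytes then fail the tunnel's own authentication.
    results["spoofed_exact_seq"] = host.receive(Segment(C, A, 1000, frozenset({"ACK"})))
    return results
```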

arandomgstring commented 1 year ago

@wkrp

First let me clarify one thing. The goal of the attack is not finding the IP of the proxy server; the ISP is already well aware of the proxy server's IP along with all other IPs that the user is directly connected to. The ISP uses this attack to check whether an IP the client is communicating with is a proxy server or a normal website. Is it clear now, or should I rephrase it a bit more?

Consider a client who is connected to N different IPs, on M ports, directly. The ISP injects forged packets into an open port of the client's IP to see how it replies. Based on the client's response, the ISP can decide whether one of those N IPs is a proxy server's IP or not.

Just because the proxy client has an established connection to a proxy server IP address with a source port of 20000, does not mean that it will accept packets with destination port 20000 from other IP addresses. The identifier for a connection is a complete 4-tuple (src IP, src port, dst IP, dst port), not just a single port number

Exactly. To begin with, the ISP has full access to the 4-tuple (src IP, src port, dst IP, dst port) as the middleman; for what it's worth, the ISP has to know it, otherwise it can't forward packets between client and proxy back and forth. In other words, the ISP knows:

IP of the Android client (source IP), port of the Android client (source port), IP of the proxy server (destination IP), port of the proxy server (destination port) (which is usually chosen as 443 to imitate a normal website).

And this 4-tuple (src IP, src port, dst IP, dst port) is not encrypted because it exists at the IP layer of the TCP/IP model. We just encrypt everything above the TCP layer (i.e. the application layer).

What the ISP doesn't know, however, is whether the destination IP belongs to a proxy server or a normal website. If the ISP finds a guilty IP, it can easily block it, so the ISP tries to uncover which IPs belong to proxy servers.

If an attacker sends a packet from an unrelated IP address, and the proxy client sends back any response packet, the response packet will surely go to the attacker's IP address, not the IP address associated with any other ongoing connection.

That's the point! The question is, does the VPN agent proxify the client's response first? I.e. does the attacker receive the client's response from the proxy server, or from the client directly? How does a global VPN agent decide whether to proxify a packet or not?!

For example, let's say the attacker injects a SYN packet to the client's IP. The ISP, as an attacker, can easily do that, and it is doing that as we speak. Now the client wants to send a RST packet to the attacker's IP (i.e. the ISP here). Does the VPN agent know this response shouldn't be proxified? It doesn't know. So the VPN agent encrypts this RST packet and sends it to the proxy server. The proxy server will decrypt the client's response and forward it to the attacker's IP. While the ISP, as the attacker, expects to receive the RST packet from the client himself/herself, the ISP will receive the RST packet from the proxy server! So the ISP simply blocks the proxy server, easy peasy. That is it.

For example:

Client's IP = A
Client's Port = B
Proxy server's IP = C
Proxy server's Port  = D
Attacker's IP = E
Attacker's Port = F
A random port = G

A:B establishes a connection to C:D. The ISP, as the middleman, sends a packet from E:F to A:B.
It expects to receive a packet (of any kind, doesn't matter) from A:B and not anywhere else.
If A:B replies to E:F we are good. If instead of A:B, C:G sends a packet to E:F,
while A:B is connected to C:D, that's a sufficient condition to block C.

ghost commented 1 year ago

@wkrp

First let me clarify one thing. The goal of the attack is not finding the IP of the proxy server; the ISP is already well aware of the proxy server's IP along with all other IPs that the user is connected to. The ISP uses this attack to check whether an IP the client is communicating with is a proxy server or a normal website. Is it clear now, or should I rephrase it a bit more?

Consider a client who is connected to N different IPs, on M ports, directly. The ISP injects forged packets into an open port of the client's IP to see how it replies. Based on the client's response, the ISP can decide whether one of those N IPs is a proxy server's IP or not.

Just because the proxy client has an established connection to a proxy server IP address with a source port of 20000, does not mean that it will accept packets with destination port 20000 from other IP addresses. The identifier for a connection is a complete 4-tuple (src IP, src port, dst IP, dst port), not just a single port number

Exactly. To begin with, the ISP has full access to the 4-tuple (src IP, src port, dst IP, dst port) as the middleman; for what it's worth, the ISP has to know it, otherwise it can't forward packets between client and proxy back and forth. In other words, the ISP knows:

IP of the Android client (source IP), port of the Android client (source port), IP of the proxy server (destination IP), port of the proxy server (destination port) (which is usually chosen as 443 to imitate a normal website).

And this 4-tuple (src IP, src port, dst IP, dst port) is not encrypted because it exists at the IP layer of the TCP/IP model. We just encrypt everything above the TCP layer (i.e. the application layer).

What the ISP doesn't know, however, is whether the destination IP belongs to a proxy server or a normal website. If the ISP finds a guilty IP, it can easily block it, so the ISP tries to uncover which IPs belong to proxy servers.

If an attacker sends a packet from an unrelated IP address, and the proxy client sends back any response packet, the response packet will surely go to the attacker's IP address, not the IP address associated with any other ongoing connection.

That's the point! The question is, does the VPN agent proxify the client's response first? I.e. does the attacker receive the client's response from the proxy server, or from the client directly? How does a global VPN agent decide whether to proxify a packet or not?!

For example, let's say the attacker injects a SYN packet to the client's IP. The ISP, as an attacker, can easily do that, and it is doing that as we speak. Now the client wants to send a RST packet to the attacker's IP (i.e. the ISP here). Does the VPN agent know this response shouldn't be proxified? It doesn't know. So the VPN agent encrypts this RST packet and sends it to the proxy server. The proxy server will decrypt the client's response and forward it to the attacker's IP. While the ISP, as the attacker, expects to receive the RST packet from the client himself/herself, the ISP will receive the RST packet from the proxy server! So the ISP simply blocks the proxy server, easy peasy. That is it.

For example:

Client's IP = A
Client's Port = B
Proxy server's IP = C
Proxy server's Port  = D
Attacker's IP = E
Attacker's Port = F
A random port = G

A:B establishes a connection to C:D. The ISP, as the middleman, sends a packet from E:F to A:B.
It expects to receive a packet (of any kind, doesn't matter) from A:B and not anywhere else.
If A:B replies to E:F we are good. If instead of A:B, C:G sends a packet to E:F,
while A:B is connected to C:D, that's a sufficient condition to block C.

What if you block Iran's IP range in the Firewall?

https://github.com/cloudcraftteam/Import-firewall-blocklist

iran.zip

Included are the PowerShell script and a text file containing Iran's entire IP range. After that, enable Firewall logging for dropped/blocked connections to view the results.

You can use this PowerShell script to easily view Firewall logs: https://github.com/dstreefkerk/PowerShell/blob/master/Get-WindowsFirewallLog.ps1

arandomgstring commented 1 year ago

@lulMeow

Oh, the ISP would have to be a fool to use domestic IPs for this method, since V2Ray users already use direct connections to domestic IPs and they are well aware of it. No, no! The ISP uses foreign IPs that, by default, get proxified by the VPN agent. And since we are talking about a government, they can have hundreds (in the IPv4 range) and millions (in the IPv6 range) of IPs, so we will never know which IPs are being used in this method. What pains me more is that this method is super simple and has an efficiency of 100%.

The only way to combat this is to proxify trusted IPs. That's a shame though, because a website such as YouTube has literally hundreds of IPs, so proxifying based on IP is not viable.

ghost commented 1 year ago

@lulMeow Oh, the ISP would have to be a fool to use domestic IPs for this method, since V2Ray users already use direct connections to domestic IPs and they are well aware of it. No, no! The ISP uses foreign IPs that, by default, get proxified by the VPN agent. And since we are talking about a government, they can have hundreds (in the IPv4 range) and millions (in the IPv6 range) of IPs, so we will never know which IPs are being used in this method.

But why do V2Ray users use direct connections to domestic IPs?

For example, I'm in Iran and use VLESS/VMess/Trojan etc. to connect to a remote server located in Europe or the U.S. I can use plain-text Cloudflare DNS servers in the router/modem. Now I block Iran's entire IP range in Windows Firewall, and since inbound connections are already blocked by default in the Firewall rules (unless there is a specific allow rule), no Iranian IP can connect to my client. Even if it's a foreign IP, it can still be automatically dropped because of the default inbound block rule.

So please explain what's wrong with that scenario and if there are any security holes in it.

You can harden your client further by:

  1. disabling TCP timestamps: https://www.kicksecure.com/wiki/Disable_TCP_and_ICMP_Timestamps
  2. disabling IP source routing: https://www.curvesandchaos.com/what-is-disableipsourcerouting/
  3. disabling Multicast DNS

wkrp commented 1 year ago

@arandomgstring rather than worry about an imagined attack, I encourage you to run some of your own experiments to convince yourself whether it is or is not really possible.

Here is something to think about. Remove the complication of a VPN and just think about a host with two physical network interfaces: eth0 with address A.A.A.A and eth1 with address B.B.B.B. Suppose a third party sends a SYN to A.A.A.A. How does the host decide whether to send the response RST packet on the eth0 or eth1 interface, and how does it decide what source address to use? It is the same situation with a VPN, except that one of the network interfaces is a virtual interface, not a physical interface.

This thread has gotten off track, and its original purpose was not very clear to begin with. I think it's a good time to end the discussion until someone has some concrete observations. If you suspect there is some interaction between DNS queries and TCP blocking, the way to investigate it is to design and run an experiment. State a clear hypothesis: "TCP connections to IP addresses that have not been returned in a DNS response in the past X seconds will be blocked by RST injection within Y seconds." Design an experiment to try to find evidence against the hypothesis. Run it multiple times at different times of day and keep a written table of observations.
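An added example, not from the thread: a Python harness for the experiment wkrp describes, with the two arms "resolve_first" (plain DNS lookup, then connect at once) and "stale_ip" (connect to an IP learned more than X seconds ago, no fresh lookup), an outcome classifier for what happens to the connection within Y seconds, and a CSV table of observations. It assumes the system stub resolver is configured for plain DNS; the hold time, hosts and IPs are parameters the experimenter supplies.

```python
import csv
import socket
import time
from dataclasses import dataclass, asdict, fields
from typing import Optional

CONDITIONS = ("resolve_first", "stale_ip")

@dataclass
class Observation:
    when: float                # wall-clock time of the attempt (unix seconds)
    condition: str             # which arm of the experiment the trial belongs to
    host: str
    ip: str
    port: int
    outcome: str               # open / reset / refused / timeout / closed_by_peer / dns_error / error
    connect_ms: Optional[int]  # time to complete the TCP handshake, None if it failed
    event_ms: Optional[int]    # time after connect at which the connection died, None if it survived

def classify_oserror(exc: OSError) -> str:
    """Outcome label for a socket error: a RST on an established connection surfaces as
    ConnectionResetError, a SYN answered by RST as ConnectionRefusedError."""
    if isinstance(exc, ConnectionResetError):
        return "reset"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    return "error"

def plain_dns_lookup(host: str) -> list[str]:
    """IPv4 answers from the system stub resolver, assumed here to speak plain UDP DNS."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip: str, port: int, hold_seconds: float) -> tuple[str, Optional[int], Optional[int]]:
    """Connect to ip:port, then hold the connection idle for hold_seconds (the Y of the
    hypothesis) and report whether it survived, and after how long it died if it did not."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(5.0)
    t0 = time.monotonic()
    try:
        sock.connect((ip, port))
    except OSError as exc:
        sock.close()
        return classify_oserror(exc), None, None
    connect_ms = int((time.monotonic() - t0) * 1000)
    t1 = time.monotonic()
    sock.settimeout(hold_seconds)
    try:
        data = sock.recv(1)  # returns when the peer sends, the connection dies, or the hold expires
        outcome = "open" if data else "closed_by_peer"
    except (socket.timeout, TimeoutError):
        outcome = "open"  # nothing happened within Y seconds: evidence against the hypothesis
    except OSError as exc:
        outcome = classify_oserror(exc)
    finally:
        sock.close()
    event_ms = None if outcome == "open" else int((time.monotonic() - t1) * 1000)
    return outcome, connect_ms, event_ms

def run_trial(host: str, ip: str, port: int, condition: str, hold_seconds: float) -> Observation:
    """One trial. "resolve_first": look host up via plain DNS and connect to the answer at once.
    "stale_ip": connect to the given ip with no fresh lookup (ip must be older than X seconds)."""
    if condition not in CONDITIONS:
        raise ValueError(f"unknown condition {condition!r}")
    when = time.time()
    if condition == "resolve_first":
        try:
            ip = plain_dns_lookup(host)[0]
        except (OSError, IndexError):
            return Observation(when, condition, host, ip, port, "dns_error", None, None)
    outcome, connect_ms, event_ms = probe(ip, port, hold_seconds)
    return Observation(when, condition, host, ip, port, outcome, connect_ms, event_ms)

def write_table(observations: list[Observation], path: str) -> None:
    """Append observations to a CSV file: the written table of observations wkrp asks for."""
    with open(path, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=[f.name for f in fields(Observation)])
        if fh.tell() == 0:
            writer.writeheader()
        for obs in observations:
            writer.writerow(asdict(obs))

def loopback_check(hold_seconds: float = 0.2) -> tuple[str, str]:
    """Offline sanity check: a local listener must classify as "open" and, once it is gone,
    the same port as "refused". Run this before trusting results from the real network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    alive = probe("127.0.0.1", port, hold_seconds)[0]
    srv.close()
    dead = probe("127.0.0.1", port, hold_seconds)[0]
    return alive, dead
```

A run alternates the two arms against the same host over several rounds spaced more than X seconds apart, at different times of day, appending each Observation with write_table; the outcome counts per arm are then compared.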

arandomgstring commented 1 year ago

@lulMeow

But why V2Ray users use direct connection to domestic IPs?

Mostly because of this issue https://github.com/net4people/bbs/issues/129#issuecomment-1308102504 (I suppose this issue doesn't concern Iran yet; it might affect Iran in the future, read @wkrp's explanation in that topic too) and, more importantly, some domestic IPs only allow IPs from inside, not outside. For example you can't open downloadly.ir with a VPN. You need an Iranian IP. To use banks and other types of domestic services, it's better to use a domestic IP, for better speed at the very least. So we split connections into two sides: for domestic IPs we don't use the proxy and connect to them directly, for all other IPs we use the proxy. It even "mixes" the client's traffic, so the danger of getting the proxy server blocked is reduced.

Since inbound connections are already blocked by default in Firewall rules (unless there is a specific allow rule), no Iran's IP can connect to my client.

Well, I am more concerned about smartphones (Android, iPhone), not Windows and Linux, because I have been informed that servers tend to get blocked more often when Android devices connect to them. In smartphones, setting up a secure environment is much harder.

At any rate, blocking all incoming connections doesn't easily save you from forged packets sent by the ISP. When you open an outbound connection to any foreign IP (for example your proxy server), the ISP forwards packets from the proxy server to your device. So the ISP can forge and send a packet to your device in place of the proxy server, as the middleman (MITM attack) in that outgoing connection. For example it can send a RST packet to abort the connection, as it does now (naiveproxy's users in Iran have been affected by this type of attack; they get a RST packet, therefore they cannot do a complete SSL handshake).

However, Windows and Linux and macOS are not that helpless. Some routers maintain a cache in which the user's destination IPs are saved. If any IP (except for what we have in the cache) tries to send a packet to the router, the router will ignore it. I am not sure if all routers do this though. When we talk about smartphones which use their SIM card to connect to the internet, the story is very different. I will check your links, though your third piece of advice, "Disabling Multicast DNS", is exactly what I told people to do in this topic. It doesn't address the new problem that I described in this topic though.

ghost commented 1 year ago

@lulMeow

But why V2Ray users use direct connection to domestic IPs?

Mostly because of this issue #129 (comment) (I suppose this issue doesn't concern Iran yet; it might affect Iran in the future, read @wkrp's explanation in that topic too) and, more importantly, some domestic IPs only allow IPs from inside, not outside. For example you can't open downloadly.ir with a VPN. You need an Iranian IP. To use banks and other types of domestic services, it's better to use a domestic IP, for better speed at the very least. So we split connections into two sides: for domestic IPs we don't use the proxy and connect to them directly, for all other IPs we use the proxy. It even "mixes" the client's traffic, so the danger of getting the proxy server blocked is reduced.

Since inbound connections are already blocked by default in Firewall rules (unless there is a specific allow rule), no Iran's IP can connect to my client.

Well, I am more concerned about smartphones (Android, iPhone), not Windows and Linux, because I have been informed that servers tend to get blocked more often when Android devices connect to them. In smartphones, setting up a secure environment is much harder.

At any rate, blocking all incoming connections doesn't easily save you from forged packets sent by the ISP. When you open an outbound connection to any foreign IP (for example your proxy server), the ISP forwards packets from the proxy server to your device. So the ISP can forge and send a packet to your device in place of the proxy server, as the middleman (MITM attack) in that outgoing connection. For example it can send a RST packet to abort the connection, as it does now (naiveproxy's users in Iran have been affected by this type of attack; they get a RST packet, therefore they cannot do a complete SSL handshake).

However, Windows and Linux and macOS are not that helpless. Some routers maintain a cache in which the user's destination IPs are saved. If any IP (except for what we have in the cache) tries to send a packet to the router, the router will ignore it. I am not sure if all routers do this though. When we talk about smartphones which use their SIM card to connect to the internet, the story is very different. I will check your links, though your third piece of advice, "Disabling Multicast DNS", is exactly what I told people to do in this topic. It doesn't address the new problem that I described in this topic though.

Thanks, I reviewed that post. Currently, the situation in Iran is extreme and unusual, so users in Iran should be extra careful; Iran has always been an unsafe place even prior to the protests. For the time being, refrain from accessing any local endpoints; blocking the entire IP range of Iran in the Firewall is a good starting point.

Remove apps belonging to Iranian companies and banks, totally unsafe.

Use a computer, like Windows, to have full control over your incoming and outgoing data as much as possible. iPhone is totally out of the question, but Android can be rooted to give you extra freedom on things you can change.

Do NOT download any files from any Iranian website, whether it's download.ir, soft98.ir etc.

They cannot be trusted and could contain malware; always download your programs from official sources. If on Windows, use winget, which checks file hashes automatically.

When it comes to your OS, it's even more important to make sure it's from the original source and not some third-party website ending with .ir, and check your local certificate stores with Sigcheck to prevent MITM attacks. Software you download from Iranian websites, besides having malware, can also contain root certificates so that after you install them, it's game over (in some cases, even if you use a VPN).

You can check the certificate store of your phone too, to make sure there aren't any bad certificates in it, but I'm not sure how smartphones handle the authenticity of certificates and, if one of them goes rogue, how soon an OTA can be issued to revoke it.

Like I said, it's an extreme situation; habits should be changed. Hopefully the regime will be changed and all this won't be necessary any longer.

P.S. When I mention Iran, I'm talking about regular Iranians and the terrorist Islamic Republic together, since they can disguise themselves as normal people or force people to do things on behalf of the regime, so it's a zero-trust situation.

free-the-internet commented 1 year ago

For example:

Client's IP = A
Client's Port = B
Proxy server's IP = C
Proxy server's Port  = D
Attacker's IP = E
Attacker's Port = F
A random port = G

A:B establishes a connection to C:D. The ISP, as the middleman, sends a packet from E:F to A:B.
It expects to receive a packet (of any kind, doesn't matter) from A:B and not anywhere else.
If A:B replies to E:F we are good. If instead of A:B, C:G sends a packet to E:F,
while A:B is connected to C:D, that's a sufficient condition to block C.

Drop all incoming SYN packets. This is easy in Linux, maybe also in Windows. But I don't know about Android or iPhone. Also, I think it's possible to keep track of the already established connections and drop the others in Linux. You can keep your device behind NAT, maybe?

ghost commented 1 year ago

For example:

Client's IP = A
Client's Port = B
Proxy server's IP = C
Proxy server's Port  = D
Attacker's IP = E
Attacker's Port = F
A random port = G

A:B establishes a connection to C:D. The ISP, as the middleman, sends a packet from E:F to A:B.
It expects to receive a packet (of any kind, doesn't matter) from A:B and not anywhere else.
If A:B replies to E:F we are good. If instead of A:B, C:G sends a packet to E:F,
while A:B is connected to C:D, that's a sufficient condition to block C.

Drop all incoming SYN packets. This is easy in Linux, maybe also in Windows. But I don't know about Android or iPhone. Also, I think it's possible to keep track of the already established connections and drop the others in Linux. You can keep your device behind NAT, maybe?

I just tried a better solution and am testing it right now on Windows 11. With this solution, not only do you drop all connections from unknown IPs using any protocol, but you also get a permanent and native kill switch.

So, based on IPsec policy in Windows, follow this answer: https://superuser.com/a/268914/1752038

Add your V2Ray/Xray/proxy's IP address to the permit list, add your custom DNS (like Cloudflare's) to the permit list, then block all connections from any source and destination IPs.

If you want to allow localhost, then there is another solution here: https://superuser.com/a/1398411/1752038

So now if the Islamic regime tries to send your client a SYN packet or any kind of packet at all, it will be automatically dropped, no matter whether they use an Iranian or a foreign IP address. (I find this method to be more robust than the previous solution I suggested, which used the Firewall to block Iran's entire IP range.)

The only connections allowed will be Cloudflare's 1.1.1.1, 1.0.0.1 and your V2Ray proxy's address.

Please do let me know if there is any problem with this approach.

@arandomgstring

alirezaac commented 1 year ago
For example:

Client's IP = A
Client's Port = B
Proxy server's IP = C
Proxy server's Port  = D
Attacker's IP = E
Attacker's Port = F
A random port = G

A:B establishes a connection to C:D. The ISP, as the middle man, sends a packet from E:F to A:B.
It expects to receive a packet (of any kind, it doesn't matter) from A:B and not from anywhere else.
If A:B replies to E:F we are good. If instead of A:B, C:G sends a packet to E:F,
while A:B is connected to C:D, that's a sufficient condition to block C. 

Drop all incoming SYN packets. This is easy in Linux, maybe also Windows. But I don't know Android or iPhone. Also, I think it's possible to keep track of the already established connections, and drop the others in Linux. You can keep your device behind NAT, maybe?

Well, I was doing this with a Pi box acting as a physical firewall and DNS, and my phones were mitigated by this, but the problem these days is phones, and if you read people's simple solutions, they keep changing clients on Android to randomly solve this. Maybe some clients' FakeDNS is mitigating them. And the so-called BROOK thing that is getting hype has some strategies for DNS; maybe that's why it's making people more satisfied. However, I didn't test it yet.

arandomgstring commented 1 year ago

@free-the-internet @alirezaac @lulMeow

As @wkrp correctly pointed out, this imaginary attack that I described is completely off topic and they are totally right, so it might be better if we discuss it somewhere else. At any rate, I am planning to conduct this imaginary attack on myself; it takes some time, though, until I find the correct setup. Just to point out a few things:

@free-the-internet note that ISPs are not limited to SYN packets; they can send any packet they wish. For example, they can send a TLS server hello with the attacker's IP. The VPN agent has no idea whether this TLS server hello comes from a normal website seen by the user or from the attacker's IP, because it doesn't maintain a cache for this purpose.

@lulMeow That's a nice solution. The same can be done on Linux with iptables rules. That said, what if the ISP expects you to send a reply packet and, if you don't, they automatically ban the foreign, non-whitelisted IP you have used the most, temporarily at first and then permanently?

@alirezaac Correct. I am telling people that on desktop we are totally free to defend against such attacks. Hell, we can open Wireshark, capture any packet injected into our system and bust them, easy; on smartphones, though ...

Anyway, I am planning to share internet via my laptop's hotspot and connect my Android device to it, then I will try to inject packets into my Android device; here, my laptop would be the first hop of the Android device, so I expect it to work. I will be using Scapy for IP spoofing. If I find any success (or failure, if you will) I will share it in another post. If you can and have enough time, you might try it yourself. The IP and open port of the Android device can be seen in Wireshark; with a simple one-liner you can inject packets to Android, and finally, if you install pcap, you can see whether Android has received those injected packets or not.

@wkrp I won't be discussing this issue here any longer. That said, I did some simple research and found this useful article https://www.cs.cmu.edu/afs/cs/academic/class/15441-f01/www/assignments/P2/htmlproj2_split/node5.html An old one for sure, but educational nonetheless. About your question, it seems that the gateway interface routes any packets based on port after calling ip_input(). So a socket listening on port 1000 receives any packets, even packets with spoofed IP addresses, on a bare-bones system. Furthermore, in the case of multiple interfaces, the packet will be routed to the interface with the least metric, at which point ip_input() will be called. Some configurations may prevent this, as others noted, however. And yes, I am omitting NAT, prerouting, mangle, filter, etc. in between.
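The allow-list idea from @lulMeow's Windows IPsec comment above (permit the proxy and the resolvers, drop everything else, so unsolicited inbound packets never reach the client) and the "same can be done on Linux" remark translate naturally to nftables, the successor of iptables. The script below is an added example and is not code from this thread or from any of the projects mentioned; it generates a ruleset from a hypothetical proxy address (203.0.113.10, an RFC 5737 documentation address) and the Cloudflare resolvers named in the thread. The function name `gen_killswitch_ruleset` and the table name `killswitch` are my own choices.

```shell
#!/bin/sh
# Added example: emit an nftables allow-list / kill-switch ruleset for Linux.
# Assumptions (hypothetical): $1 is the proxy server's IP, $2 is a
# space-separated list of trusted DNS resolvers. Apply the output with
#   gen_killswitch_ruleset 203.0.113.10 "1.1.1.1 1.0.0.1" | sudo nft -f -

gen_killswitch_ruleset() {
    proxy_ip="$1"
    dns_ips="$2"
    # "1.1.1.1 1.0.0.1" -> "1.1.1.1, 1.0.0.1" for an nft anonymous set
    dns_set=$(printf '%s' "$dns_ips" | sed 's/ \{1,\}/, /g')

    cat <<EOF
# generated by gen_killswitch_ruleset; load with: nft -f <file>
flush ruleset
table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback stays open (the local proxy client listens there)
        iif "lo" accept

        # only packets belonging to a connection *we* opened get in; a
        # spoofed SYN, a stray TLS ServerHello or an ICMP probe from an
        # address we never contacted has no conntrack entry and is dropped
        ct state established,related accept
        ct state invalid drop

        # count and log what was dropped so injected packets show up in
        # the kernel log (dmesg / journalctl -k) without running Wireshark
        counter log prefix "killswitch-in-drop: " level info drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # new connections may only go to the proxy or the trusted resolvers;
        # anything else (a reply to an injected packet included) is dropped
        ip daddr $proxy_ip ct state new accept
        ip daddr { $dns_set } udp dport 53 ct state new accept
        ip daddr { $dns_set } tcp dport { 53, 853 } ct state new accept

        counter log prefix "killswitch-out-drop: " level info drop
    }
}
EOF
}

# Syntax-check the generated ruleset when nft is installed (root may be
# needed for the dry run); on a machine without nft just say so.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_killswitch_ruleset "$1" "$2" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# demo run with the hypothetical addresses
gen_killswitch_ruleset 203.0.113.10 "1.1.1.1 1.0.0.1"
```

Two things to keep in mind when using it: the table is `inet` but only `ip daddr` rules are present, so new IPv6 connections are dropped as well (add `ip6 daddr` lines if your proxy or resolvers are reachable over IPv6), and because the proxy is matched by address, the client must be configured with the proxy's IP or resolve its name only through the allowed resolvers.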

ghost commented 1 year ago

@lulMeow That's a nice solution. The same can be done on Linux with iptables rules. That said, what if the ISP expects you to send a reply packet and, if you don't, they automatically ban the foreign, non-whitelisted IP you have used the most, temporarily at first and then permanently?

I don't think they do that, unless there is a proof.

ISPs can't expect every client to reply back to any request. What protocol do you have in mind that they might use?

Because, first of all, that'd be unsolicited traffic, blocked by Edge Traversal in the Firewall, and second, your computer is behind a NAT router.

So, unless you put your computer in the DMZ and turn the firewall off, no unsolicited connection should come through.

Even Google can't just send a random connection to my computer; only my computer can initiate the connection and then expect a reply, because unsolicited traffic is blocked by default in most rules.

Windows Firewall is a stateful firewall, which is better than stateless, and a TCP SYN from outside will be blocked if the connection was not first initiated by the user.

Check how many rules aren't blocking Edge Traversal:

Get-NetFirewallRule | Where-Object {$_.EdgeTraversalPolicy -notmatch "Block"}

Then set Edge Traversal to block for all of them:

Get-NetFirewallRule | Where-Object {$_.EdgeTraversalPolicy -notmatch "Block"} | ForEach-Object { Set-NetFirewallRule -Name $_.Name -EdgeTraversalPolicy Block}

I don't think there is anything to worry about if you configure your client properly :)

0x391F commented 1 year ago

Perhaps. I always use ipconfig /flushdns before any test. Unless Firefox has some kind of inner-caching for dns requests I can't find any other explanation for what I have demonstrated about dns leaking.

Firefox has its own internal DNS cache. You can view and clear the DNS cache in about:networking#dns, and look up DNS in about:networking#dnslookuptool.