fortuna
commented
6 months ago I'll note that blocking of encrypted DNS has been reported in 2022: https://github.com/net4people/bbs/issues/114
Open fortuna opened 6 months ago
fortuna
commented
6 months ago I'll note that blocking of encrypted DNS has been reported in 2022: https://github.com/net4people/bbs/issues/114
wkrp
commented
6 months ago Thanks @fortuna, this is a great thing to find.
This is an archival copy: https://archive.org/details/KominfoFGD20231204
The "Kominfo" of the YouTube channel name is the Indonesian Ministry of Communications and Informatics, "responsible for communications, information affairs, and Internet censorship."
Does anyone speak Indonesian who can pick out some of the important points? (In particular, do you know anything about the "TKPPSE" or "RPZ" acronyms mentioned?) EDIT 2023-12-20: RPZ is Response Policy Zone, TKPPSE is Tata Kelola Pengendalian Penyelenggara Sistem Elektronik "Electronic System Operator Control Governance".
I skimmed through the visuals and noted a few interesting timestamps:
| timestamp | comment | screenshot |
|---|---|---|
| 0:00:52 | Site to report content complaints: http://aduankonten.id. Or WhatsApp 0811 922 4545, or email aduankonten@mail.kominfo.go.id. | |
| 1:17:50 | List of regulations relating to content blocking (dasar hukum penanganan konten): Pasal 40 ayat (2), Pasal 96, Pasal 14 ayat (1), Pasal 18, Peraturan K/L Terkait. | |
| 1:21:42 | Pipeline for website and social media blocking (mekanisme pemblokiran situs dan media sosial). | |
| 1:25:19 | This slide claims 2,501,070 domains and subdomains were blocked as of 2023-12-01. 1:30:55 shows a breakdown by category: the top two are gambling (perjudian) at 1,247,987 and pornography (pornografi) at 1,213,840). | |
| 1:26:45 | Slide shows a "Sistem DNS RPZ Kominfo" with IP addresses 103.154.123.130 and 139.255.196.202. | |
| 1:33:00 | Slide shows a "TKPPSE system" and marks installation points on a map of Indonesia. | |
| 1:37:53 | A "Kominfo RPZ basic synchronization and configuration guide" (Panduan sinkronisasi dan konfigurasi dasar RPZ kominfo) with links to a form http://bit.ly/FormKoneksiRPZ → Google Forms (archive) and a private Telegram group https://t.me/c/1526604311/1. | |
| 1:40:17 | Another mention of the RPZ IP addresses 103.154.123.130 and 139.255.196.202 and what looks like a DNS zone configuration file. | |
| 1:46:36 | Another mention of "TKPPSE", as a component alongside "DNS filtering" and "IP blocking". | |
| 1:52:41 | A diagram labeled "BGP blackhole". | |
| 1:57:18 | A node labeled "DNS Trust+ Master" with the IP addresses 103.154.123.130 (already seen for "RPZ") and 27.54.116.6. | |
| 2:40:25 | During the Q&A session, one of the speakers says something about RPZ being a real-time system, with some kind of synchronization every 1,000 seconds. There are also QR codes pointing to https://t.me/c/1526604311/1 (the private Telegram group from 1:37:53) and https://me-qr.com/dCuKk8Cc (archive). |
lepz0r
commented
6 months ago I did not see any mention of SNI-based blocking.
But some ISPs also do SNI-based blocking here now
wkrp
commented
6 months ago In particular, do you know anything about the "TKPPSE" or "RPZ" acronyms mentioned?
iMAP and OONI have high-quality reports about blocking in Indonesia:
I did not find the acronyms RPZ and TKPPSE in them, but there are definitions of PSE and Trust+/TrustPositif. PSE is a legal class of online service operators who are obliged to register themselves with the government, comply with takedown requests, etc. TrustPositif is a (DNS?) filtering application, operational since 2010.
Private Electronic System Operators (PSE) Ministerial Regulation No 5 of 2020
The law came into effect in November 2020 to replace and consolidate Kominfo Regulations No 19 of 2014 on Handling of Internet Sites Containing Negative Content and No 36 of 2014 on Registration of Electronic System Operators.47 The law requires private electronic system operators (penyelenggara sistem elektronik or PSE) to register themselves with Kominfo before providing any service to internet users.
Through the single registration system, a PSE must disclose how their system works and the kinds of user information they collect, store, and process. The law does not only apply to domestic operators but also to foreign private PSEs that have users in Indonesia. Failing registration, Kominfo would block the websites of private PSEs in Indonesia.48
https://ooni.org/post/2022-state-of-internet-censorship-indonesia/#trustpositif-by-kominfo
TrustPositif by Kominfo
As of September 2022, the Indonesian Ministry of Information and Communication (Kominfo) has blocked over 1,000,000 websites through TrustPositif,52 a filtering application that has been operational since 2010 per Ministerial Regulation No 19 of 2014. The majority of the blocked websites fall under the categories of gambling and pornography. Other categories of blocked websites include online scams, intellectual property violations, and “negative content” recommended by related-sector agencies. There have been reported cases of newly registered domain names being falsely pre-blocked on TrustPositif.53 An official from Kominfo claims that the blocks are based on citizen reports.54
The Freedom on the Net 2023 report for Indonesia is also full of a lot of good analysis. I do not find TSPPKE or RPZ in it, but it mentions TrustPositif and another, newer system called DNS Whitelist Nusantara:
https://freedomhouse.org/country/indonesia/freedom-net/2023#A
In July 2022, the Pengelola Nama Domain Internet Indonesi (PANDI) and the APJII proposed the implementation of national Domain Name System (DNS) filtering technology, such as DNS Whitelist Nusantara and TrustPositif. This would enable the government to limit public access to certain types of content.42 Critics of the proposal likened it to China’s highly repressive filtering system, known as the Great Firewall.43
wkrp
commented
6 months ago The Freedom on the Net 2023 report for Indonesia is also full of a lot of good analysis. I do not find TSPPKE or RPZ in it, but it mentions TrustPositif and another, newer system called DNS Whitelist Nusantara
Footnote 42 of the Freedom on the Net report links to a PowerPoint presentation (20220729021540.pdf) by Mohamad Shidiq Purnama at the Indonesia Network Operators Group (IDNOG) Workshop and Conference 2022, on the topic of a national DNS system.
Indonesia National DNS |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
fortuna
commented
6 months ago I figured out what RPZ is. From A warm welcome to DNS:
RPZ: Response Policy Zone is a framework for blocking, dropping queries or spoofing responses based on domain names, response IP addresses or nameservers used during resolution. It has long lived as an ISC Technical Note, and failed to become an IETF standard. It is nevertheless very useful, and there is an industry of RPZ providers. Policies are described by zones and are typically transmitted over IXFR.
merdekaid
commented
6 months ago National DNS has actually been implemented since 2015
You can read it here https://www.kominfo.go.id/index.php/content/detail/4991/Kominfo+Finalisasi+DNS+Nasional/0/sorotan_media
So basically the current system is, every ISP must redirect port 53 to their own server, their own server must be synchronized to Kominfo's RPZ server so it can update the blocking efficiently.
Indonesian cannot change their DNS settings without using encrypted DNS, so if we want to use custom filtering service such as NextDNS or ControlD, we usually rely on DoH/DoT
ThePhoenix576
commented
6 months ago Indonesian cannot change their DNS settings without using encrypted DNS, so if we want to use custom filtering service such as NextDNS or ControlD, we usually rely on DoH/DoT
True. And that means that if those protocols get blocked, then we'll have to probably use a VPN to tunnel DNS queries lol
wkrp
commented
6 months ago I figured out what RPZ is.
So basically the current system is, every ISP must redirect port 53 to their own server, their own server must be synchronized to Kominfo's RPZ server so it can update the blocking efficiently.
I see—so RPZ (Response Policy Zone) is a semi-standard way of representing DNS filtering/blocking rules as DNS information itself, such that the rules can be transmitted/synchronized with a zone transfer (AXFR/IXFR).
So we may take as a working hypothesis that the DNS blocklist in Indonesia is centrally managed and stored in Response Policy Zone format. Each individual ISP synchronizes the local blocklists in its own DNS resolvers with a master RPZ server periodically. (Every 1,000 seconds?)
Maybe, then, it's possible to interrogate the RPZ masters, or download the entire blocklist with a zone transfer? I tried port scanning 103.154.123.130, 139.255.196.202, and 27.54.116.6, but did not find udp/53 responsive on any of them.
The Trust+ / TrustPositif label also seems to have to do with DNS filtering. But I'm not sure if it's the same as the RPZ system, or something additional to it. @DarkMProgrammer, @ThePhoenix576, do you know, is Trust+ the name for the RPZ-based rule specification and synchronization system, or is Trust+ a different system? Slide 5 of the IDNOG 2022 slides mentions an "anti phishing" database separate from the Trust+ list, so maybe there is more than one database. One of the slides in the focus group discussion refers to both RPZ and TrustPositif:
Untuk setting konfigurasi dasar bind untuk menjadi slave pada RPZ kominfo berikut tahapan nya:
Untuk mengaktifkan slave RPZ zone maka kita harus mengedit file named.conf atau file yang memuat konfigurasi zone. Tambahkan parameter berikut di file konfigurasi zone:
zone "trustpositifkominfo" { type slave; file "db.trustpositifkominfo"; masters { 103.154.123.130; 139.255.196.202; }; allow-query { any; }; };Note: Masters IP yang digunakan lebi dari satu.
To set the basic bind configuration to become a slave to the RPZ kominfo, here are the steps:
To enable the RPZ zone slave, we must edit the named.conf file or the file that contains the zone configuration. Add the following parameters in the zone configuration file:
Note: More than one Masters IP is used.
wkrp
commented
6 months ago @DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
This is one of the slides that mentions TKPPSE (timestamp 1:33:00):
Sistem TKPPSE
TKPPSE Virtual Borderline
- TKPPSE telah dipasang pada 147 site di 27 Provinsi
- TKPPSE dipasang pada jaringan internet Indonesia sebagai metode filtering dan kedaulatan digital Indonesia
TKPPSE System
- TKPPSE has been installed on 147 sites in 27 Provinces
- TKPPSE is installed on Indonesia's internet network as a method of filtering and Indonesia's digital sovereignty
ThePhoenix576
commented
6 months ago The Trust+ / TrustPositif label also seems to have to do with DNS filtering. But I'm not sure if it's the same as the RPZ system, or something additional to it. @DarkMProgrammer, @ThePhoenix576, do you know, is Trust+ the name for the RPZ-based rule specification and synchronization system, or is Trust+ a different system? Slide 5 of the IDNOG 2022 slides mentions an "anti phishing" database separate from the Trust+ list, so maybe there is more than one database. One of the slides in the focus group discussion refers to both RPZ and TrustPositif:
I don't know for sure. I haven't looked into it that much. @DarkMProgrammer might know more about this thing though.
@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
Tata Kelola Pengendalian Penyelenggara Sistem Elektronik
It seems to refer to their blocking system to "protect" the digital world . or something like that. I don't know if it's specific to one of their blocking systems or something like that though.
wkrp
commented
6 months ago @DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
Tata Kelola Pengendalian Penyelenggara Sistem Elektronik
It seems to refer to their blocking system to "protect" the digital world . or something like that. I don't know if it's specific to one of their blocking systems or something like that though.
I see. So the name is not really specific. I wonder if TKPPSE is something like the TSPU in Russia, government-managed DPI black boxes installed at ISPs.
ThePhoenix576
commented
6 months ago @DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
Tata Kelola Pengendalian Penyelenggara Sistem Elektronik It seems to refer to their blocking system to "protect" the digital world . or something like that. I don't know if it's specific to one of their blocking systems or something like that though.
I see. So the name is not really specific. I wonder if TKPPSE is something like the TSPU in Russia, government-managed DPI black boxes installed at ISPs.
Yeah, idk for sure. But I'm not liking where this country is going with them wanting to block DoT/H etc lol. Thankfully they drew the line with VPNs. But we all know that they can change their minds in an instant.
merdekaid
commented
6 months ago @DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
This is one of the slides that mentions TKPPSE (timestamp 1:33:00):
Sistem TKPPSE
TKPPSE Virtual Borderline
- TKPPSE telah dipasang pada 147 site di 27 Provinsi
- TKPPSE dipasang pada jaringan internet Indonesia sebagai metode filtering dan kedaulatan digital Indonesia
TKPPSE System
- TKPPSE has been installed on 147 sites in 27 Provinces
- TKPPSE is installed on Indonesia's internet network as a method of filtering and Indonesia's digital sovereignty
It's the DPI middlebox which responsible to send TCP RST (for https) and sending 302 redirection to national blockpage (http://lamanlabuh.aduankonten.id) for http.
If you don't know, every Indonesian DPI mechanism have the same behaviour such as:
Here is for example when we tested port 25565 with the Host header of hypixel.net, a Minecraft server that Indonesian government don't like.
If the DPI is deployed by each ISP, there most likely won't have same mechanism as some ISP here love putting ads lol
ThePhoenix576
commented
6 months ago If the DPI is deployed by each ISP, there most likely won't have same mechanism as some ISP here love putting ads lol
Oh look ! Ads !
But anyways, I really do hope that they won't block DoT/H lol. Public DNS like Google DNS is far more reliable than our ISPs DNS servers lol
merdekaid
commented
6 months ago I figured out what RPZ is.
So basically the current system is, every ISP must redirect port 53 to their own server, their own server must be synchronized to Kominfo's RPZ server so it can update the blocking efficiently.
I see—so RPZ (Response Policy Zone) is a semi-standard way of representing DNS filtering/blocking rules as DNS information itself, such that the rules can be transmitted/synchronized with a zone transfer (AXFR/IXFR).
So we may take as a working hypothesis that the DNS blocklist in Indonesia is centrally managed and stored in Response Policy Zone format. Each individual ISP synchronizes the local blocklists in its own DNS resolvers with a master RPZ server periodically. (Every 1,000 seconds?)
Maybe, then, it's possible to interrogate the RPZ masters, or download the entire blocklist with a zone transfer? I tried port scanning 103.154.123.130, 139.255.196.202, and 27.54.116.6, but did not find udp/53 responsive on any of them.
The Trust+ / TrustPositif label also seems to have to do with DNS filtering. But I'm not sure if it's the same as the RPZ system, or something additional to it. @DarkMProgrammer, @ThePhoenix576, do you know, is Trust+ the name for the RPZ-based rule specification and synchronization system, or is Trust+ a different system? Slide 5 of the IDNOG 2022 slides mentions an "anti phishing" database separate from the Trust+ list, so maybe there is more than one database. One of the slides in the focus group discussion refers to both RPZ and TrustPositif:
Untuk setting konfigurasi dasar bind untuk menjadi slave pada RPZ kominfo berikut tahapan nya: Untuk mengaktifkan slave RPZ zone maka kita harus mengedit file named.conf atau file yang memuat konfigurasi zone. Tambahkan parameter berikut di file konfigurasi zone:
zone "trustpositifkominfo" { type slave; file "db.trustpositifkominfo"; masters { 103.154.123.130; 139.255.196.202; }; allow-query { any; }; };Note: Masters IP yang digunakan lebi dari satu.
To set the basic bind configuration to become a slave to the RPZ kominfo, here are the steps: To enable the RPZ zone slave, we must edit the named.conf file or the file that contains the zone configuration. Add the following parameters in the zone configuration file: Note: More than one Masters IP is used.
The DNS Transfer only permitted for ISP DNS here, they have an ACL going to port 53 so outsider can't do AXFR command.
Feel free to contact me on slashy(at)bebasid.com if you want more info
merdekaid
commented
6 months ago If the DPI is deployed by each ISP, there most likely won't have same mechanism as some ISP here love putting ads lol
Oh look ! Ads !
But anyways, I really do hope that they won't block DoT/H lol. Public DNS like Google DNS is far more reliable than our ISPs DNS servers lol
It's not about reliable outside server anymore, it's about freedom of information and human right.
Indonesian are very restricted to customize their network by Kominfo due to National DNS regulation. They can't enjoy custom filtering, ad-blocking DNS, or even host their own DNS because of this.
It's not only international port 53 that got redirected, the local one too because Kominfo/ISP afraid people is hosting DNS on local VPS server and use them at home.
Ironically, National DNS actually against our consitution which guaranteed freedom of expression and human rights
wkrp
commented
6 months ago The DNS Transfer only permitted for ISP DNS here, they have an ACL going to port 53 so outsider can't do AXFR command.
I see. The ACL must be the reason for the Google Form (archive) linked at 1:37:53 in the focus group video. A field on the form asks for the IP addresses that will be used for RPZ zone transfers.
Alamat IP Publik DNS Server (Jika sudah ada)
RPZ sistem kominfo adalah sebuan DNS server yang berisi sebuah zone yang dapat direplikasi (transfer zone). Untuk dapat melakukan transfer zone, ISP harus terlebih dahulu meregister Source IP yang akan melakukan transfer ke sistem RPZ kominfo. Mohon memasukkan IP yang dimaksud ke dalam dform di bawah ini (maksimal 4 IP). Jika informasi ini belum ada, dapat disusulkan melalui Whatsapp Message ke sdr. Riko Rahmada
- IP 1:
- IP 2:
- IP 3:
- IP 4:
DNS Server Public IP Address (If already exist)
Kominfo RPZ system is a DNS server that contains a zone that can be replicated (transfer zone). To be able to transfer zones, ISPs must first register the Source IP that will transfer to the Kominfo RPZ system. Please enter the IP in question into the dform below (maximum 4 IPs). If this information does not exist, it can be proposed via Whatsapp Message to Br. Riko Rahmada
- IP 1:
- IP 2:
- IP 3:
- IP 4:
merdekaid
commented
6 months ago The DNS Transfer only permitted for ISP DNS here, they have an ACL going to port 53 so outsider can't do AXFR command.
I see. The ACL must be the reason for the Google Form (archive) linked at 1:37:53 in the focus group video. A field on the form asks for the IP addresses that will be used for RPZ zone transfers.
Alamat IP Publik DNS Server (Jika sudah ada)
RPZ sistem kominfo adalah sebuan DNS server yang berisi sebuah zone yang dapat direplikasi (transfer zone). Untuk dapat melakukan transfer zone, ISP harus terlebih dahulu meregister Source IP yang akan melakukan transfer ke sistem RPZ kominfo. Mohon memasukkan IP yang dimaksud ke dalam dform di bawah ini (maksimal 4 IP). Jika informasi ini belum ada, dapat disusulkan melalui Whatsapp Message ke sdr. Riko Rahmada
- IP 1:
- IP 2:
- IP 3:
- IP 4:
DNS Server Public IP Address (If already exist)
Kominfo RPZ system is a DNS server that contains a zone that can be replicated (transfer zone). To be able to transfer zones, ISPs must first register the Source IP that will transfer to the Kominfo RPZ system. Please enter the IP in question into the dform below (maximum 4 IPs). If this information does not exist, it can be proposed via Whatsapp Message to Br. Riko Rahmada
- IP 1:
- IP 2:
- IP 3:
- IP 4:
Yep that's right, in order to get access to it, you must register there first
merdekaid
commented
6 months ago @DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik. This is one of the slides that mentions TKPPSE (timestamp 1:33:00):
Sistem TKPPSE
TKPPSE Virtual Borderline
- TKPPSE telah dipasang pada 147 site di 27 Provinsi
- TKPPSE dipasang pada jaringan internet Indonesia sebagai metode filtering dan kedaulatan digital Indonesia
TKPPSE System
- TKPPSE has been installed on 147 sites in 27 Provinces
- TKPPSE is installed on Indonesia's internet network as a method of filtering and Indonesia's digital sovereignty
It's the DPI middlebox which responsible to send TCP RST (for https) and sending 302 redirection to national blockpage (http://lamanlabuh.aduankonten.id) for http.
If you don't know, every Indonesian DPI mechanism have the same behaviour such as:
- Lamanlabuh blockpage
- They listen to all port from 1 to 65535
- Sending TCP RST packet as their blocking mechanism
Here is for example when we tested port 25565 with the Host header of
hypixel.net, a Minecraft server that Indonesian government don't like.If the DPI is deployed by each ISP, there most likely won't have same mechanism as some ISP here love putting ads lol
I found this leak from some clueless Indonesian NOC on LinkedIn.
TKPPSE is indeed the National DPI implemented by Kominfo, simillar to GFW on China.
merdekaid
commented
6 months ago Every ISP that has connection to outside (Ex: Singapore) have their network tapped first by Kominfo so they can log or monitor the request for "blacklisted" header.
If the header is blacklisted, the National DPI (so called TKPPSE) will send you TCP RST packet and 302 redirection to National Blockpage at (http://lamanlabuh.aduankonten.id)
merdekaid
commented
6 months ago It's indeed sad that my country is heading towards China/Iran :(
I don't care if the government is only blocking pornographic and gambling content. What I care, they love to block random stuff that should not be blocked such as Reddit, Vimeo, Startmail, and recently, Hypixel. This falls under censorship rather than "protection" now especially they forbid their people to change their DNS and now implementing simillar infrastructure to China censorship.
merdekaid
commented
6 months ago
Simillar to GFW, TKPPSE has bidirectional blocking so you can check blocked site in Indonesia by curl-ing them against infected ISPs and modify the host header to blocked website
merdekaid
commented
6 months ago I just realised some clever ISP in Indonesia has different routing thus only its client that affected by DPI. Mainly noted PT Jala Lintas Media and PT Cyberindo Aditama so the bidirectional checking won't work
wkrp
commented
6 months ago I found this leak from some clueless Indonesian NOC on LinkedIn.
TKPPSE is indeed the National DPI implemented by Kominfo, simillar to GFW on China.
That same slide appears in this focus group discussion, during Setyo Wibawa's part at 1:49:40. The title of the slide says "TKPSEE", but I would guess that's a typo for TKPPSE.
TKPSEE [sic]
Tata Kelola Pengendalian Penhelenggara Sistem Elektronik
Penempatan Perangkat di NAP
TKPSEE
Electronic System Operator Control Governance
Device Placement in NAP
wkrp
commented
6 months ago Simillar to GFW, TKPPSE has bidirectional blocking so you can check blocked site in Indonesia by curl-ing them against infected ISPs and modify the host header to blocked website
I can reproduce the bidirectional HTTP 302 injection with curl. Great tip. @snourin, this looks like something you'd be interested in.
$ curl -i http://iconnet.id/ -H "Host: hypixel.net"
HTTP/1.0 302 Moved
Content-Length: 0
Location: http://lamanlabuh.aduankonten.id/
Pragma: no-cache
Cache-Control: no-cache
In my quick tests, it looks like the injection is unreliable: sometimes a get the real response from the iconnet.id server. Interestingly, it appears that the GET method but not the HEAD method is affected: curl -i http://iconnet.id/ -H "Host: hypixel.net" sometimes gets injection, but curl -I http://iconnet.id/ -H "Host: hypixel.net" does not.
merdekaid
commented
6 months ago Simillar to GFW, TKPPSE has bidirectional blocking so you can check blocked site in Indonesia by curl-ing them against infected ISPs and modify the host header to blocked website
I can reproduce the bidirectional HTTP 302 injection with curl. Great tip. @snourin, this looks like something you'd be interested in.
$ curl -i http://iconnet.id/ -H "Host: hypixel.net" HTTP/1.0 302 Moved Content-Length: 0 Location: http://lamanlabuh.aduankonten.id/ Pragma: no-cache Cache-Control: no-cacheIn my quick tests, it looks like the injection is unreliable: sometimes a get the real response from the iconnet.id server. Interestingly, it appears that the GET method but not the HEAD method is affected:
curl -i http://iconnet.id/ -H "Host: hypixel.net"sometimes gets injection, butcurl -I http://iconnet.id/ -H "Host: hypixel.net"does not.
Yeah but if you are inside Indonesia, you will get injected 100%
I don't know what's actually happening on the National DPI's side that causing a request from outside Indonesia to have unstable injection.
merdekaid
commented
6 months ago The iForte one has the stable injection to the outside, maybe you can try curling it against iforte.co.id or transjakarta.co.id
Transjakarta public wifi is using iForte as its IP Transit so it's affected by the TKPPSE aka National DPI aka Great Firewall of Indonesia
merdekaid
commented
6 months ago I suspect Iconnet has a loadbalancing stuff on their side, when you aren't affected, sometimes you got routed to one of their backup loadbalancing border router which hasn't been tapped yet by Kominfo
merdekaid
commented
6 months ago Oh yeah if you don't know what NAP is, NAP stands for Network Access Provider.
Kominfo has actually have 2 ISP licensing. one is ISP and one is NAP
ISPs with normal ISP licensing are forbidden to have a direct peer with Tier 1 ISPs (such as HE, Cogent, etc). they are only allowed to peer with NAP before going to T1 ISPs
NAP in the other hand, are the ISPs that is allowed to have direct connection outside, they are forced by Kominfo to have their border router tapped to the National DPI (TKPPSE) for censorship reason like above.
merdekaid
commented
6 months ago
Since every port are affected, you can't even connect to a game server that is blocked by Kominfo lol
merdekaid
commented
6 months ago
Even some CDN here are blocked , how bad could it be.
The reason of the blockage could be these 2 reasons:
fortuna
commented
6 months ago I also get inconsistent measurements when running the measurement from outside Indonesia. I get 3 different results:
I believe the blocking is inconsistent, and the interference mechanisms race each other.
See this traffic capture triggered with curl -i http://iconnet.id/ -H "Host: hypixel.net":
I received, in order:
In this case, curl returned a connection reset error, even though pages were eventually received. Sometimes the Block page arrives before the TCP reset.
The filter packets can be identified by the IP ID 0x00f2. My machine sends a reset to the server because the TCP state is already reset on the client side when it received the legit page.
I also noticed a smaller TTL on the legit response, which suggests it's farther away than the middlebox.
Here is another example, where the block page is received before the TCP reset and legit page:
When the fetch succeeds, I get neither the block page, nor the TCP reset:
fortuna
commented
6 months ago Is it possible to set up a firewall to drop a specific IP ID? Perhaps combined with a sequence number or direction to minimize false positives?
That could potentially bypass censorship.
merdekaid
commented
6 months ago Is it possible to set up a firewall to drop a specific IP ID? Perhaps combined with a sequence number or direction to minimize false positives?
That could potentially bypass censorship.
We should try this, we have several mechanism to bypass the National DPI (TKPPSE) on MikroTik by dropping certain packet on the firewall (I won't tell you how since there might be a Kominfo spy here lurking around) but feel free to drop me an email or talk with me on Slack as usual haha.
I and my team on BEBASID would love to try to experiment with this
merdekaid
commented
6 months ago Oh yeah, the request might still be logged on Kominfo's TKPPSE infrastructure so while you can bypass the censorship by dropping certain packet that the National DPI sent, they still know what you are visiting thus its not good for your privacy
merdekaid
commented
6 months ago Some Indonesian ISPs now are experimenting with blocking DoH/DoT such as PT Netciti Persada with Cloudflare, Google, and other popular server and PT Mora Telematika Indonesia for Quad9. Same like before with TKPPSE during the end of 2021 with XL Axiata network.
fortuna
commented
6 months ago It looks like nftables support IP IDs in rules: https://wiki.gentoo.org/wiki/Nftables#Rules. I'm not super familiar with nftables, but I think the rule would look something like this:
ip id 0x00f2 drop;Is it possible to set up a firewall to drop a specific IP ID? Perhaps combined with a sequence number or direction to minimize false positives?
merdekaid
commented
6 months ago It looks like nftables support IP IDs in rules: https://wiki.gentoo.org/wiki/Nftables#Rules. I'm not super familiar with nftables, but I think the rule would look something like this:
ip id 0x00f2 drop;Is it possible to set up a firewall to drop a specific IP ID? Perhaps combined with a sequence number or direction to minimize false positives?
That's interesting, since I'm currently super busy right now (sorry), I'll have my colleague test it for us
merdekaid
commented
6 months ago They got Object "id" is unknown, try "ip help". error while trying on nftables hmm
merdekaid
commented
6 months ago I found an old screenshot from my hard drive.
During the post implementation of TKPPSE, Cloudflare CGK Datacenter got affected by the National DPI
Resulting blocked site that is using Cloudflare cannot be accessed as its either redirected to national block page or returning SSL Handshake Error
Google Translate proxy also got affected too.
Luckily its safe now. Probably Google and Cloudflare ditched the provider who did this and rerouted it directly to SG without help of local provider.
merdekaid
commented
6 months ago Oh yeah, this is the original National DNS document which makes Indonesian don't have freedom to customize their network
Lanius-collaris
commented
6 months ago They got Object "id" is unknown, try "ip help". error while trying on nftables hmm
@DarkMProgrammer
ip id 0x00f2 is an expression used to match packets, not a command, drop is operation.
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Rules
Have you tested TCP fragmentation?
merdekaid
commented
6 months ago They got Object "id" is unknown, try "ip help". error while trying on nftables hmm
@DarkMProgrammer
ip id 0x00f2is an expression used to match packets, not a command,dropis operation. https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Rules Have you tested TCP fragmentation?
I never done it manually with nfttables, but GoodbyeDPI/Zapret did work to bypass TKPPSE
merdekaid
commented
6 months ago It's happening guys
On December 30th 2023, some ISPs have blocked access to DoH/DoT domain
Our DNS service is also affected
Aside PT Netciti Persada, PT Jaringan Sarana Nusantara (JSN) also started to blackholling DoH from their DNS, it seems Kominfo started to roll this to every ISPs
merdekaid
commented
6 months ago Thanks to National DNS regulation, changing plain DNS won't work so you are stuck with ISP DNS that is blocking access to DoH/DoT domain as you can see the result of nslookuping to Google DNS is hijacked to each ISP's DNS.
If you want to use DoH/DoT, writting the domain on host file will work
wkrp
commented
6 months ago On December 30th 2023, some ISPs have blocked access to DoH/DoT domain
Thank you for the news. Since this thread is about the focus group video, let's talk about DoH/DoT blocking in a new thread.
merdekaid
commented
2 months ago AS4800 - PT Aplikanusa Lintasarta started to redirect port 53 again on IP Transit level if they know that their customer is an ISP serving to end user in Indonesia.
They done this back in 2022, dismantled it for temporary and reimplementing again now.
I think this is unethical for an ISP to do this as it can break some of their customer's network and such. What do you think of this?
The Ministry of Communication and Information (Kementerian Kominfo) hosted a live stream on December 4, 2023, where they openly discuss the mechanisms to filter content in Indonesia.
The video is in Indonesian, but you can enable closed captions and auto-translate to explore it.
To make it easier to explore, I've extracted the auto-translated subtitles. That way you can search for topics of interest, and find the time in the video.
Among other things, they discuss DNS and IP-based blocking and blocking of third-party DNS resolvers, explicitly calling out Google, Cloudflare and Quad9, and blocking of port 853. They say that they need to block encrypted DNS (DoT, DoH and DoQ) so that the user is forced to fall back to unencrypted DNS.
I did not see any mention of SNI-based blocking.
Below are two relevant moments, and you can find more by searching the transcript.
https://www.youtube.com/live/JY7-KbByjcI?si=p5SJnKdwww48uQD7&t=6634
https://www.youtube.com/live/JY7-KbByjcI?si=W0hC4sDSYiA-BPpp&t=8551