Open xtexChooser opened 2 months ago
Note: This is a free domain name provider. It has no relation with the European Union, despite its name.
Can you confirm whether this is blocking against the SNI *.eu.org, or against part/all of the IP addresses that any *.EU.ORG resolves to?
@gaukas It seems to be against the SNI. I tested:
eu.org
eu.org
which resolves to the same address as the first one.
Thanks! So after a TLS handshake using a blocked SNI with a target, all TLS connections (supposedly from the same source IP) to that server (IP:443) are blocked for some period of time.
Can you confirm whether this is blocking against the SNI eu.org, or against part/all of the IP addresses that EU.ORG resolves to?
It's resolving to user-provided IPs; there's no coherent IP range or finite/distinct set of ASNs it resolves to.
What is not technically clear to me is whether eu.org is blocked by SNI or by the preceding DNS query. For example, are requests to eu.org domains fine if DoH is used, and/or if the SNI is bogus/empty? Are non-TLS protocols fine?
This happened before.
So what is the significance of eu.org then 🧐 I don't believe all free domains/TLDs are targeted?
blocked by SNI or by preceding DNS query
Steps 3, 4 and 5 support that it is due to SNI, as far as I can see.
I don't believe all free domain tlds are targeted?
Note that eu.org is not a TLD.
not a TLD.
That's true, it is my bad for not stating my question clearly: since there are ~plenty of choices for~ free TLDs and other free subdomains, there is no reason to target eu.org unless it is special in some way.
Just one of your "subdomains" being targeted is enough; they would target *.maindomain. We have seen this hundreds of times. So it does not need to be special.
We have seen this hundreds of times.
Thank you for sharing. I'm not aware of this; could you please point me to other discussion threads or other resources about the same behavior?
And also, do we know what the exact trigger for such a "full domain TLS RST" is? Do you have to have a website hosting banned content, do you have to run a TLS proxy server, or what else?
Btw, I wonder if this implies none of the free subdomains will be available in China, perhaps also including restrictive ones such as .netlify.app, .azurewebsites.net, etc.?
They do not ban high-profile domains like *.netlify.app, but they do ban their subdomains. But in the case of smaller fish they do ban the whole domain. China does not use spoofing anymore (or very rarely), because their users know how to deal (DoH etc.) with that kind of basic blocking method. Their main method is really to intercept all SSL connections (we know they intercept on all ports) with a ClientHello, look at the requested certificate, send RST to both parties and firewall the IP for a certain period (a few minutes) (obviously their SSL filter requires more resources). This is a very effective way.
On eu.org I see that your subdomains do have their own certs. This is a good start, but the guy who decided about your ban might have seen eu.org as !important and banned the whole of eu.org. Or the second scenario is: one or multiple users placed anti-regime pages on one of your subdomains, and they are able to change their subdomains by registering a new subdomain with you. So they were tired of playing the cat-and-mouse game and banned the whole "!important" eu.org...
We sometimes see unbans, but very rarely. We have seen domains that were banned for a whole year.
But in your case eu.org seems not to be banned, but *.eu.org seems to be (just checked).
I just learned that this blocking behavior has been lifted on *.eu.org, can anyone confirm?
Yes, it seems to be; I have tried nl and cy.
Yes, it seems so for me.
About one week ago, some people reported that TLS connections to EU.ORG domains are blocked by the Great Firewall. This can be confirmed on both China Telecom and China Mobile networks.
There is no known DNS pollution in this blocking. All DNS queries I tested got the correct result.
Plain HTTP requests on 80/TCP are not blocked. After attempts to establish a TLS connection on 443/TCP (other ports were not tested), the connection will be reset, and further packets to the server's 443/TCP will be dropped for several minutes.