Avoiding DNS poisoning from the ISP side

We should take a step back and distinguish two quite different cases here:

  • deep packet inspection and something like the Great Firewall
  • and ISPs who 'just' hijack DNS traffic and do nefarious things, ranging from NXDOMAIN hijacking to blocking of legal but somewhat restricted content (adult entertainment, etc.)

Obviously both approaches are evil™, but they are quite different in scope - and so are the reactions to them.

The suggestions so far mostly cover the former, the Great Firewall, where you do have to obfuscate your traffic and tunnel your way out of it, in constant fear of legal ramifications.

The latter, 'just' simple DNS hijacking, can be sorted with much easier approaches, ranging from just setting a different DNS server (in the very easy cases) to things like DoT or DoH or running your own resolver. At worst you may have to find an 'unknown' (to your ISP) DoT/DoH service to provide you with untainted/encrypted DNS results, but you don't need full-blown (obfuscated) VPN tunneling, nor do you have to fear legal repercussions if you're found out.
In this case you can and should also tell your ISP that you're not happy with their service and the lack of net neutrality - and consider the option of switching to a better alternative (that is easier said than done, I know).

2 Likes

Zapret has a script to check which blocking method works for your ISP; you need to enter the site names which are blocked for you and wait for it to check.

It’s called blockcheck.sh

Where is that script? I've installed the ipk files they were hosting. I didn't see any script.

Zapret should've installed in the /opt/zapret directory;
cd into it and then run it from there.

SUMMARY
ipv4 adultsite.com curl_test_http : working without bypass

ipv4 adultsite.com curl_test_https_tls12 : nfqws --dpi-desync=fake --dpi-desync-ttl=2

ipv4 adultsite.com curl_test_https_tls13 : nfqws not working
Please note this SUMMARY does not guarantee a magic pill for you to copy/paste and be happy.
Understanding how strategies work is very desirable. This knowledge allows to understand better which strategies to prefer and which to avoid if possible, how to combine strategies. Blockcheck does it's best to prioritize good strategies but it's not bullet-proof.
It was designed not as magic pill maker but as a DPI bypass test tool.

press enter to continue

Now once again cd into /opt/zapret and run the installer again: ./install_easy.sh

During the installation setup, when it asks what blocking method to use, select Y for nfqws; then it will ask you if you want to edit the block method file, so select yes (Y).

In the file below there should be a section NFQWS_OPT= “..”; in that, delete the default blocking options and add the one you found in blockcheck, which is this:

If your storage is limited, start by putting zapret in /tmp.
Then run the scripts install_prereq.sh, install_easy.sh, install_bin.sh and blockcheck.sh.

If there is no problem with storage you can start directly from /opt like this tutorial:

There is no install_easy.sh file in there:

How did you install zapret on your system?

For OpenWrt you have to install the tarball here:
https://github.com/bol-van/zapret/releases/download/v69.9/zapret-v69.9-openwrt-embedded.tar.gz

1 Like

From here https://github.com/remittor/zapret-openwrt/releases

Okay, this is a different repo but also not the official one; did you install the correct package for your system architecture?

1 Like

Okay, I deleted that and installed what you said, and did the steps. IT WORKS. THANK YOU MY FRIEND! THIS IS SO AWESOME!!

NFQWS_PORTS_TCP=80,443
NFQWS_PORTS_UDP=443
NFQWS_TCP_PKT_OUT=9
NFQWS_TCP_PKT_IN=3
NFQWS_UDP_PKT_OUT=9
NFQWS_UDP_PKT_IN=0
NFQWS_PORTS_TCP_KEEPALIVE=
NFQWS_PORTS_UDP_KEEPALIVE=
NFQWS_OPT="
--filter-tcp=80 --dpi-desync=fake,multisplit --dpi-desync-split-pos=method+2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
--filter-tcp=443 --dpi-desync=fake --dpi-desync-ttl=2 --filter-udp=443 --dpi-desync=fake --dpi-desync-ttl=2"


2 Likes

It is a local setup; you have to check whether it works.

1 Like

It works mate, thanks.

It works, but only on wireless. Wired PCs won't work. I also have hardware offloading enabled. Could it cause this? But wireless works fine.

Yes, nfqws won't work with software or hardware flow offloading.

During installation when it asked about FLOWOFFLOAD= what did you select there?

If you select the hardware option there, then it will do selective hardware flow offloading.

3 Likes

I selected the hardware option. Hmm. OK, I'll try with none then?

Can you post

nft list ruleset | grep flow

I am no expert in this particular tool, but it is interesting to see what they do with offload.

1 Like

Detection alone would also be very interesting, just to know if an ISP is doing this.
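On the detection question: one way to spot a resolver that tampers with answers is to ask the ISP resolver and a trusted DoT/DoH resolver for the same name and compare the result codes and A records. The following is an added example, not code from this thread or from zapret; it uses only the Python standard library, leaves the actual sending (UDP/53 for `build_query()`, an HTTPS request for DoH) to the caller, and the responses in the test are constructed, not real captures.

```python
import struct

def _name(name: str) -> bytes:
    # Wire-format name: length-prefixed labels, terminated by a zero byte.
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, qid: int = 0x1234) -> bytes:
    # Minimal DNS A query with RD=1; send it over UDP/53 to the resolver under test.
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + _name(name) + struct.pack(">HH", 1, 1)

def build_response(name: str, rcode: int, addrs, qid: int = 0x1234) -> bytes:
    # Constructed response so the example runs offline; not captured from any real ISP.
    hdr = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes(map(int, a.split(".")))
                   for a in addrs)
    return hdr + _name(name) + struct.pack(">HH", 1, 1) + rrs

def _skip_name(msg: bytes, off: int) -> int:
    # Advance past a name, whether it is written out or ends in a compression pointer.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_response(msg: bytes):
    # Return (rcode, set of A addresses) from a DNS response message.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

def classify(isp_msg: bytes, trusted_msg: bytes) -> str:
    # Compare the ISP resolver's answer with a trusted (DoH/DoT) resolver's answer.
    isp_rc, isp_a = parse_response(isp_msg)
    tr_rc, tr_a = parse_response(trusted_msg)
    if tr_rc == 3 and isp_rc == 0 and isp_a:
        return "nxdomain-hijack"      # ISP invents an A record for a name that does not exist
    if isp_rc != tr_rc:
        return "rcode-mismatch"       # e.g. NXDOMAIN/REFUSED from the ISP for a name that resolves
    if isp_a and tr_a and not (isp_a & tr_a):
        return "answer-mismatch"      # no overlap at all: likely a block/landing page (CDNs can vary)
    return "consistent"
```

Because CDNs legitimately return different addresses per resolver, "answer-mismatch" is a prompt to look closer (e.g. whether the ISP address serves a block page), not proof on its own; the NXDOMAIN case is the clearer signal.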

These rules are with selective software flow offloading enabled:

nft list ruleset | grep flow
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
                ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
        flowtable ft {
                oifname @wanif jump flow_offload
                oifname @wanif6 jump flow_offload
        chain flow_offload {
                tcp dport { 80, 443 } ct original packets 1-9 ip daddr != @nozapret return comment "direct flow offloading exemption"
                tcp dport { 80, 443 } ct original packets 1-9 ip6 daddr != @nozapret6 return comment "direct flow offloading exemption"
                udp dport 443 ct original packets 1-9 ip daddr != @nozapret return comment "direct flow offloading exemption"
                udp dport 443 ct original packets 1-9 ip6 daddr != @nozapret6 return comment "direct flow offloading exemption"
                udp length 156 @th,64,32 0x1000000 ip daddr != @nozapret return comment "direct flow offloading exemption"
                udp length 156 @th,64,32 0x1000000 ip6 daddr != @nozapret6 return comment "direct flow offloading exemption"
                meta l4proto { tcp, udp } flow add @ft

1 Like