2

DNS server blocked in China

Please see the test result of greatfire.org

https://blocky.greatfire.org/detail/450314/https%3A%2F%2Fdns.nextdns.io

`DNS poisoning`? No.

Domestic DNS servers returned correct reply.

 

```

steering.nextdns.io.

103.127.124.46 [Asia]

92.38.166.121 [Korea]

```

 

Detect SNI? Yes.

Any IP using this SNI to establish an HTTPS connection will be subject to TCP reset attacks by Great Firewall and remain disconnected for a period of time.

 

IP blocking(using routing blackhole)? Yes.

`103.127.124.46` and `92.38.166.121 ` is not accessible on any port including 443,853, whenever.

17 replies

null
    • Carrot_eggs
    • 4 yrs ago
    • Reported - view

    今天下午被墙了吗?我现在nextdns一直在报I/O timeout,时断时续。

    最担心的一天终于来了。

    • minqi_wm
    • 4 yrs ago
    • Reported - view

    However, the following querying works.

    ```

    curl -vk 'https://nextdns.io/?name=example.com&type=A' -H "Host: dns.nextdns.io"

    ```

     

    ```

    curl -vk 'https:///45.90.28.102/?name=example.com&type=A' -H "Host: dns.nextdns.io"

    ```

    • minqi_wm
    • 4 yrs ago
    • Reported - view

    https://gitlab.com/NickCao/experiments/-/blob/master/workers/r.js

    I deployed this reverse proxy on Cloudflare workers.

    Now using following as DoH url `https://xxx.workers.dev/https://dns.nextdns.io/114514/devicename` 

    • minqi_wm
    • 4 yrs ago
    • Reported - view

    Carrot eggs

    GFW 看起来只检测 SNI dns.nextdns.io

    将 URL 写为

    https://devicename-114514.dns.nextdns.io

    仍然可用

    • ultramarine_rock
    • 4 yrs ago
    • Reported - view

    楼上的方法也不行。虽然起来只检测 SNI dns.nextdns.io但仍然无法访问诸如xxx.apple.dns.nextdns.io,

    xxx.dns.nextdns.io,apple.dns.nextdns.io/xxxxx,等所有个性化dns

      • minqi_wm
      • 4 yrs ago
      • Reported - view

      小熊2 xxx.apple.dns.nextdns.io 这个域名是不存在的

      注意:DoH 服务器的证书 CN 是 *.dns.nextdns.io

      如果使用 DoH, NextDNS 会按照 PATH 判断用户,和 SNI 无关

      https://nmsl.dns.nextdns.io/xxxxxx

      nmsl 可以替换为任意内容, 但是 xxxxxx 必须是您的 id

    • inkflaw
    • 4 yrs ago
    • Reported - view

    可以试试用 hosts 绑定域名的方式,反正 nextdns 是泛域名证书

      • inkflaw
      • 4 yrs ago
      • Reported - view

      inkflaw 

    • ultramarine_rock
    • 4 yrs ago
    • Reported - view

    已经能访问了

      • Carrot_eggs
      • 4 yrs ago
      • Reported - view

      小熊2 我在深圳移动网络下,目前还是不能使用。直接pingIP和域名都能ping通,就是不能使用。

      客户端是centos8上nextdns cli 1.11.0

      Fetching PoP name for ultra low latency primary IPv4 (ipv4.dns1.nextdns.io)
      Fetch error: Get "https://dns.nextdns.io/info": read tcp 192.168.50.2:36548->37.252.249.233:443: read: connection reset by peer
      Fetching PoP name for ultra low latency secondary IPv4 (ipv4.dns2.nextdns.io)
      Fetch error: Get "https://dns.nextdns.io/info": dial tcp 84.17.37.186:443: connect: connection timed out
      Fetching PoP name for anycast primary IPv4 (45.90.28.0)
      Fetch error: Get "https://dns.nextdns.io/info": read tcp 192.168.50.2:59000->45.90.28.0:443: read: connection reset by peer
      Fetching PoP name for anycast secondary IPv4 (45.90.30.0)
      Fetch error: Get "https://dns.nextdns.io/info": read tcp 192.168.50.2:57286->45.90.30.0:443: read: connection reset by peer

      • Carrot_eggs
      • 4 yrs ago
      • Reported - view

      小熊2 联通LTE IPv6下能够使用。

    • Carrot_eggs
    • 4 yrs ago
    • Reported - view

    https://www.solidot.org/story?sid=67104

    唉。。。

    • SandsHornLeon
    • 4 yrs ago
    • Reported - view

    楼上大佬能说中文吗 告诉我几楼的方法能成啊?

    • ultramarine_rock
    • 4 yrs ago
    • Reported - view

    大佬快想想办法?我现在想通过ios描述文件实现hosts功能,本地屏蔽网址

    • minqi_wm
    • 2 yrs ago
    • Reported - view

    I'm back to NextDNS, new protocol like QUIC or HTTP/3 is yet not blocked.

Login to reply

Content aside

  • 2 Likes
  • 2 yrs agoLast active
  • 17Replies
  • 1720Views
  • 5 Following