
Maxis Blocks Cloudflare DNS? (1.1.1.1), 1.1.1.1 inaccessible from Maxis network

     
TSlonewalker
post Oct 17 2019, 03:31 PM

QUOTE(lurkingaround @ Oct 17 2019, 03:23 PM)
Afaik, the difference between Google DNS 8888/8844 and Cloudflare's DNS over HTTPS 1111 is encryption of web traffic in the latter but not in the former.

ISPs cannot see or inspect the latter without doing some serious hacking.

*
NO. Wrong. And very off-topic, I might add.

Google DNS over TLS and Cloudflare DNS over TLS implement RFC 7858, the standard protocol for encrypted DNS queries over a Trusted Layer Socket (TLS) on TCP port 853.

Same protocol, DNS over TLS: both are encrypted; the difference is one goes to Cloudflare's servers, the other to Google's servers. BOTH also cannot be inspected/tampered with in transit (e.g. by ISPs).


Read the documentation at the source please:
https://developers.google.com/speed/public-...cs/dns-over-tls
https://developers.cloudflare.com/1.1.1.1/dns-over-tls/

Most of the public DNS servers I mentioned in the earlier post, including Cloudflare and Google, have some flavour of encrypted DNS (e.g. DoTLS/DoH/DNSCrypt), and all of them do the regular unencrypted DNS service also.

This post has been edited by lonewalker: Oct 17 2019, 04:12 PM
lurkingaround
post Oct 17 2019, 04:34 PM

QUOTE(lonewalker @ Oct 17 2019, 03:31 PM)
NO. Wrong. And very off-topic, I might add.

Google DNS over TLS and Cloudflare DNS over TLS implement RFC 7858, the standard protocol for encrypted DNS queries over a Trusted Layer Socket (TLS) on TCP port 853.

Same protocol, DNS over TLS: both are encrypted; the difference is one goes to Cloudflare's servers, the other to Google's servers. BOTH also cannot be inspected/tampered with in transit (e.g. by ISPs).
Read the documentation at the source please:
https://developers.google.com/speed/public-...cs/dns-over-tls
https://developers.cloudflare.com/1.1.1.1/dns-over-tls/

Most of the public DNS servers I mentioned in the earlier post, including Cloudflare and Google, have some flavour of encrypted DNS (e.g. DoTLS/DoH/DNSCrypt), and all of them do the regular unencrypted DNS service also.
*
In that case, the ISPs in Malaysia may soon start blocking all of them, in order to still be able to inspect and/or filter/throttle the web traffic of all their subscribers.

Presently, very few subscribers in Malaysia set their own encrypted DNS, like VPNs, Google 8.8.8.8 and Cloudflare 1.1.1.1.


TSlonewalker
post Oct 17 2019, 05:05 PM

QUOTE(lurkingaround @ Oct 17 2019, 04:34 PM)
In that case, the ISPs in Malaysia may soon start blocking all of them, in order to still be able to inspect and/or filter/throttle the web traffic of all their subscribers.
Pure speculation; unlikely, as major browser makers (Mozilla/Google of Firefox and Chrome fame) have expressed interest in enabling encrypted DNS in future versions of their browsers.
https://www.zdnet.com/article/google-to-run...ment-in-chrome/


QUOTE(lurkingaround @ Oct 17 2019, 04:34 PM)
Presently, very few subscribers in Malaysia set their own encrypted DNS, like VPNs, Google 8.8.8.8 and Cloudflare 1.1.1.1.
*
Encryption for DNS is not VPNs; not the same thing even in the most remote sense. Other traffic (other than DNS) does not get sent to Google or Cloudflare. Your ISP will still be able to see your individual connections to P2P peers in file-sharing apps (like torrents) when using encrypted DNS.

PS: Dear lurkingaround, please refrain from commenting further until you have properly read up on the subject matter, as anyone reading the entire thread can see where you are coming from.

This post has been edited by lonewalker: Oct 17 2019, 05:15 PM
lurkingaround
post Oct 17 2019, 05:21 PM

QUOTE(lonewalker)
Pure speculation; unlikely, as major browser makers (Mozilla/Google of Firefox and Chrome fame) have expressed interest in enabling encrypted DNS in future versions of their browsers.
https://www.zdnet.com/article/google-to-run...ment-in-chrome/

It will be like certain websites requiring the visitor to disable their adblocker before they can access the website: the ISPs can do the same, i.e. requiring their subscribers to disable their browsers' DoH.

DNS over HTTPS likely prevents the ISP from inspecting the encrypted contents of, throttling and/or filtering their subscribers' web-traffic. .......


https://www.zdnet.com/article/dns-over-http...es-experts-say/

Sometimes, we learn new things as we post and discuss a topic, as I have on this thread. We are not right or correct all the time.

It is a fact that ISPs throttle certain web traffic and MCMC blocks/filters certain websites. DoH may be an impediment for this. Remember we are not in USA or Google Chrome's HQ, where the ISPs are not allowed to do Deep Packet Inspection of their subscribers' web traffic.


This post has been edited by lurkingaround: Oct 17 2019, 05:31 PM
TSlonewalker
post Oct 17 2019, 05:44 PM

QUOTE(lurkingaround @ Oct 17 2019, 05:21 PM)
Sometimes, we learn new things as we post and discuss a topic, as I have on this thread. We are not right or correct all the time.
*
True, we can learn that way. But for your sake, to be wrong almost every time in every prior post :ouch: (it is not my goal to make you look bad/embarrass you); I think you should learn from reading proper documentation resources, not from a stranger correcting every post of yours.

PS: you are still factually wrong

QUOTE(lurkingaround @ Oct 17 2019, 05:21 PM)
It is a fact that ISPs throttle certain web traffic and MCMC blocks/filters certain websites. DoH may be an impediment for this. Remember we are not in USA or Google Chrome's HQ, where the ISPs are not allowed to do Deep Packet Inspection of their subscribers' web traffic
No Malaysian ISP ever throttled any particular website's web traffic. They throttled P2P (LimeWire/BitTorrent/eMule) but never a website, i.e. YouTube; not TM, not Jaring, not Maxis, etc. Mobile cellular throttling is a separate matter entirely, related to quality of service for other users.

Hence: not a fact (if it is, please cite a source and consider me wrong). (Otherwise) YOU seriously need to get your facts straight.

No Malaysian ISP is currently allowed, or was ever allowed, to inspect TCP port 443 web traffic, aka HTTPS traffic to sites, e.g. Facebook, Gmail, maybank2u.com.my. Heck, your ISP can't even inspect your web traffic currently browsing forum.lowyat.net, because of HTTPS, without setting off major security warnings in your browser. If they were, it would be reported as news.

Edit: user added "Remember we are not in USA or Google Chrome's HQ, where the ISPs are not allowed to do Deep Packet Inspection of their subscribers' web traffic" after posting, so I added my response.

This post has been edited by lonewalker: Oct 17 2019, 07:44 PM
I<3LYN
post Oct 17 2019, 07:15 PM

lonewalker, I salute your patience for trying to argue with someone so clueless but still wanting to act smart.
lurkingaround
post Oct 17 2019, 07:54 PM

QUOTE(lonewalker)
Hence: Not a fact (If it is, please cite a source and consider me wrong). (Otherwise) YOU seriously need to get your facts straight.

QUOTE
So what about content? Can they see what pages on that Web site you visited, and what you wrote in that e-mail? Yes, they can, if they choose to do so. But that's a lot of work with very little return for them. And there are legal limits. For instance, in the United States, ISPs can only share content with the government (I'll let you decide if you find that comforting). On the other hand, there are no such restrictions on with whom they can share your metadata.

https://www.pcworld.com/article/261752/is_y...ng_on_you_.html - Is Your ISP Spying On You? - 2012

QUOTE(lonewalker)
No Malaysian ISP is currently allowed, or was ever allowed, to inspect TCP port 443 web traffic, aka HTTPS traffic to sites, e.g. Facebook, Gmail, maybank2u.com.my. Heck, your ISP can't even inspect your web traffic currently browsing forum.lowyat.net, because of HTTPS, without setting off major security warnings in your browser. If they were, it would be reported as news.

So, why are Maxis and/or Digi blocking Cloudflare's DoH 1.1.1.1?
....... How did the police and MCMC catch those people who insulted the Agong or Sultans or Islam on Facebook, Twitter, Instagram, (forum.lowyat.?), etc.?


This post has been edited by lurkingaround: Oct 17 2019, 08:22 PM
I<3LYN
post Oct 17 2019, 08:18 PM

QUOTE(lurkingaround @ Oct 17 2019, 07:54 PM)
https://www.pcworld.com/article/261752/is_y...ng_on_you_.html - Is Your ISP Spying On You? - 2012

So, why are Maxis and/or Digi blocking Cloudflare's DoH 1.1.1.1.?
....... How did the police and MCMC catch those people who insulted the Agong or Sultans or Islam on Facebook, Twitter, Instagram, (forum.lowyat.?), etc.?

*

dude stop embarrassing yourself any further....

DNS can only prove that the IP address of a domain name was requested from an origin IP address. While Facebook and most websites/services are end-to-end encrypted via TLS, even if your ISP is monitoring and spying on you, they can't tell what you did on properly set up HTTPS-enabled websites. Malaysian ISPs/gov do not have the capability of decrypting this traffic, deep packet inspection or not; they can tell what kind of traffic it is (HTTPS or torrent or FTP) but not what content you are sending/receiving.

hence, blocking a very specific DNS makes zero sense - DoH or not.
lurkingaround
post Oct 17 2019, 08:39 PM

QUOTE(I<3LYN @ Oct 17 2019, 08:18 PM)
dude stop embarrassing yourself any further....

DNS can only prove that the IP address of a domain name was requested from an origin IP address. While Facebook and most websites/services are end-to-end encrypted via TLS, even if your ISP is monitoring and spying on you, they can't tell what you did on properly set up HTTPS-enabled websites. Malaysian ISPs/gov do not have the capability of decrypting this traffic, deep packet inspection or not; they can tell what kind of traffic it is (HTTPS or torrent or FTP) but not what content you are sending/receiving.

hence, blocking a very specific DNS makes zero sense - DoH or not.
*
QUOTE
Your Internet service provider tracks what IP addresses you contact, which effectively means they know the web sites you're visiting.

Quoted from the same link.

Can you please answer my questions?

If your ISP knows which website and webpage you have visited, it can type in the same IP address or URL to view the same decrypted webpage/site that you have visited. Simple, ain't it?
....... Afaik, HTTPS encryption of web traffic is mostly to prevent MITM hacking attacks.

Hence, the police and MCMC, through the ISPs, can know who are the ones who have visited certain extremist websites, bomb-making tutorial websites, child-porn websites and other websites of illegalities.

TSlonewalker
post Oct 17 2019, 08:45 PM

A quick post update summary for those who are reading this thread 26 posts deep:

(ignoring the obvious trolls)

The post is about 1.1.1.1 being unreachable on Maxis's ISP network. It has been inaccessible since last week and still is at the time of writing, 2019-10-17 8:15 UTC+8.

For those who do not know, 1.1.1.1 is Cloudflare's version of Google DNS, with 1.1.1.1 and 1.0.0.1 as the primary and secondary DNS server IPs; the Google DNS equivalents are 8.8.8.8 and 8.8.4.4.

I myself checked that 1.1.1.1 is accessible on DiGi. Several others have also confirmed that it is up on other local ISPs. The problem affects all services on the 1.1.1.1 IP address (HTTPS/DNS/DNS over TLS); strangely, its secondary IP 1.0.0.1 is up and all expected services seem to be working fine (HTTPS/DNS/DNS over TLS).

Several commenters thought that this thread is the regular post in the forum, the average ah beng complaining about how teruk his ISP service is, internet slow, etc. etc., and suggested the typical 'solution': a change of ISP.
To these people: I remind you that this is not the Kopitiam subforum of LYN. 'Unhelpful'/non-constructive comments/replies are not welcome.

As for the matter at hand, 1.1.1.1 alone not accessible with its backup 1.0.0.1 accessible: a deliberate block of the IP 1.1.1.1 only by Maxis seems a rather sloppy attempt at censorship (if it is proven so), as 1.1.1.1 is often configured alongside its backup IP of 1.0.0.1; I would lean towards incompetence (someone trying out a block forgot to remove it properly?) or (I think this is most likely) a misconfiguration, somehow a mistake in the network routing somewhere between Maxis and Cloudflare's network. As Cloudflare is accessible via other local ISPs (other than Maxis), the misconfiguration is likely closer to Maxis's end.

Note: Nothing to do with blocking due to the encrypted DNS offered by Cloudflare, as speculated by some commenter who did not know better (Google also has encrypted DNS).

TL;DR: Cloudflare 1.1.1.1 is still not accessible, only within the Maxis network; a genuine issue, not a kopitiam talk topic.


Haven't heard other Maxis subscribers on the forum chime in on the issue.

This post has been edited by lonewalker: Oct 17 2019, 08:52 PM
I<3LYN
post Oct 17 2019, 08:56 PM

QUOTE(lonewalker @ Oct 17 2019, 08:45 PM)
A quick post update summary for those who are reading this thread 26 posts deep:

(ignoring the obvious trolls)

The post is about 1.1.1.1 being unreachable on Maxis's ISP network. It has been inaccessible since last week and still is at the time of writing, 2019-10-17 8:15 UTC+8.

For those who do not know, 1.1.1.1 is Cloudflare's version of Google DNS, with 1.1.1.1 and 1.0.0.1 as the primary and secondary DNS server IPs; the Google DNS equivalents are 8.8.8.8 and 8.8.4.4.

I myself checked that 1.1.1.1 is accessible on DiGi. Several others have also confirmed that it is up on other local ISPs. The problem affects all services on the 1.1.1.1 IP address (HTTPS/DNS/DNS over TLS); strangely, its secondary IP 1.0.0.1 is up and all expected services seem to be working fine (HTTPS/DNS/DNS over TLS).

Several commenters thought that this thread is the regular post in the forum, the average ah beng complaining about how teruk his ISP service is, internet slow, etc. etc., and suggested the typical 'solution': a change of ISP.
To these people: I remind you that this is not the Kopitiam subforum of LYN. 'Unhelpful'/non-constructive comments/replies are not welcome.

As for the matter at hand, 1.1.1.1 alone not accessible with its backup 1.0.0.1 accessible: a deliberate block of the IP 1.1.1.1 only by Maxis seems a rather sloppy attempt at censorship (if it is proven so), as 1.1.1.1 is often configured alongside its backup IP of 1.0.0.1; I would lean towards incompetence (someone trying out a block forgot to remove it properly?) or (I think this is most likely) a misconfiguration, somehow a mistake in the network routing somewhere between Maxis and Cloudflare's network. As Cloudflare is accessible via other local ISPs (other than Maxis), the misconfiguration is likely closer to Maxis's end.

Note: Nothing to do with blocking due to the encrypted DNS offered by Cloudflare, as speculated by some commenter who did not know better (Google also has encrypted DNS).

TL;DR: Cloudflare 1.1.1.1 is still not accessible, only within the Maxis network; a genuine issue, not a kopitiam talk topic.


Haven't heard other Maxis subscribers on the forum chime in on the issue.
*
lodge a complaint with mcmc? there is nothing much you can do with maxis if maxis isn't acknowledging it as an issue.

This post has been edited by I<3LYN: Oct 17 2019, 08:57 PM
TSlonewalker
post Oct 17 2019, 09:02 PM

QUOTE(I<3LYN @ Oct 17 2019, 08:56 PM)
lodge a complaint with mcmc? there is nothing much you can do with maxis if maxis isn't acknowledging it as an issue.
*
Already lodged earlier today
GOPI56
post Oct 17 2019, 09:07 PM

Wishing you all the best, TS, in solving this problem.
I wave the white flag to admit my defeat in this discussion.
Nervous Levin
post Oct 17 2019, 09:47 PM

QUOTE(lurkingaround @ Oct 17 2019, 08:39 PM)
Quoted from the same link.

Can you please answer my questions?

If your ISP knows which website and webpage you have visited, it can type in the same IP address or URL to view the same decrypted webpage/site that you have visited. Simple, ain't it?
....... Afaik, HTTPS encryption of web traffic is mostly to prevent MITM hacking attacks.

Hence, the police and MCMC, through the ISPs, can know who are the ones who have visited certain extremist websites, bomb-making tutorial websites, child-porn websites and other websites of illegalities.

*
lurkingaround, your understanding is halfway.
you also have sessions to differentiate different visitors, so what you see will depend on what the webmaster wants your session to see, even if you typed the exact same URL with all the query strings intact.

--------

but before you get to load the web resource available at the URL, your computer needs to find the machine-readable location of that server hosting the URL. that's where DNS "phone directory" comes in.

all this while, the DNS protocol is practically plain-text over TCP/UDP port 53. that's how anyone, including your ISP, can just sniff your traffic and learn which server - NOT URL - you are trying to get in touch with. it's like learning that your friend asked a specific "phone directory" (Google, Cloudflare, etc), but as far as this has been going on, you finally get to learn who your friend wants to call.

---------

but you have not learned what your friend actually wants to talk about with the server. to know what is being talked about, you will need to sniff longer for your friend to successfully complete that call to the server.

to prevent you from eavesdropping DURING THE CALL, this is where the discarded SSL protocol and its replacement TLS protocol come in: to encrypt, AND OPTIONALLY, to authenticate the identity of either or both ends. you usually "see" SSL/TLS in action when you use HTTPS to browse /k.

---------

using SSL/TLS will begin any communication by encrypting it before anything else, thus anything communicated afterward will be garbage to listeners. you cannot even learn which URL is being asked for.

(this is where you are wrong. a properly-secured SSL/TLS traffic will not reveal what is being communicated about. your ISP is not capable of learning the exact URL you are visiting.)

--------

DNS-over-TLS is basically to replace existing plain-text DNS queries with TLS-encrypted queries. With DoT, you can still learn which "phone directory" your friend is asking, but now even eavesdropping will not reveal who it is that your friend wants to call.

------

additionally, DNS-over-TLS makes use of the authentication function of TLS protocol to make sure that you are really talking to certified "phone directory" (Google, Cloudflare, etc.), so no one can just slip in a pretending DoT server in the middle.

-------

since DoT is a replacement protocol running on the new port 853, it is not outright compatible with most devices and operating systems and whatever else is on the market. so to provide some sort of compatibility AND to avoid access to DoT being prevented by simply blocking port 853 (think China), DNS-over-HTTPS through the usual port 443 is implemented as well. same concept, but now interfaced indirectly through an HTTP-based API instead of directly answered by the DNS server.

-------

DoT/DoH prevents man-in-the-middle from reading or tampering your DNS queries and responses in-flight.

QUOTE
With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data. - ICANN


-------

so with DoT/DoH and SSL-/TLS-encrypted HTTP, SMTP, FTP, you are almost protected from start to finish. almost. since an attacker focused on you will still be able to sniff the address of the server after all.

to prevent that, NOW, you'll need VPN.
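Added example, not code from the thread: a standard-library Python probe that checks one resolver address over each of the three services discussed above (plain DNS on UDP/53, DNS over TLS on TCP/853 per RFC 7858, DNS over HTTPS on 443 per RFC 8484), so a "1.1.1.1 dead on every service, 1.0.0.1 fine" situation like the one in lonewalker's summary can be confirmed per service rather than guessed. It assumes cloudflare-dns.com as the TLS name to verify and /dns-query as the DoH path (both Cloudflare's documented values) and uses example.com as a constructed test name.

```python
# Added example (not from the thread): probe a resolver over plain DNS (UDP/53),
# DNS over TLS (TCP/853, RFC 7858) and DNS over HTTPS (443, RFC 8484), stdlib only.
# Assumed: cloudflare-dns.com as TLS name, /dns-query as DoH path (Cloudflare's documented values).
import http.client
import socket
import ssl
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query (RD=1) for `name` in wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_a_records(msg):
    """IPv4 addresses in the answer section; [] when RCODE signals an error."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:              # RCODE != 0, e.g. NXDOMAIN / SERVFAIL
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def query_udp(server, name, timeout=3.0):
    """Plain DNS: the queried name is visible to anyone on the path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(4096))

def query_dot(server, name, tls_name="cloudflare-dns.com", timeout=3.0):
    """DNS over TLS: 2-byte length prefix + wire message, inside a verified TLS session."""
    q = build_query(name)
    ctx = ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
        tls.sendall(struct.pack("!H", len(q)) + q)
        size = struct.unpack("!H", _recv_exact(tls, 2))[0]
        return parse_a_records(_recv_exact(tls, size))

def query_doh(server, name, timeout=3.0):
    """DNS over HTTPS: same wire message POSTed as application/dns-message on 443."""
    conn = http.client.HTTPSConnection(server, 443, timeout=timeout)
    conn.request("POST", "/dns-query", body=build_query(name),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    data, status = resp.read(), resp.status
    conn.close()
    return parse_a_records(data) if status == 200 else []
```

Calling query_udp, query_dot and query_doh with "example.com" against 1.1.1.1 and then 1.0.0.1 shows which of the three services answers on each address; a timeout or connection error (both OSError) on 1.1.1.1 alone reproduces the symptom reported in the thread.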
Nervous Levin
post Oct 17 2019, 10:02 PM

TS lonewalker, come to think of it,

maybe - MAYBE - not so much of a deliberate attempt to block or cripple, but rather, the anycast server(s) behind 1.1.1.1 that is published by CloudFlare through Maxis AS are not reachable or not functioning.

while the anycast server(s) behind 1.0.0.1 are functioning as they should.

anyway, this is a case in point WHY a secondary DNS server is required.


TLDR; linux, by default, can only handle max 3 DNS resolvers in /etc/resolv.conf. check the "recurse" setting.

while in my experience with Windows last week, it will try the supplied DNS resolvers top-to-bottom, BUT, once any in the list is contactable, it will not retry the next even if the contactable one is not functioning or returning an unfavourable result.
tympg
post Oct 17 2019, 10:06 PM

Does this Cloudflare app work on Maxis?

https://play.google.com/store/apps/details?...onedotonedotone

(Sorry, my link is Android only)
Nervous Levin
post Oct 17 2019, 10:09 PM

QUOTE(tympg @ Oct 17 2019, 10:06 PM)
Does this Cloudflare app work on Maxis?

https://play.google.com/store/apps/details?...onedotonedotone

(Sorry, my link is Android only)
*
can also try using Google's Intra - it supports many other DoH providers at the flip of a switch, not just CF's proprietary one.
TSlonewalker
post Oct 17 2019, 10:13 PM

QUOTE(tympg @ Oct 17 2019, 10:06 PM)
Does this Cloudflare app work on Maxis?

https://play.google.com/store/apps/details?...onedotonedotone

(Sorry, my link is Android only)
*
The app has an iOS equivalent; it will work because it'll fall back to the 1.0.0.1 secondary when 1.1.1.1 fails.

QUOTE(Nervous Levin @ Oct 17 2019, 10:02 PM)
TS lonewalker, come to think of it,

maybe - MAYBE - not so much of a deliberate attempt to block or cripple, but rather, the anycast server(s) behind 1.1.1.1 that is published by CloudFlare through Maxis AS are not reachable or not functioning.

while the anycast server(s) behind 1.0.0.1 are functioning as they should.

*
my thoughts too; I know... the title "Maxis Blocks Cloudflare DNS?" was deliberately chosen to be borderline link-baity. How else could I get people to read the post? :wink: :wink:

This post has been edited by lonewalker: Oct 17 2019, 10:34 PM
Nervous Levin
post Oct 17 2019, 10:14 PM

i switched off android's DoT support.

switched to usendata off hotlink sim.

i enabled Google's Intra, pointing to Cloudflare DoH.

all my queries (fired up chrome and opera) get answered by 1.0.0.1 in AU.

This post has been edited by Nervous Levin: Oct 17 2019, 10:16 PM
yongtjunkit
post Oct 17 2019, 10:24 PM

Can't seem to access 1.1.1.1 on Maxis fibre too (Astro IPTV)

This post has been edited by yongtjunkit: Oct 17 2019, 10:24 PM
