
Unifi Official TM UniFi High Speed Broadband Thread V41, READ 1ST PAGE FOR RELEVANT WIFI INFO
Nov 28 2023, 03:24 PM
#9021
Senior Member
4,034 posts Joined: Dec 2019 |
karenzayn liked this post
|
|
|
|
|
|
Nov 28 2023, 03:27 PM
#9022
Junior Member
124 posts Joined: Jul 2008 |
QUOTE(OlgaC4 @ Nov 28 2023, 01:19 PM) So TM did really counter offer you RM 110 for 500 Mbps with 6 months free and MESH routers? If so, I am going to lodge a complaint because it is discriminatory - they should be offering the same to everyone.
|
|
Nov 28 2023, 03:29 PM
#9023
Senior Member
1,873 posts Joined: Nov 2010 |
|
|
|
Nov 28 2023, 03:38 PM
#9024
Senior Member
1,873 posts Joined: Nov 2010 |
QUOTE(Oltromen Ripot @ Nov 28 2023, 03:24 PM)

Finish liao, just bug.
Here is your last popcorn for router bug. Riger1 Riger2 Riger3

---

QUOTE(ycs @ Nov 28 2023, 03:23 PM)

SHORTEST: Enable Secure DNS at all cost, it is safe and fast.

A bit long: Enable Secure DNS and change your TM DNS on your router, as many IoT device not supporting Security DNS.

Longer:
1. NETIS router's DNS relay drop DNS result that's "status: SERVFAIL", when it shouldn't
2. TM DNS respond every DNS request as status: NOERROR, when it shouldn't
3. PBE forget to list AAAA as EMPTY/NULL on their DNSSEC, when it is allowed, it is still not recommended. As it may open attack for IPv6 customer, unsure on this part got more vulnerability to combo as an attack or not, lol

Combine 3 together, it works based on bug, but not based on safety.

---

So, just do whatever you need to be done la.
1. Secure DNS at all cost
2. Don't use DNS relay on your old router, setup your DHCP and DHCPv6 or SLAAC DNS, bypass it and connect directly to internet's GOOGLE or 1.1.1.1 DNS SERVER by client. Unless it is latest router with DNS relay that supported DoT, then use it!

Done.

This post has been edited by BenYeeHua: Nov 28 2023, 03:47 PM
|
|
Nov 28 2023, 03:53 PM
#9025
Senior Member
1,207 posts Joined: Aug 2018 |
When I said you are a fast learner. I mean it.
Not being sarcastic, not trolling you. Purely logical judgement. You pick stuff up real quick. This is a rare find. |
|
|
Nov 28 2023, 04:07 PM
#9026
Junior Member
224 posts Joined: Apr 2019 |
QUOTE(BenYeeHua @ Nov 28 2023, 03:38 PM)
> Finish liao, just bug.
> Here is your last popcorn for router bug. Riger1 Riger2 Riger3
>
> ---
>
> SHORTEST: Enable Secure DNS at all cost, it is safe and fast.
>
> A bit long: Enable Secure DNS and change your TM DNS on your router, as many IoT device not supporting Security DNS.
>
> Longer:
> 1. NETIS router's DNS relay drop DNS result that's "status: SERVFAIL", when it shouldn't
> 2. TM DNS respond every DNS request as status: NOERROR, when it shouldn't
> 3. PBE forget to list AAAA as EMPTY/NULL on their DNSSEC, when it is allowed, it is still not recommended. As it may open attack for IPv6 customer, unsure on this part got more vulnerability to combo as an attack or not, lol
>
> Combine 3 together, it works based on bug, but not based on safety.
>
> ---
>
> So, just do whatever you need to be done la.
> 1. Secure DNS at all cost
> 2. Don't use DNS relay on your old router, setup your DHCP and DHCPv6 or SLAAC DNS, bypass it and connect directly to internet's GOOGLE or 1.1.1.1 DNS SERVER by client. Unless it is latest router with DNS relay that supported DoT, then use it!
>
> Done.

how about if the netis router disable ipv6 and use ipv4 only? looks like just a matter of the ipv6 code just not robust enough
|
|
|
|
|
Nov 28 2023, 04:16 PM
#9027
Senior Member
1,873 posts Joined: Nov 2010 |
QUOTE(kwss @ Nov 28 2023, 03:53 PM)
> When I said you are a fast learner. I mean it.
> Not being sarcastic, not trolling you. Purely logical judgement. You pick stuff up real quick. This is a rare find.

Also not good to Internet, is it? lol

Sadly this is my biggest weakness, and killed/hurt me a lot, lol. (As you can see it means I need to keep thinking and editing until the end, no escape allowed, lol.)

I will prefer to be a normal person, happy, nothing worry... Too over, no one like you...

Anyways, in the end, I am happy, like I said, I success on found out the truth, and so did you. New security issues found, proofed, and can be avoid easy by enable DNS over TLS/HTTPS.

----

QUOTE(PRSXFENG @ Nov 28 2023, 11:35 AM)
> All I will comment regarding the differences between Cloudflare and Google DNS is ECS
> https://en.wikipedia.org/wiki/EDNS_Client_Subnet
> Cloudflare does not support it, while Google DNS does

I forgot about this.

This one is not just the important part, what's is important is
https://www.cloudflare.com/learning/ssl/wha...-encrypted-sni/
https://blog.cloudflare.com/encrypted-client-hello/
https://blog.cloudflare.com/announcing-encr...d-client-hello/
https://developers.cloudflare.com/ssl/edge-certificates/ech/
ESNI, also changed as ECH.

This, prevent anyone knowing which website are you connect to, they only see you connected to CloudFlare network, that's all.

Many was using this to bypass something, and sadly ESNI get disabled when ECH is not really ready for public yet....

QUOTE
> Currently websites which're blocked by ISPs and can only be opened via DOH+ESNI no longer work. Shouldn't have removed ESNI. This is an issue.

https://bugzilla.mozilla.org/show_bug.cgi?id=1667801#c5

QUOTE
> sni=plaintext

https://cloudflare.com/cdn-cgi/trace

QUOTE
> sni=encrypted

https://crypto.cloudflare.com/cdn-cgi/trace

See? By using bug(yes, bug FTW!!!), I success on using firefox to connect blocked website without v2ray.

Because with SNI, firewall can just block based on SNI.
But if you encrypt or drop it, then no issues la.

There is tools working around it as well.
https://github.com/BeyondDimension/SteamTools
https://www.dogfight360.com/blog/686/

By removing SNI request, the website no longer get blocked easy, they still can blocked based on server's IP address la, but it will hurt too many website hosted on it, so it was avoided.

This post has been edited by BenYeeHua: Nov 28 2023, 04:17 PM
|
|
Nov 28 2023, 04:38 PM
#9028
Senior Member
1,873 posts Joined: Nov 2010 |
QUOTE(nonamer @ Nov 28 2023, 04:07 PM)
> how about if the netis router disable ipv6 and use ipv4 only? looks like just a matter of the ipv6 code just not robust enough

It is not IPv6 code, it is DNS relay code.

For example, you might have TuneTalk, instead of sending the SMS delivery report to you, TuneTalk choose to drop it. But if you testing sms on TuneTalk shortcode, you will receiving it.

It is like I disabled "Call Forward Unanswered/No Answer" on my TuneTalk to prevent extra charge on other telcos that calling me(yes, TuneTalk's voicebox also bite money, lol), old TuneTalk honor it, but now it is enforced redirect to voicebox or "The person you call is not available, pls try again"...

-----

So, your browser expect to receive A Record and AAAA record, but A received, only AAAA error message not received. Because your router's DNS relay seeing AAAA as a Error message, dropped it instead of telling your browser, while it should not do that.

If there is any application works based on DNS's error message, including A record for IPv4, they will facing the same issues.

For example, I gonna dig this issues, I ran "dig a dnssec-failed.org".

CODE
dig a dnssec-failed.org

; <<>> DiG 9.16.37 <<>> a dnssec-failed.org
;; global options: +cmd
;; connection timed out; no servers could be reached

The application tell you, it is your DNS server or connection failed, timeout, which is wrong, right?

It should be

CODE
dig a dnssec-failed.org @1.1.1.1

; <<>> DiG 9.16.37 <<>> a dnssec-failed.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44301
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)
;; QUESTION SECTION:
;dnssec-failed.org.      IN      A

;; Query time: 10 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Nov 28 16:31:27 Malay Peninsula Standard Time 2023
;; MSG SIZE  rcvd: 103

And hei, now, this application know it is DNS error on server side, with the EDE: 9 (DNSKEY Missing)!!!

So it happen to A and AAAA record.

----

Disable IPv6 will solve it? Nope, it will workaround it, it is like closing your eyes, pretending there is no error.

And how about when it happen to A record? Still ignore it?

Anyways, Will it works? Yes it works. Is it safe? Nope, no one need something that modify your result as MITM!!!! Lucky it just drop it, not modify it....

This post has been edited by BenYeeHua: Nov 28 2023, 04:39 PM
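The difference between the two dig runs in the post above (timeout through the router's DNS relay, SERVFAIL with EDE 9 straight from 1.1.1.1), as an added example that is not part of the original post. It parses the raw replies for one query and reports whether the relay swallowed an error reply; the function names are hypothetical, the sample reply is constructed to mirror the dig output, and capturing the two replies (or `None` on timeout) is assumed to happen elsewhere.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
OPT, EDE = 41, 15   # OPT RR type; Extended DNS Error option code (RFC 8914)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_reply(msg):
    """Return (status, [EDE info-codes]) from a raw DNS reply."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, ede = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        p, end = off + 10, off + 10 + rdlen
        while rtype == OPT and p + 4 <= end:   # walk the EDNS options
            code, olen = struct.unpack("!HH", msg[p:p + 4])
            if code == EDE and olen >= 2:
                ede.append(struct.unpack("!H", msg[p + 4:p + 6])[0])
            p += 4 + olen
        off = end
    return RCODES.get(flags & 0xF, str(flags & 0xF)), ede

def diagnose(relay_reply, direct_reply):
    """Each argument is the raw reply, or None if that query timed out."""
    if direct_reply is None:
        return ("inconclusive", None, [])
    status, ede = parse_reply(direct_reply)
    if relay_reply is None:              # upstream answered, relay did not
        return ("relay-dropped-reply", status, ede)
    relayed = parse_reply(relay_reply)[0]
    return ("relay-ok" if relayed == status else "status-mismatch", status, ede)

def sample_servfail():
    """Constructed reply mirroring the dig output in the post above."""
    question = b"\x0ddnssec-failed\x03org\x00" + struct.pack("!HH", 1, 1)
    option = struct.pack("!HHH", EDE, 2, 9)          # EDE 9: DNSKEY Missing
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(option)) + option
    header = struct.pack("!6H", 44301, 0x8182, 1, 0, 0, 1)  # qr rd ra, rcode 2
    return header + question + opt_rr

if __name__ == "__main__":
    print(diagnose(None, sample_servfail()))
```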
|
|
Nov 28 2023, 04:46 PM
#9029
Junior Member
224 posts Joined: Apr 2019 |
QUOTE(BenYeeHua @ Nov 28 2023, 04:38 PM)
> It is not IPv6 code, it is DNS relay code.
>
> For example, you might have TuneTalk, instead of sending the SMS delivery report to you, TuneTalk choose to drop it. But if you testing sms on TuneTalk shortcode, you will receiving it.
>
> It is like I disabled "Call Forward Unanswered/No Answer" on my TuneTalk to prevent extra charge on other telcos that calling me(yes, TuneTalk's voicebox also bite money, lol), old TuneTalk honor it, but now it is enforced redirect to voicebox or "The person you call is not available, pls try again"...
>
> -----
>
> So, your browser expect to receive A Record and AAAA record, but A received, only AAAA error message not received. Because your router's DNS relay seeing AAAA as a Error message, dropped it instead of telling your browser, while it should not do that.
>
> If there is any application works based on DNS's error message, including A record for IPv4, they will facing the same issues.
>
> For example, I gonna dig this issues, I ran "dig a dnssec-failed.org".
>
> CODE
> dig a dnssec-failed.org
>
> ; <<>> DiG 9.16.37 <<>> a dnssec-failed.org
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> The application tell you, it is your DNS server or connection failed, timeout, which is wrong, right?
>
> It should be
>
> CODE
> dig a dnssec-failed.org @1.1.1.1
>
> ; <<>> DiG 9.16.37 <<>> a dnssec-failed.org @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44301
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)
> ;; QUESTION SECTION:
> ;dnssec-failed.org.      IN      A
>
> ;; Query time: 10 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Tue Nov 28 16:31:27 Malay Peninsula Standard Time 2023
> ;; MSG SIZE  rcvd: 103
>
> And hei, now, this application know it is DNS error on server side, with the EDE: 9 (DNSKEY Missing)!!!
>
> So it happen to A and AAAA record.
>
> ----
>
> Disable IPv6 will solve it? Nope, it will workaround it, it is like closing your eyes, pretending there is no error.
>
> And how about when it happen to A record? Still ignore it?
>
> Anyways, Will it works? Yes it works. Is it safe? Nope, no one need something that modify your result as MITM!!!! Lucky it just drop it, not modify it....

other routers like u said wont have the same issue...
is it during troubleshooting u used dig @at until never realize ur own operating system not returning dns?
|
|
Nov 28 2023, 04:52 PM
#9030
Junior Member
98 posts Joined: Sep 2019 From: Kuching |
|
|
|
Nov 28 2023, 04:54 PM
#9031
Senior Member
1,873 posts Joined: Nov 2010 |
QUOTE(nonamer @ Nov 28 2023, 04:46 PM)
> other routers like u said wont have the same issue...
> is it during troubleshooting u used dig @at until never realize ur own operating system not returning dns?

Partially, it is router's DNS relay not returning DNS result, not the Windows nor Android, the OS works as it should be.

I found it out during 4 years ago, I open PBE for my parents, but found out the slowness, and chrome showing it is caused by DNS. As I never open PBE with AC1200v2 as I am not their customers, I didn't know that was router issues. But today, answer out, and known now.

---

Yup, only this NETIS, so better change router, even the new free FiberHome router supported DoT.

QUOTE(karenzayn @ Nov 28 2023, 04:52 PM)

Today no raining, later melt down oh~

This post has been edited by BenYeeHua: Nov 28 2023, 04:55 PM
|
|
Nov 28 2023, 06:44 PM
Junior Member
501 posts Joined: Dec 2007 |
|
|
|
Nov 28 2023, 06:48 PM
#9033
Junior Member
610 posts Joined: Apr 2005 From: http://127.0.0.1:80/announce |
its an advantage when people arguing, knowledge also feed to us thanks to both of you guys
hjack liked this post
|
|
|
|
|
|
Nov 28 2023, 07:36 PM
#9034
Senior Member
2,068 posts Joined: Sep 2021 From: nowhere |
Tp link deco user: wat mat 7 u argue lol
Netis name so bad Liao, now kena rebadged jadi dlink for WiFi 6 default routers lol |
|
|
Nov 28 2023, 07:46 PM
#9035
Senior Member
1,873 posts Joined: Nov 2010 |
QUOTE(MyProLife @ Nov 28 2023, 07:36 PM)
> Tp link deco user: wat mat 7 u argue lol
> Netis name so bad Liao, now kena rebadged jadi dlink for WiFi 6 default routers lol

I will be interesting on FiberHome, the worst position is AC1200v2 which random reboot + 2 mins boot time(and corrupting packet, based on the only one special edition on my sister's house), who will be second?

Ignore the Riger1 Riger2 Riger3 la, that one should not exist in this world, it should be burned!!!

So far the FiberHome modem(Yes, modem) still running at my home town 24/7 hours non-stop last for >4 years, so gonna see how's the router.

QUOTE(ahlong @ Nov 28 2023, 06:48 PM)

But caused me tired and burned out again, lol.
At least we know now, don't trust TM's DNS and infamous router's DNS Relay too much.

This post has been edited by BenYeeHua: Nov 28 2023, 07:47 PM
|
|
Nov 28 2023, 07:56 PM
Senior Member
1,716 posts Joined: May 2006 From: JDT |
Business line upgraded from 30 Mbps to 100 Mbps, nice.
|
|
|
Nov 28 2023, 08:05 PM
#9037
All Stars
12,039 posts Joined: Oct 2017 |
Just bypass gaduh2 above
So now SWU is 4.0? Not 3.0? For famous 300mbps |
|
|
Nov 28 2023, 08:13 PM
#9038
Senior Member
2,068 posts Joined: Sep 2021 From: nowhere |
QUOTE(BenYeeHua @ Nov 28 2023, 07:46 PM)
> I will be interesting on FiberHome, the worst position is AC1200v2 which random reboot + 2 mins boot time(and corrupting packet, based on the only one special edition on my sister's house), who will be second?
>
> Ignore the Riger1 Riger2 Riger3 la, that one should not exist in this world, it should be burned!!!
>
> So far the FiberHome modem(Yes, modem) still running at my home town 24/7 hours non-stop last for >4 years, so gonna see how's the router.
>
> :thumbsup:
>
> But caused me tired and burned out again, lol.
> At least we know now, don't trust TM's DNS and infamous router's DNS Relay too much.

DNS relay was seen on dlink (850, 842) as well, but of course can off. Still for dlink custom model the TM DNS is kinda Hardcoded for some reasons

C1200 is chosen fail chipset cause its demise

Above are among the worst of unifi default routers, if not mentioning az tech or some random TM brand routers which I bet is even worse than above

BenYeeHua liked this post
|
|
|
Nov 28 2023, 08:16 PM
Junior Member
276 posts Joined: May 2012 |
|
|
|
Nov 28 2023, 10:20 PM
Junior Member
555 posts Joined: Jun 2008 |
|
|