Previously malaysian telcos already hijack dns query when we're using their default dns server, its no secret. When trying to access gov sanctioned sites like p0rn or sarawak today etc, instead of replying with correct dns record they'll route our query to mcmc block page. But now they've taken a step further by hijacking our query even when we're using either google dns or cloudflare dns.

Source 1
Source 2

I guess this is possible if we're only using the cleartext dns of both google dns and cloudflare dns ie

google dns:


cloudflare dns:


Haven't tested myself but I'm 100% sure the and are hijacked since both are the popular dns ip for google dns and cloudflare dns. Others on the list might be hijacked too depending on telco network admins.

But basically people, its high time we should stop using cleartext dns. Its unsecured and hijackable. Start using encrypted dns everywhere.

Theres plenty of them listed here. You'd want to use either the dns-over-https aka doh or dns-over-tls aka dot.

Modern system already support using those encrypted dns protocol ie android natively via setting. Should be listed as in phone setting. You should add a dns-over-tls server here, omit the from uri if you copy paste from the list above.

Ios and mac is native too via dns profile. If prefer app can use dnsecure.

Linux can natively too if install any local forwarding dns server like bind9 or dnsmasq. If prefer gui, theres technitium dns server and adguardhome.

Windows can use yoga dns server.

Ty for attending my ted talk lmao.

This post has been edited by axxer: Aug 8 2024, 11:53 AM

TIME Home Fibre (No Hijack on my side) :





Digi 4/5G (Hijacking IPV4:53 , IPV6:53 normal) :



Maxis 4/5G (Hijacking Google DNS IPV4 / IPV6 :53, other DNS server normal) :

Thanks a bunch. Now using FreeDNS via DoH.

MCMC Statment

https://x.com/Soya_Cincau/status/1821520438973116758

So, they say it's for "safety"

But the thing is

Ok, sure, feel free to block on TM/Maxis/TIME DNS

But if the user has made a conscious effort to CHANGE their DNS to CF/Google/etc
DON'T HIJACK IT BACK

For windows must install software? Can it be done in settings or something?

If windows 11, yes, can enter DNS Over HTTPS address into the DNS settings

If older, then installing YogaDNS is a good choice

Papa said don't try to climb walls. It's bad for you, your family and your kids. Pretty good advice overall.
Big brother don't want you to land in hospital je....

If you don't listen to Papa then you're a bad boy, Papa will ask police to arrest you.

change DNS in router so that any device connected will be adblock ready.

Lets go, but I think most Tplink router users wont have such luck?

I already configure two Windows 11-based laptop and a android phone of mine use DoH by default. Of course I am using Google DNS.

This post has been edited by Jjuggler: Aug 9 2024, 03:06 PM

I using tm provide router....
Got way to unblock?
The white router.....az-tech I think...

Host adguard on a pc or raspberry pi. Set upstream server to use DoT or DoH. Make the router use the adguard as main DNS.

Suprisingly, TP-Link does have DoH/DoT

But only on an extremely limited selection of models
1 AX model and a few AC models

https://community.tp-link.com/en/home/forum/topic/617138

At this rate, everyone will be using v2ray in a couple of years.

This will not slow down the internet, right?

Based on my testing using Control D, encrypted and unencrypted DNS has the same resolution time.
However, the first lookup will be much slower at 112ms vs 20ms unencrypted due to the need to establish the secure connection.

I do recommend prioritizing security over pure speed as DNS poisoning is one of the many ways to install malware on your device.

The performance penalty only happen once during connection establishment, it is not critical.

It wouldn't. Technically encrypted dns is slower than cleartext dns due to the encryption but its negligible on modern hardware you wouldn't even notice. Hell if you use adblocking dns server its faster since you wouldn't load all the ads and craps. I've been blocking ads via dns since 10+ years and vanilla internet without adblock is unuseable to me now.

Let me know if I've configured it correctly. I disabled my ipv6. Thus, I didn't include the ipv6 address. Thanks.

Based on my nmap scan, the domain should be:
dns.adguard.com
EDIT:
If you connect without SNI it will serve you certificate with dns.adguard.com.
With SNI it will serve certificate with dns.adguard-dns.com.
So both works.

Prevent client auto DoH must be set to off. Otherwise Encrypted Client Hello won't work. You want ECH to work on a highly censored network because it prevent the censor from snooping on your SNI.

Unknown:
Did anyone actually MITM or pen test this thing? Given the recent development of TM where they MITM DoH and DoT, the router must absolutely verify the certificate properly.
On Mikrotik, none of this is done!

This post has been edited by kwss: Aug 9 2024, 09:41 PM

I've set Prevent Client auto DoH to NO. Thanks.

Did you miss anything and caused the dns leak? maybe check the firewall rules.
https://youtu.be/w4erB0VzyIE

Nope, it is how Mikrotik works.
You can read about the solution here:
https://forum.mikrotik.com/viewtopic.php?f=...=160243#p787643

I continue to have problem where I cannot import Amazon Root CA for my DoH. I have since turned off Mikrotik DNS resolver and stick to tried and true systemd-resolved for my laptop and stubby for my home server.

I use DoH exclusively for browser due to it being a requirement for ECH to work.

My point being, I don't know if any of those router aka IoT device do security properly. To the user they are doing DoT / DoH but behind the scene they might fall apart from actual attack.

UPDATE:
I give it another go but this time I download the certificates from
https://www.amazontrust.com/repository/

It works!
Not sure why the download from browser view certificate didn't works.

This post has been edited by kwss: Aug 10 2024, 12:47 AM

I play a bit with Celcom's implementation. Basically they catch all UDP port 53 on IPv4 and IPv6

Test with fc00:: which is a non-routable local address


Test with 10.10.10.10 which is also non-routable:


Using non-routable IPv6 address but with TCP:



Using non-routable IPv4 address but with TCP:


This means that using TCP should work, even if it is plain text. Yes it does!


However, I found that they block by IP address too for pornhub.com and xvideos.com. murrayhunter.substack.com didn't have their IP blocked so it is not quite consistent.
Reason is murrayhunter.substack.com uses Cloudflare CDN. They cannot block the CDN without blocking everyone else.

This post has been edited by kwss: Aug 10 2024, 02:44 AM

so few people discuss about this...am i being paranoid over this matter or they just don't care?

Btw, i already onboard with DoT/DoH, now all my devices are protected

Most Malaysians don’t care about privacy or security. With the Google Pixel 9 being announced for Malaysia, I visited all the Pixel related threads in the Mobile Phone and Kopitiam sections on this forum and entered “GrapheneOS” in the search box. Not a single hit.

celcom axiata mobile long time already block xxx website
canot bypass with dns
Dont visit xxx so not a problem

duh...

Guess, we are the "paranoid" one.

Cloudflare WARP work?

It should. Cloudflare warp is doh. Cloudflare warp+ is vpn+doh.

thx. how about Cloudflare WARP Windows Software 1.1.1.1 DNS Protocol HTTPS and TLS, 1.1.1.1 with WARP DNS Protocol HTTPS and TLS and WARP, all of these work? unifi fibre keep getting website facebook reddit etc loading or half loading issues since around weeks ago. and strange that Google Chrome incognito Mode doesnt have website loading or half loading issues.

UPDATE: Such issues doesnt happen again since 14 August 2024

This post has been edited by Alpha_Tay: Aug 14 2024, 10:50 PM

do we need to install extra program for windows or android in order to use encrypted dns? or just simply change 1.1.1.1 to those with encrypted dns will be enough, or how do we check the dns we are using is encrypted?


sorry I am rookie.... TQ

This post has been edited by alpha: Aug 13 2024, 08:37 AM

There are several ways to do it.

1. Firefox & Chrome web browsers
https://imap.sinarproject.org/news/internet...lic-dns-servers

2. Windows 11
https://www.howtogeek.com/765940/how-to-ena...-on-windows-11/

3. Android
https://blog.cloudflare.com/enable-private-...-android-9-pie/

To test if you're using Cloudflare secure dns (DoH or DoT):
https://one.one.one.one/help/
https://www.cloudflare.com/ssl/encrypted-sni/

Calling help for collecting data to test for Transparent DNS Proxies.
https://imap.sinarproject.org/news/guide-on...ent-dns-proxies

If you're not using Linux, you can create a Linux bootable USB drive and run the commands. You can use USB tethering or wifi hotspot from mobile phone to connect to internet and test your mobile network.

Interesting that Celcom(Digi) is now hijacking all DNS53. What about things like Quad9dns? If Quad9dns blocks a malicious domain, and Celcom(Digi) is now hijacking all DNS53 packets to them, will Celcom(Digi) resolve the domain blocked by Quad9dns?

What should i worry about, as a normal user, if i don't use DoT/DoH?

For normal users, you will more likely be concerned with censorship from the government. e.g. if one day government decides to block a certain news portal, all ISPs will be instructed to hijack DNS requests for that site making user unable to access it.

For those using Quad9, Quad9 has provided a few ways to check what protocol you're using and check for hijacks

https://docs.quad9.net/FAQs/

From my testing with Celcom (AS10030), all DNS is hijacked, including microsoft.com, lowyat.net, etc. They all resolved via some non-routable IP address.

Maybe like one day when Ergodan is unhappy Meta removed his post, he went and block Instagram nationwide.

So something like:


Which is blocked by Quad9:



But resolveable:


With AS10030 hijacking all DNS53 packets, does it resolve googie-anaiytics.com, if the DNS query is pointed to 9.9.9.9

I use quad9 DoH and DoT on adguard.
Just now it stopped working, sites fail to resolve. I see a bunch of timeout in the logs using 443. After removing DoH, it started working again. Adding back DoH did not break it.
Checking on ipleak, Global Transit (TIME) shows up for ipv4 while Woodynet(Quad9) shows up for ipv6.
Something is not right

Are you a time user? I'm having issues now, all sites are slow as heck
On Adguard DoT

Yes. Most of the devices can’t resolve, only a few can.



This post has been edited by ChenKaiWen: Aug 13 2024, 08:00 PM

AdGuard had been hijacked as well? Suddenly stopped working for me an hour ago, for both Maxis & Unifi

TIME and Maxis user here, facing similar issues
I think it started since 2~3PM today, I felt the network getting slower all of a sudden

Network abruptly stopped in my case, around 7 pm here in the midst of browsing. Very slow, then showing failed DNS probe on Chrome.

Same here. Around 7, suddenly stopped working. Bunch of connection timeout for 443 in adguard. I have parallel request, no idea why it didn’t fall back on TLS instead.

Hey uhh, that was me who was responsible for that

Global Transit is one of the host for Quad9's Presence in Malaysia
They are related to time, but they are neutral, they're just the host
you can confirm this by connecting to Quad9 on other ISPs like Maxis and see that your DNS goes to them as well

I noticed that TM and TIME don't send to Quad9 KUL, and route to SIN which has a slightly higher latency

Now, TM refuses to peer with them
But TIME is supposed to when I asked Quad9
Quad9 said they'll check with TIME
so, seems like TIME fixed that, and you get lower latency




But uhh, no issues detected on my side, but I use DNSCrypt protocol

you can confirm it's not a hijack with
https://docs.quad9.net/FAQs/#detecting-dns-...rection-hijacks

This post has been edited by PRSXFENG: Aug 13 2024, 08:28 PM

Thanks for informing. Did a trace route on ipv6, seems to go to Singapore still, ipv4 goes to myix

Just use VPN, no issues lieu 😇

Maybe the server only has ipv4 connectivity

I check with https://www.dnscheck.tools/ and notice

IPv4 MY - Global Transit
IPv4 SG - WoodyNet
IPv6 MY - WoodyNet
IPv4 SG - WoodyNet

Quad9 does have a total of 3 MY locations and 2 SG locations
(Don't trust the map 100%, at one point in time they listed Johor's country as Singapore , and they say they don't update it that often )
My guess is MyIX KUL would be TIME's Global Transit
and the DE-CIX KL is the PCH/WoodyNet one?

DE-CIX does peer with PCH/WoodyNet

seems that it is going to KUL. But traceroute 2620:fe::9 and 2620:fe::fe is going to Singapore. Seems to be all good now.

I tested with AS10030 Celcom but it doesn't implement transparent proxy DNS and doesn't block anything.
You can view the reports here:
1.1.1.1:
https://explorer.ooni.org/m/20240813131113....4706209241c200c
8.8.8.8:
https://explorer.ooni.org/m/20240813131135....aa74995ad507bf9
9.9.9.9:
https://explorer.ooni.org/m/20240813131158....27ecfbf61a2bcb0

I tested with XOX which is MVNO riding on Celcom.

Feels like they're still testing out this system and has it on and off

For me, I noticed my U Mobile isn't hijacking anymore at this time

It is hijacked.


Using the TXT query test method:


Using traceroute, you can see !X (communication administratively prohibited)


Let's see where they start redirecting UDP 53. Looks like the very first hop:

TCP port 53 and TCP port 443 have vastly different hop count. This needs further investigation.

I have done a packet capture. Looks like it is man-on-the-side attack?

This post has been edited by kwss: Aug 14 2024, 01:17 AM


Attached File(s)
 quad_https_celcom_as10030.pcapng.gz ( 8.12k ) Number of downloads: 6

Unable to resolve that domain but traceroute shows !X

Might just be some firewall config on Quad9's side?

Based on this forum post
https://www.linuxquestions.org/questions/li...ine-4175635996/

Yesterday Adguard having some routing issue

https://status.adguard.com/incidents/2zb98nsz83vv

You should understand why when a DNS server who is now catching up as the popular choice for blocking ad trackers now suddenly experience higher downtimes.

Same goes to DuckDuckGo search engine, after people started making the switch from Uncle G, it started to go out of service very often.

I'm not blaming others, but their competitors don't really like them stealing away their revenues/monopoly.

used to using cisco-opendns and try abit of quad9.

now i custom my own DoH/DoT by hosting adguard on my VPS but still using quad9 as the upstream DNS

This post has been edited by eds2: Aug 14 2024, 11:53 PM

Firstly, thanks to kwss and ChenKaiWen for their inputs

This is what I was afraid off. People who are using alternative DNS providers like Quad9 for protection, their DNS53 queries are being hijacked. Stuff that Quad9 are DNS blackholing will be resolved by the MCMC DNS server hijacking DNS53 packets.

Sure can say that people should move to DoT/DoH, but for who use Quad9 DNS as a first layer of protection on their family members home router, this is terrible.


Interesting that TIME (AS9930) is not hijacking all DNS53 packets at least?

Given that it is a AUTHORITY: 0 reply, suggests that it is blocked by Quad9, instead of non-existent domain, with the NXDOMAIN response: https://docs.quad9.net/FAQs/

Thus it looks like DNS53 packets to Quad9 DNS are still being untampered with (for now?)

https://forum.lowyat.net/index.php?showtopi...ost&p=110240779

It has always bugged me that AS4788 would rather send AS42 bound packets to Singapore/international transit rather than use it on MyIX. At least now I have a explanation, but man it goes back to the "good old days" when packets between ISP's/ASN's would go around the world because AS4788 refused to peer with, well, anyone.

For your reference, the answer was shared by them here
https://www.reddit.com/r/Quad9/comments/13e...comment/jjpx60w

Yes, I linked to the Reddit thread response in the other thread

From what I observed over the years
TIME's DNS Hijacking appears to be on the router side

The old WiFi 5 combo ONT, HG8145V5 has DNS settings greyed out in the router, and hijacks port 53
I've heard you can get TIME CS to remotely change to a DNS provider of your choosing but don't quote me on that

The rest of their devices, don't seem to hijack in my experience

maxis router also same thing.

it is why it is in the dustbin

That's why people have the option to use their own/buy their own router. ISP's locking down routers is not limited to Malaysian ISP's: plenty of cases in other countries if Reddit posts are any indication.

What is problematic is hijacking DNS53 at the network level. Ie. What Celcom(Digi) seems to be doing. (And what Indonesia is doing) Using own router (notwithstanding DoT/DoH) for alternate DNS providers will fail when the ISP hijacks DNS53 at their network level/side.

The MSC Bill of Guarantees died with the Najib administration.

got youtube guide for each method?

But you see, the ISPs are moving to "all in one" ont routers

TM with their (not great) D-Link or Skyworth or FiberHome all in ones
Maxis with their Huawei all in ones (a bit rare, I think maybe on their own infra only, the usual TP-Link/Kaon is more common)
TIME has fully commited to Huawei all in ones for a long time

All it takes is for then to pull a Indonesia and say "no bridging" and then we're in trouble

Still manageble, I wasnt able to find the PPPOE username and pwd from my Huawei HG8145X6
Cant contact CS to switch into bridge mode because my landlord is pathetic and stingy (He want us to pay RM700 for a pair of Deco M4, go figure)
Ended up downloading the backup config file from it and toss into a Unifi ONU
Managed to grab the username and pwd that way, using TIME with Unifi's ONU+Asus AX58u

I understand, but we didn't vote Najib in on reformation

Right now I am planning on getting a firewalla and just use my surfshark account to wireguard the whole connection

Yup..i agree..
So my DoT setup i am still using CF for stability

Question; visiting https://www.ssllabs.com/ssltest/index.html and inputting dns.adguard-dns.com as an example, which one of the two SHA256 lines I’ve pointed at with the red arrow in this screenshot would be the equivalent of the SPKI fingerprint needed in order to do certificate pinning?

This post has been edited by dev/numb: Aug 15 2024, 06:05 PM

BF+fS5RPhZQggn38wZ6lqii8lxPNWQPzU2VVVqbLhqM=
It is actually public key pinning. The certificate can renew as long as the public key is the same.
I checked and it is same for both DoH and DoT.

This post has been edited by kwss: Aug 15 2024, 06:18 PM

all this just temporary bypass, if government wanted do enforce their rules even you are using DOH or DOT also will blocked access.

No lol. While dot is trivial to block since it uses the port 853 that literally only it use, doh use port 443. Might aswell block the entire net by blocking port 443. They can still block the endpoint, blocking the popular doh server endpoint from resolving but then ppl will just spawn their own private endpoint with own custom domain. I've been selfhosting my own private endpoint via adguardhome for a few years already.

This post has been edited by axxer: Aug 16 2024, 05:37 AM

Until they decide to (BGP) blackhole entire swaths of platforms.

That's what (some ISP's in) Indonesia does. Eg. Reddit is blocked in Indonesia. Even if you can resolve the correct IP address for Reddit, they will block all connection attempts to Reddit's IP addresses.

Sure you can say VPN. But it isn't too long when the next step is China, where they will block most commercial VPN providers, detect OpenVPN/WireGuard/KEv2/IPsec/L2TP/IPsec/PPTP protocols to hunt down who are using VPN's.

No need to compare Malaysia with the China GFW: if Indonesia can do it, what is to say Malaysia can't?

Cross posting from Unifi thread for those who didn't go there. Running cost should be less than USD $0.60 per month

DNS wall climbing for beginner
This quick guide will teach you how to use CDN to front DoH server using Amazon CloudFront.
The benefit this provides over other method is the difficulty of the censor to block this kind of setup without blocking the whole CDN provider.

Requirements:
AWS Account
Browser / OS / resolver supporting DoH

Login to your AWS account and search for CloudFront. Create a new distribution.
Refer to the setting below and put in your desired DoH server:


After you are done creating the distribution, wait for it to finish deploying:


Put the address and the full path into your browser / OS / resolver:


Finally test your resolver:


DNS wall climbing stealth setup
This is a setup for people who are already using CloudFront for their business and wish to hide DoH inside it.
I am using ControlD here instead of Cloudflare DNS. The "/dns-query" in cloudflare is "/p0" in controld.

First add an Origin like below:


Then add a Behavior:


Wait for it to finish deploying. You will access it via https://mydomain.com/bkaj41f

For people wondering what is my "DoH-fronting" policy, here is it:


This post has been edited by kwss: Aug 16 2024, 08:16 AM

No other country will deploy china gwf if thats your concern. That thing gobbled up $$ to maintain which my doesn't have. Even indo block is still kids play to evade. Hell theres a dedicated ppl still playing cat and mouse game with china gwf till this day with vray, xray etc.

It doesn't have to be China level GFW, but there is a lot that can happen between DNS53 hijacking and GFW for internet censorship.

Its a slippery slope. And most people don't know the technical details. Once MCMC blocked The Malaysia Insider their traffic dried up and it died from lack of ad revenue (amongst other reasons). Similar thing happened with MalaysiaNow.

Despite the fact it is easily circumvented by changing the DNS server query IP address.

Don't expect people to understand Doh/DoT, much less roll their own DNS server for USD $0.60 per month.

For the site operator themselves, of course they'll get the end of the stick. We're talking about end user perspective here. If the time comes ppl will learn. Maybe not all makcik and pakcik but some would. Vpn, tor is still the easiest solution if its not gwf, which is close to impossible to happen. Doesn't even need to learlinux cli and stuff. Install client, pay if its a paid service, connect.

One thing I want to mention is never underestimate the censor. Look at countries that are poor yet they can throw a lot of money into building nuclear bomb and rocket. All it takes is one guy to come into power.

As for plaintext DNS traffic, my personal opinion is that we should all just kill it. Not just for the sake of anti-censorship, but for the sake of your personal security.

It is the same as killing plaintext HTTP and anything less than TLS v1.2. Merely moving to HTTPS/3 aka QUIC will increase the difficulty of the censor to snoop your SNI, even without Encrypted Client Hello.

Increasing your network security should be the ultimate goal.