
It seems TM Unifi has finally implemented a transparent DNS proxy

failed.hashcheck
post Sep 3 2024, 11:24 PM

Neighborhood plant pathologist
*******
Senior Member
2,096 posts

Joined: Aug 2009
From: Shithole Klang
QUOTE(Weisun79 @ Sep 3 2024, 11:12 PM)
I tried... Firefox... enable Increased Protection... choose NextDNS as provider... it works....

or Use Safari...

user posted image
*
Or if you use Win11, just use OS-level DoH in the network settings.
Attached Image

This post has been edited by failed.hashcheck: Sep 3 2024, 11:27 PM
failed.hashcheck
post Sep 3 2024, 11:37 PM

QUOTE(zerorating @ Sep 3 2024, 11:29 PM)
Just read the Unifi thread: TM just reroutes Google DNS or Cloudflare to their own TM DNS resource. Looks like TM uses the most efficient method, without provisioning tons of servers for a transparent proxy. Such evil.
*
That's only for plaintext DNS, right?
Even with DoT, the most they could do is block it.
If they could tamper with DoH, like rerouting it and returning a valid response without hijacking the browser certificate, I think we'd have a global IT emergency right now, since that would mean TLS 1.3 has been broken.
failed.hashcheck
post Sep 3 2024, 11:57 PM

QUOTE(zerorating @ Sep 3 2024, 11:41 PM)
IP level, boss, meaning plaintext, DoT, DoH are all redirected.

DoH will not work without a valid cert.

Anyway, I will move to a "not widely" known public DNS service, koff koff ans1.Singapore3.Level3.net
AIMS also has a DNS server that's not filtering ahem sites. IP is 110.74.147.67
*
Kek, so DoH simply stops working then.

When that finally happens to me I'll just fire up Unbound and spawn my own DNS server.
Finally got some real legit use for those Oracle Compute instances that I don't know what to do with other than hosting hentai@home
failed.hashcheck
post Sep 4 2024, 01:30 AM

QUOTE(soonwai @ Sep 4 2024, 01:05 AM)
Not all people are affected though, so it means TM is just testing. So far:

Kajang ❌❌ me & raynman
Kuching ✅ karenzayn
Penang ✅ tng55
PJ ✅ countingcrows
*
Hard to imagine they would make this standard. The stakes are too damn high.
Right now Google has lots of their apps hardwired to their (cleartext) DNS, and it's not unreasonable to expect they will go further with DoT in future.
Shit's going to hit the fan really hard when that day finally comes.

QUOTE(cloudstrife07 @ Sep 4 2024, 01:06 AM)
Wow, still running h@h
*
At some point a few years ago Oracle realized they were being stupidly generous offering rather thicc instances for free (up to 4 micro instances with pooled 200 GB storage and up to 24 GB RAM). And now they will terminate and reclaim those that they deem underused for 7 consecutive days.

So I have to generate some CPU/RAM load and traffic to keep my holding, and apparently h@h is perfect for that 🤣
failed.hashcheck
post Sep 4 2024, 06:57 PM

QUOTE(shinigamidesu @ Sep 4 2024, 05:50 PM)
What is the best value VPN out there?
*
Vote PN next time
failed.hashcheck
post Sep 4 2024, 07:31 PM

QUOTE(kwss @ Sep 4 2024, 07:25 PM)
Cross-posting from the Unifi thread for those who didn't go there. Running cost should be less than USD $0.60 per month

DNS wall climbing for beginners
This quick guide will teach you how to use a CDN to front a DoH server using Amazon CloudFront.
The benefit this provides over other methods is the difficulty for the censor to block this kind of setup without blocking the whole CDN provider.

Requirements:
AWS Account
Browser / OS / resolver supporting DoH

Log in to your AWS account and search for CloudFront. Create a new distribution.
Refer to the settings below and put in your desired DoH server:
user posted image

After you are done creating the distribution, wait for it to finish deploying:
user posted image

Put the address and the full path into your browser / OS / resolver:
user posted image

Finally test your resolver:
user posted image

DNS wall climbing stealth setup
This is a setup for people who are already using CloudFront for their business and wish to hide DoH inside it.
I am using ControlD here instead of Cloudflare DNS. The "/dns-query" in Cloudflare is "/p0" in ControlD.

First add an Origin like below:
user posted image

Then add a Behavior:
user posted image

Wait for it to finish deploying. You will access it via https://mydomain.com/bkaj41f

For people wondering what my "DoH-fronting" policy is, here it is:
user posted image
*
If it's like this, it's much cheaper and easier to just buy a NAT VPS in SG and set up WireGuard.
failed.hashcheck
post Sep 4 2024, 11:31 PM

QUOTE(kwss @ Sep 4 2024, 11:28 PM)
Everyone needing a no hassle setup can use this:
https://sky.rethinkdns.com/dns-query

It runs on Cloudflare Workers at all edge locations and cannot be IP blocked.
If it's DNS-bootstrap blocked, just put the lowyat.net IP in your HOSTS file and it should work again
*
So it's actually possible.
I always thought about this possible solution around using a CF Worker but never bothered to look further into it.

This post has been edited by failed.hashcheck: Sep 4 2024, 11:32 PM
failed.hashcheck
post Sep 5 2024, 12:15 AM

QUOTE(kwss @ Sep 4 2024, 11:56 PM)
Ummm... Works for me.
Did it work for you?

*
Didn't try. TM routing is so shit that I have to have always-on WireGuard anyway. So this DNS thing is pretty much irrelevant to me currently.

Even if I decide to do something about it later, I'd rather opt for a straightforward solution: spawning my own DoH server using Unbound.

This post has been edited by failed.hashcheck: Sep 5 2024, 12:17 AM
failed.hashcheck
post Sep 6 2024, 10:10 AM

QUOTE(LemonHoneyIce @ Sep 6 2024, 09:59 AM)
So um... any best solution to bypass it now?
*
First, try to study any other alternative DoH servers around.

Else,
Considering the block is targeted at websites, the ideal solution is using a SOCKS5 proxy like Shadowsocks. It works at the browser/HTTPS level and does not impose full overhead on the entire system like a VPN.

Second choice is a VPN. But it adds too much overhead for just a simple bypass. But if you have complaints about TM's shit routing then this is the first choice.

But if you are more technically adept, spawning your own DoH server is the best solution.

This post has been edited by failed.hashcheck: Sep 6 2024, 10:11 AM
failed.hashcheck
post Sep 6 2024, 10:14 AM

QUOTE(vapanel @ Sep 6 2024, 10:10 AM)
So anyone who reported TLS DoT still works is fake news?
*
The entire reason DoT exists alongside DoH is because network admins preferred it, since it is easier to block. Just block port 853 and that's it.

If there is ever an attempt to block DoH, then obviously there is no fucking reason for DoT to still be working.
failed.hashcheck
post Sep 6 2024, 10:18 AM

QUOTE(vapanel @ Sep 6 2024, 10:11 AM)
Spawning your own DNS server: how do you make sure it is constantly updated?
*
The entire DNS system, to oversimplify, is just a sort of relay. Once set up, in this case as a recursive DNS server, you don't need to update anything.
It will get the data from the 'higher level' and pass it to you.
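Added example of mine (not code from this thread, and not Unbound's code) that shows why a recursive resolver has nothing to "update": it holds no zone data of its own, it just starts from the root hints, follows referrals down the hierarchy, and caches what it learns for the record's TTL. The delegation tree below is a constructed in-memory stand-in for the real root, TLD and authoritative servers, using TEST-NET addresses; the resolver logic on top is the general iterative algorithm the post describes in one sentence.

```python
import time

# Constructed delegation tree (TEST-NET addresses, not real servers). Each entry
# is one "server" that answers only for its own zone and otherwise refers the
# resolver further down.
ROOT_HINTS = ["192.0.2.1"]
ZONES = {
    "192.0.2.1":    {"zone": ".",            "referrals": {"org.": ["198.51.100.1"]}},
    "198.51.100.1": {"zone": "org.",         "referrals": {"example.org.": ["203.0.113.53"]}},
    "203.0.113.53": {"zone": "example.org.", "records": {"www.example.org.": ("A", 300, "203.0.113.80")}},
}


def authoritative_query(server_ip: str, qname: str):
    """Simulated reply from one server: ('answer', record), ('referral', ns_ips)
    or ('nxdomain', None). The resolver never needs the data itself."""
    z = ZONES[server_ip]
    if qname in z.get("records", {}):
        return "answer", z["records"][qname]
    for zone, ns_ips in z.get("referrals", {}).items():
        if qname == zone or qname.endswith("." + zone):
            return "referral", ns_ips
    return "nxdomain", None


class RecursiveResolver:
    """Iterative resolution from the root hints plus a TTL-bounded cache."""

    def __init__(self, hints, clock=time.monotonic):
        self.hints = list(hints)
        self.cache = {}            # qname -> (expiry, ip)
        self.clock = clock         # injectable so tests can move time forward
        self.referrals_followed = 0

    def resolve(self, qname: str):
        """Return (ip_or_None, source) where source is 'cache', 'recursion' or 'nxdomain'."""
        qname = qname.rstrip(".") + "."
        now = self.clock()
        cached = self.cache.get(qname)
        if cached and now < cached[0]:
            return cached[1], "cache"
        self.cache.pop(qname, None)  # expired entries are simply re-fetched
        servers = self.hints
        for _ in range(16):  # bound the referral chase so a delegation loop can't hang us
            kind, payload = authoritative_query(servers[0], qname)
            if kind == "answer":
                _rtype, ttl, ip = payload
                self.cache[qname] = (now + ttl, ip)
                return ip, "recursion"
            if kind == "referral":
                self.referrals_followed += 1
                servers = payload
                continue
            return None, "nxdomain"
        raise RuntimeError("referral loop exceeded 16 hops")


if __name__ == "__main__":
    r = RecursiveResolver(ROOT_HINTS)
    print(r.resolve("www.example.org"))   # walks root -> org -> example.org
    print(r.resolve("www.example.org"))   # served from cache until the TTL expires
    print("referrals followed:", r.referrals_followed)
```

The only inputs a real recursive resolver such as Unbound carries locally are the root hints (the hint list above) and, if DNSSEC validation is on, the root trust anchor; both ship with the package. Everything else is fetched on demand and ages out by TTL, which is the "relay" behaviour the post is getting at.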
failed.hashcheck
post Sep 6 2024, 10:34 AM

QUOTE(Icehart @ Sep 6 2024, 10:23 AM)
Time to spin up free tier EC2/ECS and host your own DNS
*
Finally have some use for my free Oracle Cloud instance that's been idling so hard

failed.hashcheck
post Sep 6 2024, 10:37 AM

Well shit.
Now I've received a few messages and emails from customers whose systems I set up with DoH enabled, and they haven't been able to access the internet since this morning.

This is going to be a very fine week for builders and admins.
failed.hashcheck
post Sep 6 2024, 10:39 AM

QUOTE(soonwai @ Sep 6 2024, 10:34 AM)
No, it's real. DoT is still working on Unifi.

CODE
;; QUESTION SECTION:
;4chan.org.   IN A

;; ANSWER SECTION:
4chan.org.  300 IN A 104.19.143.99
4chan.org.  300 IN A 104.19.142.99

;; Query time: 22 msec
;; SERVER: LOLO.LOLO.LOLO.LOLO.LOLO (TLS) <----
;; WHEN: Fri Sep 06 10:31:59 +08 2024
;; MSG SIZE  rcvd: 70


inb4: It's all text, I made it up.
*
Whoever implemented this blocking thing is really a facepalm.
failed.hashcheck
post Sep 6 2024, 10:58 AM

QUOTE(JohnLai @ Sep 6 2024, 10:42 AM)
Time to setup DNSCrypt

https://www.dnscrypt.org/
*
Now that's a name I haven't heard in a long time.

Thought this thing had already lost the standards war and was dead.
What a plot twist.
failed.hashcheck
post Sep 6 2024, 11:21 AM

QUOTE(CyberSetan @ Sep 6 2024, 11:17 AM)
ExpressVPN costs RM400+ per year... I just close my eyes and divide RM400 / 12, and absorb the additional cost as part of my internet subscription....
*
Dafuq.
You could have spent some 1 hour learning the concept of a VPS, and deployed a VPN setup script for as low as USD 2.00 per year.
failed.hashcheck
post Sep 6 2024, 11:34 AM

QUOTE(loonsave @ Sep 6 2024, 11:25 AM)
Any recommended VPS?
*
If you just want to use a VPN on demand, better use a NAT VPS.
I recommend WebHorizon and Gullo's Host (typically USD 2/yr).

If always on, look for a beefier package from a can't-go-wrong provider like Linode or DigitalOcean (USD 5/mo),

as long as it is an SG server.


But then again, while you are at it with a VPS, I strongly recommend exploring Shadowsocks.
It's made exactly for bypassing censorship like this. It's much more performant, with consistently higher throughput even when compared to the kernel version of WireGuard.
And you can set up domain-based rules that are not very achievable with a VPN's split tunneling.

This post has been edited by failed.hashcheck: Sep 6 2024, 11:35 AM
failed.hashcheck
post Sep 6 2024, 11:42 AM

QUOTE(brkli @ Sep 6 2024, 11:36 AM)
1 hour of learning.

How many hours after that to set up, support, restart the server, etc.?
*
1. Buy VPS, register account - 10 min
2. Server provisioning - 20 sec (Linode)
3. Connect over SSH, update and restart, reconnect - 1.5 min (Debian)
4. Deploy script, copy-pasted from GitHub - 2 min
5. Provision user - 30 sec
6. Copy config to client - 1 min (SFTP/copy-paste), 10 sec (QR).

Set and forget. Maybe repeat steps 5 and 6 if you wish to have more clients with unique IDs.

This is a very generous estimate.

failed.hashcheck
post Sep 6 2024, 12:03 PM

QUOTE(mhyug @ Sep 6 2024, 11:57 AM)
Is this somewhat similar to what kwss posted in post #302?
*
No, that one is much more complicated and aimed at people who already have an AWS account, know their way around AWS and have played with CloudFront before.
Setting up an AWS account from zero is not trivial. Superscalers like AWS/GCP/Azure are an entirely different game from our usual cloud VPS providers.
failed.hashcheck
post Sep 6 2024, 02:35 PM

user posted image

Gotta finish this 12 PB quota somehow before they figure out how to block the VPN part of Warp+

This post has been edited by failed.hashcheck: Sep 6 2024, 02:36 PM
