It seems TM Unifi has finally implemented transparent DNS proxy

loonsave
post Sep 4 2024, 05:46 PM

Regular
******
Senior Member
1,635 posts

Joined: May 2005


QUOTE(soonwai @ Sep 4 2024, 05:40 PM)
We all are overthinking it.

TM is not doing any DNS proxy, DNS redirection, DoH or DoT blocking. I don't think the committee assigned to this knows how or even what those terms are.

All they are doing is taking over the IP addresses. 8.8.8.8 or 9.9.9.9 or 1.1.1.1 no longer goes to Google or Quad9 or Cloudflare respectively. Those addresses now go to TM's Mickey Mouse DNS server which only has port 53 working, no DoH or DoT here.

Easy job done and wait for bonus.
*
I think you are right. The traceroute seems to route within the TM network only. What a brute-force method.

This post has been edited by loonsave: Sep 4 2024, 05:46 PM
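The pattern soonwai describes above (the resolver's IP answers plain DNS on port 53 but nothing encrypted) can be checked from a client without relying on traceroute: send a hand-built query to UDP/53, then attempt a DNS-over-TLS handshake on 853 with normal certificate and hostname verification for the operator's real name. This is an added diagnostic, not code from the thread; it assumes the TLS name for 1.1.1.1 is cloudflare-dns.com (as stated in the thread) and that the host running it can reach ports 53 and 853.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234):
    # Minimal RFC 1035 query: header (RD set) + QNAME + QTYPE=A + QCLASS=IN
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode() for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data, pos):  # offset just past a (possibly compressed) name
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(resp):  # -> (rcode, [IPv4 strings]) from a DNS response
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def probe_resolver(ip, tls_name, name="example.com", timeout=3):
    # Hijacked IP: plain DNS on 53 answers, but the TLS cert check on 853 fails
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        udp53 = parse_a_records(s.recv(512))
    except OSError as e:
        udp53 = f"error: {e}"
    try:
        ctx = ssl.create_default_context()  # verifies chain and hostname
        with socket.create_connection((ip, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
                dot853 = tls.version()
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        dot853 = f"error: {e}"
    return {"udp53": udp53, "dot853": dot853}
```

Calling `probe_resolver("1.1.1.1", "cloudflare-dns.com")` on an unaffected line returns an A record list under `udp53` and a TLS version under `dot853`; an interposed port-53-only server gives an answer on 53 and a certificate or connection error on 853.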
loonsave
post Sep 4 2024, 05:50 PM


QUOTE(JohnL77 @ Sep 4 2024, 05:48 PM)
So what's the solution?
*
VPN.
loonsave
post Sep 4 2024, 09:59 PM


Thanks for sharing the CloudFront method. How do you secure it and prevent others from using your CloudFront as DNS?
loonsave
post Sep 4 2024, 11:13 PM


QUOTE(kwss @ Sep 4 2024, 10:23 PM)
From low tech to high tech:
1. Keep the generated URL secret. (first tutorial)
2. Create another Origin with path, then assign a Behavior with "password" as your new path (second tutorial)
3. Use signed URL:
https://docs.aws.amazon.com/AmazonCloudFron...igned-urls.html
*
Since TM blackholes 1.1.1.1, wouldn't it still fail to resolve, since the CloudFront URL's origin is cloudflare-dns.com, which is 1.1.1.1?

This post has been edited by loonsave: Sep 4 2024, 11:16 PM
loonsave
post Sep 4 2024, 11:49 PM


QUOTE(lurkingaround @ Sep 4 2024, 11:41 PM)
.
AFAIK, if Malaysia's MCMC is ready to ban or block Social Media websites like Facebook and Twitter next year if they do not apply for a local license, MCMC is ready to also similarly ban or block Amazon CDN for bypassing MCMC's website-blocking tools or the "Great Firewall of Malaysia".
.
*
That's the issue. If MCMC does this without any regulation, they can just block anything when requested by the Gov. It's unlikely they will block Amazon CDN since they just officially launched the AWS MY region.

This post has been edited by loonsave: Sep 4 2024, 11:50 PM
loonsave
post Sep 4 2024, 11:59 PM


QUOTE(lurkingaround @ Sep 4 2024, 11:54 PM)
.
Affected TM users can use Google Cloud or M$ Azure if AWS will not cooperate with MCMC?
.
*
Amazon spent so much money to build infrastructure in MY. Pretty sure MCMC won't do that.
loonsave
post Sep 5 2024, 12:18 AM


QUOTE(lurkingaround @ Sep 5 2024, 12:09 AM)
.
AFAIK, online services from Amazon, Google, Facebook, Twitter, etc have been banned by CCP China wrt the Great Firewall Of China and China is still Numba One in the world of wumao and EV-lovers.
....... Maybe Malaysia will be Numba Two.
.
*
Can't compare in that way. China is the world's second largest economy. They can afford to do that. MY got what?

This post has been edited by loonsave: Sep 5 2024, 12:20 AM
loonsave
post Sep 5 2024, 12:20 AM


QUOTE(failed.hashcheck @ Sep 5 2024, 12:15 AM)
Didn't try. TM routing is so shit that I have to have always-on WireGuard anyway. So this DNS thing is pretty much irrelevant to me currently.

Even if I decide to do something about it later, I'd rather opt for a straightforward solution: spawning my own DoH server using Unbound.
*
I was thinking of setting up an AdGuard server + Unbound too. Seems more straightforward to me than setting up CloudFront.
loonsave
post Sep 6 2024, 10:07 AM


QUOTE(AmpBuster @ Sep 6 2024, 10:06 AM)
TM tried to hijack your encrypted request, so your DNS client doesn't accept the response
*
TM tried to hijack your encrypted request, so your DNS client doesn't accept the response
loonsave
post Sep 6 2024, 11:25 AM


QUOTE(failed.hashcheck @ Sep 6 2024, 11:21 AM)
dafuq.
you could have spent about 1 hour learning the concept of a VPS, and deployed a VPN setup script for as low as USD2.00 per year.
*
Any recommended VPS?
loonsave
post Sep 6 2024, 11:58 AM


QUOTE(failed.hashcheck @ Sep 6 2024, 11:34 AM)
If you just want to use VPN on demand, better use a NAT VPS.
I recommend webhorizon and gullo's host (typically USD2/yr).

If always on, look for a beefier package from a can't-go-wrong provider like Linode or DigitalOcean (USD5/mo),

as long as it is an SG server.
But then again, while you are at it with a VPS, I strongly recommend exploring shadowsocks.
It's made exactly for bypassing censorship like this. It's much more performant, with consistently higher throughput even when compared to the kernel version of WireGuard.
And you can set up domain-based rules that are not very achievable with a VPN's split tunneling.
*
I didn't expect we would need to be like the CCP, needing shadowsocks or v2ray to access the world internet.
loonsave
post Sep 6 2024, 12:20 PM


QUOTE(yushin @ Sep 6 2024, 12:06 PM)
Does this DNS block affect those IPTV boxes?
*
If they don't do it now, they will do it eventually.
loonsave
post Sep 6 2024, 05:44 PM


QUOTE(danieln @ Sep 6 2024, 05:38 PM)
actually what do you want them to reject it on? Coz need to allow MY users to access ahem & illegal sites?

that will be a wide opening to get fire from all angles LOL
*
It's not about ahem & illegal sites only. If you look at the bigger picture, why did they implement this after mentioning the social media license?
Of course I am talking from a conspiracy angle. But giving them such great power to block the Internet, they can control and determine what you can see and what you can't.

This post has been edited by loonsave: Sep 6 2024, 05:47 PM