ISP/Network admin seems to be altering my DNS requests
Kinda related to this: https://lowendtalk.com/discussion/185065/free-domains-after-freenoms-death
I'm trying to bypass a blocking on my local network. So far I've set up Shadowsocks + V2Ray following this, got a domain and passed the traffic through Cloudflare, and had my domain unblocked from the blocking software by pretending to host an educational website (Fortiguard is used for blocking). Even after all this, SS+V2Ray doesn't work on this network.
On further inspection, I noticed that the IP address of my domain was being changed when I would send a ping request. The requests would be going to 208.91.112.55 instead of a Cloudflare server. nslookup always seems to fail with no response even though it reports the server as 1.1.1.1 or 8.8.8.8 (or the respective IPv6). nslookup would even fail for google.com.
I'm assuming they are monitoring and blocking DNS requests and changing them. DNS over HTTPS would be a solution to this, but Windows 10 doesn't seem to support it.
What options do I have to get this working?
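The symptom described above (the domain's A record coming back as 208.91.112.55, or no answer at all) can be checked with a few lines of Python instead of ping. The script below is an added example, not code from this thread: it builds a raw DNS A query, parses a raw DNS response, and classifies the answer as a block-page redirect, a mismatch against a reference answer, or no answer. The packets it runs on are constructed inline (the name example.net and the reference address 192.0.2.1 are placeholders), so it runs offline; the query_udp helper is what you would point at 1.1.1.1 on the affected network.

```python
"""Detect DNS answer tampering (added example, not from the thread).

Builds a DNS A query, parses the response and flags answers that point at the
FortiGuard block page (208.91.112.55 as seen by the original poster) or that
disagree with a reference answer obtained over a trusted path.
"""
import socket
import struct

# Address the poster observed being substituted for the real answer.
BLOCK_PAGE_IPS = {"208.91.112.55"}


def build_query(name, txid=0x1234):
    """Return a minimal recursive DNS query for an A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_a_records(resp):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = _read_name(resp, offset)
        offset += 4
    ips = []
    for _ in range(an):
        _, offset = _read_name(resp, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return ips


def build_response(query, ips, ttl=60):
    """Construct a DNS response to `query` (used here to fabricate test packets)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        # 0xC00C points back at the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answers


def classify(answer_ips, reference_ips):
    """Compare the answer seen on the network with a trusted reference answer."""
    if not answer_ips:
        return "no-answer"          # query dropped or empty reply (nslookup timeout)
    if set(answer_ips) & BLOCK_PAGE_IPS:
        return "block-page"         # rewritten to the filter's block page
    if reference_ips and not (set(answer_ips) & set(reference_ips)):
        return "mismatch"           # rewritten to something else
    return "ok"


def query_udp(server, name, timeout=2.0):
    """Send the query over plain UDP/53 and return the A records (or [] on timeout)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return []
    return parse_a_records(data) if data[:2] == q[:2] else []


if __name__ == "__main__":
    # Constructed packets: a reference answer and a hijacked one for example.net.
    q = build_query("example.net")
    reference = parse_a_records(build_response(q, ["192.0.2.1"]))
    hijacked = parse_a_records(build_response(q, ["208.91.112.55"]))
    print("reference:", reference, "->", classify(reference, reference))
    print("on-network:", hijacked, "->", classify(hijacked, reference))
```

For a live check, obtain the reference answer from a path the filter cannot touch (for example the same name resolved over DoH from another network), then compare it with query_udp("1.1.1.1", name) from the affected machine; "no-answer" for every resolver points at UDP/53 being dropped rather than rewritten.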
Comments
As far as I know Windows 10 already supports DoH. It may be a bit tricky, but there are tons of tutorials for it on Google. Or install a local DNS resolver (such as Unbound) and use a TLS upstream.
Assuming you have control over your local network, could you setup another device to handle the DoH for you and use that as your DNS server on your Windows 10 system?
I searched a lot on Google but most use a setting which isn't available on my system. According to this Win11 has the feature, Win10 doesn't.
I'll look into Unbound.
You're suggesting something like a PiHole server? I guess that could work, but I'd like to try software solutions first and keep that as a last resort.
Try a regular VPN instead of Shadowsocks.
I tried Wireguard but it wasn't supported since OpenVZ was used. I'll try OpenVPN next.
I'm using https://github.com/Nyr/wireguard-install on webhorizon's nat ovz and it works flawlessly, give it a try.
WireGuard will work on OVZ, but I'm an OpenVPN advocate. So I'll recommend OpenVPN with the "block outside DNS" feature.
I was using this script to install wireguard and it was throwing some random error. This worked thanks! I'll check whether the vpn works on the network.
As someone who administers Fortigates, its detection algorithms when inspecting traffic for VPNs, proxies, etc. are pretty good. It's probably detecting you're running SS+V2Ray and redirecting all requests to the block page because of proxy avoidance. - https://community.fortinet.com/t5/FortiGate/Blocking-Proxy-Avoidance-Software/ta-p/191482
It's also very likely port 53 UDP is blocked, except for their own DNS servers (this is what I do) - so just use DNS over HTTPS.
Better yet fully wrap your VPN in HTTPS - sTunnel comes to mind, but I haven't used it in a while.
You can wrap WireGuard in sTunnel
Otherwise, https://github.com/cbeuw/Cloak should work.
Softether's native client and server are good for this too.
If they're using deep inspection this will also get picked up; however, I don't see a realistic way of them getting the MITM cert onto the device unless it's a provided resource or they're using an MDM for personal devices.
https://github.com/mullvad/udp-over-tcp
Get Mullvad. They have their own obfuscation wrapper for Wireguard and plenty of servers using it.
Yeah, the plain WireGuard VPN did not work. Thank you all for the suggestions, I'll try them out and keep you posted.
Application signatures will be picking that one up.