ISP/Network admin seems to be altering my DNS requests

Kinda related to this: https://lowendtalk.com/discussion/185065/free-domains-after-freenoms-death

I'm trying to bypass a blocking on my local network. So far I've set up Shadowsocks + V2Ray following this, got a domain and passed the traffic through Cloudflare, and had my domain unblocked from the blocking software by pretending to host an educational website (Fortiguard is used for blocking). Even after all this, SS+V2Ray doesn't work on this network.

On further inspection, I noticed that the IP address of my domain was being changed when I would send a ping request. The requests would be going to 208.91.112.55 instead of a Cloudflare server. nslookup always seems to fail with no response even though it reports the server as 1.1.1.1 or 8.8.8.8 (or respective IPv6). nslookup would even fail for google.com.

I'm assuming they are monitoring and blocking DNS requests and changing them. DNS over HTTPS would be a solution to this, but Windows 10 doesn't seem to support it.

What options do I have to get this working?
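
The symptom above (ping resolving to an unexpected address while nslookup against 1.1.1.1 or 8.8.8.8 gets no reply) is what transparent port-53 interception looks like: the gateway either answers in place of the resolver you asked, or drops the query. The script below makes that comparison explicit by resolving the same name once over plain UDP/53 and once over DNS-over-HTTPS, then labelling the result. It is an added example written for this thread, not code from the original post; it assumes Cloudflare's `application/dns-json` endpoint as the DoH side and treats 208.91.112.55 only as the address the poster reported, not as a known-bad list. Python standard library only.

```python
"""Compare the answer the network's plaintext (UDP/53) DNS path gives for a
name with the answer from a DNS-over-HTTPS resolver, to make a rewritten
A record visible.  Standard library only.

Assumptions (not from the thread): Cloudflare's JSON DoH endpoint is used,
and 208.91.112.55 is simply the address the original poster saw substituted.
"""
import json
import socket
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed DoH resolver
HIJACK_IPS = {"208.91.112.55"}                     # address observed by the OP


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query for an A record with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """IPv4 addresses in the answer section of a DNS response message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def build_response(query: bytes, addrs) -> bytes:
    """Constructed response to `query` with one A record per address.
    Used for offline testing only; no real network produced it."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query[12:] + rrs


def udp_resolve(name: str, server: str, timeout: float = 3.0) -> list:
    """Plain UDP/53 lookup; an empty list means no (valid) answer came back."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return []
    return parse_a_records(data) if data[:2] == q[:2] else []


def parse_doh_json(raw: bytes) -> list:
    """A-record data fields from an application/dns-json response body."""
    doc = json.loads(raw)
    return [a["data"] for a in doc.get("Answer", []) if a.get("type") == 1]


def doh_resolve(name: str, timeout: float = 5.0) -> list:
    req = urllib.request.Request(f"{DOH_URL}?name={name}&type=A",
                                 headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_doh_json(resp.read())


def classify(udp_addrs, doh_addrs) -> str:
    """'blocked': no UDP answer; 'hijacked': a reported substitute address;
    'mismatch': UDP and DoH share no address; otherwise 'consistent'."""
    if not udp_addrs:
        return "blocked"
    if set(udp_addrs) & HIJACK_IPS:
        return "hijacked"
    if not set(udp_addrs) & set(doh_addrs):
        return "mismatch"
    return "consistent"


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["google.com"]:
        udp, doh = udp_resolve(name, "1.1.1.1"), doh_resolve(name)
        print(f"{name}: udp={udp} doh={doh} -> {classify(udp, doh)}")
```

Read the labels with care: `blocked` and `hijacked` are the strong signals (the resolver you addressed never answered, or the answer is the substitute address). `mismatch` on its own is weaker, because a domain fronted by Cloudflare or another CDN can legitimately return different anycast addresses to different resolvers; rerun against a name with a single stable A record before drawing conclusions. A `whois` on the substitute address tells you who operates it.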

Comments

  • fazar Member

    As far as I know Windows 10 already supports DoH. It may be a bit tricky, but there are tons of tutorials for it on Google. Or install a local DNS resolver (such as Unbound) and use a TLS upstream.

  • Assuming you have control over your local network, could you setup another device to handle the DoH for you and use that as your DNS server on your Windows 10 system?

  • @fazar said:
    As far as I know Windows 10 already supports DoH. It may be a bit tricky, but there are tons of tutorials for it on Google. Or install a local DNS resolver (such as Unbound) and use a TLS upstream.

    I searched a lot on Google but most use a setting which isn't available on my system. According to this Win11 has the feature, Win10 doesn't.

    I'll look into Unbound.

    @Xrmaddness said:
    Assuming you have control over your local network, could you setup another device to handle the DoH for you and use that as your DNS server on your Windows 10 system?

    You're suggesting something like a PiHole server? I guess that could work, but I'd like to try software solutions first and keep that as a last resort.
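
The "local resolver with a TLS upstream" idea from the replies above, written out as an Unbound configuration. This is an added example, not something posted in the thread: it assumes a Debian-style CA bundle path and uses Cloudflare and Google as the DNS-over-TLS upstreams on port 853, with the hostnames pinned so Unbound verifies the upstream certificate instead of trusting whatever answers on 853. Point the Windows 10 adapter's DNS at the machine running it (or at 127.0.0.1 if Unbound runs on the same box).

```conf
# /etc/unbound/unbound.conf.d/dot-forward.conf (added example, not from the thread)
server:
    interface: 127.0.0.1
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # assumed CA bundle location; adjust for the distribution in use
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # only answer this host; widen to a LAN range if other devices use it
    access-control: 127.0.0.0/8 allow
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    # refuse to fall back to plaintext if TLS upstreams are unreachable
    harden-below-nxdomain: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # "address@port#hostname": the #hostname is what the certificate is checked against
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

Run `unbound-checkconf` before restarting, then `dig @127.0.0.1 google.com` to confirm an answer arrives. The caveat a thread poster raises later applies here too: this only helps if the network lets TCP/853 out; if that port is filtered like UDP/53, Unbound will time out, and a DoH stub (something speaking HTTPS on 443) is the fallback.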

  • vsys_host Member, Patron Provider

    Try Regular VPN instead of Shadowsocks

  • @vsys_host said:
    Try Regular VPN instead of Shadowsocks

    I tried WireGuard but it wasn't supported since OpenVZ was used. I'll try OpenVPN next.

  • dosai Member

    @DentFuse said:

    @vsys_host said:
    Try Regular VPN instead of Shadowsocks

    I tried WireGuard but it wasn't supported since OpenVZ was used. I'll try OpenVPN next.

    I'm using https://github.com/Nyr/wireguard-install on webhorizon's nat ovz and it works flawlessly, give it a try.

  • WireGuard will work on OVZ, but I'm an OpenVPN advocate. So I'll recommend OpenVPN with the block-outside-dns feature
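
A client profile showing the option this reply refers to, added here as an example rather than taken from the thread. It assumes a server reachable as `vpn.example.net` listening on TCP/443 (the server must be configured with `proto tcp` and `port 443` to match) and certificate files next to the profile. `block-outside-dns` is a Windows-only client option: while the tunnel is up it uses the Windows Filtering Platform to drop DNS sent via any adapter other than the TAP/TUN one, so queries cannot leak to the local network's resolver. It can equally be pushed from the server with `push "block-outside-dns"`.

```conf
# client.ovpn (added example, not from the thread); hostnames and file names are assumptions
client
dev tun
proto tcp
remote vpn.example.net 443
resolv-retry infinite
nobind
persist-key
persist-tun

# verify we are talking to the real server, not a MITM box
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256

ca ca.crt
cert client.crt
key client.key
tls-crypt tc.key          # encrypt/authenticate the control channel too

# Windows only: refuse DNS on every interface except the tunnel while connected
block-outside-dns

verb 3
```

Two things this does not solve, both raised elsewhere in the thread: it only stops DNS leakage, and OpenVPN's own handshake is still identifiable to application-control signatures, so a network that fingerprints the plain WireGuard connection can fingerprint this too. Wrapping the tunnel in ordinary-looking TLS (the stunnel/Cloak/SoftEther suggestions below) is the next step if that happens.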

  • @dosai said:

    I'm using https://github.com/Nyr/wireguard-install on webhorizon's nat ovz and it works flawlessly, give it a try.

    I was using this script to install wireguard and it was throwing some random error. This worked thanks! I'll check whether the vpn works on the network.

  • As someone who administers Fortigates, its detection algorithms when inspecting traffic for VPNs, proxies, etc. are pretty good; it's probably detecting you're running SS+V2Ray and redirecting all requests to the block page because of proxy avoidance. - https://community.fortinet.com/t5/FortiGate/Blocking-Proxy-Avoidance-Software/ta-p/191482

  • tjn Member
    edited March 2023

    It's also very likely port 53 UDP is blocked, except for their own DNS servers (this is what I do) - so just use DNS over HTTPS.

    Better yet, fully wrap your VPN in HTTPS - stunnel comes to mind, but I haven't used it in a while.

    You can wrap WireGuard in stunnel

    Otherwise, https://github.com/cbeuw/Cloak should work.

    Softether's native client and server are good for this too.

  • @tjn said: so just use DNS over HTTPS.

    If they're using deep inspection this will also get picked up; however, I don't see a realistic way of them getting the MITM cert onto the device unless it's a provided resource or they're using an MDM for personal devices.

  • treesmokah Member
    edited March 2023

    @tjn said:
    It's also very likely port 53 UDP is blocked, except for their own DNS servers (this is what I do) - so just use DNS over HTTPS.

    Better yet, fully wrap your VPN in HTTPS - stunnel comes to mind, but I haven't used it in a while.

    You can wrap WireGuard in stunnel

    Otherwise, https://github.com/cbeuw/Cloak should work.

    Softether's native client and server are good for this too.

    https://github.com/mullvad/udp-over-tcp
    Get Mullvad. They have their own obfuscation wrapper for Wireguard and plenty of servers using it.

  • Yeah, the plain WireGuard VPN did not work. Thank you all for the suggestions, I'll try them out and keep you posted.

  • @DentFuse said:
    Yeah, the plain WireGuard VPN did not work. Thank you all for the suggestions, I'll try them out and keep you posted.

    Application signatures will be picking that one up.
