Opened 4 months ago

Last modified 2 weeks ago

#22949 new enhancement

Add some IP-HOST pairs for meek use

Reported by: cypherpunks
Owned by: n8fr8
Priority: Medium
Milestone:
Component: Applications/Orbot
Version:
Severity: Normal
Keywords: meek
Cc: arma
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

  1. I want to use meek.
  2. My network is blocking DNS requests.

Please consider adding some IP:PORT pairs to Orbot itself.

Current behavior:
Orbot: "Hey DNS, resolve www.google.com (for domain fronting)"
DNS: "Reject!"
Orbot: "Hey user, you can't connect!!"

Expected behavior:
Orbot: "Hey DNS, resolve www.google.com (for domain fronting)"
DNS: "Reject!"
Orbot: "Then I'll try 120.130.140.150 (www.google.com's IP addr.)"
Orbot: Trying to connect: 120.130.140.150:443 with "Host: google.com".
Orbot: Success. Fuck DNS :)

I'm not joking. By adding valid IP addresses into the Orbot core, users
can access the Tor network even if DNS is blocked.
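
The fallback requested above, as an added sketch that is not part of the ticket and is not Orbot or meek code: try DNS first, fall back to a pinned address list, and always verify the TLS certificate against the front name so a stale or hijacked pinned IP fails the handshake. The front name, the addresses (documentation range) and all function names are assumptions.

```python
import socket
import ssl

# Constructed placeholders (not real meek endpoints): a front domain and
# last-known-good addresses taken from the documentation range 192.0.2.0/24.
PINNED = {"front.example.com": ["192.0.2.10", "192.0.2.11"]}


def candidate_addresses(host, resolver=socket.getaddrinfo, pinned=PINNED):
    """Return (addresses, source): DNS answers first, pinned IPs on DNS failure."""
    try:
        infos = resolver(host, 443, type=socket.SOCK_STREAM)
        addrs = list(dict.fromkeys(info[4][0] for info in infos))  # dedupe, keep order
        if addrs:
            return addrs, "dns"
    except OSError:  # socket.gaierror is a subclass: blocked or failed lookup
        pass
    return list(pinned.get(host, [])), "pinned"


def connect_front(front, resolver=socket.getaddrinfo, pinned=PINNED, timeout=10):
    """Open a TLS connection to `front`, dialing an IP directly if DNS fails.

    SNI and certificate verification always use the front *name*, never the
    IP, so the pinned list only chooses where to dial, not whom to trust.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    addrs, source = candidate_addresses(front, resolver, pinned)
    last_error = OSError(f"no address available for {front}")
    for ip in addrs:
        try:
            raw = socket.create_connection((ip, 443), timeout=timeout)
        except OSError as exc:
            last_error = exc
            continue
        try:
            return ctx.wrap_socket(raw, server_hostname=front), ip, source
        except OSError as exc:  # includes ssl.SSLCertVerificationError
            raw.close()
            last_error = exc
    raise last_error
```

The "Host:" header for the fronted service would be sent inside the returned TLS socket; the pinned list still has to be kept current, which is the maintainability cost raised in comment:3.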

Change History (5)

comment:1 Changed 4 months ago by cypherpunks

Good idea, meek-amazon and meek-azure front-ends are probably only blocked in some corporate firewalls, so maybe countering DNS poisoning may be useful in those cases.

comment:2 Changed 4 months ago by yawning

Cc: yawning removed

Attempting in vain to remove myself from the cc list.

comment:3 Changed 4 months ago by dcf

Keywords: meek added
Priority: Very High → Medium
Severity: Critical → Normal
Type: defect → enhancement

I think that a local IP address database is unlikely to be implemented, for maintainability reasons. Also I'm not sure this is actually a common problem. Have you actually encountered it in practice, or are you just suggesting it as a possibility?

meek-google hasn't worked for a year now—were you only using www.google.com as an example, or are you actually using it for fronting somehow? Is there really a work network that blocks www.google.com by DNS? How would anyone get any work done?

If you are on a network that actually is DNS-blocking the default front domain, you can try changing the front domain. You can also try configuring a DNS server other than the default. If that doesn't work, you can also maintain your own local DNS database in /etc/hosts or similar. Or just use obfs4 in that case?

comment:4 Changed 2 weeks ago by cypherpunks

> Have you actually encountered it in practice

  1. Connect to AppsVPN (e.g. M88B's "NetGuard" - open source app)
  2. This VPN was configured to block DNS requests to prevent DNSLeak.
  3.
     1. I can connect to Tor using Orbot without a bridge, IF the network is NOT CENSORED
     2. I can NOT connect to Tor using Orbot without a bridge because the network is clearly monitored.

> maintain your own local DNS database in /etc/hosts or similar

And how can I do such a thing if my phone is unrootable?
Is there any way to solve this?

Can I solve this by adding "MapAddress" or what?

https://www.google.com/ --header 'Host: meek-reflect.appspot.com'

Orbot --- Advanced Torrc
MapAddress meek-reflect.appspot.com 10.20.30.40

Will the above 1 line make meek work WITHOUT a DNS request?

comment:5 Changed 2 weeks ago by cypherpunks

And the Google above is just an example. I just want you to know that some networks are blocking DNS requests. So, an IP-Host pair is necessary. And for advanced users like me, please provide a way to solve this. I guess "MapAddress" does the trick, but I'm not sure meek.exe(?) obeys torrc's MapAddress.