Opened 11 days ago

Last modified 10 days ago

#22949 new enhancement

Add some IP-HOST pair for meek use

Reported by: cypherpunks Owned by: n8fr8
Priority: Medium Milestone:
Component: Applications/Orbot Version:
Severity: Normal Keywords: meek
Cc: arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

  1. I want to use meek.
  2. My network is blocking DNS requests.

Please consider adding some IP:PORT pairs to Orbot itself.

Current behavior:
Orbot: "Hey DNS, resolve www.google.com (for domain fronting)"
DNS: "Reject!"
Orbot: "Hey user, you can't connect!!"

Expected behavior:
Orbot: "Hey DNS, resolve www.google.com (for domain fronting)"
DNS: "Reject!"
Orbot: "Then I'll try 120.130.140.150(www.google.com's IP addr.)"
Orbot: Trying to connect: 120.130.140.150:443 with "Host: google.com".
Orbot: Success. Fuck DNS :)

I'm not joking. By adding valid IP addresses into Orbot core, users
can access the Tor network even if DNS is blocked.

Change History (3)

comment:1 Changed 11 days ago by cypherpunks

Good idea, meek-amazon and meek-azure front-ends are probably only blocked in some corporate firewalls, so maybe countering DNS poisoning may be useful in those cases.

comment:2 Changed 11 days ago by yawning

  • Cc yawning removed

Attempting in vain to remove myself from the cc list.

comment:3 Changed 10 days ago by dcf

  • Keywords meek added
  • Priority changed from Very High to Medium
  • Severity changed from Critical to Normal
  • Type changed from defect to enhancement

I think that a local IP address database is unlikely to be implemented, for maintainability reasons. Also I'm not sure this is actually a common problem. Have you actually encountered it in practice, or are you just suggesting it as a possibility?

meek-google hasn't worked for a year now—were you only using www.google.com as an example, or are you actually using it for fronting somehow? Is there really a work network that blocks www.google.com by DNS? How would anyone get any work done?

If you are on a network that actually is DNS-blocking the default front domain, you can try changing the front domain. You can also try configuring a DNS server other than the default. If that doesn't work, you can also maintain your own local DNS database in /etc/hosts or similar. Or just use obfs4 in that case?
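Added example (not part of the ticket, and not Orbot or meek code): a sketch of the fallback discussed in this thread, where a local hosts-format table is consulted only when DNS fails and the TLS certificate is still verified against the hostname, so a stale or wrong pinned address fails closed. The table contents, `front.example`, and all function names are assumptions made up for the illustration.

```python
import ipaddress
import socket
import ssl

# Constructed sample in /etc/hosts format; names and addresses are placeholders
# (192.0.2.0/24 is reserved for documentation), not real front domains.
PINNED_HOSTS = """\
# address      names
192.0.2.10     front.example
192.0.2.11     front.example www.front.example
not-an-ip      broken.example
"""

def parse_hosts(text):
    """Parse hosts-format text into {lowercased name: [ip, ...]}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip malformed entries rather than dial garbage
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(ip)
    return table

def resolve_with_fallback(host, pinned, lookup=socket.getaddrinfo):
    """Return (addresses, source); use the pinned table only if DNS fails."""
    try:
        infos = lookup(host, 443, type=socket.SOCK_STREAM)
        addrs = list(dict.fromkeys(info[4][0] for info in infos))
        if addrs:
            return addrs, "dns"
    except OSError:  # socket.gaierror is a subclass of OSError
        pass
    addrs = pinned.get(host.lower(), [])
    if not addrs:
        raise LookupError(f"no DNS answer and no pinned address for {host}")
    return addrs, "pinned"

def connect_tls(host, addr, timeout=10):
    """Dial the address, but verify the certificate against the hostname."""
    ctx = ssl.create_default_context()  # check_hostname and CERT_REQUIRED on
    raw = socket.create_connection((addr, 443), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)
```

Because `server_hostname` is the name rather than the pinned address, the maintainability concern raised in comment:3 shows up as a failed connection when an entry goes stale, not as a connection to the wrong server.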
