Using DNSCrypt to solve the DNS pollution problem

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Preface

Before I start this article, some background: the Great Firewall of China is a great-looking tool used by XX to cut Internet users off from the wider Internet and close the country's door. Recently, a number of well-known foreign websites, such as google.com, youtube.com, facebook.com and dropbox.com, cannot be visited normally, thanks to its gifts. The main blocking techniques it implements include IP blocking, keyword filtering, domain name hijacking and pollution, and HTTPS certificate filtering. This article uses DNSCrypt to counter its DNS hijacking and pollution.

Let's first look at what DNS hijacking and DNS pollution are; they are not the same concept. Hosts identify each other by IP address, but IP addresses are hard to remember, so domain names such as www.baidu.com were introduced. A domain name is connected to an IP address through DNS resolution, which maps the name to the address. This mapping is stored on DNS servers.

What is DNS hijacking?

DNS hijacking usually happens at some network operators. It means taking control of a DNS server and then, by some means, changing the IP addresses that certain domain names resolve to. It is carried out by tampering with the data on the DNS server so that an incorrect query result is returned to the user.

Symptoms of DNS hijacking: in some areas, after connecting to broadband, the first page a user opens is redirected to content pages provided by the ISP, such as "Telecom Interconnection Star" and "Netcom Yellow pages Advertising". There have also been cases where users visiting the Google domain name were shown the Baidu website. These are all results of DNS hijacking.

To deal with DNS hijacking, you only need to set the DNS server address in your network configuration to a foreign DNS server, such as the ones provided by Google: 8.8.8.8 and 8.8.4.4.

What is DNS pollution

DNS pollution is a way to stop ordinary users from communicating with a target host by giving them a fake IP address for it. It is a form of DNS cache poisoning. It works as follows: ordinary DNS queries have no authentication mechanism and are usually carried over a connectionless, unreliable protocol (UDP), so they are very easy to tamper with. By inspecting DNS queries on UDP port 53, once a request is found to match a keyword, a false result is immediately returned to the querier, disguised as coming from the name server (NS) of the target domain name.

Symptoms of DNS pollution: many websites are currently blocked through DNS pollution, such as YouTube, Facebook, DropBox and so on.

For DNS pollution, ordinary users cannot solve the problem simply by setting a foreign DNS server. I need to use the key point of this article: DnsCrypt-proxy. I solved the access blockade to Dropbox in this way.

First, take a look at the resolution of www.dropbox.com on Google's DNS server (8.8.8.8).

Resolution of www.dropbox.com by the telecom DNS server (114.114.114.114)

In both cases www.dropbox.com is resolved to the IP 59.24.3.173, which is a South Korean IP. Testing it with the webmaster ping tool, every probe times out (I only captured part of the results); if a server is not accessible or has ping disabled, all probes time out.

Whether the packets come from Google's servers or from the telecom servers, they are tampered with by the Great Firewall before we receive them. To prevent this, we need to use DNSCrypt to ensure that our DNS query packets are not tampered with.

DNSCrypt is an encrypted DNS tool released by OpenDNS. It encrypts DNS traffic and prevents common DNS attacks, such as replay attacks, observation attacks, timing attacks, man-in-the-middle attacks and resolution forgery attacks. DNSCrypt supports Mac OS and Windows as well as Linux and is an excellent tool for preventing DNS pollution. I tried it on both Mac OS and CentOS.
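What a plain UDP DNS client can actually verify, as an added example (not code from the original article): a reply is accepted when its 16-bit transaction ID and question match, so a forged reply passes, and two accepted replies with different answers to a single query are the observable sign of injection. The function names and the capture are constructed for illustration; 192.0.2.10 is a placeholder address.

```python
import struct
from ipaddress import IPv4Address

def sample_reply(txid, name, ip):
    """Build a minimal A-record reply; only used to construct sample input."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    head = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return head + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address(ip).packed

def skip_name(pkt, off):
    """Advance past a DNS name made of labels and/or a compression pointer."""
    while pkt[off]:
        if pkt[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def parse_reply(pkt):
    """Return (transaction ID, question name, A-record IPs) of a wire-format reply."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, labels, ips = 12, [], []
    while pkt[off]:  # the question name is stored as plain labels
        labels.append(pkt[off + 1:off + 1 + pkt[off]].decode("ascii"))
        off += 1 + pkt[off]
    off += 1 + 4  # root label, QTYPE, QCLASS
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(str(IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return txid, ".".join(labels).lower(), ips

def check_replies(query_id, query_name, replies):
    """Keep the replies a plain-DNS client would accept; flag conflicting answers."""
    accepted = []
    for src, pkt in replies:
        txid, name, ips = parse_reply(pkt)
        if txid == query_id and name == query_name.lower():
            accepted.append((src, tuple(ips)))
    return accepted, len({ips for _, ips in accepted}) > 1

# Constructed capture for one query to 8.8.8.8; 192.0.2.10 is a placeholder address.
CAPTURE = [
    ("8.8.8.8", sample_reply(0x1A2B, "www.dropbox.com", "59.24.3.173")),
    ("8.8.8.8", sample_reply(0x1A2B, "www.dropbox.com", "192.0.2.10")),
]
ACCEPTED, CONFLICT = check_replies(0x1A2B, "www.dropbox.com", CAPTURE)
```

Both replies carry the expected source address, transaction ID and question, so nothing in the protocol lets the client tell which one is genuine; only the disagreement between them is visible.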

Install DNSCrypt-proxy

The installation on Mac OS and Linux is very simple, just follow the documentation on the project home page step by step.

On Mac OS, it can be installed with one command using the brew tool: brew install dnscrypt-proxy

Linux installation

# Install the dependency (libsodium)
# Check each downloaded tarball against the checksum or signature published by its project before building
cd /usr/local/src/
wget "https://download.libsodium.org/libsodium/releases/libsodium-0.5.0.tar.gz"
tar -xzvf libsodium-*.tar.gz
cd libsodium-*
./configure
make
make install
# Register /usr/local/lib with the dynamic linker first, then refresh its cache
echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf
ldconfig

# Build and install dnscrypt-proxy
cd /usr/local/src/
wget "http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.4.0.tar.bz2"
bunzip2 -cd dnscrypt-proxy-*.tar.bz2 | tar xvf -
cd dnscrypt-proxy-*
./configure
make
make install

Start dnscrypt-proxy

The usage of dnscrypt-proxy can be looked up with man 8 dnscrypt-proxy

Before starting, note one thing: because dnscrypt-proxy, as a query proxy, encrypts its communication, the destination DNS server must support it as well, and the project home page provides a list of available

Startup script

Finally, we can see that a connection has been established between port 53 of the local machine and port 443 of the destination host. According to the instructions on the official website, if the installation succeeded, running dig txt debug.opendns.com will show output like: debug.opendns.com. 0 IN TXT "dnscrypt enabled (.)"

Congratulations, we have succeeded. The next step is to point the local DNS server setting to this proxy.

Let's take a look at the resolution of www.dropbox.com.

Visit https://www.dropbox.com
