EU.ORG got blocked by GFW recently #350
Comments
Note: This is a free domain name provider. It has no relation with the European Union, despite its name.
Can you confirm whether this is a blocking against the SNI?
@gaukas It seems to be against the SNI. I tested:
Thanks! So after a TLS handshake using a blocked SNI with a target, all TLS connections (supposedly from the same source IP) to that server (IP:443) are blocked for some period of time.
It's resolving to user-provided IPs; there's no coherent IP range or finite/distinct set of ASNs it resolves to. What is not technically clear to me is whether eu.org is blocked by SNI or by the preceding DNS query. For example, are requests to eu.org domains fine if DoH is used, and/or if the SNI is bogus/empty? Are non-TLS protocols fine?
So what is the significance of eu.org then 🧐 I don't believe all free domains/TLDs are targeted?
Steps 3, 4, 5 support that it is due to SNI, as I can see.
Note that eu.org is not a TLD.
That's true, it is my bad for not stating my question clearly: since there are
Just one of your "subdomains" being targeted is enough; they would target *.maindomain. We have seen this hundreds of times. So it does not need to be special.
Thank you for sharing. I'm not aware of this; could you please point me to other discussion threads or other resources about the same behavior? And also, do we know what the exact trigger is for such a "full domain TLS RST"? Do you have to have a website hosting banned content, do you have to run a TLS proxy server, or what else? Btw, I wonder if this implies none of the free subdomains will be available in China, perhaps also including restrictive ones such as *.netlify.app, *.azurewebsites.net, etc.?
They do not ban high-profile domains like *.netlify.app, but they do ban their subdomains. But in the case of smaller fish they do ban the whole domain. China does not use spoofing anymore (or very rarely), because their users know how to deal (DoH etc.) with this kind of basic blocking method. Their main method is really to intercept all SSL connections (we know they intercept on all ports) with ClientHello and look at the requested certificate and send RST to both parties and firewall the IP for a certain period (a few minutes) (obviously their SSL filter requires more resources). This is a very effective way. In eu.org I see that your subdomains do have their own certs.. This is a good start, but the guy who decided about your ban might have seen eu.org as !important and banned the whole eu.org.. Or the second scenario is: one or multiple users placed anti-regime pages on one of your subdomains, and they are able to change their subdomains by registering a new subdomain with you. So they were tired of playing the cat-and-mouse game and banned the whole "!important" eu.org... We sometimes see unbans, but very rarely. We see domains that were banned for a whole year. But in your case eu.org seems not to be banned but *.eu.org seems to be (just checked)
I just learned that this blocking behavior has been lifted on
Yes, seems to be; I have tried nl and cy.
Yes, seems so for me.
About one week ago, some people reported that TLS connections to EU.ORG domains are blocked by the Great Firewall.
Can be confirmed in both China Telecom and China Mobile networks.
There is no known DNS pollution in this blocking. All DNS queries I tested got the correct result.
Plain HTTP requests on 80/TCP are not blocked.
After attempts to establish a TLS connection on 443/TCP (other ports were not tested), the connection will be reset, and further packets to the server's 443/TCP will be dropped for several minutes.
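The issue body above describes the measurement (DNS is clean, port 80 is fine, a TLS ClientHello on 443 gets an RST followed by minutes of dropped packets), and the comment earlier in the thread describes the mechanism (the filter reads the server name out of the plaintext ClientHello). The script below is an added example written for this thread; it is not code from the reporter or from any commenter. It builds a minimal TLS 1.2 ClientHello with one SNI entry, parses the SNI back out of the raw bytes the same way a middlebox would, and offers a small probe that sends the ClientHello to a host and classifies the first response as ServerHello, alert, RST, timeout, or closed. The hostname, IP and cipher list are constructed placeholders; `probe` needs network access and is not exercised by the offline checks.

```python
import socket
import struct

SNI_EXTENSION = 0x0000  # TLS extension type "server_name"


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a single SNI host_name entry."""
    host = server_name.encode("idna")
    # ServerName = name_type(0 = host_name) + uint16 length + name bytes
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    cipher_suites = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x9d"  # constructed: four common AES-GCM suites
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x00" * 32                                # random (constructed, all zero)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent or not a ClientHello.

    Walks the record exactly as an on-path filter would: nothing here is encrypted,
    which is why SNI-based blocking works without touching DNS.
    """
    try:
        if record[0] != 0x16:                         # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                             # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                  # skip version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXTENSION:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error, UnicodeError):
        return None                                   # truncated or malformed input


def probe(ip: str, port: int, server_name: str, timeout: float = 5.0) -> str:
    """Send one ClientHello and classify the first thing that comes back (needs network)."""
    hello = build_client_hello(server_name)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(hello)
            first = s.recv(5)
    except ConnectionResetError:
        return "rst"                                  # injected or genuine TCP reset
    except socket.timeout:
        return "timeout"                              # packets dropped, e.g. the post-RST drop window
    except OSError as exc:
        return f"error:{exc.errno}"
    if not first:
        return "closed"
    return {0x16: "serverhello", 0x15: "alert"}.get(first[0], "other")


if __name__ == "__main__":
    hello = build_client_hello("example.eu.org")      # constructed hostname
    print("SNI seen on the wire:", extract_sni(hello))
    # print(probe("192.0.2.10", 443, "example.eu.org"))  # constructed IP; run only with network
```

When using `probe` for measurement, send the control name (one you expect to be fine) to a given IP before the name under test: the thread reports that a single ClientHello with a blocked name makes that IP:443 unreachable for minutes, so the order of probes decides whether the control result means anything.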