Despite the tabloid-style heading, there is no tabloid article to follow. All of us (I hope I can finally say this here on behalf of the whole community) are fed up with the actions of Roskomnadzor, and with its constant appearance in the recommended feed on Habr. So you will like this news; at least it is something important.
The news, by the way, dates back to December 2018.
In a nutshell, the main effective DPI method is now checking the SNI field in the packet. In order not to repeat myself, I will refer you to the ValdikSS article. Not all the information is there, but the main points are stated correctly. I will only add that the operator's equipment has now learned to inject a TLS 1.2 certificate that does not pass validation in the browser and whose common name is MGTS. (Not even mgts.ru, haha; that is, it is not even a domain, not that they could have gotten one issued anyway, with all this Certificate Transparency that Google created.) In addition, it is now unclear whether the IP is blocked completely, i.e. on all ports, as for example ping.pe/www.7-zip.org shows, or whether the DPI answers you. There is only one solution for sites: constantly change the IP address.
Rutracker has only three official mirrors (although you can create your own personal one; you only need your own domain): rutracker.net, rutracker.nl and rutrackerripnext.onion. All of them have some relationship with Cloudflare (the authoritative DNS servers are Cloudflare's, or Tor in the .onion case, and rutracker.nl also has IP addresses from Cloudflare, bgp.he.net/ip/104.28.16.16):
root@kali:~# dig @8.8.8.8 IN SOA rutracker.nl && dig @8.8.8.8 IN A rutracker.nl
;; ANSWER SECTION:
rutracker.nl. 3599 IN SOA buck.ns.cloudflare.com. dns.cloudflare.com. 2031873434 10000 2400 604800 3600
;; ANSWER SECTION:
rutracker.nl. 231 IN A 104.28.17.16
rutracker.nl. 231 IN A 104.28.16.16
;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 23 16:46:24 MSK 2019
;; MSG SIZE rcvd: 73
habr.com/ru/post/424857 habr.com/ru/company/globalsign/blog/427563 . , cloudflare… , 35% cloudflare (en. wiki), , - . eSNI, … .
, : eSNI (encrypted Server Name Indication) Cloudflare ( _esni
TXT , SNI, IETF IN TXT IN ESNI
github.com/tlswg/draft-ietf-tls-esni/pull/144).
root@kali:~# dig @8.8.8.8 IN TXT _esni.rutracker.nl
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> @8.8.8.8 IN TXT _esni.rutracker.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33017
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_esni.rutracker.nl. IN TXT
;; ANSWER SECTION:
_esni.rutracker.nl. 3599 IN TXT "/wF+a004ACQAHQAgtyygbWc/bwQo5RPSszvuzK+0BIucwJhOLHZ0iCqrCjsAAhMBAQQAAAAAXYTNUAAAAABdjLZQAAA="
;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 23 16:54:07 MSK 2019
;; MSG SIZE rcvd: 152
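The TXT value above is a base64-encoded ESNIKeys structure from draft-ietf-tls-esni-02 (version 0xff01). As an added example that is not part of the original article, here is a Python decoder for that record: it checks the version and the SHA-256 checksum described in the draft, extracts the key shares, cipher suites, padding length and validity window, and shows how a client decides whether the record is currently usable. The group and cipher suite names are my own labels for the code points; the record bytes are the ones captured in the dig output.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

# The _esni.rutracker.nl TXT value from the dig output above (draft-02 ESNIKeys).
ESNI_TXT = ("/wF+a004ACQAHQAgtyygbWc/bwQo5RPSszvuzK+0BIucwJhOLHZ0iCqrCjsAAhMB"
            "AQQAAAAAXYTNUAAAAABdjLZQAAA=")

NAMED_GROUPS = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}
CIPHER_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                 0x1303: "TLS_CHACHA20_POLY1305_SHA256"}


def parse_esni_keys(txt: str) -> dict:
    """Decode a draft-ietf-tls-esni-02 ESNIKeys record.

    Layout: version(2) checksum(4) keys<2-byte len of KeyShareEntry list>
            cipher_suites<2-byte len> padded_length(2) not_before(8) not_after(8)
            extensions<2-byte len>
    """
    raw = base64.b64decode(txt)
    version, checksum = struct.unpack_from("!H4s", raw, 0)
    if version != 0xFF01:
        raise ValueError(f"unsupported ESNIKeys version 0x{version:04x}")
    # Checksum = first 4 bytes of SHA-256 over the record with the checksum field zeroed.
    checksum_ok = hashlib.sha256(raw[:2] + bytes(4) + raw[6:]).digest()[:4] == checksum
    off = 6
    (keys_len,) = struct.unpack_from("!H", raw, off)
    off += 2
    keys, keys_end = [], off + keys_len
    while off < keys_end:  # KeyShareEntry: group(2) key_exchange<2-byte len>
        group, klen = struct.unpack_from("!HH", raw, off)
        off += 4
        keys.append((NAMED_GROUPS.get(group, f"0x{group:04x}"), raw[off:off + klen]))
        off += klen
    (cs_len,) = struct.unpack_from("!H", raw, off)
    off += 2
    suites = [CIPHER_SUITES.get(s, f"0x{s:04x}")
              for (s,) in struct.iter_unpack("!H", raw[off:off + cs_len])]
    off += cs_len
    padded_length, not_before, not_after, ext_len = struct.unpack_from("!HQQH", raw, off)
    if off + 20 + ext_len != len(raw):
        raise ValueError("ESNIKeys length does not match its extensions field")
    return {"version": version, "checksum_ok": checksum_ok, "keys": keys,
            "cipher_suites": suites, "padded_length": padded_length,
            "not_before": not_before, "not_after": not_after, "extensions_len": ext_len}


def is_valid_at(keys: dict, now: int) -> bool:
    """A client may only use the record while not_before <= now <= not_after (Unix seconds)."""
    return keys["not_before"] <= now <= keys["not_after"]


if __name__ == "__main__":
    k = parse_esni_keys(ESNI_TXT)
    for name in ("not_before", "not_after"):
        print(name, datetime.fromtimestamp(k[name], timezone.utc).isoformat())
    print(k["keys"][0][0], len(k["keys"][0][1]), k["cipher_suites"], k["padded_length"])
```

Running it shows why the record has to be re-fetched over DoH rather than cached for long: this key share was only valid for six days around the date of the dig.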
, ? -, eSNI Mozilla Firefox. Chromium ( Chrome) , , Google
IN ESNI , Google ( cloudflare, Firefox ). IETF. google / github .
: firefox about:config network.security.esni.enabled true. eSNI ( , : windows (IN TXT)
bugzilla.mozilla.org/show_bug.cgi?id=1500289) DNS over HTTPS, sni _esni.example.com IN TXT, dns,
. network.trr.mode 2 ( 3, TRR), network.trr.uri
https://mozilla.cloudflare-dns.com/dns-query
(
https://dns.google.com/experimental
https://1.0.0.1/dns-query
)
network.trr.bootstrapAddress, resolve
mozilla.cloudflare-dns.com resolver DoH DNS, , Firefox ( 1.0.0.1, 1.1.1.1 2606:4700:4700::1111 2606:4700:4700::1001 dig
mozilla.cloudflare-dns.com. ( , cloudflare.)) trr resolver:
github.com/bagder/TRRprefs
cloudflare.com/ssl/encrypted-sni Check My Browser
rutracker.nl, (2-6-20/ 2019-04-25-699- 29.05.2019 ). … ! : Android , . , DNS over TLS Android 9 eSNI, TRR . . , , .
bugzilla.mozilla.org/show_bug.cgi?id=1542754
, DPI (
NRO) RIR . , , . APNIC DNS ( ip Cloudflare DNS , ) eSNI , ip , looking glass , RIR.
, SNI
DPI .. .