{"id":204,"date":"2021-03-23T14:26:00","date_gmt":"2021-03-23T19:26:00","guid":{"rendered":"http:\/\/sycured.127.0.0.1.sslip.io\/?p=204"},"modified":"2024-01-13T20:43:47","modified_gmt":"2024-01-14T01:43:47","slug":"bitel-drop-dns-bypass","status":"publish","type":"post","link":"http:\/\/10.42.0.68:8080\/blog\/bitel-drop-dns-bypass","title":{"rendered":"NET NEUTRALITY – Bitel: Drop DNS Bypassed"},"content":{"rendered":"\n
Bitel, an internet provider in Peru, drops plain DNS traffic to any resolver other than its own.

This is a direct attack on Net Neutrality, privacy, freedom, and security.

In this example, I'll use Cloudflare DNS as the destination.

I exclusively use Cloudflare DNS on my laptop (MacBook Pro), so I configured both Wi-Fi and Ethernet to use it.

I use security.cloudflare-dns.com, that is, 1.1.1.2, 1.0.0.2, 2606:4700:4700::1112 and 2606:4700:4700::1002.

I have a little command to set it up on my laptop (the networksetup one-liner below):

When I connect my laptop through my smartphone's hotspot, using my Bitel SIM, every DNS query times out, and nothing more.

I tried a lot of tests and nothing was working... wait: no DNS traffic gets through, but TCP to my web servers (directly by IP address) works.

Net Neutrality (quoting the Wikipedia definition) is the principle that Internet service providers (ISPs) must treat all Internet communications equally, and not discriminate or charge differently based on user, content, website, platform, application, type of equipment, source address, destination address, or method of communication.

With net neutrality, ISPs may not intentionally block, slow down, or charge money for specific online content.

Without net neutrality, ISPs may prioritize certain types of traffic, meter others, or potentially block traffic from specific services, while charging consumers for various tiers of service.

We have the right to distrust our internet provider and to use external DNS servers, Cloudflare or others, depending on our needs and on whom we trust.

I never trusted Bitel as my DNS provider, and now I trust it even less.

Yes, it is also about security: because Bitel intentionally blocks other DNS servers, I can't use Cloudflare for Families or any other DNS-based solution such as OpenDNS FamilyShield to protect my child.

For example, 1.1.1.2 and 1.0.0.2 (the malware-blocking Cloudflare for Families resolvers) refuse to resolve known-malicious domains, so they are a good default for any personal computer.

The easy way to get around this without weakening security is to stop sending plain DNS at all. DNS-over-TLS (DoT) carries the same queries inside a TLS session on TCP port 853, so the filter that drops plain DNS never sees them, and the resolver authenticates itself with a certificate, so the ISP cannot quietly answer in its place either. (DNS-over-HTTPS would do the same job; this post uses DoT with Stubby.)

This is a quick, working config for /usr/local/etc/stubby/stubby.yml (Homebrew's path on Intel Macs; on Apple Silicon the prefix is /opt/homebrew instead of /usr/local):

I commented out the pinset in this post because Cloudflare can rotate its certificate, and you then have to recompute the pin. Note that the commented value, 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=, is the SHA-256 of an empty input: that is what the original pipeline produces when openssl rsa rejects a non-RSA key (Cloudflare's resolver certificate uses an ECDSA key). Compute the real pin with openssl pkey instead:

Start Stubby as a service (or run it in the foreground with -C to watch its log while debugging):

Now point the system resolver at it:

You can open any website and check that it loads, or use my shell function below, which tells you which DNS server (IP and organization) is actually answering your queries:

In my case, the organization must be Cloudflare.

Video: https://youtu.be/S-DyWBB5kWc","protected":false},"excerpt":{"rendered":" Bitel, an internet provider in Peru, drops DNS traffic to other servers. This is a direct attack on Net Neutrality, privacy, freedom, and security. In this example, I’ll use CloudFlare DNS as the destination.<\/p>\n","protected":false},"author":1,"featured_media":72,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"saved_in_kubio":false,"footnotes":""},"categories":[9],"tags":[23,19],"_links":{"self":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/204"}],"collection":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/comments?post=204"}],"version-history":[{"count":1,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/204\/revisions"}],"predecessor-version":[{"id":205,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/204\/revisions\/205"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media\/72"}],"wp:attachment":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media?parent=204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/10.42.0.68:8
080\/wp-json\/wp\/v2\/categories?post=204"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/tags?post=204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<h2>The problem</h2>
<pre><code># macOS: make the Wi-Fi service use Cloudflare's malware-blocking resolvers (IPv4 and IPv6).
# Repeat with the wired service name ("Ethernet", see networksetup -listallnetworkservices).
networksetup -setdnsservers Wi-Fi 1.1.1.2 1.0.0.2 2606:4700:4700::1112 2606:4700:4700::1002</code></pre>
<h3>Net Neutrality, privacy and freedom</h3>
<h3>Security</h3>
<h2>Bypass</h2>
<h3>Install and configure Stubby</h3>
<pre><code>brew install stubby</code></pre>
<pre><code>resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # TLS only; no fallback to plain port 53
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # refuse upstreams whose certificate does not match tls_auth_name
tls_query_padding_blocksize: 128    # pad queries to a multiple of 128 bytes so their length leaks less
edns_client_subnet_private: 1       # do not forward the client subnet to authoritative servers
round_robin_upstreams: 1
idle_timeout: 9000
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  - address_data: 1.1.1.2
    tls_auth_name: "security.cloudflare-dns.com"
# Optional pinning on top of hostname authentication. The value below is NOT a real pin:
# it is base64(sha256("")), the output of a failed openssl pipeline. Recompute it with the
# openssl pkey command before uncommenting, and expect to redo that when Cloudflare rotates keys.
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
  - address_data: 1.0.0.2
    tls_auth_name: "security.cloudflare-dns.com"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
  - address_data: 2606:4700:4700::1112
    tls_auth_name: "security.cloudflare-dns.com"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
  - address_data: 2606:4700:4700::1002
    tls_auth_name: "security.cloudflare-dns.com"
#    tls_pubkey_pinset:
#      - digest: "sha256"
#        value: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</code></pre>
<pre><code># Pin = base64(SHA-256(DER SubjectPublicKeyInfo)). Use "openssl pkey", not "openssl rsa":
# the rsa tool rejects Cloudflare's ECDSA key and emits nothing, so the rest of the pipeline
# hashes an empty input and prints 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= for any server.
# The leading echo closes s_client's stdin so it exits after the handshake.
echo | openssl s_client -connect 1.1.1.2:853 -servername security.cloudflare-dns.com 2>/dev/null \
  | openssl x509 -pubkey -noout \
  | openssl pkey -pubin -outform der \
  | openssl dgst -sha256 -binary \
  | openssl enc -base64</code></pre>
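The following shell script is an added example, not code from the original post. It wraps the pin calculation above in a function that works for both RSA and ECDSA keys, reproduces the failure mode of the original openssl rsa pipeline on an ECDSA key (it yields the SHA-256 of nothing), and shows the comparison Stubby performs when a pinset is configured. The certificates are throwaway self-signed ones generated on the fly; the subject dot.example.test and the function names are placeholders chosen here, and fetch_pin is the only function that needs network access.

```shell
#!/bin/sh
# Added example, not from the original post: SPKI pin computation for Stubby's
# tls_pubkey_pinset, plus a demonstration of why "openssl rsa" produced a bogus value.

# base64(sha256("")): the digest of an empty byte string
EMPTY_SHA256_B64='47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='

# spki_pin CERT.pem -> base64(sha256(DER SubjectPublicKeyInfo)); works for any key type
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# broken_rsa_pin CERT.pem -> the original pipeline. "openssl rsa" only understands RSA
# keys; on an ECDSA key it prints an error and no bytes, so dgst hashes empty input.
broken_rsa_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# fetch_pin IP SNI -> pin of the certificate a live DoT server presents on port 853.
# Needs network; </dev/null makes s_client exit after the handshake instead of waiting on stdin.
fetch_pin() {
  openssl s_client -connect "$1:853" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# make_test_cert {ec|rsa} OUT.pem -> throwaway self-signed certificate (constructed test
# data, placeholder subject dot.example.test) so the functions above run offline.
make_test_cert() {
  key=$(mktemp)
  case "$1" in
    ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$key" ;;
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null ;;
    *)   echo "unknown key type: $1" >&2; rm -f "$key"; return 1 ;;
  esac
  openssl req -x509 -new -key "$key" -subj "/CN=dot.example.test" -days 1 -out "$2" 2>/dev/null
  rm -f "$key"
}

# check_pin CERT.pem EXPECTED -> 0 if the certificate's pin matches, 1 otherwise. This is
# the comparison Stubby makes at connect time when tls_pubkey_pinset is set; a rotated
# certificate with a new key fails here and the upstream is refused.
check_pin() {
  [ "$(spki_pin "$1")" = "$2" ]
}
```

Run it with `. ./pin.sh; fetch_pin 1.1.1.2 security.cloudflare-dns.com` to get the value to paste into stubby.yml; if the output ever equals EMPTY_SHA256_B64, the pipeline failed somewhere and you are not pinning anything.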
<pre><code># run Stubby as a launchd service; sudo because it binds the privileged port 53 on localhost
sudo brew services start stubby</code></pre>
<pre><code># alternative while debugging: run it in the foreground with this config and watch the log
sudo stubby -C /usr/local/etc/stubby/stubby.yml</code></pre>
<pre><code># send all system DNS to the local Stubby listener (again, repeat for the wired service)
networksetup -setdnsservers Wi-Fi 127.0.0.1 ::1</code></pre>
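The one-liners above touch only the Wi-Fi service. As an added example that is not part of the original post, here is a small POSIX shell script that applies the same change to every enabled network service, checks what the system resolver ended up with, and can revert the change. Only enabled_services is pure text processing (it parses a copy of networksetup's output); set_dns_everywhere and current_resolvers call macOS tools and are placeholder names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: point every enabled macOS network service at
# the local Stubby listener, or revert to the DHCP-provided resolvers. macOS only, except
# for the pure-text helper enabled_services.

# enabled_services: filter `networksetup -listallnetworkservices` output read from stdin.
# Edge cases: the first line is a banner sentence, not a service; disabled services are
# prefixed with "*" and must be skipped; blank lines are dropped.
enabled_services() {
  awk 'NR > 1 && NF > 0 && $0 !~ /^\*/ { print }'
}

# set_dns_everywhere SERVER... : apply the resolver list to each enabled service.
# Pass the literal word Empty to go back to the DHCP/ISP resolvers.
set_dns_everywhere() {
  networksetup -listallnetworkservices | enabled_services | while IFS= read -r svc; do
    echo "$svc -> $*"
    networksetup -setdnsservers "$svc" "$@"
  done
}

# current_resolvers: the nameservers the system resolver will actually use right now.
# scutil --dns prints "nameserver[N] : ADDRESS" lines per resolver scope; after the switch
# only 127.0.0.1 and ::1 should appear.
current_resolvers() {
  scutil --dns | awk '/nameserver\[/ { print $3 }' | sort -u
}

# Usage on the Mac being configured:
#   set_dns_everywhere 127.0.0.1 ::1   # Stubby (DoT)
#   current_resolvers
#   set_dns_everywhere Empty           # revert
```

If current_resolvers still shows a Bitel or carrier address after the switch, some service (often a VPN or a tethered interface) was disabled when you ran it and got its DNS from DHCP later.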
<h3>Verify</h3>
<pre><code># whoami.akamai.net resolves to the address of the recursive resolver that asked Akamai,
# so after the switch the IP and its whois organization should be Cloudflare's, not Bitel's.
function whatsmydns() {
  local ip
  ip=$(ping -c 1 whoami.akamai.net | awk '/from/ {print $4}' | cut -d ':' -f1)
  [ -n "$ip" ] || { echo "no reply (DNS failed, or the resolver does not answer ICMP)"; return 1; }
  echo "$ip"
  whois "$ip" | awk '/Organization|org-name/'
}</code></pre>
<h2>My evidence</h2>