{"id":204,"date":"2021-03-23T14:26:00","date_gmt":"2021-03-23T19:26:00","guid":{"rendered":"http:\/\/sycured.127.0.0.1.sslip.io\/?p=204"},"modified":"2024-01-13T20:43:47","modified_gmt":"2024-01-14T01:43:47","slug":"bitel-drop-dns-bypass","status":"publish","type":"post","link":"http:\/\/10.42.0.68:8080\/blog\/bitel-drop-dns-bypass","title":{"rendered":"NET NEUTRALITY &#8211; Bitel: Drop DNS Bypassed"},"content":{"rendered":"\n<p>Bitel, an internet provider in Peru, drops DNS traffic to other servers.<\/p>\n\n\n\n<p>This is a direct attack on Net Neutrality, privacy, freedom, and security.<\/p>\n\n\n\n<p>In this example, I&#8217;ll use <a href=\"http:\/\/1.1.1.1\/\">CloudFlare DNS<\/a> as the destination.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">The problem<\/h2>\n\n\n\n<p>I exclusively use CloudFlare DNS on my laptop (MacBook Pro) so I set up my settings to use it on Wi-Fi and Ethernet.<\/p>\n\n\n\n<p>I use security.cloudflare-dns.com or more exactly:<\/p>\n\n\n\n<ul>\n<li>1.1.1.2<\/li>\n\n\n\n<li>1.0.0.2<\/li>\n\n\n\n<li>2606:4700:4700::1112<\/li>\n\n\n\n<li>2606:4700:4700::1002<\/li>\n<\/ul>\n\n\n\n<p>I have a little command to set up on my laptop:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>networksetup -setdnsservers Wi-Fi 1.1.1.2 1.0.0.2 2606:4700:4700::1112 2606:4700:4700::1002<\/code><\/pre>\n\n\n\n<p>When I connect my laptop with my smartphone (hotspot) with my sim Bitel, I have a timeout and nothing more.<\/p>\n\n\n\n<p>I tried a lot of tests and nothing is working\u2026 wait, no DNS traffic but TCP (directly using the IP address) is working on my webservers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Net Neutrality, privacy and freedom<\/h3>\n\n\n\n<p>Net Neutrality is the principle that Internet service providers (ISPs) must treat all Internet communications equally, and not discriminate or charge differently based on user, content, website, platform, application, type of equipment, source address, destination address, or method of communication.[4][5]<\/p>\n\n\n\n<p>With net neutrality, ISPs may not intentionally block, slow down, or charge money for specific online content.<\/p>\n\n\n\n<p>Without net neutrality, ISPs may prioritize certain types of traffic, meter others, or potentially block traffic from specific services, while charging consumers for various tiers of service.<\/p>\n\n\n\n<p>We have the right to untrust our internet provider and use external DNS servers like CloudFlare or others depending on our need and trust.<\/p>\n\n\n\n<p>I never trusted Bitel to be my DNS provider and now, I untrust it a lot more.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Security:<\/h3>\n\n\n\n<p>Yes, it&#8217;s also about security because Bitel is intentionally blocking other DNS so I can&#8217;t use <a href=\"https:\/\/blog.cloudflare.com\/introducing-1-1-1-1-for-families\/\">CloudFlare for Families<\/a> or any other solution using DNS like <a href=\"https:\/\/www.opendns.com\/home-internet-security\/\">OpenDNS Family Shield<\/a> to protect my child.<\/p>\n\n\n\n<p>For example, 1.1.1.2\/1.0.0.2 is blocking malware so it&#8217;s good for any personal computer to use it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bypass:<\/h2>\n\n\n\n<p>The only way to bypass easily this problem without security issues is by using DNS-over-TLS.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and configure Stubby<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>brew install stubby<\/code><\/pre>\n\n\n\n<p>This is a quick and working config: \/usr\/local\/etc\/stubby\/stubby.yml<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>resolution_type: GETDNS_RESOLUTION_STUB\ndns_transport_list:\n  - GETDNS_TRANSPORT_TLS\ntls_authentication: GETDNS_AUTHENTICATION_REQUIRED\ntls_query_padding_blocksize: 128\nedns_client_subnet_private : 1\nround_robin_upstreams: 1\nidle_timeout: 9000\nlisten_addresses:\n  - 127.0.0.1\n  - 0::1\nupstream_recursive_servers:\n  - address_data: 1.1.1.2\n    tls_auth_name: \"security.cloudflare-dns.com\"\n#    tls_pubkey_pinset:\n#      - digest: \"sha256\"\n#        value: 47DEQpj8HBSa+\/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\n  - address_data: 1.0.0.2\n    tls_auth_name: \"security.cloudflare-dns.com\"\n#    tls_pubkey_pinset:\n#      - digest: \"sha256\"\n#        value: 47DEQpj8HBSa+\/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\n  - address_data: 2606:4700:4700::1112\n    tls_auth_name: \"security.cloudflare-dns.com\"\n#    tls_pubkey_pinset:\n#      - digest: \"sha256\"\n#        value: 47DEQpj8HBSa+\/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\n  - address_data: 2606:4700:4700::1002\n    tls_auth_name: \"security.cloudflare-dns.com\"\n#    tls_pubkey_pinset:\n#      - digest: \"sha256\"\n#        value: 47DEQpj8HBSa+\/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=<\/code><\/pre>\n\n\n\n<p>I commented on the pinset in this blog post because CloudFlare can change the certificate and you need to compute the new pinset using:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl s_client -connect 1.1.1.2:853 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64<\/code><\/pre>\n\n\n\n<p>It&#8217;s time to start stubby:<\/p>\n\n\n\n<ul>\n<li>to have launchd start stubby now and restart at startup:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>  sudo brew services start stubby<\/code><\/pre>\n\n\n\n<ul>\n<li>if you don&#8217;t want\/need a background service you can just run:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>  sudo stubby -C \/usr\/local\/etc\/stubby\/stubby.yml<\/code><\/pre>\n\n\n\n<p>Now, it&#8217;s time to set up the system to use it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>networksetup -setdnsservers Wi-Fi 127.0.0.1 ::1<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verify<\/h3>\n\n\n\n<p>You can open any website and look if you can see it or use your shell with my custom function that permits you to know which DNS server (IP and Organization) I use:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>function whatsmydns() {\n    local ip=$(ping whoami.akamai.net -c 1 | awk '\/from\/ {print $4}' | cut -d ':' -f1)\n    echo $ip\n    whois $ip | awk '\/Organization\/'\n}<\/code><\/pre>\n\n\n\n<p>In my case, I need to see CloudFlare for the organization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">My evidence<\/h2>\n\n\n\n<p>%[https:\/\/youtu.be\/S-DyWBB5kWc]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bitel, an internet provider in Peru, drops DNS traffic to other servers. This is a direct attack on Net Neutrality, privacy, freedom, and security. In this example, I&#8217;ll use CloudFlare DNS as the destination.<\/p>\n","protected":false},"author":1,"featured_media":72,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"saved_in_kubio":false,"footnotes":""},"categories":[9],"tags":[23,19],"_links":{"self":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/204"}],"collection":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/comments?post=204"}],"version-history":[{"count":1,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/204\/revisions"}],"predecessor-version":[{"id":205,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/204\/revisions\/205"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media\/72"}],"wp:attachment":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media?parent=204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/categories?post=204"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/tags?post=204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}