Vodafone | Notion

DNS focused blocking

DNS

ISP's DNS server resolves government IPs for blocked domains.
Manipulates 3rd party DNS servers to hang on resolving blocked domains, DNS injection.
ISP's DNS takes queries instead of specified DNS servers, DNS injection.
All blocked websites hang on TLS client hello on DNS servers

$ curl -vik --resolve pastebin.com:443:1.1.1.1 <https://pastebin.com> -m 2
* Added pastebin.com:443:1.1.1.1 to DNS cache
* Hostname pastebin.com was found in DNS cache
*   Trying 1.1.1.1:443...
* TCP_NODELAY set
* Connected to pastebin.com (1.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Operation timed out after 2000 milliseconds with 0 out of 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 2000 milliseconds with 0 out of 0 bytes received

Exceptions

ISP DNS will respond blank for privateinternetaccess.com.
No DNS injection on servers such as 9.9.9.9
None of the blocked websites will hang on TLS client hello on DNS servers such as 9.9.9.9

HTTP

If a blocked domain appears on host header, it won't do anything

$ curl -vik --header "Host: xvideos.com" 85.117.236.90
*   Trying 85.117.236.90:80...
* TCP_NODELAY set
* Connected to 85.117.236.90 (85.117.236.90) port 80 (#0)
> GET / HTTP/1.1
> Host: xvideos.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK

ISP 302 redirects the government IP address with blocked domain to present the page stating the domain is blocked, to Vodafone IP: http://176.55.252.4:8080/?url=<DomainName>%2F

$ curl -vik --header "Host: xvideos.com" 195.175.254.2
*   Trying 195.175.254.2:80...
* TCP_NODELAY set
* Connected to 195.175.254.2 (195.175.254.2) port 80 (#0)
> GET / HTTP/1.1
> Host: xvideos.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Content-Length: 241
Content-Length: 241
< Location: <http://176.55.252.4:8080/?url=xvideos.com%2F>
Location: <http://176.55.252.4:8080/?url=xvideos.com%2F>
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Found</TITLE></HEAD><BODY>
<H1>302 Found</H1>
The document has moved
<A HREF="<http://176.55.252.4:8080/?url=xvideos.com%2F>">here</A>
</BODY></HTML>

* Connection #0 to host 195.175.254.2 left intact

HTTPS

If a blocked domain appears on SNI, it won't do anything

$ curl -vik --resolve pastebin.com:443:85.117.236.90 <https://pastebin.com>
* Added pastebin.com:443:85.117.236.90 to DNS cache
* Hostname pastebin.com was found in DNS cache
*   Trying 85.117.236.90:443...
* TCP_NODELAY set
* Connected to pastebin.com (85.117.236.90) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=arinc9.com
*  start date: Nov 16 15:18:35 2020 GMT
*  expire date: Feb 14 15:18:35 2021 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: pastebin.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 04 Dec 2020 11:34:05 GMT
Date: Fri, 04 Dec 2020 11:34:05 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 178
Content-Length: 178
< Connection: keep-alive
Connection: keep-alive
< Location: IsThisThingOn
Location: IsThisThingOn

<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host pastebin.com left intact