Indonesian Focus Group discusses filtering mechanisms
The Ministry of Communication and Information (Kementerian Kominfo) hosted a live stream on December 4, 2023, where they openly discuss the mechanisms to filter content in Indonesia.
The video is in Indonesian, but you can enable closed captions and auto-translate to explore it.
To make it easier to explore, I've extracted the auto-translated subtitles. That way you can search for topics of interest, and find the time in the video.
Among other things, they discuss DNS and IP-based blocking and blocking of third-party DNS resolvers, explicitly calling out Google, Cloudflare and Quad9, and blocking of port 853. They say that they need to block encrypted DNS (DoT, DoH and DoQ) so that the user is forced to fall back to unencrypted DNS.
I did not see any mention of SNI-based blocking.
Below are two relevant moments, and you can find more by searching the transcript.
https://www.youtube.com/live/JY7-KbByjcI?si=p5SJnKdwww48uQD7&t=6634
https://www.youtube.com/live/JY7-KbByjcI?si=W0hC4sDSYiA-BPpp&t=8551
I'll note that blocking of encrypted DNS has been reported in 2022: https://github.com/net4people/bbs/issues/114
Thanks @fortuna, this is a great thing to find.
This is an archival copy: https://archive.org/details/KominfoFGD20231204
The "Kominfo" of the YouTube channel name is the Indonesian Ministry of Communications and Informatics, "responsible for communications, information affairs, and Internet censorship."
Does anyone speak Indonesian who can pick out some of the important points? (In particular, do you know anything about the "TKPPSE" or "RPZ" acronyms mentioned?) EDIT 2023-12-20: RPZ is Response Policy Zone, TKPPSE is Tata Kelola Pengendalian Penyelenggara Sistem Elektronik "Electronic System Operator Control Governance".
I skimmed through the visuals and noted a few interesting timestamps:
timestamp | comment | screenshot |
---|---|---|
0:00:52 | Site to report content complaints: http://aduankonten.id. Or WhatsApp 0811 922 4545, or email [email protected]. | |
1:17:50 | List of regulations relating to content blocking (dasar hukum penanganan konten): Pasal 40 ayat (2), Pasal 96, Pasal 14 ayat (1), Pasal 18, Peraturan K/L Terkait. | |
1:21:42 | Pipeline for website and social media blocking (mekanisme pemblokiran situs dan media sosial). | |
1:25:19 | This slide claims 2,501,070 domains and subdomains were blocked as of 2023-12-01. 1:30:55 shows a breakdown by category: the top two are gambling (perjudian) at 1,247,987 and pornography (pornografi) at 1,213,840. | |
1:26:45 | Slide shows a "Sistem DNS RPZ Kominfo" with IP addresses 103.154.123.130 and 139.255.196.202. | |
1:33:00 | Slide shows a "TKPPSE system" and marks installation points on a map of Indonesia. | |
1:37:53 | A "Kominfo RPZ basic synchronization and configuration guide" (Panduan sinkronisasi dan konfigurasi dasar RPZ kominfo) with links to a form http://bit.ly/FormKoneksiRPZ → Google Forms (archive) and a private Telegram group https://t.me/c/1526604311/1. | |
1:40:17 | Another mention of the RPZ IP addresses 103.154.123.130 and 139.255.196.202 and what looks like a DNS zone configuration file. | |
1:46:36 | Another mention of "TKPPSE", as a component alongside "DNS filtering" and "IP blocking". | |
1:52:41 | A diagram labeled "BGP blackhole". | |
1:57:18 | A node labeled "DNS Trust+ Master" with the IP addresses 103.154.123.130 (already seen for "RPZ") and 27.54.116.6. | |
2:40:25 | During the Q&A session, one of the speakers says something about RPZ being a real-time system, with some kind of synchronization every 1,000 seconds. There are also QR codes pointing to https://t.me/c/1526604311/1 (the private Telegram group from 1:37:53) and https://me-qr.com/dCuKk8Cc (archive). |
I did not see any mention of SNI-based blocking.
But some ISPs also do SNI-based blocking here now
In particular, do you know anything about the "TKPPSE" or "RPZ" acronyms mentioned?
iMAP and OONI have high-quality reports about blocking in Indonesia:
- The State of Internet Censorship in Indonesia (2017)
- iMAP State of Internet Censorship Report 2022 - Indonesia
- iMAP Indonesia 2023 Internet Censorship Report
I did not find the acronyms RPZ and TKPPSE in them, but there are definitions of PSE and Trust+/TrustPositif. PSE is a legal class of online service operators who are obliged to register themselves with the government, comply with takedown requests, etc. TrustPositif is a (DNS?) filtering application, operational since 2010.
https://ooni.org/post/2022-state-of-internet-censorship-indonesia/#private-electronic-system-operators-pse-ministerial-regulation-no-5-of-2020
Private Electronic System Operators (PSE) Ministerial Regulation No 5 of 2020
The law came into effect in November 2020 to replace and consolidate Kominfo Regulations No 19 of 2014 on Handling of Internet Sites Containing Negative Content and No 36 of 2014 on Registration of Electronic System Operators.47 The law requires private electronic system operators (penyelenggara sistem elektronik or PSE) to register themselves with Kominfo before providing any service to internet users.
Through the single registration system, a PSE must disclose how their system works and the kinds of user information they collect, store, and process. The law does not only apply to domestic operators but also to foreign private PSEs that have users in Indonesia. Failing registration, Kominfo would block the websites of private PSEs in Indonesia.48
https://ooni.org/post/2022-state-of-internet-censorship-indonesia/#trustpositif-by-kominfo
TrustPositif by Kominfo
As of September 2022, the Indonesian Ministry of Information and Communication (Kominfo) has blocked over 1,000,000 websites through TrustPositif,52 a filtering application that has been operational since 2010 per Ministerial Regulation No 19 of 2014. The majority of the blocked websites fall under the categories of gambling and pornography. Other categories of blocked websites include online scams, intellectual property violations, and “negative content” recommended by related-sector agencies. There have been reported cases of newly registered domain names being falsely pre-blocked on TrustPositif.53 An official from Kominfo claims that the blocks are based on citizen reports.54
The Freedom on the Net 2023 report for Indonesia is also full of a lot of good analysis. I do not find TKPPSE or RPZ in it, but it mentions TrustPositif and another, newer system called DNS Whitelist Nusantara:
https://freedomhouse.org/country/indonesia/freedom-net/2023#A
In July 2022, the Pengelola Nama Domain Internet Indonesia (PANDI) and the APJII proposed the implementation of national Domain Name System (DNS) filtering technology, such as DNS Whitelist Nusantara and TrustPositif. This would enable the government to limit public access to certain types of content.42 Critics of the proposal likened it to China’s highly repressive filtering system, known as the Great Firewall.43
The Freedom on the Net 2023 report for Indonesia is also full of a lot of good analysis. I do not find TKPPSE or RPZ in it, but it mentions TrustPositif and another, newer system called DNS Whitelist Nusantara
Footnote 42 of the Freedom on the Net report links to a PowerPoint presentation (20220729021540.pdf) by Mohamad Shidiq Purnama at the Indonesia Network Operators Group (IDNOG) Workshop and Conference 2022, on the topic of a national DNS system.
[Slides: Indonesia National DNS]
I figured out what RPZ is. From A warm welcome to DNS:
RPZ: Response Policy Zone is a framework for blocking, dropping queries or spoofing responses based on domain names, response IP addresses or nameservers used during resolution. It has long lived as an ISC Technical Note, and failed to become an IETF standard. It is nevertheless very useful, and there is an industry of RPZ providers. Policies are described by zones and are typically transmitted over IXFR.
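The RPZ encoding described in the quote above, as an added example that is not part of the original thread: a Python parser for a constructed policy zone that decodes each record's trigger and action and looks up the policy for a query name. The origin `rpz.example.` and every record in the sample are placeholders; the parser reads single-line records only and takes owner names as written, relative to the zone origin.

```python
import ipaddress

# Constructed sample policy zone: "rpz.example." and every record are placeholders.
SAMPLE_ZONE = """\
$ORIGIN rpz.example.
@                           SOA   ns.rpz.example. admin.rpz.example. 1 3600 600 86400 60
@                           NS    ns.rpz.example.
blocked.example             CNAME .
*.blocked.example           CNAME .
allowed.blocked.example     CNAME rpz-passthru.
nodata.example              CNAME *.
walled.example              CNAME blockpage.example.net.
sinkhole.example            A     192.0.2.10
24.0.2.0.192.rpz-ip         CNAME rpz-drop.
128.57.zz.db8.2001.rpz-ip   CNAME .
ns.bad.example.rpz-nsdname  CNAME .
"""

# Special CNAME targets and the resolver behaviour each one requests.
CNAME_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                 "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}
# Owner-name suffixes that select a trigger other than the query name.
TRIGGERS = {"rpz-ip": "response-ip", "rpz-client-ip": "client-ip",
            "rpz-nsip": "ns-ip", "rpz-nsdname": "ns-name"}


def decode_ip_trigger(labels):
    """Turn ['24','0','2','0','192'] into 192.0.2.0/24; 'zz' stands for IPv6 '::'."""
    prefixlen, groups = int(labels[0]), list(reversed(labels[1:]))
    if len(groups) == 4 and all(g.isdigit() for g in groups):
        addr = ".".join(groups)
    else:
        addr = ":".join("" if g == "zz" else g for g in groups)
        if addr.startswith(":"):
            addr = ":" + addr
        if addr.endswith(":"):
            addr += ":"
        addr = addr or "::"
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_rpz(text):
    """Parse single-line records ('owner [ttl] [IN] type rdata') into rule dicts."""
    rules = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("$"):
            continue  # blank line, comment, or $ORIGIN/$TTL directive
        owner, rest = fields[0].lower(), fields[1:]
        while len(rest) > 1 and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]  # skip optional TTL and class
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype in ("SOA", "NS"):
            continue  # zone housekeeping, not policy
        labels = owner.split(".")
        trigger = TRIGGERS.get(labels[-1], "qname")
        if trigger == "qname":
            match = owner
        elif trigger == "ns-name":
            match = ".".join(labels[:-1])
        else:
            match = str(decode_ip_trigger(labels[:-1]))
        # Any record that is not a special CNAME is "local data": the resolver
        # answers with this record instead of the real one (e.g. a block page).
        action = CNAME_ACTIONS.get(rdata, "LOCAL-DATA") if rtype == "CNAME" else "LOCAL-DATA"
        rules.append({"trigger": trigger, "match": match, "action": action,
                      "rtype": rtype, "rdata": rdata})
    return rules


def qname_policy(rules, qname):
    """QNAME triggers only: exact match first, then the closest wildcard, else None."""
    qname = qname.rstrip(".").lower()
    table = {r["match"]: r for r in rules if r["trigger"] == "qname"}
    if qname in table:
        return table[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        hit = table.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    for r in parse_rpz(SAMPLE_ZONE):
        print(f'{r["trigger"]:<12}{r["match"]:<26}{r["action"]:<11}{r["rdata"]}')
```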
National DNS has actually been implemented since 2015
You can read it here https://www.kominfo.go.id/index.php/content/detail/4991/Kominfo+Finalisasi+DNS+Nasional/0/sorotan_media
So basically the current system is, every ISP must redirect port 53 to their own server, their own server must be synchronized to Kominfo's RPZ server so it can update the blocking efficiently.
Indonesian cannot change their DNS settings without using encrypted DNS, so if we want to use custom filtering service such as NextDNS or ControlD, we usually rely on DoH/DoT
Indonesian cannot change their DNS settings without using encrypted DNS, so if we want to use custom filtering service such as NextDNS or ControlD, we usually rely on DoH/DoT
True. And that means that if those protocols get blocked, then we'll have to probably use a VPN to tunnel DNS queries lol
I figured out what RPZ is.
So basically the current system is, every ISP must redirect port 53 to their own server, their own server must be synchronized to Kominfo's RPZ server so it can update the blocking efficiently.
I see—so RPZ (Response Policy Zone) is a semi-standard way of representing DNS filtering/blocking rules as DNS information itself, such that the rules can be transmitted/synchronized with a zone transfer (AXFR/IXFR).
So we may take as a working hypothesis that the DNS blocklist in Indonesia is centrally managed and stored in Response Policy Zone format. Each individual ISP synchronizes the local blocklists in its own DNS resolvers with a master RPZ server periodically. (Every 1,000 seconds?)
Maybe, then, it's possible to interrogate the RPZ masters, or download the entire blocklist with a zone transfer? I tried port scanning 103.154.123.130, 139.255.196.202, and 27.54.116.6, but did not find udp/53 responsive on any of them.
The Trust+ / TrustPositif label also seems to have to do with DNS filtering. But I'm not sure if it's the same as the RPZ system, or something additional to it. @DarkMProgrammer, @ThePhoenix576, do you know, is Trust+ the name for the RPZ-based rule specification and synchronization system, or is Trust+ a different system? Slide 5 of the IDNOG 2022 slides mentions an "anti phishing" database separate from the Trust+ list, so maybe there is more than one database. One of the slides in the focus group discussion refers to both RPZ and TrustPositif:
Untuk setting konfigurasi dasar bind untuk menjadi slave pada RPZ kominfo berikut tahapan nya:
Untuk mengaktifkan slave RPZ zone maka kita harus mengedit file named.conf atau file yang memuat konfigurasi zone. Tambahkan parameter berikut di file konfigurasi zone:
```
zone "trustpositifkominfo" {
    type slave;
    file "db.trustpositifkominfo";
    masters { 103.154.123.130; 139.255.196.202; };
    allow-query { any; };
};
```
Note: Masters IP yang digunakan lebi dari satu.
To set the basic bind configuration to become a slave to the RPZ kominfo, here are the steps:
To enable the RPZ zone slave, we must edit the named.conf file or the file that contains the zone configuration. Add the following parameters in the zone configuration file:
Note: More than one Masters IP is used.
@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
This is one of the slides that mentions TKPPSE (timestamp 1:33:00):
Sistem TKPPSE
TKPPSE Virtual Borderline
- TKPPSE telah dipasang pada 147 site di 27 Provinsi
- TKPPSE dipasang pada jaringan internet Indonesia sebagai metode filtering dan kedaulatan digital Indonesia
TKPPSE System
- TKPPSE has been installed on 147 sites in 27 Provinces
- TKPPSE is installed on Indonesia's internet network as a method of filtering and Indonesia's digital sovereignty
The Trust+ / TrustPositif label also seems to have to do with DNS filtering. But I'm not sure if it's the same as the RPZ system, or something additional to it. @DarkMProgrammer, @ThePhoenix576, do you know, is Trust+ the name for the RPZ-based rule specification and synchronization system, or is Trust+ a different system? Slide 5 of the IDNOG 2022 slides mentions an "anti phishing" database separate from the Trust+ list, so maybe there is more than one database. One of the slides in the focus group discussion refers to both RPZ and TrustPositif:
I don't know for sure. I haven't looked into it that much. @DarkMProgrammer might know more about this thing though.
@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
Tata Kelola Pengendalian Penyelenggara Sistem Elektronik
It seems to refer to their blocking system to "protect" the digital world, or something like that. I don't know if it's specific to one of their blocking systems or something like that though.
@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
Tata Kelola Pengendalian Penyelenggara Sistem Elektronik
It seems to refer to their blocking system to "protect" the digital world, or something like that. I don't know if it's specific to one of their blocking systems or something like that though.
I see. So the name is not really specific. I wonder if TKPPSE is something like the TSPU in Russia, government-managed DPI black boxes installed at ISPs.
@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
Tata Kelola Pengendalian Penyelenggara Sistem Elektronik. It seems to refer to their blocking system to "protect" the digital world, or something like that. I don't know if it's specific to one of their blocking systems or something like that though.
I see. So the name is not really specific. I wonder if TKPPSE is something like the TSPU in Russia, government-managed DPI black boxes installed at ISPs.
Yeah, idk for sure. But I'm not liking where this country is going with them wanting to block DoT/H etc lol. Thankfully they drew the line with VPNs. But we all know that they can change their minds in an instant.
@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
This is one of the slides that mentions TKPPSE (timestamp 1:33:00):
Sistem TKPPSE
TKPPSE Virtual Borderline
- TKPPSE telah dipasang pada 147 site di 27 Provinsi
- TKPPSE dipasang pada jaringan internet Indonesia sebagai metode filtering dan kedaulatan digital Indonesia
TKPPSE System
- TKPPSE has been installed on 147 sites in 27 Provinces
- TKPPSE is installed on Indonesia's internet network as a method of filtering and Indonesia's digital sovereignty
It's the DPI middlebox which is responsible for sending TCP RST (for HTTPS) and sending a 302 redirection to the national blockpage (http://lamanlabuh.aduankonten.id) for HTTP.
If you don't know, every Indonesian DPI mechanism have the same behaviour such as:
- Lamanlabuh blockpage
- They listen to all port from 1 to 65535
- Sending TCP RST packet as their blocking mechanism
Here is, for example, when we tested port 25565 with the Host header of `hypixel.net`, a Minecraft server that the Indonesian government doesn't like.
If the DPI is deployed by each ISP, there most likely won't have same mechanism as some ISP here love putting ads lol
If the DPI is deployed by each ISP, there most likely won't have same mechanism as some ISP here love putting ads lol
Oh look ! Ads !
But anyways, I really do hope that they won't block DoT/H lol. Public DNS like Google DNS is far more reliable than our ISPs DNS servers lol
I figured out what RPZ is.
So basically the current system is, every ISP must redirect port 53 to their own server, their own server must be synchronized to Kominfo's RPZ server so it can update the blocking efficiently.
I see—so RPZ (Response Policy Zone) is a semi-standard way of representing DNS filtering/blocking rules as DNS information itself, such that the rules can be transmitted/synchronized with a zone transfer (AXFR/IXFR).
So we may take as a working hypothesis that the DNS blocklist in Indonesia is centrally managed and stored in Response Policy Zone format. Each individual ISP synchronizes the local blocklists in its own DNS resolvers with a master RPZ server periodically. (Every 1,000 seconds?)
Maybe, then, it's possible to interrogate the RPZ masters, or download the entire blocklist with a zone transfer? I tried port scanning 103.154.123.130, 139.255.196.202, and 27.54.116.6, but did not find udp/53 responsive on any of them.
The Trust+ / TrustPositif label also seems to have to do with DNS filtering. But I'm not sure if it's the same as the RPZ system, or something additional to it. @DarkMProgrammer, @ThePhoenix576, do you know, is Trust+ the name for the RPZ-based rule specification and synchronization system, or is Trust+ a different system? Slide 5 of the IDNOG 2022 slides mentions an "anti phishing" database separate from the Trust+ list, so maybe there is more than one database. One of the slides in the focus group discussion refers to both RPZ and TrustPositif:
Untuk setting konfigurasi dasar bind untuk menjadi slave pada RPZ kominfo berikut tahapan nya: Untuk mengaktifkan slave RPZ zone maka kita harus mengedit file named.conf atau file yang memuat konfigurasi zone. Tambahkan parameter berikut di file konfigurasi zone:
```
zone "trustpositifkominfo" {
    type slave;
    file "db.trustpositifkominfo";
    masters { 103.154.123.130; 139.255.196.202; };
    allow-query { any; };
};
```
Note: Masters IP yang digunakan lebi dari satu.
To set the basic bind configuration to become a slave to the RPZ kominfo, here are the steps: To enable the RPZ zone slave, we must edit the named.conf file or the file that contains the zone configuration. Add the following parameters in the zone configuration file: Note: More than one Masters IP is used.
The DNS Transfer only permitted for ISP DNS here, they have an ACL going to port 53 so outsider can't do AXFR command.
Feel free to contact me on slashy(at)bebasid.com if you want more info
If the DPI is deployed by each ISP, there most likely won't have same mechanism as some ISP here love putting ads lol
Oh look ! Ads !
But anyways, I really do hope that they won't block DoT/H lol. Public DNS like Google DNS is far more reliable than our ISPs DNS servers lol
It's not about reliable outside server anymore, it's about freedom of information and human right.
Indonesian are very restricted to customize their network by Kominfo due to National DNS regulation. They can't enjoy custom filtering, ad-blocking DNS, or even host their own DNS because of this.
It's not only international port 53 that got redirected, the local one too because Kominfo/ISP afraid people is hosting DNS on local VPS server and use them at home.
Ironically, National DNS is actually against our constitution, which guarantees freedom of expression and human rights
The DNS Transfer only permitted for ISP DNS here, they have an ACL going to port 53 so outsider can't do AXFR command.
I see. The ACL must be the reason for the Google Form (archive) linked at 1:37:53 in the focus group video. A field on the form asks for the IP addresses that will be used for RPZ zone transfers.
Alamat IP Publik DNS Server (Jika sudah ada)
RPZ sistem kominfo adalah sebuan DNS server yang berisi sebuah zone yang dapat direplikasi (transfer zone). Untuk dapat melakukan transfer zone, ISP harus terlebih dahulu meregister Source IP yang akan melakukan transfer ke sistem RPZ kominfo. Mohon memasukkan IP yang dimaksud ke dalam dform di bawah ini (maksimal 4 IP). Jika informasi ini belum ada, dapat disusulkan melalui Whatsapp Message ke sdr. Riko Rahmada
- IP 1:
- IP 2:
- IP 3:
- IP 4:
DNS Server Public IP Address (If already exist)
Kominfo RPZ system is a DNS server that contains a zone that can be replicated (transfer zone). To be able to transfer zones, ISPs must first register the Source IP that will transfer to the Kominfo RPZ system. Please enter the IP in question into the dform below (maximum 4 IPs). If this information does not exist, it can be proposed via Whatsapp Message to Br. Riko Rahmada
- IP 1:
- IP 2:
- IP 3:
- IP 4:
The DNS Transfer only permitted for ISP DNS here, they have an ACL going to port 53 so outsider can't do AXFR command.
I see. The ACL must be the reason for the Google Form (archive) linked at 1:37:53 in the focus group video. A field on the form asks for the IP addresses that will be used for RPZ zone transfers.
Alamat IP Publik DNS Server (Jika sudah ada)
RPZ sistem kominfo adalah sebuan DNS server yang berisi sebuah zone yang dapat direplikasi (transfer zone). Untuk dapat melakukan transfer zone, ISP harus terlebih dahulu meregister Source IP yang akan melakukan transfer ke sistem RPZ kominfo. Mohon memasukkan IP yang dimaksud ke dalam dform di bawah ini (maksimal 4 IP). Jika informasi ini belum ada, dapat disusulkan melalui Whatsapp Message ke sdr. Riko Rahmada
- IP 1:
- IP 2:
- IP 3:
- IP 4:
DNS Server Public IP Address (If already exist)
Kominfo RPZ system is a DNS server that contains a zone that can be replicated (transfer zone). To be able to transfer zones, ISPs must first register the Source IP that will transfer to the Kominfo RPZ system. Please enter the IP in question into the dform below (maximum 4 IPs). If this information does not exist, it can be proposed via Whatsapp Message to Br. Riko Rahmada
- IP 1:
- IP 2:
- IP 3:
- IP 4:
Yep that's right, in order to get access to it, you must register there first
@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik. This is one of the slides that mentions TKPPSE (timestamp 1:33:00):
Sistem TKPPSE
TKPPSE Virtual Borderline
- TKPPSE telah dipasang pada 147 site di 27 Provinsi
- TKPPSE dipasang pada jaringan internet Indonesia sebagai metode filtering dan kedaulatan digital Indonesia
TKPPSE System
- TKPPSE has been installed on 147 sites in 27 Provinces
- TKPPSE is installed on Indonesia's internet network as a method of filtering and Indonesia's digital sovereignty
It's the DPI middlebox which responsible to send TCP RST (for https) and sending 302 redirection to national blockpage (http://lamanlabuh.aduankonten.id) for http.
If you don't know, every Indonesian DPI mechanism have the same behaviour such as:
- Lamanlabuh blockpage
- They listen to all port from 1 to 65535
- Sending TCP RST packet as their blocking mechanism
Here is, for example, when we tested port 25565 with the Host header of `hypixel.net`, a Minecraft server that the Indonesian government doesn't like.
If the DPI is deployed by each ISP, there most likely won't have same mechanism as some ISP here love putting ads lol
I found this leak from some clueless Indonesian NOC on LinkedIn.
TKPPSE is indeed the National DPI implemented by Kominfo, similar to GFW in China.
Every ISP that has connection to outside (Ex: Singapore) have their network tapped first by Kominfo so they can log or monitor the request for "blacklisted" header.
If the header is blacklisted, the National DPI (so called TKPPSE) will send you TCP RST packet and 302 redirection to National Blockpage at (http://lamanlabuh.aduankonten.id)
It's indeed sad that my country is heading towards China/Iran :(
I don't care if the government is only blocking pornographic and gambling content. What I care about is that they love to block random stuff that should not be blocked, such as Reddit, Vimeo, Startmail, and recently, Hypixel. This falls under censorship rather than "protection" now, especially as they forbid their people to change their DNS and are now implementing similar infrastructure to China's censorship.
Similar to GFW, TKPPSE has bidirectional blocking so you can check blocked site in Indonesia by curl-ing them against infected ISPs and modify the host header to blocked website
I just realised some clever ISP in Indonesia has different routing thus only its client that affected by DPI. Mainly noted PT Jala Lintas Media and PT Cyberindo Aditama so the bidirectional checking won't work
I found this leak from some clueless Indonesian NOC on LinkedIn.
TKPPSE is indeed the National DPI implemented by Kominfo, similar to GFW in China.
That same slide appears in this focus group discussion, during Setyo Wibawa's part at 1:49:40. The title of the slide says "TKPSEE", but I would guess that's a typo for TKPPSE.
TKPSEE [sic]
Tata Kelola Pengendalian Penhelenggara Sistem Elektronik
Penempatan Perangkat di NAP
TKPSEE
Electronic System Operator Control Governance
Device Placement in NAP
Similar to GFW, TKPPSE has bidirectional blocking so you can check blocked site in Indonesia by curl-ing them against infected ISPs and modify the host header to blocked website
I can reproduce the bidirectional HTTP 302 injection with curl. Great tip. @snourin, this looks like something you'd be interested in.
```
$ curl -i http://iconnet.id/ -H "Host: hypixel.net"
HTTP/1.0 302 Moved
Content-Length: 0
Location: http://lamanlabuh.aduankonten.id/
Pragma: no-cache
Cache-Control: no-cache
```
In my quick tests, it looks like the injection is unreliable: sometimes I get the real response from the iconnet.id server. Interestingly, it appears that the GET method but not the HEAD method is affected: `curl -i http://iconnet.id/ -H "Host: hypixel.net"` sometimes gets injection, but `curl -I http://iconnet.id/ -H "Host: hypixel.net"` does not.
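For tallying observations like these across repeated trials, an added example that is not part of the original post: a Python classifier for captured raw HTTP responses that separates the block-page redirect from the server's own replies and counts verdicts per request method. The captures are constructed from the curl output above and nothing here touches the network; the verdict names are this example's own.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Block-page host as it appears in the curl output quoted in the thread.
BLOCKPAGE_HOST = "lamanlabuh.aduankonten.id"

# Constructed captures modelled on the thread's curl output; not real traffic.
INJECTED = (b"HTTP/1.0 302 Moved\r\nContent-Length: 0\r\n"
            b"Location: http://lamanlabuh.aduankonten.id/\r\n"
            b"Pragma: no-cache\r\nCache-Control: no-cache\r\n\r\n")
ORIGIN = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
          b"Content-Length: 5\r\n\r\nhello")
OWN_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                b"Location: https://www.example.net/\r\n\r\n")
# (method, raw response) pairs; b"" stands for a connection that returned no data.
TRIALS = [("GET", INJECTED), ("GET", ORIGIN), ("GET", INJECTED),
          ("HEAD", ORIGIN), ("HEAD", ORIGIN), ("GET", b"")]


def parse_head(raw):
    """Return (version, status, headers) from the head of a raw HTTP response."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], int(parts[1]), headers


def classify(raw):
    """Verdict for one capture: blockpage, other-redirect, origin, no-data, unparseable."""
    if not raw:
        return "no-data"  # e.g. the connection was reset before any reply
    try:
        _version, status, headers = parse_head(raw)
    except ValueError:
        return "unparseable"
    if 300 <= status < 400:
        # Key on the redirect target: a site may legitimately redirect elsewhere,
        # so the status code alone is not enough to call it an injection.
        host = urlsplit(headers.get("location", "")).hostname
        return "blockpage" if host == BLOCKPAGE_HOST else "other-redirect"
    return "origin"


def summarize(trials):
    """Tally verdicts per request method, e.g. {'GET': {'blockpage': 2, ...}}."""
    tally = defaultdict(Counter)
    for method, raw in trials:
        tally[method][classify(raw)] += 1
    return {method: dict(counts) for method, counts in tally.items()}


if __name__ == "__main__":
    for method, counts in summarize(TRIALS).items():
        print(method, counts)
```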
Similar to GFW, TKPPSE has bidirectional blocking so you can check blocked site in Indonesia by curl-ing them against infected ISPs and modify the host header to blocked website
I can reproduce the bidirectional HTTP 302 injection with curl. Great tip. @snourin, this looks like something you'd be interested in.
```
$ curl -i http://iconnet.id/ -H "Host: hypixel.net"
HTTP/1.0 302 Moved
Content-Length: 0
Location: http://lamanlabuh.aduankonten.id/
Pragma: no-cache
Cache-Control: no-cache
```
In my quick tests, it looks like the injection is unreliable: sometimes I get the real response from the iconnet.id server. Interestingly, it appears that the GET method but not the HEAD method is affected: `curl -i http://iconnet.id/ -H "Host: hypixel.net"` sometimes gets injection, but `curl -I http://iconnet.id/ -H "Host: hypixel.net"` does not.
Yeah but if you are inside Indonesia, you will get injected 100%
I don't know what's actually happening on the National DPI's side that causing a request from outside Indonesia to have unstable injection.
The iForte one has the stable injection to the outside, maybe you can try curling it against iforte.co.id or transjakarta.co.id
Transjakarta public wifi is using iForte as its IP Transit so it's affected by the TKPPSE aka National DPI aka Great Firewall of Indonesia
I suspect Iconnet has a loadbalancing stuff on their side, when you aren't affected, sometimes you got routed to one of their backup loadbalancing border router which hasn't been tapped yet by Kominfo
Oh yeah, if you don't know what NAP is, NAP stands for Network Access Provider.
Kominfo actually has 2 kinds of ISP licensing: one is ISP and one is NAP.
ISPs with normal ISP licensing are forbidden to have a direct peer with Tier 1 ISPs (such as HE, Cogent, etc.). They are only allowed to peer with a NAP before going to T1 ISPs.
NAPs, on the other hand, are the ISPs that are allowed to have a direct connection outside; they are forced by Kominfo to have their border routers tapped to the National DPI (TKPPSE) for censorship reasons like above.