
Secure DNS (DoH/DoT) blocking in Indonesia 2023-12-30

wkrp opened this issue 1 year ago • 3 comments

Copied from https://github.com/net4people/bbs/issues/316#issuecomment-1872517483:

On December 30th 2023, some ISPs blocked access to DoH/DoT domains.

Our DNS service [dns.bebasid.com] is also affected.

Aside from PT Netciti Persada, PT Jaringan Sarana Nusantara (JSN) also started blackholing DoH from their DNS; it seems Kominfo started to roll this out to every ISP.

Thanks to the National DNS regulation, changing plain DNS won't work, so you are stuck with the ISP DNS that is blocking access to DoH/DoT domains, as you can see from the result of an nslookup to Google DNS being hijacked to each ISP's DNS.

If you want to use DoH/DoT, writing the [resolver] domain in the hosts file will work.

A mobile web browser showing the error: "This site can't be reached. dnscheck.tools's server IP address could not be found."

Mobile web browser options: Use secure DNS → Choose another provider → Custom: https://security.cloudflare-dns.com/dns-query.

Transcription below.

~ $ curl -v https://security.cloudflare-dns.com/dns-query
* processing: https://security.cloudflare-dns.com/dns-query
*   Trying 0.0.0.0:443...
* connect to 0.0.0.0 port 443 failed: Connection refused
* Failed to connect to security.cloudflare-dns.com port 443 after 135 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to security.cloudflare-dns.com port 443 after 135 ms: Couldn't connect to server

Wtf is this

~ $ curl -v dns.bebasid.com
* processing: dns.bebasid.com
*   Trying 0.0.0.0:443...
* connect to 0.0.0.0 port 443 failed: Connection refused
* Failed to connect to dns.bebasid.com port 443 after 5260 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to dns.bebasid.com port 443 after 5260 ms: Couldn't connect to server

Transcription below.

~ $ nslookup dns.bebasid.com
nslookup dns.google
nslookup cloudflare-dns.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   dns.bebasid.com
Address: 0.0.0.0

Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   dns.google
Address: 0.0.0.0

Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   cloudflare-dns.com
Address: 0.0.0.0

wkrp avatar Dec 30 '23 14:12 wkrp

Copied from #316 (comment):

On December 30th 2023, some ISPs blocked access to DoH/DoT domains.

Our DNS service [dnscheck.tools] is also affected.

Aside from PT Netciti Persada, PT Jaringanku Sarana Nusantara (JSN) also started blackholing DoH from their DNS; it seems Kominfo started to roll this out to every ISP operating in Indonesia.

Thanks to the National DNS regulation, changing plain DNS won't work, so you are stuck with the ISP DNS that is blocking access to DoH/DoT domains, as you can see from the result of an nslookup to Google DNS being hijacked to each ISP's DNS.

If you want to use DoH/DoT, writing the [resolver] domain in the hosts file will work.

Apologies for the correction: our DNS service is dns.bebasid.com, not dnscheck.tools. dnscheck.tools is just a benchmark website to check DNSSEC and DNS performance, and it's not owned by us.

Anyway, there's some inconsistent blocking of DoH/DoT services in Indonesia.

These ISPs are confirmed to block Secure DNS services in Indonesia, although it's not consistent:

  • PT Mora Telematika Indonesia only blocks Google DoH/DoT by blackholing 8.8.8.8 and 8.8.4.4 at the BGP level, and 9.9.9.9 is also affected. (Fortunately, they forgot to blackhole 149.112.112.112, thus Quad9 still works.)
  • PT Netciti Persada only relies on port blocking, yet the DNS providers currently affected are Cloudflare, Google, Quad9, and AdGuard on ports 443 and 853.
  • PT Jaringanku Sarana Nusantara (JSN) blocks every DoH/DoT domain on its DNS; however, the IPs are not affected, as you can see in the screenshot above.

For PT Mora Telematika Indonesia:

  • https://explorer.ooni.org/m/20231021021635.306666_ID_webconnectivity_5e8be05f2b41ad16 (Google)

For PT Netciti Persada:

  • https://explorer.ooni.org/m/20231224095358.013369_ID_webconnectivity_61da54ba80163044 (Google)

  • https://explorer.ooni.org/m/20231222143553.043744_ID_webconnectivity_a47e098847ecb591 (Cloudflare)

Other ISPs that are suspected to follow the latest Kominfo censorship suggestion to block popular DoH/DoT, according to that video:

  • https://explorer.ooni.org/m/20231222143738.085272_ID_webconnectivity_0ef8b4bc492339aa (PT Giga Network Solusindo)

Also, I suspect the biggest telco here (PT Telkom Indonesia) has at least attempted before to block Cloudflare's DoH/DoT, but they aren't blocking it anymore for now:

  • https://explorer.ooni.org/m/20231226034632.129063_ID_webconnectivity_7c53f0bcc0d72307

merdekaid avatar Dec 30 '23 16:12 merdekaid

Also a correction: the ISP is named PT Jaringanku Sarana Nusantara, not just Jaringan.

They are crazy for doing this.

merdekaid avatar Dec 31 '23 11:12 merdekaid

PT Aplikasnusa Lintasarta also started to restrict DoH/DoT, mainly the popular ones like Google, Cloudflare, AdGuard, and Quad9, by blackholing them on their DNS. Since port 53 is redirected, as mandated by Kominfo under National DNS, you will be stuck with their DNS blocking DoH/DoT domains.

Not only that, I got a report that they also redirect port 53 at the IP transit level, making whoever transits through them unable to change their DNS and leaving DoH/DoT blocked on their network.

merdekaid avatar May 01 '24 03:05 merdekaid
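Added example, not code from the thread or from any of the ISPs or resolver operators named in it: a small Python probe that reproduces, at the wire level, the check behind the nslookup transcript in the issue body and merdekaid's port-53 redirection reports. It builds a DNS A query, parses the reply, and returns a "blackholed" verdict when every answer is 0.0.0.0 or otherwise unroutable; `build_a_response` is a constructed stand-in for an intercepting resolver's reply so the parser runs offline, and `probe` is the live version (resolver address and 3 s timeout are assumptions).

```python
import ipaddress
import socket
import struct

def build_a_query(name, txid=0x1234):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_a_response(query, addr, ttl=60):
    """Constructed reply to `query` (stands in for an intercepting resolver): one A record."""
    header = struct.pack(">HHHHHH", query[0] << 8 | query[1], 0x8180, 1, 1, 0, 0)
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + query[12:] + rr  # 0xC00C is a pointer back to the question name

def _skip_name(msg, off):
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root label 1

def parse_a_answers(resp):
    """A-record addresses in a DNS response; other record types are skipped."""
    qd, an = struct.unpack(">HH", resp[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return addrs

def classify(addrs):
    """'blackholed' when every answer is unroutable (0.0.0.0, loopback, RFC1918)."""
    ips = [ipaddress.IPv4Address(a) for a in addrs]
    unroutable = all(ip.is_unspecified or ip.is_private for ip in ips)
    return "empty" if not ips else "blackholed" if unroutable else "resolved"

def probe(name, resolver="8.8.8.8", timeout=3.0):
    """Live UDP/53 check; a reply whose transaction ID does not match is reported as such."""
    q = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp, _ = s.recvfrom(512)
    return classify(parse_a_answers(resp)) if resp[:2] == q[:2] else "txid_mismatch"
```

A "blackholed" verdict for dns.google on a query addressed to 8.8.8.8 cannot have been produced by Google itself, which is the port-53 interception the thread describes.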