
EU.ORG got blocked by GFW recently

Open xtexx opened this issue 1 year ago • 16 comments

About one week ago, some people reported that TLS connections to EU.ORG domains are blocked by the Great Firewall. This can be confirmed in both China Telecom and China Mobile networks.

There is no known DNS pollution in this blocking. All DNS queries I tested got correct results.

Plain HTTP requests on 80/TCP are not blocked. After attempts to establish a TLS connection on 443/TCP (other ports are not tested), the connection will be reset, and further packets to the server's 443/TCP will be dropped for several minutes.

xtexx avatar Apr 04 '24 23:04 xtexx

Note: This is a free domain name provider. It has no relation with the European Union, despite its name.

systemhorse avatar Apr 05 '24 07:04 systemhorse

Can you confirm whether this is blocking against the SNI *.eu.org or against part/all of the IP addresses that *.EU.ORG resolves to?

gaukas avatar Apr 13 '24 02:04 gaukas

@gaukas It seems to be against the SNI. I tested:

  1. DNS query a domain not under eu.org
  2. Connect; HTTPS connections to that domain are not blocked
  3. DNS query a domain that is under eu.org and resolves to the same address as the first one
  4. TLS connect to the first domain: not blocked
  5. Attempt to establish a TLS connection with the second domain: getting blocked
  6. Connections to the first domain are now blocked

xtexx avatar Apr 13 '24 03:04 xtexx
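The six-step check above, written out as a small measurement script. This is an added example, not code from the thread or from any of its participants: `tls_probe` sends a real ClientHello to `ip:443` with a chosen SNI and classifies the outcome, `sni_block_test` replays steps 4 to 6 against one IP with a control name and a suspect name, and `SimulatedFirewall` is a constructed stand-in for the reported behaviour (reset on a `*.eu.org` SNI, then the IP's port 443 blackholed) so the logic can be exercised offline. All IPs and hostnames in the test are constructed placeholders.

```python
import socket
import ssl
from typing import Callable

# Per-probe outcome: did the TLS handshake to ip:443 with this SNI complete?
OK, RESET, TIMEOUT = "ok", "reset", "timeout"

def tls_probe(ip: str, sni: str, timeout: float = 5.0) -> str:
    """Send one real ClientHello carrying `sni` to ip:443 and classify what
    happens. Certificate checks are off on purpose: the question is whether
    the handshake is interrupted, not whether the cert matches `sni`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni):
                return OK
    except (ConnectionResetError, ssl.SSLEOFError):
        return RESET    # injected RST or connection torn down mid-handshake
    except (socket.timeout, TimeoutError):
        return TIMEOUT  # packets silently dropped

def sni_block_test(ip: str, control_sni: str, suspect_sni: str,
                   probe: Callable[[str, str], str] = tls_probe) -> str:
    """Steps 4-6 of the thread's check: control and suspect names share one
    IP, so only the SNI differs between probes. Returns a verdict string."""
    before = probe(ip, control_sni)   # step 4: control SNI should work
    suspect = probe(ip, suspect_sni)  # step 5: suspect SNI
    after = probe(ip, control_sni)    # step 6: is ip:443 now blackholed?
    if before != OK:
        return "inconclusive"           # path broken before the suspect probe
    if suspect == OK:
        return "not blocked"
    if after == OK:
        return "sni-interference-only"  # suspect SNI fails, no residual block
    return "sni-triggered-ip-block"     # matches the behaviour reported above

class SimulatedFirewall:
    """Constructed stand-in (hypothetical, for offline testing only): a SNI
    under `suffix` draws a reset and blackholes ip:443 for later probes."""
    def __init__(self, suffix: str = ".eu.org"):
        self.suffix, self.blackholed = suffix, set()
    def probe(self, ip: str, sni: str) -> str:
        if ip in self.blackholed:
            return TIMEOUT
        if sni.endswith(self.suffix):
            self.blackholed.add(ip)
            return RESET
        return OK
```

Run `sni_block_test` with the default prober from inside an affected network to reproduce the observation; pass `SimulatedFirewall().probe` to see the expected verdict without network access.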

Thanks! So after a TLS handshake using blocked SNI with a target, all TLS connections (supposedly from the same source IP) to that server (IP:443) are blocked for some period of time.

gaukas avatar Apr 13 '24 03:04 gaukas

this happened before

https://github-com.translate.goog/XTLS/Xray-core/issues/2707?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en https://github-com.translate.goog/XTLS/Xray-core/issues/1351?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en

mmmray avatar Apr 13 '24 09:04 mmmray

Can you confirm is this a blocking against the SNI eu.org or against part/all of IP addresses EU.ORG resolves to?

it's resolving to user-provided IPs, there's no coherent IP range or finite/distinct set of ASNs it resolves to.

what is not technically clear to me is whether eu.org is blocked by SNI or by preceding DNS query. For example, are requests to eu.org domains fine if DoH is used, and/or if SNI is bogus/empty? are non-tls protocols fine?

mmmray avatar Apr 13 '24 09:04 mmmray

this happened before

So what is the significance of eu.org then 🧐 I don't believe all free domain/tlds are targeted?

blocked by SNI or by preceding DNS query

Steps 3, 4, 5 support that it is due to SNI, as far as I can see.

gaukas avatar Apr 13 '24 13:04 gaukas

I don't believe all free domain tlds are targeted?

note that eu.org is not a TLD.

xtexx avatar Apr 13 '24 23:04 xtexx

not a TLD.

That's true, it is my bad for not stating clearly my question: since there are ~plenty of choices for~ free tlds and other free subdomains, there is no reason to target eu.org unless it is special in some ways.

gaukas avatar Apr 13 '24 23:04 gaukas

Just one of your "subdomains" being targeted is enough; they would target *.maindomain. We have seen this hundreds of times. So it does not need to be special.

def24 avatar Apr 14 '24 11:04 def24

We have seen this hundreds of times.

Thank you for sharing. I'm not aware of this, could you please point me to other discussing threads or other resources about the same behavior?

And also, do we know what is the exact trigger for such "full domain TLS RST"? Do you have to have a website hosting banned content, do you have to run a TLS proxy server, or what else.

Btw I wonder if this implies none of the free subdomains will be available in China, perhaps also including restrictive ones such as *.netlify.app, *.azurewebsites.net, etc?

gaukas avatar Apr 14 '24 17:04 gaukas

They do not ban high-profile domains like *.netlify.app, but they do ban their subdomains. But in the case of smaller fish they do ban the whole domain. China does not use spoofing anymore (or very rarely), because their users know how to deal (DoH etc.) with this kind of basic blocking method. Their main method is really to intercept all SSL connections (we know they intercept on all ports) with ClientHello and look at the requested certificate, and send RST to both parties and firewall the IP for a certain period (a few minutes) (obviously their SSL filter requires more resources). This is a very effective way.

In eu.org I see that your subdomains do have their own certs. This is a good start, but the guy who decided about your ban might have seen eu.org as !important and banned the whole eu.org. Or the second scenario is: one or multiple users placed anti-regime pages on one of your subdomains, and they are able to change their subdomains by registering a new subdomain with you. So they were tired of playing the mouse-and-cat game and banned the whole "!important" eu.org...

We sometimes see unbans, but very rarely. We see domains that were banned for a whole year.

But in your case eu.org seems not to be banned but *.eu.org seems to be (just checked)

7c avatar Apr 15 '24 17:04 7c

I just learned that this blocking behavior has been lifted on *.eu.org, can anyone confirm?

gaukas avatar Apr 18 '24 18:04 gaukas

Yes, seems to be; I have tried nl and cy.

7c avatar Apr 18 '24 19:04 7c

Yes, seems so for me.

xtexx avatar Apr 20 '24 04:04 xtexx

Reopen to keep discussion visible.

wkrp avatar May 29 '25 16:05 wkrp