Dynamic DNS and China
-
- Posts: 3
- Joined: Wed Jun 11, 2014 3:29 am
Dynamic DNS and China
The default hostname for dynamic DNS is 'vpnXXXXXXXXX.softether.net', eg, 'vpn10123132.softether.net'.
Unfortunately, the GFW of China detects the word 'vpn' in DNS queries, and may block connections to that IP subsequently, or schedule it for probing, or start randomly dropping packets, etc.
A hostname with the word 'vpn' and an OpenVPN connection attempt are enough to confirm it as a VPN endpoint, and it'll get blocked.
Could the SoftEther VPN Server Manager be changed, so it doesn't suggest the word 'vpn' in the dynamic DNS hostname, when a new VPN server is created?
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
Re: Dynamic DNS and China
Just do it :)
-
- Posts: 3
- Joined: Wed Jun 11, 2014 3:29 am
Re: Dynamic DNS and China
inten wrote:
> Just do it :)
I did. But I also accepted the default, the first time, so the IP is on the shit-list until I don't know when. I was asking if the _default suggestion_ of 'vpnXXXXXXX' could be changed to exclude 'vpn'
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
Re: Dynamic DNS and China
I suppose they already put _ALL_ IPs of SoftEther into the list. And a domain too.
-
- Posts: 61
- Joined: Wed Jun 05, 2013 11:33 pm
Re: Dynamic DNS and China
Would be nice if during the initial setup you could just opt out of the whole dynamic host setup - seems like it's something that would be simple to implement right away.
Pretty sure that's how China is blocking all these softether servers.
Why is it that this is not a setup option already?
-
- Posts: 230
- Joined: Tue Mar 05, 2013 10:04 am
Re: Dynamic DNS and China
A working Dynamic DNS entry cannot be detected by intermediate censorship firewalls, since censors cannot enumerate all DDNS entries, unless you actually send a query for that DNS entry through a censorship point.
If a VPN client actually uses a registered DNS record (at first only the owner of the DDNS entry can do that, because no one else knows the record name), the censor may capture the DNS query and response record.
Therefore, the DDNS function poses no censorship risk unless the actual DDNS entry is queried and answered across the censor's capture point.
-
- Posts: 61
- Joined: Wed Jun 05, 2013 11:33 pm
Re: Dynamic DNS and China
@dnobori - how is it then, that China is all of a sudden blocking all of my softether VPN servers?
This happened all at once about a week or two ago. I suspect (based on others posts here) that they've figured out a way to discover softether VPN servers and their associated IPs.
I'd like an option to opt out of any dynamic dns registration or addition of my servers to any vpngate lists (if this actually takes place, that is) during setup.
I've set up alternate vpn servers in the meantime, which are not being blocked based on hostname or IP - so it seems that there's a good chance that this is a softether issue.
-
- Posts: 61
- Joined: Wed Jun 05, 2013 11:33 pm
Re: Dynamic DNS and China
Bump for @dnobori
gavstah wrote:
> @dnobori - how is it then, that China is all of a sudden blocking all of
> my softether VPN servers?
>
> This happened all at once about a week or two ago. I suspect (based on
> others posts here) that they've figured out a way to discover softether VPN
> servers and their associated IPs.
>
> I'd like an option to opt out of any dynamic dns registration or addition
> of my servers to any vpngate lists (if this actually takes place, that is)
> during setup.
>
> I've set up alternate vpn servers in the meantime, which are not being
> blocked based on hostname or IP - so it seems that there's a good chance
> that this is a softether issue.
-
- Posts: 230
- Joined: Tue Mar 05, 2013 10:04 am
Re: Dynamic DNS and China
The GFW authority cannot enumerate registered DDNS hostnames on the softether.net domain. Activating a DDNS hostname on softether.net is safe for the GFW unless any computer inside China-mainland actually sends a query for that DDNS hostname.
Anyway, you can disable the DDNS function on SoftEther VPN Server by editing the vpn_server.config file.
-
- Posts: 3
- Joined: Wed Jun 11, 2014 3:29 am
Re: Dynamic DNS and China
dnobori wrote:
> The GFW authority cannot enumerate registered DDNS hostnames on the
> softether.net domain.
Agreed.
> Activating a DDNS hostname on softether.net is safe
> for the GFW unless any computer inside China-mainland actually sends a
> query for that DDNS hostname.
This is the problem. By default, a new user opts-in to the dynamic DNS when setting up the server.
The client then uses that dynamic hostname in their VPN client configuration.
If the client is in China, the DNS lookup is caught, the word 'vpn' is detected, and the resolved IP is added to the blacklist, making the IP close to useless.
If the word 'vpn' could be removed from the default configuration, then it won't be a problem.
-
- Posts: 230
- Joined: Tue Mar 05, 2013 10:04 am
Re: Dynamic DNS and China
Even if the "vpn" string is removed from the hostname, the censorship firewall can easily detect ".softether.net".
-
- Posts: 10
- Joined: Sat Jul 12, 2014 1:32 pm
Re: Dynamic DNS and China
dnobori wrote:
> The GFW authority cannot enumerate registered DDNS hostnames on the
> softether.net domain.
Technically, yes. But in practice you are 100% wrong.
At least based on my experience. My local network providers (I use 2) have both begun actively blocking every DDNS entry found on the VPNGate list. The DDNS function is great from a crowd-sourcing access points perspective, but since China is extremely advanced in their practices it makes the use virtually unusable for most. Instead of it helping remove censorship it is "helping them" create censorship.
I have made the change to:
declare DDnsClient
{
    bool Disabled true
}
AND I hope that this removes me from the DDNS list entries or I will keep getting blocked every few minutes, which sucks....
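A small helper for the vpn_server.config edit described in the two posts above (dnobori's suggestion to edit the file, and the DDnsClient snippet), added here as an example and not code from the thread or from the SoftEther project. It walks SoftEther's brace-delimited format while tracking nesting depth, so only the DDnsClient block's `bool Disabled` line changes; a same-named key in any other block, and every other byte of the file, is left untouched. The sample config is constructed; only the `DDnsClient` block and its `bool Disabled` key come from the thread.

```python
import re

# Constructed sample of SoftEther's brace-delimited vpn_server.config format;
# only the DDnsClient block and its "bool Disabled" key come from the thread.
SAMPLE_CONFIG = """declare root
{
    declare DDnsClient
    {
        bool Disabled false
    }
    declare ServerConfiguration
    {
        bool Disabled false
    }
}
"""
BOOL_RE = re.compile(r"^bool (\w+) (true|false)$")

def _iter_lines(config, block):
    # Yield (line, in_block); in_block is True only for the direct contents of
    # `declare <block>`, so a same-named key in another block is never matched.
    depth, target = 0, None
    for line in config.splitlines(keepends=True):
        s = line.strip()
        if s == "{":
            depth += 1
            yield line, False
        elif s == "}":
            if depth == target:
                target = -1  # left the target block; stop matching for good
            depth -= 1
            yield line, False
        else:
            yield line, depth == target
            if target is None and s == f"declare {block}":
                target = depth + 1  # the block body opens at the next "{"

def set_bool(config, block, key, value):
    # Rewrite only that one key; every other line is returned byte-for-byte.
    out, found = [], False
    for line, inside in _iter_lines(config, block):
        s = line.strip()
        m = BOOL_RE.match(s)
        if inside and m and m.group(1) == key:
            line, found = line.replace(s, f"bool {key} {str(value).lower()}"), True
        out.append(line)
    if not found:
        raise ValueError(f"bool {key} not found in declare {block}")
    return "".join(out)
```

Disabling the DDNS client is then `set_bool(config_text, "DDnsClient", "Disabled", True)`; run it with the VPN server stopped and restart afterwards, as the final reply describes, because the running server periodically writes its configuration back to disk.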
-
- Posts: 10
- Joined: Sat Jul 12, 2014 1:32 pm
Re: Dynamic DNS and China
I can confirm that changing the config and then restarting the service removes the DDNS auto population into the list.
/s