I stumbled upon this service (https://shecan.ir): they offer public DNS servers that operate like proxies! When you visit a geo-restricted website not available in my country, they re-route it through their own VPN and connect you to the service without requiring the client to install any kind of VPN or software other than changing the DNS servers to their addresses!
How does this exactly work? And how can I deploy something similar on my own server?
EDIT:
I know how to deploy my own DNS resolver with AdGuardHome either plaintext, DoT or DoH but don’t know how to make it act like this proxy router!
UPDATE:
ChatGPT to the rescue:
The DNS server you’re referring to likely provides “smart DNS” services, which redirect DNS queries for specific domain names to servers that are not subject to the same geographical restrictions as the user’s local DNS servers.
Presumably, they change the DNS responses to point everything to their servers, which act as proxies. Those servers would have to be located somewhere that isn’t blocked, or connected via a VPN to somewhere that isn’t.
Sounds like it makes it really easy to use. But I suspect not nearly as secure as an actual VPN connection, and still with the same potential for them to spy on you that nearly any VPN service has.
It’s exactly what you described. Set up a DNS server with DNS over HTTPS. Set up a VPN to outside of where something is restricted. Set up outbound internet access on the other end of the VPN. Set up a proxy that redirects requests for blocked domains through the VPN. Reject all requests for non-blocked content.
You may want to consider the risks of providing/using something like this if you live in an area where they have restricted content. That’s a lot different than “I wanna play games at work in my browser.” It will 100% be noticed. MITM on HTTPS is only a challenge outside the LAN. The WAN is the LAN when you’re the ISP. But that doesn’t even matter. It doesn’t take long to realize all these people are going here and they’re no longer trying to go to all of these other places. Windows queries secondary DNS servers after the primary fails to respond within 1 second. To top that off, it queries both of them at the same time. So if that service goes down at all while you’re making a request, you just asked your ISP and the DNS service how to get there at the same exact time. Even if it’s DoH (DNS over HTTPS), the ISP is still going to get a request intended for them. It’s intended for them, so they decrypt and process it.
There’s likely loads of old blog posts and how-to regarding this from when it was all super-popular 10 years or so ago. Search for ‘roll your own smart dns’ or ‘roll your own geo unblocker’ etc. etc.
There are also still a few ongoing GitHub projects which allow you to run your own geo-unblocking DNS proxies, e.g.:
(don’t vouch for validity of the above, just first one I turned up in a search)
Just check through a few of those. Effectively you just need to forward traffic without terminating SSL, and you only intercept and redirect traffic to the (sub)domains responsible for geolocation, not necessarily the video streams themselves.
I ran a version myself years ago but don’t really bother any more. The info will still be around though, for sure. GL.
They have their VPNs in France as I checked but only the whitelisted services are routed in there, everything else is fetched as if I’m using my own ISP’s DNS!
I’m a noob in networking but I assume there must be iptables rules or something similar, checking for whitelisted websites or IPs and then redirecting them to the VPN server in France and returning whatever comes back to the client, am I right?
Setup a proxy that redirects requests for blocked domains through the VPN
This is where I’m puzzled! The client sends a DNS query and obviously expects a DNS response, now if the resolver changes the IP address in the response to something else, wouldn’t it break the TLS verification mechanism?! And if they did not change the response IP then how does the client bypass the geo-restrictions because they would be directly connected to the service!
TLS is initiated after getting IP from DNS, so nothing is changed here. Client sends DNS query, gets DNS response with custom IP, connects to this IP and sets up TLS session with it.
How they can sign TLS with a valid certificate issued for domains not owned by them without making your browser trust their CA is an entirely different question, to which I don’t know the answer. This scheme sounds exactly like a MitM attack, which is not possible without additional configuration on your side (or compromising an existing CA).
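The “forward without terminating SSL” approach from the earlier reply, and the reason the custom IP in the DNS answer does not break TLS, can be seen in an added example (not code from the thread or from shecan.ir): the proxy reads only the unencrypted SNI field of the client’s TLS ClientHello, decides whether that hostname is on the allow-list, and otherwise rejects; the encrypted bytes themselves are relayed untouched to the real origin, which presents its own certificate. The ClientHello builder, the `geo.example.com` allow-list entry and the `route_for` helper are constructed here for illustration; the actual TCP relay over the VPN is assumed to be a plain byte forwarder and is not shown.

```python
import struct

UNBLOCK = {"geo.example.com"}  # assumed allow-list of geolocation (sub)domains


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = hostname.encode()
    sni = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni)) + sni
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type 0 = SNI
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01"                          # one cipher suite
            + b"\x01\x00" + exts)                          # one compression method (null)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record header


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if absent or malformed."""
    try:
        if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 43                                   # record hdr(5)+hs hdr(4)+version(2)+random(32)
        pos += 1 + record[pos]                     # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
        pos += 1 + record[pos]                     # compression methods
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0:                         # ServerNameList: len(2), type(1), len(2), name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
        return None
    except (IndexError, struct.error):
        return None


def route_for(record: bytes) -> str:
    """Dispatch decision: only allow-listed hostnames are relayed over the VPN; all else rejected."""
    host = extract_sni(record)
    if host is None:
        return "reject"                            # no SNI means no basis to relay; drop it
    allowed = any(host == d or host.endswith("." + d) for d in UNBLOCK)
    return "via-vpn" if allowed else "reject"
```

Because the proxy never decrypts anything, the browser still completes its handshake with the origin’s real certificate, which matches the later observation that certificate verification passes while the origin sees the VPN exit’s country.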
They’re just responding to the DNS request with their own IP as the host. When you connect requesting the URL, it’s proxied across the VPN to the other side. I’m not sure what you mean by breaking TLS. DNS can occur over HTTPS, but it isn’t just a single HTTPS connection involved in the entire connection setup process. The DNS server has a cert. That cert is used for the transfer of the DNS information. Then whatever server you’re connecting to that is hosting the site you’re visiting has a cert and likely multiple concurrent HTTPS connections. The lookup portion of the connection request and the actual connection are entirely unrelated. The DNS lookup only happens when there’s no cached record on the host. You can just type in the IP of whatever server you want and have an HTTPS connection with no DNS request involved.
How can they sign TLS with valid certificate issued for domains not owned by them without making your browser trust their CA is entirely different question, which I don’t know the answer for.
That’s exactly what I was asking, thank you!
When I visit a restricted website, everything works normally and the certs are verified but the website sees me as visiting from France!
I found myself wondering about the CA. Does it say it’s proxied? Or did you assume? Based on what you’ve described, it’s not proxied. It’s routed across the VPN. You don’t need a proxy to accomplish what you’re describing. But it totally could be. Look at it more like a DNS rebinding attack. You changed the DNS on your side so they didn’t have to intercept it. You don’t need to get involved in certificates for DNS redirects.
Which kind of certs are they? DV ones or OV/EV? If the latter, there should be a company name next to the green lock in the address bar. Are they all issued by the same CA, or do they look legit?
Or, if you can compare certs from same website with or without DNS, this would be the best option
In one of the scripts it looks like they rewrote the DNS entry for Google to their IPs, which also look like they may be Google servers (didn’t check, the block looked familiar). The lack of source IP is likely due to routed NAT. It doesn’t break TLS, and the source IP would be the outbound address of the NAT’d interface. In a proxy situation the headers are rewritten to maintain the original IP. With the NAT, it’s lost.
Guessing is half the fun. How far can you figure it out without looking? Lol