| Tweet |
We’ve been running a series of guides that show just how easy it is to bi-pass general DNS censorship. It’s general DNS censorship that has been proposed in the PROTECT-IP Act among other things. Rather than simply debate philosophically on why the PROTECT-IP act will do absolutely nothing to deter copyright infringement, we decided to do one better and prove it instead.
Hiding your IP address, using a proxy, using the onion router and obtaining an IP address to a website so you won’t have to rely on a public DNS server – these seem like a very intimidating tasks for the unprepared. To be honest, when I first chose to try and figure these out, it seemed intimidating even to me – especially given that I don’t really even make use of proxy servers (or do any of the above for that matter). So really, I felt that I could relate to a number of moderately informed users on these topics.
Certainly, being able to remain anonymous online is something that can benefit many people – especially those who are marginalized by their own government in various ways – but I personally never felt that motivated to use any tools as it seemed to be an unnecessary layer of security when I simply browse news articles and listen to Creative Commons music among other things. So, a vast majority of the guides I’ve written over the last few weeks have been quite a learning experience to me.
The PROTECT-IP act has given me motivation to figure out how all of these methods work mainly due to the arbitrary nature of it all. If Hollywood doesn’t like that fan edit of a short clip, they can make that whole website disappear. If the RIAA thinks that a site like SoundClick doesn’t need to be seen by anyone else, they can erase easy access to that site almost with the snap of their fingers. So, how does the PROTECT-IP act work? Just look at the following from Wikipedia’s entry:
The Protect IP Act says that an “information location tool shall take technically feasible and reasonable measures, as expeditiously as possible, to remove or disable access to the Internet site associated with the domain name set forth in the order”. In addition, it must delete all hyperlinks to the offending “Internet site”.At a technical level domain name servers would be ordered to blacklist the suspected websites. Although the websites would remain reachable by IP address, links directing to them would be broken.[9] Also search engines—such as the already protesting Google—would be ordered to remove links in their index of the web of an allegedly infringing website. Furthermore, copyright holders themselves would be able to apply for court injunctions to have sites’ domains blacklisted.
To me, the scarier part is the fact that DNS servers would be affected by this. Forget search engines censoring websites based on copyright complaints, that has been happening for years through the DMCA. What I was more concerned about was the DNS servers because it would affect every internet user that uses that given server. So really, the taller order was figuring out how to make DNS censorship useless.
What struck me when writing these guides was just how easy some of these methods really were. In some instances, the only way to make defeating such censorship easier is to have a really big red button on the side of your computer that you can press to make DNS censorship go away. As such, I am convinced, at this point, that the PROTECT-IP Act will do absolutely nothing to curb copyright infringement. Sure, it’ll hamper free speech, sure it’s probably unconstitutional, sure it is politically unsound, sure it’ll probably hurt small and medium business, sure it’s probably anti-competitive, sure it’ll probably cause some security headaches, but stopping copyright infringement? Not by a long shot. Not with such methods I found that would be useful in circumventing such censorship anyway.
So, without further ado, the list including pros and cons of each (each method links to a corresponding guide we wrote):
1. Using a VPN Service
Quick Explanation:
A security tunnel that protects your data as it travels from your computer to the VPN server before letting it out on to the internet. As long as that VPN service is outside the United States, it’ll be very difficult to stop users using such services to circumvent DNS censorship.
Pros:
Very good security benefits. For the most part, it’s reliable. Plenty of technical support to go around depending on which VPN service you choose. Access pretty much everything on the internet. Very good for privacy.
Cons:
Costs money. May include bandwidth caps. Reliability of service isn’t consistent for every VPN service (though frontrunners are generally easier to spot in terms of reliability). Reportedly, you may need to install software you aren’t completely familiar with (depends on which service is being used).
2. Using Your HOSTs File
Quick Explanation:
For most users, there is actually a hosts file on their computer that can be used to connect domain name to server IP address without the use of a public DNS server. If a website is censored through a DNS server, one can simply use the HOSTs file so that a public DNS server isn’t even used in the first place. You just type in the domain name in your URL and the website would still appear.
Pros:
Completely removes the need to use a public DNS server when accessing specific websites. Prevents links from breaking due to DNS censorship. Enables you to have greater power over how you view webpages. No installation or downloading of software.
Cons:
Requires maintenance. Not always easy to find in your system (solved by our guide). May raise security issues on a LAN with multiple users (difficult to see how in a number of cases since one can use the HOSTs file to increase security for others). Side benefit of having an effective way of blocking ads on the web (hint: Use 127.0.0.1 for domains that deliver ads). You also need to find accurate IP addresses in the first place (solved by two other guides we have in this list.
3. Using TOR
Quick Explanation:
TOR is more or less a network of proxies. One person accesses a proxy and that proxy forwards that access to another proxy, trying to erase the users tracks. That proxy sends that stream to another proxy and the stream keeps going through these steps until it finally reaches what is known as an “exit-node”. That exit node then accesses the internet on the users behalf and acts as an intermediary in the process. As long as that exit node exists outside of the US, there is a very good chance that it won’t be affected by DNS censorship imposed by the ISPs onto their DNS servers.
Pros:
Added bonus of a very secure source of anonymity (not 100% chance of anonymity of course, but close enough). An interesting way of seeing the internet through the eyes of someone not in your country.
Cons:
You might not be able to get everything your want from the internet through this network (there may be way of making things not break through this, but it isn’t without the risk of compromised security). Requires downloading content to run (though installation is minimal)
4. Using a Web DNS Tool
Quick Explanation
Just by using publicly available DNS look-up tools, one can easily obtain server IP addresses for later use. If a domain is censored, one can simply replace the domain name part of the URL with the IP address and still access the website.
Pros:
Potentially obtain multiple IP addresses for later use. Free. Obtain the addresses once and you don’t have to worry about losing access to the site for as long as the server IP address remains the same.
Cons:
Preferably, the IP addresses must be obtained before the site is actually censored (there may be a brief window between when the domain is censored and when DNS records are updated, but there’s no telling how long that window is for sure). If the website obtains a new server and changes all of its IP addresses and you don’t have the new addresses, then you could lose the ability to use the website. There’s no guarantee this will always be an option should ISPs start blocking IP addresses as well.
5. Changing Your DNS Server
Quick Explanation:
Since we are talking about censoring DNS servers in the US, one can always just use a DNS server over seas (like ones used by ISPs overseas). By changing a your DNS server, you are no longer relying on a server that could be censored by the US government and/or corporate interests.
Pros:
No installation or downloading of additional software (everything you need should be on your computer already). Just a few menu clicks away. Can always be changed again at a later time without too much hassle.
Cons:
Can be a security risk to your computer if not done properly. Difficult to obtain DNS server IP addresses that will guaranteed be available for the foreseeable future. No guarantee that ISPs won’t start blocking this type of activity.
6. Using Command Prompt
Quick Explanation:
In Windows at least, one can simply open up command prompt (explained in tutorial) and simply type in “ping [insert domain name here]” and obtain a server IP address for later use.
Pros:
No installation or downloading of any software (use what you already have on your computer). Probably the fastest way to shield yourself from censorship. Only one command is technically necessary before you get what you are after.
Cons:
Obtaining this information through command prompt must be done before the domain is censored. Only one IP address can be obtained this way. If the website changes IP address for their server, you’ll lose access to the site unless you have the new one as well.
7. Using Foxy Proxy
Quick Explanation:
It’s a simple plug-in for FireFox you can download and install. After getting a nice list of simple proxies that preside outside of the US, you have a better chance at accessing the website that has been censored by the US government and/or corporate interests.
Pros:
Easy to install. Being able to access censored websites can merely be a click away. A fast fix with minimal effort if you have access to a decent size list of proxies (provided in guide).
Cons:
Reliability is no guarantee. Based on the technological aspect of this method, it’s not that secure since you are relying on one proxy. Not able to use this method for all kinds of web traffic. Confined to FireFox.
8. Using MAFIAAFire
Quick Explanation:
A simple plug-in for FireFox (or Chrome) you can download and install. If a website has had it’s domain seized, then you can be redirected to an alternate domain and still access the website.
Pros:
Easy to install. Is maintained for you through updates.
Cons:
Uses DNS servers that can be censored. Depends on there being an alternative domain name being used in the first place for access (if an alternate domain doesn’t exist, then the site might not be accessible in this fashion). Technically, the site could be censored and block all possible updates as well.
Final Thoughts
By no means is this list comprehensive in any way. Still, I think some of these methods go way beyond circumventing types of censorship as suggested by the PROTECT-IP act.
It’ll be interesting to see how some services respond both who support internet censorship and those who are against internet censorship. I have a feeling it will be extremely difficult to stop these already existing methods to defeat DNS censorship. If, say, ISPs find a way to stop all of the above, a combination of some of the above or any enhancements to any of the above, I’ll be very impressed. Good luck to the ISPs on stopping this, they are going to need it.
Have a tip? Want to contact the author? You can do so by sending a PM via the forums or via e-mail at [email protected].
Update: Your e-mails are greatly appreciated. Thank you everyone for the supporting notes!
Related
- PROTECT IP Would Destabilize Internet Security, Consultants Warn
- Guide: How to Circumvent US DNS Censorship (Obtaining Server IPs)
- Guide: How to Defeat US DNS Censorship (Using DNS Web Tools)
- Guide: How to Defeat US DNS Censorship (Changing Your DNS Server)
- Law Professors Line Up to Oppose the PROTECT IP Act
Share
|
|
You jerk, you didn’t put in my method of overthrowing the government.
Not all VPN services log activity. There are some that keep no logs.
Also you can simply purchase a Pre-Paid Credit Card and sign up if security is a bigger concern signing up for a VPN. Most only keep temporary logs and will tell you how long they keep them for before deletion if not stating on their site via a email query. A good VPN will not keep logs for longer than 7 days and even then the logs hardly tell you much except time stamps and ip’s that were connected to or requested from the original IP (you).
The VPN I use, Perfect Privacy, uses PayPal, and does not store your information. The take customer privacy verry seriously. I have tried many VPN services, but I find Perfect Privacy to be the best.
Again…why has no one created a worm that simply creates bogus traffic will waste/overwhelm Law Enforcement time if such an act goes into effect? Since governments spend so much time on kiddie porn and terrorism, I’m surprised one hasn’t been created, yet.
Well I’d like to point out that in the recent raid on that international pedophile ring, law enforcement blew past the proxies and tor “protection” and EASILY found everyone even though they weren’t all in america. I’m not saying that torrenting an 80s rock cd has the same priority for law enforcement as a worldwide pedo ring but the fact remains the same that tor and proxies only give an illusion of anonymity. If someone wants to track you and your activity online, they’ll do it and that stuff won’t be a deterrent of any kind. Also VPN services log all that activity and will be more than happy to hand it over to any law agencies that demand to see it. The vpn does not “hide your tracks” in the exact words of a vyprvpn tech.
As far as hiding your IP, it also depends on the country where the proxy or VPN is. Back before there were legal options for downloading music, and pirate sites (e.g Kazaa, or the original Napster) where the only way, I never used proxies in Western countries. I always used proxies in countries like China, or even North Korea, where they would gladly tell the American government to drop dead.
Also I want to point out before anyone else does that I realize that my last post ISN’T the point of the article. The point was various ways to get around stupid internet censorship and the VPN, proxies, tor and all that other stuff is MORE than capable of doing that so I agree 100% with the article. I just wanted to point out that just because you are hiding your real ip, you are hardly anonymous.
Whether you hide your real IP depends on the proxy. There are some VPN services that keep no logs. Check with a particular VPN provider before signing up;
If laws have been thrown out that required ISP’s to block access to sites that trade child porn–which they have–DNS censorship will never survive First Amendment scrutiny, especially when it gives the censored website no notice or opportunity to respond.
And as far as that big porn ring, I haven’t seen any government claims that they actually tracked people who were using proxies or Tor. What I see is lots of bluster about how “users were advised to use proxies” and “we busted lots of people” but no “we busted lots of people who were using proxies.” Probably what really happened is the government got the people who weren’t using proxies at all and are peacocking.
I began the Wikipedia article on Operation Delego. Only 72 individuals out of the approximately 600 members of Dreamboard were charged, and twenty of them as John Does. While Dreamboard itself gave advice to its members as to which encryption to use (according to the Twitched Indictment), the Feds obviously aren’t broadcasting about the security protocols which they weren’t able to break or otherwise circumvent. Proxies? Tor? Public-key encryption? Carrier pigeons? Some particular mix of the methods mentioned in the article? You have to read between the lines, I suppose.
I’m not quite sure that it will matter how you attempt to circumvent the censor, when the censor will just shutdown the information portal or individual/group websites.
Sure, there’s always newsbins, mailing lists, irc, etc.. but I am not going to pay money to access an internet that has been stifled to such a point.
Another way to bypass any ISP blocking of DNS lookups to an overseas DNS Server is to choose a DNS server that allows you to use a port other than 53. Then it’s a matter of applying an outgoing map from port 53 to xxx. If your hardware can’t do that, then a small program could be written to do the port mapping on your PC.
If an ISP is coerced into censoring DNS lookups to anything but their own (poisoned/damaged) servers, they would be defeated if everyone used some random port. It would be easy to set up a DNS server to accept requests on a wide range of ports; simply forward all incoming requests in that range to port 53 internally.
What troubles me, though, is the fact that these copywrong idiots have no regard for the integrity of the Internet, and are prepared to damage the infrastructure (DNS) that makes the Internet as useable as it is. These people are truly vandals, and are performing criminal acts when they break our communications systems.
Not surprised to see paid VPN listed as solution #1. A solid VPN service will give you a dynamic IP, the ability to connect to overseas servers, strong encryption, unlimited bandwidth, and high speeds. In return for the few dollars a month, you get all that, and basically the peace of mind that crap legislation like this won’t bother you. Is that worth $10-$20/mo? I definitely think so.
A good VPN provider also won’t keep logs, but be aware, US VPN providers are required to do so. As are international VPN providers operating US based servers. Moral of that story? Don’t use US VPN servers if you require “significant” anonymity. Although there hasn’t really been any publicized instances of US VPN giving up details on say, file sharing. Sweden, NL, and other places are your best bet there.
An interesting fact is that with all this legislation (not just in the US either), law enforcement and intelligence agencies are becoming increasingly worried about the growth of VPN and encryption. So really, they’ll have no one to thank but the legislators when everybody and there brother is inside a 256bit AES data tunnel.
Speaking of, for gods sakes don’t get a VPN provider that only offers PPTP. Your best bets are L2TP, OpenVPN, and the new SSTP (from Microsoft of all places). L2TP can sometimes be blocked though (UAE and others are known to block it). OpenVPN is much harder to block and provider many options for encryption (because it uses OpenSSL). SSTP is virtually impossible to block because it disguises itself as a regular HTTPS session.
A couple of good options, if you’re interested in VPN:
HideMyAss is $11.52/mo for Unlimited and High Speeds
VyprVPN comes free with Giganews Usenet or $15/mo
VPNTunnel.SE is run out of Sweden with absolutely no logging
iVPN.net has true Multihop bouncing your connection through 2 locations
VPN is also good practice in general. Do you use open/public wifi? You better be on VPN, otherwise someone just jacked your email (or whatever else – see session hijacking).
In any case, this was a really good article. ZP did a great job on this. Hopefully folks will continue to get educated and stay smart.
So explain to me how ping finds the address. Does it invent one? Does it try all of the IPv4 address range until it finds the right place or does it use the default DNS.
Cretin.
Option 6 doesn’t circumvent anything.
Since it seems that there’s some confusion on why I included command prompt as an option, I’ll clarify for those that didn’t read the guide:
If you are worried that a domain you use might be censored, you ping the domain and retrieve the IP address BEFORE it is censored. Then, you simply replace the domain name with the IP address. Preferably, you take the IP address and drop it into your HOSTs file.
It’s a VERY low tech method and the only two ways it wouldn’t work is if the domain in question redirects you to the domain name or the ISP blocks the server IP address as well. Unless ISPs interpret the PROTECT IP act in a way that forces them to block the IP address as well, then this is actually a bit beyond the scope of the legislation (has not passed yet)
It’s also very low on the list as well for the reason that I can see such a technique be plugged quickly. Nevertheless, it is a possible way to circumvent DNS censorship, so that is why it is even included at all. Besides, even if it doesn’t work at all, there’s still 7 other options at your disposal.
Also, if anyone is reading these comments with more knowledge in this area, I am open to suggestions on other ways of circumventing DNS censorship as I’m having a hard time finding anything else that is not only different from the list above and is available for testing, I’d be interested in giving it a shot. I’m aware that there is some experimental methods being developed ATM that further hides your traffic and activities.
Ok,
Almost all are very good points but some clarifications and corrections….
From point 2:
“Side benefit of having an effective way of blocking ads on the web (hint: Use 127.0.0.1 for domains that deliver ads).”
Err… wrong you shouldn’t point anything to your local-loopback besides that you are making your own computer process more requests to himself you are making a security mistake which can lead your computer to an easy way to compromise some of your own services so it is more wise to choose an invalid address rather than the loopback address… more info about the problem: hackademix.net/2009/07/01/abe-warnings-everywhere-omg/
From point 6:
Well m not gonna quote everything here but you are wrong, actually you should entirely remove this point because a ping to a hostname will always first resolve the hostname so if you are actually being blocked in DNS this will also lead to the same “blocked ip-address” so this point is entirely useless and its actually fare better to use a web dns tool (like dns crawler which sometimes querys the root-servers) that you already recommend in point 4.
Also i will add that is far better to run your own DNS Server and from start caching.
Many Operating Systems today already do this but only for caching purposes you can fully enable it and start using it as a local dns-server, if you are scare of running your own server then just use the one at your modem-router or plain router, sometimes they include a mini dns server (due to space and processor constrains) but for “performance” they just forward dns querys to your ISP’s so actually enabling them will help to circumvent protect-ip obviously if they configured well.
Best Regards
Consumer grade modem-routers often provide a mini-dns server that allows the user to chose the DNS server to forward requests to. This is usually quite a simple task done through the routers web based config utilities. Most likely the easiest solution for users with limited technical ability.
You are right in that an anonymous browsing session using TOR will reduce functionality, however simply visiting an overseas website does not require anonymity since being blocked by DNS servers does not make viewing the web material illegal. The only downside to onion routing used in this context is the speed penalty.
to avoid a court case when downloading material, one should always encrypt the data being downloaded regardless of any tools used to circumvent web censorship.