No internet on spoofed domains #65

Open
molaeiali opened this issue Jul 23, 2024 · 6 comments

@molaeiali

molaeiali commented Jul 23, 2024

I am using the default configuration plus some custom domains. Ports 53, 80 and 443 are open and mapped in compose to 8443, 8080 and 5300/udp.

I have access to the internet on non-spoofed domains but not on spoofed ones:

On my client (whose IP is in the ALLOWED_CLIENTS list):

Spoofed:

$ nslookup ifconfig.co
Server:		VPS_IP
$ curl -v https://ifconfig.co
*   Trying VPS_IP:443...
* Connected to ifconfig.co (VPS_IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=ifconfig.co
*  start date: Jul  3 19:24:55 2024 GMT
*  expire date: Oct  1 19:24:54 2024 GMT
*  subjectAltName: host "ifconfig.co" matched cert's "ifconfig.co"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x562882cfde90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: ifconfig.co
> user-agent: curl/7.81.0
> accept: */*
> 

It hangs here and times out.

Non-spoofed:

nslookup ident.me
Server:		VPS_IP
curl ident.me
CLIENT_IP

Here's my compose logs:

snidust  | [INFO] Dnsdist webserver password not set - generating one
snidust  | [INFO] Generated WebServer Password: PASSWORD
snidust  | [INFO] Dnsdist webserver api key not set - generating one
snidust  | [INFO] Generated WebServer API Key: API_KEY
snidust  | [INFO] Installing default domains...
snidust  | '/var/lib/snidust/domains.d/00-debug.lst' -> '/etc/snidust/domains.d/00-debug.lst'
snidust  | '/var/lib/snidust/domains.d/01-cdn_akamai.lst' -> '/etc/snidust/domains.d/01-cdn_akamai.lst'
snidust  | '/var/lib/snidust/domains.d/02-amazon.lst' -> '/etc/snidust/domains.d/02-amazon.lst'
snidust  | '/var/lib/snidust/domains.d/03-hbo.lst' -> '/etc/snidust/domains.d/03-hbo.lst'
snidust  | '/var/lib/snidust/domains.d/04-hulu.lst' -> '/etc/snidust/domains.d/04-hulu.lst'
snidust  | '/var/lib/snidust/domains.d/05-netflix.lst' -> '/etc/snidust/domains.d/05-netflix.lst'
snidust  | '/var/lib/snidust/domains.d/06-molotov_tv.lst' -> '/etc/snidust/domains.d/06-molotov_tv.lst'
snidust  | '/var/lib/snidust/domains.d/07-srf_ch.lst' -> '/etc/snidust/domains.d/07-srf_ch.lst'
snidust  | '/var/lib/snidust/domains.d/09-zattoo.lst' -> '/etc/snidust/domains.d/09-zattoo.lst'
snidust  | '/var/lib/snidust/domains.d/10-yallo.lst' -> '/etc/snidust/domains.d/10-yallo.lst'
snidust  | '/var/lib/snidust/domains.d/11-youtube.lst' -> '/etc/snidust/domains.d/11-youtube.lst'
snidust  | [INFO] Generating ACL...
snidust  | [INFO] Generating DNSDist Config...
snidust  | [INFO] Starting DNSDist...
snidust  | [INFO] Starting nginx..
snidust  | dnsdist 1.9.4 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2
snidust  | [INFO] [SniDust] *** Loading Domain Lists... ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/00-debug.lst***
snidust  | [INFO] [SniDust] Adding domain ifconfig.co to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/01-cdn_akamai.lst***
snidust  | [INFO] [SniDust] Adding domain akadns.net to list
snidust  | [INFO] [SniDust] Adding domain akam.net to list
snidust  | [INFO] [SniDust] Adding domain akamai.com to list
snidust  | [INFO] [SniDust] Adding domain akamai.net to list
snidust  | [INFO] [SniDust] Adding domain akamaiedge.net to list
snidust  | [INFO] [SniDust] Adding domain akamaihd.net to list
snidust  | [INFO] [SniDust] Adding domain akamaistream.net to list
snidust  | [INFO] [SniDust] Adding domain akamaitech.net to list
snidust  | [INFO] [SniDust] Adding domain akamaitechnologies.com to list
snidust  | [INFO] [SniDust] Adding domain akamaitechnologies.fr to list
snidust  | [INFO] [SniDust] Adding domain akamaized.net to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/02-amazon.lst***
snidust  | [INFO] [SniDust] Adding domain amazon.com to list
snidust  | [INFO] [SniDust] Adding domain amazon.co.uk to list
snidust  | [INFO] [SniDust] Adding domain amazonvideo.com to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/03-hbo.lst***
snidust  | [INFO] [SniDust] Adding domain hbonow.com to list
snidust  | [INFO] [SniDust] Adding domain hbogo.com to list
snidust  | [INFO] [SniDust] Adding domain hbo.com to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/04-hulu.lst***
snidust  | [INFO] [SniDust] Adding domain hulu.com to list
snidust  | [INFO] [SniDust] Adding domain huluim.com to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/05-netflix.lst***
snidust  | [INFO] [SniDust] Adding domain netflix.com to list
snidust  | [INFO] [SniDust] Adding domain netflix.de to list
snidust  | [INFO] [SniDust] Adding domain nflximg.net to list
snidust  | [INFO] [SniDust] Adding domain nflximg.com to list
snidust  | [INFO] [SniDust] Adding domain nflxvideo.net to list
snidust  | [INFO] [SniDust] Adding domain netflix.net to list
snidust  | [INFO] [SniDust] Adding domain nflximg.net to list
snidust  | [INFO] [SniDust] Adding domain nflxvideo.net to list
snidust  | [INFO] [SniDust] Adding domain nflxso.net to list
snidust  | [INFO] [SniDust] Adding domain nflxext.com to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/06-molotov_tv.lst***
snidust  | [INFO] [SniDust] Adding domain molotov.tv to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/07-srf_ch.lst***
snidust  | [INFO] [SniDust] Adding domain srgssr.ch to list
snidust  | [INFO] [SniDust] Adding domain cdn.rts.ch to list
snidust  | [INFO] [SniDust] Adding domain srgsnitch.herokuapp.com to list
snidust  | [INFO] [SniDust] Adding domain srg.live.ott.irdeto.com to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/09-zattoo.lst***
snidust  | [INFO] [SniDust] Adding domain zattoohds-a.akamaihd.net to list
snidust  | [INFO] [SniDust] Adding domain zathdslive-a.akamaihd.net to list
snidust  | [INFO] [SniDust] Adding domain zahs.tv to list
snidust  | [INFO] [SniDust] Adding domain zatsslive-a.akamaihd.net to list
snidust  | [INFO] [SniDust] Adding domain chromecast-receiver.zattoo.com to list
snidust  | [INFO] [SniDust] Adding domain box30030.wemfbox.ch to list
snidust  | [INFO] [SniDust] Adding domain zattoo.wemfbox.ch to list
snidust  | [INFO] [SniDust] Adding domain zatsslive-a.akamaihd.net to list
snidust  | [INFO] [SniDust] Adding domain zattoo.com to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/10-yallo.lst***
snidust  | [INFO] [SniDust] Adding domain y3o.tv to list
snidust  | [INFO] [SniDust] Adding domain yallo.tv to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/11-youtube.lst***
snidust  | [INFO] [SniDust] Adding domain youtube.com to list
snidust  | [INFO] [SniDust] Adding domain googlevideo.com to list
snidust  | [INFO] [SniDust] Adding domain youtubei.googleapis.com to list
snidust  | [INFO] [SniDust] Adding domain youtube.googleapis.com to list
snidust  | [INFO] [SniDust] Adding domain youtube-nocookie.com to list
snidust  | [INFO] [SniDust] Adding domain youtu.be to list
snidust  | [INFO] [SniDust] Adding domain s.ytimg.com to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Domain List: /etc/snidust/domains.d/99-custom.lst***
snidust  | [INFO] [SniDust] Adding domain docker.com to list
snidust  | [INFO] [SniDust] Adding domain docker.io to list
snidust  | [INFO] [SniDust] Adding domain gitlab.com to list
snidust  | [INFO] [SniDust] Adding domain gitlab.io to list
snidust  | [INFO] [SniDust] Adding domain github.com to list
snidust  | [INFO] [SniDust] Adding domain github.io to list
snidust  | [INFO] [SniDust] Adding domain githubusercontent.com to list
snidust  | [INFO] [SniDust] Adding domain npmjs.com to list
snidust  | [INFO] [SniDust] *** End of Domain List ***
snidust  | [INFO] [SniDust] *** Complete! ***
snidust  | Added downstream server 8.8.8.8:853
snidust  | Added downstream server 8.8.4.4:853
snidust  | Added downstream server 1.1.1.1:443
snidust  | Added downstream server 1.0.0.1:443
snidust  | Listening on 0.0.0.0:5300
snidust  | ACL allowing queries from: CLIENT_IP/32, 127.0.0.1/32
snidust  | Console ACL allowing connections from: 127.0.0.0/8, ::1/128
snidust  | Marking downstream cloudflare-dns (1.0.0.1:443) as 'up'
snidust  | Marking downstream cloudflare-dns (1.1.1.1:443) as 'up'
snidust  | Marking downstream dns.google (8.8.4.4:853) as 'up'
snidust  | Marking downstream dns.google (8.8.8.8:853) as 'up'
snidust  | ===================================================================
snidust  | [INFO] SniDust started => Using VPS_IP - Point your DNS settings to this address
snidust  | ===================================================================

Any idea what's happening? It looks like the DNS is working but it cannot get data from the VPS.

@molaeiali
Author

When I spoof all I get this:

~$ curl https://ifconfig.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

HTTP connections are OK, but HTTPS connections will time out or end up with an error.

@stream2me
Contributor

I am using the latest image and everything works as it should.
Have you checked your firewall rules?
If you try "dig" from the client, do you get the VPS-IP?

dig +short @VPS-IP yallo.tv
VPS-IP

@Seji64
Owner

Seji64 commented Jul 23, 2024

ifconfig.com does indeed not have a valid SSL cert. So the curl error is correct.

@molaeiali
Author

> I am using the latest image and everything works as it should. Have you checked your firewall rules? If you try "dig" from the client, do you get the VPS-IP?
>
> dig +short @VPS-IP yallo.tv
> VPS-IP

Yes, I get VPS-IP.

> ifconfig.com does indeed not have a valid ssl cert. So the curl error is correct

On other HTTPS websites it just hangs, for example:

HTTPS:

$ curl -v https://www.google.com
*   Trying VPS-IP:443...
* Connected to www.google.com (VPS-IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Jul  1 07:34:52 2024 GMT
*  expire date: Sep 23 07:34:51 2024 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x555c28717e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: www.google.com
> user-agent: curl/7.81.0
> accept: */*
> 

HTTP:

$ curl -v http://www.google.com
*   Trying VPS-IP:80...
* Connected to www.google.com (VPS-IP) port 80 (#0)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.26.1
< Date: Wed, 24 Jul 2024 08:32:04 GMT
< Content-Type: text/html; charset=ISO-8859-1
< Transfer-Encoding: chunked
< Connection: keep-alive
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-VuzWcYyjsC0o6rxObhflCA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: AEC=AVYB7cq9i6_7vCWs7ngGKIY7VeLR53yYR1Eqh6e_UY55njHnOarMWqQXLzU; expires=Mon, 20-Jan-2025 08:32:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< Set-Cookie: NID=516=pWXai-sY1vgE7jxg44sw8ZXE1daDYFaJ5eGGGHKpjJxQTEsADggFj4LBKrmSijmPsSbbR5V4aKDXSeTHsPm9DvyyUNr47cuEzaLiZOv1nNPZzd1hazOky_hXkWm3ZxYY3bPfdgAL0EsxVJ0LsD0vjGX0-7EiOR1-4OGaoJdmxAY; expires=Thu, 23-Jan-2025 08:32:04 GMT; path=/; domain=.google.com; HttpOnly
< Accept-Ranges: none
< Vary: Accept-Encoding
< 
<!doctype html><html itemscope="" itemtype=  THE REST OF HTML PAGE

@Seji64
Owner

Seji64 commented Jul 24, 2024

Does the curl command work in the Container?

@molaeiali
Author

molaeiali commented Jul 24, 2024

> Does the curl command work in the Container?

Yes, it works.
