As we all know, the Internet in China is subject to various man-made network faults that make many websites impossible to access. Because many people are not familiar with networking, they often cannot tell the different faults apart. As a result, what is clearly a network fault gets treated as a server fault, or a server fault gets treated as a network fault. I think it is necessary to describe the characteristics of the different network faults, how to distinguish them, and how to solve them.
In the domestic Internet environment, we often encounter the following network faults: DNS hijacking, DNS pollution, IP blocking, server firewall IP filtering, server downtime, keyword-based TCP connection reset, stateless TCP connection reset, SSL certificate filtering, SSL hijacking, HTTP session hijacking, and others. I will explain them in sequence:
1. DNS hijacking
With DNS hijacking, when we visit a non-existent or unstable website we are shown the China Telecom 114 search page instead (for details, see the Moonlight Blog post "browser hijacking of interconnected stars after network disconnection"), or we visit Google and are shown the Baidu home page (for details, see the Moonlight Blog post "Google blog search changes to a hundred degrees").
To confirm whether you are in a DNS hijacking environment, open the Windows command line (cmd) and use nslookup, the network diagnostic tool provided with Windows, to look up a non-existent or unstable domain name:
C:\> nslookup www.SomeRandomDomainName.com
Server: ns-pd.online.sh.cn
Address: 202.96.209.20
Non-authoritative answer:
Name: www.SomeRandomDomainName.com
Address: 218.83.175.155
www.SomeRandomDomainName.com should be a non-existent domain name, and the DNS server should tell us that it does not exist. Instead, the DNS server tells us that the IP address of this domain name is 218.83.175.155 (the 114 search IP address differs by region, so the address you see may not be 218.83.175.155 but the 114 search server for your own region). This IP address belongs to 114 search, so when we access the website in a browser we see the 114 search page.
To solve the DNS hijacking problem, you can change your domain name resolution server to a foreign one, such as OpenDNS (for details, see the Moonlight Blog post "use OpenDNS to solve DNS domain hijacking") or Google DNS (for details, see the Moonlight Blog post "Google launches free DNS Service").
Then we can use nslookup again to look up the website:
C:\> nslookup www.SomeRandomDomainName.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
*** google-public-dns-a.google.com can't find www.SomeRandomDomainName.com: Non-existent domain
We can see that the DNS server now correctly tells us that this domain name does not exist, and we are no longer hijacked to 114 search.
However, as the last section of "use OpenDNS to solve DNS domain hijacking" says, "however, the use of OpenDNS cannot solve DNS hijacking". Next, I will introduce DNS pollution.
2. DNS pollution
Because DNS hijacking can be worked around by switching to a foreign domain name server, the system needs to use DNS pollution to block some domain names. With DNS pollution, even if you use a foreign domain name server, you cannot get the correct IP address of the target server, so you cannot access it. For example, the home page of the well-known microblogging service Twitter has suffered DNS pollution.
To confirm that a domain name is affected by DNS pollution rather than some other fault, you must first understand the difference between the two. DNS hijacking is carried out by the domestic domain name server, so we can solve it by changing to a foreign domain name server. DNS pollution is carried out by the system itself, so even if the domain name server is changed, the system can still send forged resolution results that replace the correct ones. Therefore, we can use a foreign IP address at which no DNS server exists as our domain name server to diagnose whether we are facing DNS hijacking or DNS pollution. We again use nslookup for the diagnosis, and choose 144.223.234.234 as the non-existent foreign IP address:
C:\> nslookup twitter.com 144.223.234.234
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 144.223.234.234: Timed out
Server: UnKnown
Address: 144.223.234.234
Name: twitter.com
Address: 93.46.8.89
As we can see, because no server exists at 144.223.234.234, nothing should be returned. Yet we get an incorrect IP address, 93.46.8.89. Now let's run the same test with the domain name used in the DNS hijacking check:
C:\> nslookup www.SomeRandomDomainName.com 144.223.234.234
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 144.223.234.234: Timed out
Server: UnKnown
Address: 144.223.234.234
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
We can see that www.SomeRandomDomainName.com returns no result, so it is not affected by DNS pollution.
To solve DNS pollution, we can only use remote DNS resolution through various encrypted proxies, a VPN, or vulnerabilities in the system.
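The two nslookup checks above can be turned into a small classifier. The following is an added example, not part of the original article: the function names and verdict strings are my own, and the sample transcripts are condensed from the nslookup runs shown above.

```python
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_nslookup(text):
    """Split Windows nslookup output into the resolver address and the answers."""
    resolver, answers, seen_name = None, [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Name:"):
            seen_name = True          # addresses after "Name:" are answers
        m = re.match(r"Address(?:es)?:\s*" + IPV4, line)
        if m and seen_name:
            answers.append(m.group(1))
        elif m and resolver is None:
            resolver = m.group(1)     # first address belongs to the resolver
    return {"resolver": resolver, "answers": answers,
            "nxdomain": "Non-existent domain" in text}

def classify(result, name_exists, resolver_exists):
    """Apply the article's two checks to one parsed nslookup run."""
    if not resolver_exists:
        # No server listens at this address, so any answer was injected on the path.
        return "dns-pollution" if result["answers"] else "no-pollution-seen"
    if not name_exists:
        if result["answers"]:
            return "dns-hijacking"    # resolver rewrote NXDOMAIN into an A record
        return "resolver-honest" if result["nxdomain"] else "inconclusive"
    return "inconclusive"             # a real name on a real resolver proves nothing

# Transcripts condensed from the nslookup runs shown in this article.
HIJACKED = """Server: ns-pd.online.sh.cn
Address: 202.96.209.20
Non-authoritative answer:
Name: www.SomeRandomDomainName.com
Address: 218.83.175.155"""
POLLUTED = """DNS request timed out.
*** Can't find server name for address 144.223.234.234: Timed out
Server: UnKnown
Address: 144.223.234.234
Name: twitter.com
Address: 93.46.8.89"""
NOT_POLLUTED = """Server: UnKnown
Address: 144.223.234.234
DNS request timed out.
*** Request to UnKnown timed-out"""

if __name__ == "__main__":
    print(classify(parse_nslookup(HIJACKED), name_exists=False, resolver_exists=True))
    print(classify(parse_nslookup(POLLUTED), name_exists=True, resolver_exists=False))
    print(classify(parse_nslookup(NOT_POLLUTED), name_exists=False, resolver_exists=False))
```

The caller supplies the two facts nslookup cannot know: whether the queried name is expected to exist, and whether a DNS server is expected to exist at the queried address.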
3. IP address blocking
IP address blocking means that the IP addresses of foreign servers are added to the system's blacklist in China, so that the servers cannot be accessed directly from most regions or even nationwide. Because the system is distributed, a server may be accessible from some regions and not from others. For example, the home page of the well-known cloud storage service Dropbox is blocked by IP address.
First, we set the domain name server to a foreign server to rule out DNS hijacking. Then we check whether the Dropbox domain name is affected by DNS pollution:
C:\> nslookup www.dropbox.com 144.223.234.234
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 144.223.234.234: Timed out
Server: UnKnown
Address: 144.223.234.234
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
It is clear that the domain is not affected by DNS pollution. Next, in a network environment that does not filter the ICMP protocol (some residential broadband networks and some company internal networks filter ICMP, and tracert cannot be used there), we can use tracert, the Windows network diagnostic tool, from the Windows command line (cmd) to diagnose whether the website is blocked by IP address or is suffering from some other fault:
C:\> tracert -d www.dropbox.com
Tracing route to www.dropbox.com [174.36.30.70]
over a maximum of 30 hops:
1 18 ms 19 ms 26 ms 58.35.240.1
2 15 ms 20 ms 29 ms 58.35.240.1
3 13 ms 10 ms 14 ms 124.74.20.45
4 14 ms 14 ms 15 ms 124.74.209.20
5 10 ms 15 ms 14 ms 61.152.86.58
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
......