Category Archives: China

Securing DNS Traffic in China

Overview

DNS poisoning is one of the most common cause of nuisance when accessing websites
that are outside this 1.4 billion-people Oriental country. So far, the best way to protect yourself from this trouble is to route all your DNS traffic through an encrypted channel, and the method I am going to introduce is DNSCrypt. There is not yet a standard for encrypted DNS, DNSCrypt is a project done by OpenDNS. According my experience, DNSCrypt is very reliable and robust, the cryptography of the protocol is called DNSCurve, which is a public-key crypto that employes an extremely strong elliptic-curve cryptography called Curve25519.

If you have read my previous writing, you should know my setup is a Raspberry Pi, and so the rest of this article is based on that, running Raspbian. Dnsmasq will be used as the first DNS caching proxy to serve incoming DNS queries from machines on the network. If the queried domain name is a China one, the request will be served by a China DNS. This is necessary because for some domains, answers from DNS servers in China and global ones could be different. If the requested domain does not belong to any known China domains, the request will be forwarded to dnscrypt-proxy, which will ask a DNSCrypt server for an answer.

After DNSCrypt is used, your DNS traffic will look like this:

Setting up DNSCrypt

As illustrated in the above diagram, dnscrypt-proxy is the piece of software that handles DNSCrypt, but it is not available in Raspbian’s Wheezy and Jessie releases, only in testing (currently Stretch). You can either compile it yourself, or grab the debian package I built and install it. You can find the package here. It is based on the Raspbian package in testing repo, with some modification to debian packaging files, since the one in testing depends on systemd, which had not yet been adopted when Wheezy was released.

If you really want to build the package yourself, first install the libsodium packages. The package are also not available in Wheezy repo but the ones from testing, libsodium13_1.0.3-1_armhf.deb and libsodium-dev_1.0.3-1_armhf.deb, can be installed without any problem. Download and install them, then follow these steps to build your dnscrypt-proxy package:

After dnscrypt-proxy is installed, you have to update the port it uses. Change DNSCRYPT_PROXY_LOCAL_ADDRESS in /etc/default/dnscrypt-proxy to another port other than 53 (as it will be used by dnsmasq later), like this:

You can also change the remote DNSCrypt server, but since the default (cisco) works well for me, I left it unchanged.

Now test it to make sure it works as expected:

Setting up dnsmasq

Dnsmasq is very common and is available in Raspbian, installing it is easy:

Now we have to do some configuration in /etc/dnsmasq.conf. These are my recommended settings. Please note that the interface option is the network interface that dnsmasq will serve, and in my case that is wlan0. You have to change it to the one that applies to your case.

Now comes the interesting part. We are going to tell dnsmasq to use a China DNS server (114.114.114.114 in my example) for China domains and DNSCrypt server for all others. This is done by using the server option in /etc/dnsmasq.conf. Here is an example:

This is pretty straightforward. The last line tells dnsmasq to use your dnscrypt proxy if the domain you query does not match any China domains. In my config file there are 12238 lines for China domains so I’m not going to post them all here, you can get the snippet of my dnsmasq.conf here, and put it into your own dnsmasq.conf. The problem is to maintain the list for all China hosts. I am now using the list from the fqrouter project, it has been serving me well, since most common domains are already there. What’s worrying is due to the abandon of the project by it’s author, the list is now unmaintained. If you know a more updated list, please let me know!

Obfuscated SSH tunnel

VPN providers were cracked down, open source anti-censorship tools were eliminated. This is what’s happening in China and has become even more severe than ever. Shadowsocks alone is no longer reliable due to more powerful deep packet inspection implemented at the GFW.

I am now replacing shadowsocks on my gateway with obfuscated SSH tunnel, based on Tor‘s obfsproxy. To the impatient ones, I will first give a concise summary of the necessary steps of my set up. You can follow it without drilling down the details. I will explain in more details later. But please note that you have to follow the other instructions in this blog post to complete the whole set up.

Quick Set up

On your server

Assume your server runs Debian 8 (jessie) or Ubuntu, and its IP is 1.2.3.4, run these commands:

On Raspberry Pi gateway

Edit ~/.ssh/config:

Run these commands:

Deploy Shadowsocks on Raspberry Pi with ChinaDNS and Redsocks

Assume you already have a Raspberry Pi configured as a WIFI router like mine shown below, but you live in China and have to deal with the fact that many websites can’t be accessed due to GFW. Don’t be despair and with some hacking you can get your Internet freedom back.

IMG_20150714_134341

The mechanism is to use shadowsocks on your router which directs any traffic to a shadowsocks server in the free world. It’s simple to get it up and running on a local machine, but on a router you need to use redsocks to redirect traffic to the shadowsocks client running on your Raspberry Pi. DNS traffic has to be routed by redsocks as well otherwise your DNS replies will be contaminated. To remain as fast as normal when accessing China websites you also need to skip routing traffic to Redsocks for anything within the China IP ranges. Even if you don’t care about performance, this is still necessary in some circumstances like geoip restriction such as tv.sohu.com does not deliver contents if you live outside of China.

Finally, we want to improve the performance even further by using ChinaDNS. To avoid DNS poisoning, we can always resolve DNS over our secured shadowsocks connection, but this is not optimal if a China website have CDNs outside China. ChinaDNS queries local DNS servers to resolve Chinese domains and queries foreign DNS servers to resolve foreign domains, and from my testing it is useful to avoid DNS poisoning with the “DNS compression pointer mutation” option. (Update: I have switched from ChinaDNS to dnsmasq+dnscrypt, please read Securing DNS Traffic in China to see how it works.)

Shadowsocks

I assume that you have shadowsocks server running on a public server, so I will skip that part and only talk about the client side.

Installing shadowsocks is very simple, note that it will be installed under /usr/local/.

Start up shadowsocks while listening on local port 1080:

Redsocks

Install redsocks, simply apt-get from the archive:

Then you need to change the START option in /etc/default/redsocks from NO to YES, so that redsocks will start automatically at boot time and also can be started by sudo /etc/init.d/redsocks start:

Then update /etc/redsocks.conf. Most of the default settings work fine, just need to change local_ip in the redsocks section to your address of the network interface that accepts traffic from your local network. The default is 127.0.0.1, but that does not work well if you want to re-route traffic from other machines on your network, so change it to something like:

But we want traffic from other hosts in your network to be redirected by redsocks to your local shadowsocks client, which in turn sent to the the remote shadowsocks server. We need to pay special attention to DNS traffic, as DNS poisoning is prevalent in China. We need to take special care to redirect DNS traffic through redsocks/shadowsocks.

We also want all China traffic NOT to go through shadowsocks for performance. This can be easily done by looking at the destination IP, if it is in the China IP range we skip going through the REDSOCKS china. First we need to get all network segments allocated to China and save it to a file called chnroute.txt:

These all can be accomplished by iptables. You need to run the following iptables commands, or put them in a local script and run it with sudo.

Run iptables -t nat -L -n to make sure the rules have been added correctly. Now start up redsocks by sudo /etc/init.d/redsocks start and let’s test it out by doing some web browsing on another computer in your local network. If that works fine, congratulations and you have set up everything correctly! If not, look at shadowsocks output and also turn on redsock’s log_debug and check if there is anything useful in /var/log/daemon.log.

ChinaDNS

ChinaDNS is not absolutely necessary, but as explained at the beginning it is desirable. There is no pre-built package so we need to compile it. It is simple to do:

After it is successfully compiled, test it out:

If it goes well, run src/chinadns -m -c chnroute.txt when your router boots.

That’s it! I hope these are useful to you.

Update: I have switched from ChinaDNS to dnsmasq+dnscrypt, please read Securing DNS Traffic in China to see how to set it up.

Hack a fan – 自製空氣淨化器

上週日在北京 Bookworm 書店+咖啡廳參加了一個很有趣的 DIY 土炮空氣淨化器活動。北京經常被陰霾籠罩, AQI (空氣質素指數) 大部份時間處於不健康水平,在北京生活,口罩和空氣淨化器必不可少。其實空氣淨化器的構造不複雜,簡單說就是由風機抽取室內空氣,通過濾網把空氣中的顆粒隔除 。濾網包括 HEPA,活性炭等。很多市面上賣的淨化器都用 HEPA,HEPA 效能高,相對廉宜,技術成熟,能過濾 99.7% 以上 0.3 微米的粒子,所以對付 PM 2.5 很有效。當然,淨化器廠商不會只滿足於此,爲了提高利潤,都會加些有的沒的功能,譬如除甲醛、除臭、殺菌等。不過,這些 fancy 的功能往往只是錦上添花,至少在帝都這些功能遠遠比不上過濾 PM 2.5 來得重要 (沒聽說北京的細菌特別猖狂)。

說回這個 workshop,它是由一位在北京做研究的美國心理學博士生 Thomas Talhelm 舉辦的。話說他對北京的空氣污染很擔心,但又發現市面上的空氣淨化器貴的離譜,所以就開始着手研究自製淨化器,然後把結果發表到 http://particlecounting.tumblr.com/。目前他做了兩款,一款售價 200 RMB(我自己算了一下,成本大概 160 RMB),另一款過濾效能更高名叫「大炮」的賣 450 RMB。

在他的「發明」面世前,就已經有人嘗試過空氣淨化器,把過濾網放在風扇的前面(或後面),這件事誰都會幹,你想問這有什麼值得講的吧?答案就是 open data。Thomas 爲了證明他的淨化器有用,他做了非常多的實驗,在特定的環境下,採集了大量的數據,並進行對照實驗,跟量產的淨化器對比,證明他的 poor man’s air purifier 效果不比那些賣幾千塊錢的過濾器差。最重要是他把實驗方法和數據公佈在 smart air 網站particlecounting 博客,他對數據的嚴謹和認真態度都是長年在學術界鍛鍊出來的。他的朋友取笑他不願意付錢買淨化器,卻願意花 260 USD 買個粒子測量器,求真就是這個態度。
跟量產的過濾器對比

更買了各種不同的風扇,找出最好的一個用在下一代的「大炮」當中:

瘋狂的對不同風扇做實驗

他還在不斷的進行各種實驗,目前正在測試 HEPA 在長期使用下效能的變化

剛才說到 AQI,要注意 AQI 在各國的計算方法都不同。雖然美國中國所用的算式一樣,但等級分類卻有點差別。分別在於 AQI 200 以下的時候,美國所用標準要求更高,AQI 200 以上則幾乎一樣,所以會出現下面的情況,左圖按照中國標準,右圖按照美國標準,以後 quote AQI 要小心囉:

    
    
 

最後順便推薦幾款監察中國 PM 2.5 的 Android app:

商業電台網站大混亂

真係未見過有公司咁樣 launch website 嘅,原本個 website run 得好地地,為咗推新 service,將成個 site 換咗佢,結果係搞到好多俾咗錢聽 archive 嘅人聽唔到,特別係一眾 Mac user 同非 Windows user。嗰個新推出嘅 Toolbar 又唔 support OS X,又唔 support Firefox 3。原本嗰 site 都仲有得俾 user 揀用 RealPlayer 定係 Windows Media Player (Microsoft ASF format) 來收聽 realtime 廣播同 archive,但係個新 website 淨係 serve ASF 同埋用佢個 P2P toolbar。香港公司搞 website,已經無眼睇好耐。宜家咩年代啊,做 website 竟然仲唔注意係唔係 cross-platform。雖然 Real Audio 同 ASF 都係 proprietary,但係點計 RealPlayer 嘅 cross-platform support 都好過 ASF 好多,Mac 有 client,Linux 又有,連 Unix 都有。宜家商台竟然仲廢埋 Real Audio,有無搞錯。其實商台真係好天真好傻,將個 site outsource 俾大陸公司做,大陸公司做 website 出名 IE-only,商台自己嘅 project management 又好有問題,無做好 testing 唔駛講,個 site 宜家俾人媽到飛起,俾咗錢嘅用唔到應有服務,咁都仲唔 rollback 番個舊 site 出來,又或者同時間放番個舊 site 出來一齊行,咁係咪即係話根本無諗過任何 fallback plan,無 contingency plan 嘅呢?前幾日入去商台個 website,赫然發現個 domain name 變咗 beta.881903.com,心諗,唔係唔記得改番 DNS 吓嘛,邊有人用咁嘅 domain name 架,後來先發現原來商台係認真嘅,仲喺埋個 logo 寫住 beta,懶係 web 2.0 咁,真係膠到無朋友。人哋啲 website 寫住 beta,好似 gmail 咁,alpha, beta, gamma 都無問題,因為第一,佢就算係 beta 都仍然好 stable,第二,佢無收我錢。但係商台呢個 case 唔係咁,我真係唔信竟然有人 launch beta service 俾 paid service 嘅 user 咁樣搵香蕉皮自己踩。

好,鬧完,既然俾咗錢,唯有自救,用 XCode + Applescript + shell script 寫咗個 application 俾 Mac OS 10.5 嘅 user 用(唔知 10.4 得唔得,得嘅話通知聲),可以聽得番 archive,呢度 download。Download 完記得睇 README 點樣用!為咗獲得最佳效果,請同時下載 Real Player & Flip4Mac,得閒可以順手裝埋 Perian

更新 2/7/2008 6:25pm: 如果你安裝咗 Flip4Mac,你要先響 System Preferences 度打開 Flip4Mac,make sure “Use Filp4Mac WMV Browser Plug-in” 選項無被揀中。