Webmaster’s blocking of a banned site without settings and client-side software
I saw somehow IPv6 Teredo of peers in µTorrent under Windows, which shook the pieces at a fairly decent speed, and then it dawned on me ...
')
Make sure your web server is listening to IPv6 addresses. For nginx, this is the listen parameter.
My config looks like this:
I made a test page where you can listen to the wonderful Panty Shot track from Mindless Self Indulgence. I think it can be considered illegal, given the bunch of canceled concerts of soulless bands.
5yo.panty.shot.valdikss.org.ru
The page should open only if you are using Windows 7, 8 or 8.1 and do not have other IPv6 connections (native, 6to4, 6in4).
UPD : Microsoft disconnected the Teredo servers, which were used for Windows Vista and 7. Now Teredo, by default, only works on Windows 8, 8.1 and Windows 10.
What is Teredo?
Teredo is an IPv6 tunneling technology over IPv4 UDP packets. She conceived of as a transitional technology that works for NAT, and, in general, more or less fulfills the duties assigned to it. Teredo allows you to access IPv6 Internet through public Teredo servers. Interestingly, in Windows 7, 8 and 8.1, Teredo is configured and enabled by default, right out of the box, and uses Microsoft's Teredo server (teredo.ipv6.microsoft.com).Why do we need it?
Websites that have certain links for one reason or another are in the registry of banned sites can organize access using Teredo, which will allow about 80-85% of users to return access to the site to users of modern versions of Windows without additional settings and software! Access through Teredo allows you to bypass all the tested DPI-solutions used by providers. Roskomnadzor not only cannot add such pages to the registry, but also cannot access them (probably Teredo does not work for them):Hidden text
In addition, Roskomnadzor does not have the authority to block pages that redirect to other pages, and the "Actual Bulk" button confirms this.Hello
Thank you for your active citizenship, but we inform you that your application was rejected for the following possible reasons:
- at the time of the examination by experts, the address specified in your appeal was http: // [2001: 0: 9d38: 6ab8: 30c4: d940: 9469: f43e] / was not available;
- the address specified in your appeal http: // [2001: 0: 9d38: 6ab8: 30c4: d940: 9469: f43e] / is entered incorrectly, or is being redirected to another address;
- the address specified in your appeal http: // [2001: 0: 9d38: 6ab8: 30c4: d940: 9469: f43e] / requires mandatory registration / authorization.
Respectfully,
FEDERAL SERVICE FOR SUPERVISION IN THE SPHERE OF COMMUNICATION, INFORMATION TECHNOLOGIES AND MASS COMMUNICATION.
Thank you for your active citizenship, but we inform you that your application was rejected for the following possible reasons:
- at the time of the examination by experts, the address specified in your appeal was http: // [2001: 0: 9d38: 6ab8: 30c4: d940: 9469: f43e] / was not available;
- the address specified in your appeal http: // [2001: 0: 9d38: 6ab8: 30c4: d940: 9469: f43e] / is entered incorrectly, or is being redirected to another address;
- the address specified in your appeal http: // [2001: 0: 9d38: 6ab8: 30c4: d940: 9469: f43e] / requires mandatory registration / authorization.
Respectfully,
FEDERAL SERVICE FOR SUPERVISION IN THE SPHERE OF COMMUNICATION, INFORMATION TECHNOLOGIES AND MASS COMMUNICATION.
')
Features of Microsoft's Teredo Server
To access the “normal” IPv6, Teredo uses Relay servers that have full IPv6 access and work as proxy servers. In turn, Microsoft's Teredo relay servers do not allow access to “regular” IPv6 or other Teredo servers, allowing only the connectivity of Teredo clients configured on the Microsoft server and forming such a large closed network of Windows computers.Features of the implementation of DNS in Windows
If Windows has only a Teredo IPv6 address, the DNS resolver will not even try to get AAAA records from domains. Thus, just going to the site by a domain name, even if it has only an AAAA record and no A record, will not work. This can be disabled by a special parameter in the registry, but it is not interesting, because requires action on the client side.What to do?
The output is simple and not very elegant - use a domain with access over IPv4, which will make an HTTP redirect to Teredo's IPv6 address. You can do either the usual redirection code 307 or 301, or through javascript, first checking the availability of Teredo addresses or combining with other solutions to bypass the block.How to setup?
To host a website in Teredo for Linux, you need to use the miredo Teredo client, and be sure to configure it to use win8.ipv6.microsoft.com. Also, so that your Teredo address changes as rarely as possible, I recommend setting a static outgoing port in the miredo configuration file ( /etc/miredo/miredo.conf or /etc/miredo.conf , depending on the distribution), i.e. set the BindPort parameter.Make sure your web server is listening to IPv6 addresses. For nginx, this is the listen parameter.
My config looks like this:
Hidden text
server { server_name 5yo.panty.shot.valdikss.org.ru; location / { return 307 http://[2001:0:9d38:90d7:899:d93f:9469:f43e]/; } } server { listen [2001:0:9d38:90d7:899:d93f:9469:f43e]:80; server_name [2001:0:9d38:90d7:899:d93f:9469:f43e]; root /usr/share/nginx/html/pantyshot/; index index.html index.htm; location / { try_files $uri $uri/ =404; } } I made a test page where you can listen to the wonderful Panty Shot track from Mindless Self Indulgence. I think it can be considered illegal, given the bunch of canceled concerts of soulless bands.
5yo.panty.shot.valdikss.org.ru
The page should open only if you are using Windows 7, 8 or 8.1 and do not have other IPv6 connections (native, 6to4, 6in4).
Conclusion
In my opinion, this technology will significantly affect the availability of blocked sites.UPD : Microsoft disconnected the Teredo servers, which were used for Windows Vista and 7. Now Teredo, by default, only works on Windows 8, 8.1 and Windows 10.
Source: https://habr.com/ru/post/252611/
All Articles