Good day readers.
This is my first article in many years of reading Habr, so please "understand and forgive."
In it, I want to share how you can try to bring back to life the game services whose addresses were blocked by the RKN in the agony of its attempts to ban Telegram.
In my case it was the Nintendo Switch, but I assume PSN (and other services too) can be unblocked the same way. I just got lucky and PSN worked from the start. In any case, I have a PlayStation, so I can look into that problem and write a separate post about it.
Jumping straight to the result: in my case, with Nintendo, it worked.
If you are too lazy to read a wall of text, here is the recipe: enter a foreign DNS server from another continent, for example from here. If it did not work, take the next one. If you want to do it systematically, read on.
Now another spoiler, for advanced readers who only want the gist:
The domain names the console talks to resolve to more than one IP address, and the final backends of Nintendo's services sit in geo-distributed data centers (this can be seen in the pictures below). A DNS query hands you some single address, but you can always find out the full list of all IP addresses.
So, in the general case, the recovery algorithm (a crutch, really) for an advanced audience looks like this:
- Find out the domain names and IP addresses the console reaches for in the non-working case.
- Check those IP addresses against the RKN block list.
- Find out all the IP addresses that belong to each problematic domain name.
- Hard-code the working addresses in the DNS server the console will use.
Now in more detail.
1. Find out the domain names and IP addresses the console reaches for in the non-working case.
To do this, we need to bring the console online through a laptop, so that we can analyze the traffic coming from it.
The setup we need for this is the following:
- The Nintendo Switch console, connected via Wi-Fi to the laptop.
- A laptop with a traffic analyzer installed (for example, Wireshark), with Wi-Fi turned on in hotspot mode. Its uplink is an Ethernet connection to the home router that provides the Internet. Sharing is configured on the laptop: ICS on Windows, Internet Sharing on macOS, iptables on Linux.
- The router that provides the Internet.
1.1 It is advisable to power the console off and on before starting to analyze the broken service. This is needed to reliably catch the DNS requests it sends.
1.2 Power the console on and start the traffic analyzer listening on the Wi-Fi interface.
1.3 Connect the console via Wi-Fi and reproduce the non-working case (in my case it was the connection status check).
1.4 Run the case through to its end point or error. Stop the analyzer.
1.5 Now look at the captured DNS requests. Type dns into the analyzer's filter, and write the domain names that appear in the query packets (dns query) into a table; we will need them later. Then match each domain name to the IP addresses that come back from the DNS server (dns response packets). The result is a table of domain name to IP address.
Domain name, IP address
aauth-lp1.ndas.srv.nintendo.net, 54.85.208.211
nncs1-lp1.nnsrv.nintendo.net, 35.158.74.61
nncs2-lp1.nnsrv.nintendo.net, 35.157.230.202
ctest-dl-lp1.cdn.nintendo.net - not required
ctest-ul-lp1.cdn.nintendo.net - not required
The last two domain names work fine. They belong to the upload/download bandwidth check service and, besides, they sit on a CDN (following the chain of links leads to Akamai).
2. Check these IP addresses against the RKN block list.
2.1 Open a block-list checker. I used the Telegram bot @rknblockbot, but you can use the RKN verification service itself.
2.2 Check each IP address from the table in step 1.5.
2.3 Mark the blocked IP addresses.
2.4 As a result, we have a table of the domain names we cannot reach without intervention.
Domain name, blocked IP address
nncs1-lp1.nnsrv.nintendo.net, 35.158.74.61
nncs2-lp1.nnsrv.nintendo.net, 35.157.230.202
3. Find out all the IP addresses that belong to the problematic domain names.
3.1 I solved this head-on, simply by running the lookup services that show all the addresses.

It simply shows that the servers are geographically distributed across different continents.
3.2 Check the entire list of obtained addresses against the block list and add the unblocked ones to the table. Mine came out like this:
Domain name, blocked IP address, new IP address
nncs1-lp1.nnsrv.nintendo.net, 35.158.74.61, 52.14.47.244
nncs2-lp1.nnsrv.nintendo.net, 35.157.230.202, 52.14.237.148
4. Hard-code the working addresses in the DNS server the console will use.
4.1 There are many ways to do this (for example, find a foreign DNS server that returns the needed IP addresses, as I mentioned above, or run your own DNS server).
I chose the simplest option. In my router's settings (MGTS GPON ZTE F660), on the LAN tab I set the router itself, 192.168.1.1, as the DNS server, and in Application -> DNS Service I entered the new IP addresses for the problematic domain names (this content goes straight into the /etc/hosts file on the router).
4.2 Reboot the router, then check from the laptop with nslookup or dig that the needed IP addresses are returned.
4.3 Reconnect the console to the router and check.
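As an added example (not code from the article), the following Python script does the bookkeeping of steps 1.5 through 4.1 on a constructed tshark-style DNS export: it builds the name-to-IP table from the response packets, finds the names whose every address is blocked, picks an unblocked address from the full list, and emits hosts-file lines for the router. The capture layout, the CDN answer and the block list are assumptions built around the article's own tables.

```python
import ipaddress
# Constructed sample shaped like the output of
#   tshark -r capture.pcapng -Y dns -T fields -e dns.flags.response -e dns.qry.name -e dns.a
# (tab-separated; multiple A records joined with commas). Names and addresses are
# the article's; the CDN answer and the packet layout are made up for this example.
SAMPLE_CAPTURE = """\
0\taauth-lp1.ndas.srv.nintendo.net\t
1\taauth-lp1.ndas.srv.nintendo.net\t54.85.208.211
0\tnncs1-lp1.nnsrv.nintendo.net\t
1\tnncs1-lp1.nnsrv.nintendo.net\t35.158.74.61
0\tnncs2-lp1.nnsrv.nintendo.net\t
1\tnncs2-lp1.nnsrv.nintendo.net\t35.157.230.202
1\tctest-dl-lp1.cdn.nintendo.net\t198.51.100.10,198.51.100.11
"""
# Step 2 result: addresses the block checker flagged (from the article's table).
BLOCKED = {"35.158.74.61", "35.157.230.202"}
# Step 3 result: all addresses known for the problem names (article's values; a real run gathers these from several resolvers).
ALL_ADDRESSES = {
    "nncs1-lp1.nnsrv.nintendo.net": ["35.158.74.61", "52.14.47.244"],
    "nncs2-lp1.nnsrv.nintendo.net": ["35.157.230.202", "52.14.237.148"],
}

def parse_dns_capture(text):
    """Step 1.5: build the name -> {ip} table from DNS response rows only."""
    table = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or fields[0] not in ("1", "True"):
            continue  # skip query rows and malformed lines
        name, answers = fields[1], fields[2]
        for ip in filter(None, answers.split(",")):
            ipaddress.ip_address(ip)  # raises ValueError on junk before it reaches the router
            table.setdefault(name, set()).add(ip)
    return table

def find_blocked(table, blocked):
    """Step 2: names for which every observed address is on the block list."""
    return {n for n, ips in table.items() if ips and ips <= blocked}

def plan_overrides(table, blocked, all_addresses):
    """Steps 3-4: pick one unblocked address per affected name (None if none is left)."""
    plan = {}
    for name in sorted(find_blocked(table, blocked)):
        free = [ip for ip in all_addresses.get(name, []) if ip not in blocked]
        plan[name] = free[0] if free else None
    return plan

def hosts_lines(plan):
    """Lines for the router's hosts-style DNS override (step 4.1)."""
    return [f"{ip} {name}" for name, ip in plan.items() if ip]
```

Re-run it after every capture: the moment an address in ALL_ADDRESSES goes stale, plan_overrides returns None for that name and the hosts line silently disappears, which is the failure the closing paragraph warns about.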

And yes, do not forget that a "working NAT type" (in Nintendo's terms) for online play is NAT type A or B. To get it you have to do what I consider an outright disgrace: forward incoming UDP 49000-65535 (yep...) to your console's IP address. The console's address must be static, or reserved in your router's DHCP bindings.
My personal opinion: this is the programmers' laziness or deadlines. They could easily have opened a UDP ServerSocket and waited on it for replies from the outside world; routers would then be configured more correctly. And UPnP has not been abolished either. Well, that is all fantasy. Still, it is better than Nintendo's recommendation to open UDP 1-65535.
In addition:
Splatoon 2 is fixed with the same algorithm. The pair to use:
Nncs2.app.nintendowifi.net 52.14.237.96
Login to PSN is fixed the same way:
elb001-csla-edge01.csla.usw2.np.cy.s0.playstation.net 52.88.123.195
Bear in mind that this scheme is not permanent; sooner or later something in it will break (for example, an IP address will change). There is only one real remedy: bombard your beloved RKN with letters asking it to unblock the collected addresses.