sniproxy: https://www.google.com/about/careers/applications/ 403's from IR

Hi @mosajjal,

I was helping someone from Iran access a google domain website and they reported to me that they are getting 403, even after setting their DNS to the sni proxy I have in Vultr.

My experiment confirms that: I set up a fresh instance of sniproxy in Vultr. Now from my machine outside Iran, websites like udemy.com do load after setting DNS to my sniproxy, but when I experiment with a datacenter in Iran, I get the 403 back:

  1. Setting DNS to my vultr instance IP 209.250.255.214 from Iran:
cat /etc/resolv.conf  
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
# nameserver 8.8.8.8 
# nameserver 8.8.4.4
# nameserver 95.179.163.92
# nameserver 127.0.0.53
nameserver 209.250.255.214
  2. Digging to make sure that my DNS has actually changed:
dig udemy.com

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> udemy.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25881
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;udemy.com.			IN	A

;; ANSWER SECTION:
udemy.com.		3600	IN	A	209.250.255.214

;; Query time: 87 msec
;; SERVER: 209.250.255.214#53(209.250.255.214) (UDP)
;; WHEN: Tue Apr 04 00:11:38 UTC 2023
;; MSG SIZE  rcvd: 52
  3. Access to udemy.com is still blocked from the machine in IR:
wget udemy.com
--2023-04-04 00:14:43--  http://udemy.com/
Resolving udemy.com (udemy.com)... 209.250.255.214, 209.250.255.214
Connecting to udemy.com (udemy.com)|209.250.255.214|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-04 00:14:43 ERROR 403: Forbidden.
  4. Access to udemy.com is also blocked from the Vultr machine itself!
root@sniproxy:~# wget https://www.udemy.com/
--2023-04-04 00:22:04--  https://www.udemy.com/
Resolving www.udemy.com (www.udemy.com)... 2606:4700::6812:a05a, 2606:4700::6810:e25b, 104.16.226.91, ...
Connecting to www.udemy.com (www.udemy.com)|2606:4700::6812:a05a|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-04 00:22:04 ERROR 403: Forbidden.

The original website that my tester was trying to access was a google domain, but I figured if we solve it for udemy.com it will be solved for other websites too.

Is this expected behavior?

About this issue

  • State: closed
  • Created a year ago
  • Comments: 20 (18 by maintainers)

Most upvoted comments

two things:

  1. editing /etc/resolv.conf usually doesn’t work very well. use the following command instead:
sed -i 's/#DNS=/DNS=217.69.9.127/; s/#DNSStubListener=yes/DNSStubListener=no/' /etc/systemd/resolved.conf
systemctl restart systemd-resolved

this disables the stub listener, and changes your DNS to 217.69.9.127. replace it with the current public IP of sniproxy and then restart systemd-resolved

  2. if that doesn’t work, try hard-coding google.com in your /etc/hosts with the IP of sniproxy. your file will look like this:
217.69.9.127 google.com

this will bypass DNS altogether so you can test where the issue is. If editing /etc/hosts actually works, the midboxes in Iran are rewriting your DNS and “correcting” it back.

there is a neat way to avoid having DNS query and response altogether using another pet project of mine here. This sets up a “fake” DNS server in your own machine, so you can hard-code your sniproxy address for ALL domains. Use it like this:

  1. install it using:
go install github.com/mosajjal/go-exp/fakedns@latest
  2. set up a simple rules.csv file with only one line:
$ cat /tmp/rules.csv
.,suffix,217.69.9.127
  3. disable the default stub resolver (as mentioned above) and change your DNS server to 127.0.0.1

  4. start fakedns as root:

sudo fakedns -rule /tmp/rules.csv

if fakedns is not in your PATH, you’ll get a file not found error. if that’s the case, find the full path and replace fakedns with it. Full path is usually /home/USER/go/bin/fakedns

hopefully this helps.

I’ll look into it. can you please also share the sniproxy logs (in debug mode).
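
The triage steps discussed in this thread (does the resolver really return the sniproxy IP, and does the proxy host get the same 403 when it goes to the site directly), written as an added example that is not part of the original thread or of sniproxy. The function names, result labels and the 203.0.113.10 sample address are assumptions made for illustration; the script only parses saved `dig` and `wget` text, so it runs offline.

```bash
# Added example (not from the thread): triage an sniproxy 403 from captured
# dig/wget text. All function names and result labels here are hypothetical.

# Print the A-record addresses found in the ANSWER SECTION of dig output.
dig_a_records() {
  awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
       in_ans && NF == 0     { in_ans = 0 }
       in_ans && $4 == "A"   { print $5 }'
}

# Print the last HTTP status code reported by wget ("awaiting response... 403").
wget_status() {
  sed -n 's/.*awaiting response\.\.\. \([0-9][0-9][0-9]\).*/\1/p' | tail -n 1
}

# diagnose PROXY_IP DIG_TEXT CLIENT_WGET_TEXT PROXYHOST_WGET_TEXT
#   CLIENT_WGET_TEXT:    wget run on the client, through the proxy
#   PROXYHOST_WGET_TEXT: wget run on the proxy host, straight to the origin
diagnose() {
  d_answers=$(printf '%s\n' "$2" | dig_a_records)
  d_client=$(printf '%s\n' "$3" | wget_status)
  d_origin=$(printf '%s\n' "$4" | wget_status)
  if [ -z "$d_answers" ]; then
    echo "dns-no-answer"        # resolver returned no A record at all
  elif printf '%s\n' "$d_answers" | grep -qvxF "$1"; then
    echo "dns-rewritten"        # some answer is not the proxy IP
  elif [ -z "$d_client" ]; then
    echo "no-http-response"     # connection never produced an HTTP status
  elif [ "$d_client" -lt 400 ]; then
    echo "ok"
  elif [ "$d_client" = "$d_origin" ]; then
    echo "origin-rejects"       # proxy host gets the same error going direct
  else
    echo "proxy-side"           # error appears only on the proxied path
  fi
}

# Constructed sample data; 203.0.113.10 is a documentation address.
SAMPLE_DIG=';; ANSWER SECTION:
example.com.  3600  IN  A  203.0.113.10
'
SAMPLE_403='HTTP request sent, awaiting response... 403 Forbidden'
diagnose 203.0.113.10 "$SAMPLE_DIG" "$SAMPLE_403" "$SAMPLE_403"
```

Feed it the saved output of `dig`, the client-side `wget`, and the `wget` run on the proxy host; a result of `origin-rejects` means DNS and the proxy path look fine and the error is the one the site returns to the proxy host's own address.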