Comments (13)
Allow me to fill in the blanks from the serverside of things.
On us-lax-wg-202
we cannot resolve www.baidu.com
:
oskaralmlov@us-lax-wg-202:~$ dig www.baidu.com
[...]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19987
[...]
;; connection timed out; no servers could be reached
[...]
Let's figure out which servers are authoritative (responsible) for baidu.com
:
oskaralmlov@us-lax-wg-202:~$ dig baidu.com NS +short
ns2.baidu.com.
ns7.baidu.com.
dns.baidu.com.
ns3.baidu.com.
ns4.baidu.com
Let's try resolving www.baidu.com
by asking these servers directly:
oskaralmlov@us-lax-wg-202:~$ \
for hostname in $(dig baidu.com NS +short); do
> echo $hostname
> dig @$hostname www.baidu.com +short || echo "Timed out"
> done
ns4.baidu.com.
Timed out
ns2.baidu.com.
Timed out
ns3.baidu.com.
Timed out
ns7.baidu.com.
www.a.shifen.com.
It appears we can't reach the majority of the servers that are authoritative for this hostname.
Running the same task on a completely different server (se-sto-wg-009
) yields very different results:
ns4.baidu.com.
www.a.shifen.com.
dns.baidu.com.
www.a.shifen.com.
ns2.baidu.com.
www.a.shifen.com.
ns3.baidu.com.
www.a.shifen.com.
ns7.baidu.com.
www.a.shifen.com.
Conclusion/Theorizing:
- The authoritative servers for baidu.com appears to, from a DNS perspective, be configured correctly.
- Some of our relays cannot reach the authoritative servers for baidu.com. Or the response from the authoritative servers can't reach some of our relays. Either way the relay sends a query and does not get a response.
- Since the queries are leaving our relays as they should, we can't really do anything else. Someone or something is dropping our queries or the answers to our queries on the way. Speaking from experience this is most likely because there is some blocklist in use that is blocking traffic from known VPN IPs.
If you absolutely need to connect via a relay that can't resolve these domains you can configure a custom DNS to have your connections be routed through the relay but have DNS queries resolved by an external server. See the link below.
https://mullvad.net/en/blog/2021/4/15/support-custom-dns-servers-launched/
In order to get you the right support it's better to reach out to our support at [email protected]
since our support team does not have a presence on GitHub.
Hope this answers your questions :)
from dns-blocklists.
All our VPN servers run their own DNS resolvers that do not block anything by default. Try using our service without any toggles set, or without using any custom DNS IPs.
from dns-blocklists.
yes when i turn off your app and use my providers DNS IP's i am able to reach the site with no problem. In your app, when i connect to certain servers i am able to use weibo but the latency is so high since i am in south america the only one that works well is miami, florda. if i switch to japan or anywhere in asia everything works fine. for now i have created a new firefox profile that uses my providers dns ip's instead of yours because your app lets me tunnel an app but not with an particular instance of an app since i have many firefox browsers running with different setups.
from dns-blocklists.
Some chinese websites can not reach because some mullvad server's DNS sucks: https://www.reddit.com/r/mullvadvpn/comments/10sht67/open_chinese_search_machines/
I made a shell script to test if target mullvad wireguard server can reach www.baidu.com
or not: https://codeberg.org/flyxyz123/public_archive_codes/src/commit/4d96b7d54f56d4371759c8b8d6fa5ef75e228043/sh/mrt
This script only test wireguard relays. It default outputs Los Angeles wireguard relays that can reach www.baidu.com
to stdout and $XDG_DOCUMENTS_DIR/logs/mrt_los_angeles_www.baidu.com.log
. Currently, the default outpus are:
us-lax-wg-101
us-lax-wg-102
us-lax-wg-103
us-lax-wg-104
us-lax-wg-301
us-lax-wg-302
us-lax-wg-303
us-lax-wg-401
us-lax-wg-402
us-lax-wg-403
us-lax-wg-404
us-lax-wg-405
Which means us-lax-wg-201, us-lax-wg-202, and us-lax-wg-203 can not reach www.baidu.com
If you want to test New York relays, you do mrt -l 'New York'
which outputs:
us-nyc-wg-303
us-nyc-wg-501
us-nyc-wg-502
us-nyc-wg-503
us-nyc-wg-504
us-nyc-wg-505
us-nyc-wg-601
us-nyc-wg-602
us-nyc-wg-604
us-nyc-wg-605
If you want to test if New York relays can reach www.baomitu.com
, you do mrt -l 'New York' -w www.baomitu.com
In the past, the situation is much worse and about more than half of the wireguard relays can not reach www.baidu.com
. About two weeks ago the situation become better but still not all relays are good.
What's interesting is that recently us-lax-wg-202 can not reach store.steampowered.com
which is not a chinese site. However, this does not seems like a DNS issue because drill store.steampowered.com
gives ip. But can't reach chinese sites should be a DNS issue because you can't even resolve their sites.
My script may have false positive due to not enough curl time, you can change the curl time with -m
ex: mrt -m 12
means 12 seconds
from dns-blocklists.
from dns-blocklists.
from dns-blocklists.
from dns-blocklists.
from dns-blocklists.
i do not have the mrt command in my bin and does not work. i am on arch linux.
mrt
is a shell script wrote by myself, you can copy the source code here: https://github.com/flyxyz123/config_local_arch/blob/master/home/xyz/.local/bin/mrt
from dns-blocklists.
I'm not working for mullvad. I'm a hobbyist user, I don't have too much technical knowledge so my answers maybe incorrect.
if use another dns server like what some redditors suggested, doesn't that then make my traffic visible to my isp? so for example i changed one instance of firefox to use cloudfare and ran your command line to see if all was ok and it says i am "leaking dns" information. Does this mean now my isp can only see which sites i am visiting but not the traffic since i am still routing through our vpn?
All my following answers assume you are using default mullvad.
If you use 1.1.1.1, you will not have DNS problems visiting chinese sites. Only mullvad DNS have DNS problems visiting chinese site. My scripts is to test mullvad DNS when using mullvad DNS, not when using 1.1.1.1. This means if there's no problems other than DNS problems, if you use 1.1.1.1 and run my script, it will always show all mullvad servers can reach chinese sites.
If you use 1.1.1.1, your DNS query can be seen by cloudflare and your ISP, your traffic can not be seen by them. This means "your ISP can only see which sites you are visiting but not the traffic." You can do encrypted DNS to prevent your ISP to see your DNS query, but cloudflare can still see your DNS query, I'm not sure if mullvad enabled this by default if you set 1.1.1.1 as custom DNS server, and I'm not familiar with this. EDIT: I am not sure if ISP can see your DNS query when using mullvad and set custom DNS server as 1.1.1.1.
My choice is to not use 1.1.1.1, I use default mullvad DNS, and when there's a problem, I change mullvad server, my scripts is just tell me what servers are good.
from dns-blocklists.
from dns-blocklists.
I am not sure if ISP can see your DNS query when using mullvad and set custom DNS server as 1.1.1.1. I did more search and some people say that after set custom DNS server as 1.1.1.1, DNS query is inside the VPN tunnel, so ISP won't see your DNS query. (https://www.reddit.com/r/mullvadvpn/comments/o5pzv5/when_using_a_custom_dns_server_are_those_dns/) I also edited my old incorrect respond to avoid misleading anyone. If DNS queries are inside VPN tunnel, although cloudflare can see your DNS queries, I do not think it matters much tho.
from dns-blocklists.
from dns-blocklists.
Related Issues (20)
- Question about blocking of www.lyrical-nonsense.com HOT 2
- www.googleadservices.com resolves
- base.dns.mullvad.net not working as expected since recent changes HOT 3
- Namecheap doesn't open with blocklists on HOT 2
- "www.sedaily.com" is blocked HOT 1
- Getting 400 when resolving DoH base DNS HOT 4
- Add Reddit and LinkedIn to Social Block list HOT 1
- Consider switching gambling block list provider due to inactivity HOT 3
- License? HOT 4
- CERT.PL list of malicious domains HOT 1
- Achievements not working in Apple "Game Center" HOT 16
- Startpage anonymous view bypass adult/porn blocking HOT 2
- vk.com not blocked HOT 1
- Add amorcing unencrypted dns into the readme HOT 1
- Block OneTrust Privacy Annoyances HOT 1
- Please add oisd big HOT 1
- Please add 1Hosts (Lite) HOT 2
- Apple apps all images are being blocked HOT 2
- adding hagezi blocklist HOT 4
- *.ingest.sentry.io not blocked on anti-tracker dns endpoints
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dns-blocklists.