https://www.google.com/about/careers/applications/ 403's from IR #44

62w71st · 2023-04-04T00:20:52Z

62w71st
Apr 4, 2023

I was helping someone from Iran access a google domain website and they reported to me that they are getting 403, even after setting their DNS to the sni proxy I have in Vultr.

My experiment confirms that: I setup a fresh instance of sniproxy in Vultr. Now from my machine outside Iran, websties like udemy.com do load after setting DNS to my sniproxy, but when I experiment with a datacenter in Iran, I get the 403 back:

Setting DNS to my vultr instance IP 209.250.255.214 from Iran:

cat /etc/resolv.conf  
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
# nameserver 8.8.8.8 
# nameserver 8.8.4.4
# nameserver 95.179.163.92
# nameserver 127.0.0.53
nameserver 209.250.255.214

Digging to make sure that my DNS has actually changed:

dig udemy.com

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> udemy.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25881
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;udemy.com.			IN	A

;; ANSWER SECTION:
udemy.com.		3600	IN	A	209.250.255.214

;; Query time: 87 msec
;; SERVER: 209.250.255.214#53(209.250.255.214) (UDP)
;; WHEN: Tue Apr 04 00:11:38 UTC 2023
;; MSG SIZE  rcvd: 52

Access to udemy.com is still blocked from the machine in IR:

wget udemy.com
--2023-04-04 00:14:43--  http://udemy.com/
Resolving udemy.com (udemy.com)... 209.250.255.214, 209.250.255.214
Connecting to udemy.com (udemy.com)|209.250.255.214|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-04 00:14:43 ERROR 403: Forbidden.

Access to udemy.com is also blocked from the Vultr machine itself!

root@sniproxy:~# wget https://www.udemy.com/
--2023-04-04 00:22:04--  https://www.udemy.com/
Resolving www.udemy.com (www.udemy.com)... 2606:4700::6812:a05a, 2606:4700::6810:e25b, 104.16.226.91, ...
Connecting to www.udemy.com (www.udemy.com)|2606:4700::6812:a05a|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-04 00:22:04 ERROR 403: Forbidden.

The original website that my tester was trying to access was a google domain, but I figured if we solve it for udemy.com it will be solved for other websites too.

Is this expected behavior?

62w71st · 2023-04-04T00:26:32Z

62w71st
Apr 4, 2023
Author

Another experiment with the URL that my tester tried:

google.com/about/careers/applications/signin from Vultr succeeds:

wget google.com/about/careers/applications/signin
--2023-04-04 00:24:19--  http://google.com/about/careers/applications/signin
Resolving google.com (google.com)... 2a00:1450:400e:810::200e, 142.250.179.206
Connecting to google.com (google.com)|2a00:1450:400e:810::200e|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/about/careers/applications/signin [following]
--2023-04-04 00:24:19--  https://www.google.com/about/careers/applications/signin
Resolving www.google.com (www.google.com)... 2a00:1450:400e:801::2004, 142.250.179.164
Connecting to www.google.com (www.google.com)|2a00:1450:400e:801::2004|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.google.com/about/careers/applications/apply [following]
--2023-04-04 00:24:19--  https://www.google.com/about/careers/applications/apply
Reusing existing connection to [www.google.com]:443.
HTTP request sent, awaiting response... 302 Found
Location: https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://www.google.com/about/careers/applications/apply&followup=https://www.google.com/about/careers/applications/apply [following]
--2023-04-04 00:24:20--  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://www.google.com/about/careers/applications/apply&followup=https://www.google.com/about/careers/applications/apply
Resolving accounts.google.com (accounts.google.com)... 2a00:1450:400e:800::200d, 216.58.214.13
Connecting to accounts.google.com (accounts.google.com)|2a00:1450:400e:800::200d|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/InteractiveLogin?continue=https://www.google.com/about/careers/applications/apply&followup=https://www.google.com/about/careers/applications/apply&passive=1209600&ifkv=AQMjQ7TvHtXxi5L2S5ebl-KSIISHYbPI9JyCKvPZ0Hf5TGD2n_-k1il7-hgvzkzT6yaXo313FUY0 [following]
--2023-04-04 00:24:20--  https://accounts.google.com/InteractiveLogin?continue=https://www.google.com/about/careers/applications/apply&followup=https://www.google.com/about/careers/applications/apply&passive=1209600&ifkv=AQMjQ7TvHtXxi5L2S5ebl-KSIISHYbPI9JyCKvPZ0Hf5TGD2n_-k1il7-hgvzkzT6yaXo313FUY0
Reusing existing connection to [accounts.google.com]:443.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/v3/signin/identifier?dsh=S1393193365%3A1680567860089479&continue=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2Fapply&followup=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2Fapply&ifkv=AQMjQ7Q-PcS1-qUMys5bHSsB4R_mH0XzZumEOGsBJrRGql1ZcsKBZy4PjlN5E50Og300yBJvfi6A&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin [following]
--2023-04-04 00:24:20--  https://accounts.google.com/v3/signin/identifier?dsh=S1393193365%3A1680567860089479&continue=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2Fapply&followup=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2Fapply&ifkv=AQMjQ7Q-PcS1-qUMys5bHSsB4R_mH0XzZumEOGsBJrRGql1ZcsKBZy4PjlN5E50Og300yBJvfi6A&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin
Reusing existing connection to [accounts.google.com]:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘signin’

signin                                                      [ <=>                                                                                                                         ] 149.48K  --.-KB/s    in 0.04s   

2023-04-04 00:24:20 (3.71 MB/s) - ‘signin’ saved [153068]

google.com/about/careers/applications/signin from Iran 403s:

wget google.com/about/careers/applications/signin
--2023-04-04 00:25:00--  http://google.com/about/careers/applications/signin
Resolving google.com (google.com)... 216.239.38.120, 216.239.38.120
Connecting to google.com (google.com)|216.239.38.120|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/about/careers/applications/signin [following]
--2023-04-04 00:25:00--  https://www.google.com/about/careers/applications/signin
Resolving www.google.com (www.google.com)... 216.239.38.120, 216.239.38.120
Connecting to www.google.com (www.google.com)|216.239.38.120|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-04 00:25:00 ERROR 403: Forbidden.

0 replies

mosajjal · 2023-04-04T02:19:25Z

mosajjal
Apr 4, 2023
Maintainer

I'll look into it. can you please also share the sniproxy logs (in debug mode).

0 replies

62w71st · 2023-04-04T03:28:14Z

62w71st
Apr 4, 2023
Author

sniproxy.log I got this with journalctl -u sniproxy.

How do I get more verbose logs?

0 replies

mosajjal · 2023-04-04T03:48:18Z

mosajjal
Apr 4, 2023
Maintainer

so there are a few interesting bits here..

IPv6 connectivity might be causing the issue for Google. can you please disable ipv6 temporarily on the client and test again
there's a potential bug related to juhannusjemut.vilkkuv.fi that I'm looking into as well.

0 replies

mosajjal · 2023-04-04T09:16:33Z

mosajjal
Apr 4, 2023
Maintainer

if you're keen to test the experimental ipv6 support and you got Go installed, you can install the alpha version of sniproxy using:

go install github.com/mosajjal/sniproxy@240d9153096668a508a5fd7aba753c7fa4e6b223

0 replies

62w71st · 2023-04-05T21:55:20Z

62w71st
Apr 5, 2023
Author

IPv6 connectivity might be causing the issue for Google. can you please disable ipv6 temporarily on the client and test again

I created another Vultr instance (ipv4sni) with IP V6 disabled, installed sniproxy and still get the 403 err for udemy.com:

root@ipv4sni:~# wget udemy.com
--2023-04-05 21:52:29--  http://udemy.com/
Resolving udemy.com (udemy.com)... 104.16.226.91, 104.18.160.90, 2606:4700::6812:a05a, ...
Connecting to udemy.com (udemy.com)|104.16.226.91|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-05 21:52:29 ERROR 403: Forbidden.

Forcing ipv4:

root@ipv4sni:~# wget --inet4-only udemy.com
--2023-04-05 21:57:32--  http://udemy.com/
Resolving udemy.com (udemy.com)... 104.16.226.91, 104.18.160.90
Connecting to udemy.com (udemy.com)|104.16.226.91|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-05 21:57:32 ERROR 403: Forbidden.

This actually seems to be a udemy.com specific issue, because I'm getting 403 even from the sniproxy machine (in Paris). I think it's a measure udemy.com put in place to prevent downloading course material.

A more interesting problem is perhaps the google career website which loads from sniproxy in Paris, but 403's from Tehran:

Experiment A1) Vultr instance in Paris:

 wget --inet4-only google.com/about/careers/applications/signin
--2023-04-05 22:15:39--  http://google.com/about/careers/applications/signin
Resolving google.com (google.com)... 172.217.18.206
Connecting to google.com (google.com)|172.217.18.206|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/about/careers/applications/signin [following]
--2023-04-05 22:15:39--  https://www.google.com/about/careers/applications/signin
Resolving www.google.com (www.google.com)... 142.250.178.132
Connecting to www.google.com (www.google.com)|142.250.178.132|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.google.com/about/careers/applications/apply [following]
--2023-04-05 22:15:39--  https://www.google.com/about/careers/applications/apply
Reusing existing connection to www.google.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://www.google.com/about/careers/applications/apply&followup=https://www.google.com/about/careers/applications/apply [following]
--2023-04-05 22:15:39--  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://www.google.com/about/careers/applications/apply&followup=https://www.google.com/about/careers/applications/apply
Resolving accounts.google.com (accounts.google.com)... 142.250.178.141
Connecting to accounts.google.com (accounts.google.com)|142.250.178.141|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/InteractiveLogin?continue=https://www.google.com/about/careers/applications/apply&followup=https://www.google.com/about/careers/applications/apply&passive=1209600&ifkv=AQMjQ7TzuSrkZPe4gt-7P1wvFqhLw_Y8YdxCSXmspT58G-mJ7PoBhAr6dFBs27i6BT0Qjkn_NyWV [following]
--2023-04-05 22:15:40--  https://accounts.google.com/InteractiveLogin?continue=https://www.google.com/about/careers/applications/apply&followup=https://www.google.com/about/careers/applications/apply&passive=1209600&ifkv=AQMjQ7TzuSrkZPe4gt-7P1wvFqhLw_Y8YdxCSXmspT58G-mJ7PoBhAr6dFBs27i6BT0Qjkn_NyWV
Reusing existing connection to accounts.google.com:443.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/v3/signin/identifier?dsh=S772541774%3A1680732940047542&continue=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2Fapply&followup=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2Fapply&ifkv=AQMjQ7RQy1e6uE9S8vQfX7_z1ixok6K8Q7BudBOuba57kMiVyUzoIm5Vfk1BTv4pms-0IAwThm_y&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin [following]
--2023-04-05 22:15:40--  https://accounts.google.com/v3/signin/identifier?dsh=S772541774%3A1680732940047542&continue=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2Fapply&followup=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2Fapply&ifkv=AQMjQ7RQy1e6uE9S8vQfX7_z1ixok6K8Q7BudBOuba57kMiVyUzoIm5Vfk1BTv4pms-0IAwThm_y&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin
Reusing existing connection to accounts.google.com:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘signin.3’
signin.3                                                  [ <=>

Experiment A2) IR machine in a data center with its DNS set to the Vultr instance:

 wget --inet4-only google.com/about/careers/applications/signin
--2023-04-05 22:10:54--  http://google.com/about/careers/applications/signin
Resolving google.com (google.com)... 216.239.38.120
Connecting to google.com (google.com)|216.239.38.120|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/about/careers/applications/signin [following]
--2023-04-05 22:10:54--  https://www.google.com/about/careers/applications/signin
Resolving www.google.com (www.google.com)... 216.239.38.120
Connecting to www.google.com (www.google.com)|216.239.38.120|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-05 22:10:54 ERROR 403: Forbidden.

Note the IP address that google.com resolves: 216.239.38.120, while my sniproxy ip address is: 217.69.9.127. Is this expected?

Experiment A3) From a NY machine, I am actually able to set my DNS to the sniproxy and wget the google career page with the correct IP: 217.69.9.127

wget --inet4-only google.com/about/careers/applications/signins/signin
--2023-04-05 18:38:51--  http://google.com/about/careers/applications/signin
Resolving google.com (google.com)... 217.69.9.127
Connecting to google.com (google.com)|217.69.9.127|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/about/careers/applications/signin [following]
--2023-04-05 18:38:51--  https://www.google.com/about/careers/applications/signin
Resolving www.google.com (www.google.com)... 217.69.9.127
Connecting to www.google.com (www.google.com)|217.69.9.127|:443... connected.
HTTP request sent, awaiting response... 302 Found

So the problem seems to be that in my IR machine, somehow wget is not resolving via sniproxy.

I suspect that Iran Telecom is intercepting the DNS request and replacing it with their own IP (216.239.38.120). This IP actually belongs to Google: https://mxtoolbox.com/SuperTool.aspx?action=ptr%3a216.239.38.120&run=toolpage

0 replies

mosajjal · 2023-04-06T02:14:38Z

mosajjal
Apr 6, 2023
Maintainer

looks like your DNS is not working properly. how are you setting your DNS? use dig or nslookup to make sure your current DNS always returns the correct IP. keep in mind that the default list that I've shipped, doesn't have google.com as a proxied domain so it actually becomes direct. if you want sniproxy to forward all traffic, add --allDomain when running sniproxy

0 replies

62w71st · 2023-04-06T23:54:01Z

62w71st
Apr 6, 2023
Author

looks like your DNS is not working properly. how are you setting your DNS? use dig or nslookup to make sure your current DNS always returns the correct IP.

I'm setting the DNS by changing /etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
# nameserver 8.8.8.8 
# nameserver 8.8.4.4
# nameserver 95.179.163.92
# nameserver 127.0.0.53
# nameserver 209.250.255.214
nameserver 217.69.9.127

Starting with --allDomains:

Apr 06 23:44:04 ipv4sni systemd[1]: Started sniproxy.
Apr 06 23:44:05 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:05.166Z level=WARN msg="Domain list (--domainListPath) is not specified, routing ALL domains through the SNI proxy"
Apr 06 23:44:05 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:05.167Z level=INFO msg="server info" public_ip=217.69.9.127
Apr 06 23:44:05 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:05.168Z level=INFO msg="Certificate was not provided, using a self signed cert"
Apr 06 23:44:05 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:05.168Z level=INFO msg="Started UDP DNS" service=dns host=0.0.0.0 port=53
Apr 06 23:44:26 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:26.254Z level=INFO msg="returned sniproxy address for domain" service=dns fqdn=google.com/about/careers/applications.
Apr 06 23:45:39 ipv4sni sniproxy[52880]: time=2023-04-06T23:45:39.409Z level=INFO msg="returned sniproxy address for domain" service=dns fqdn=google.com/about/careers/applications.

dig on my Tehran machine:

dig google.com/about/careers/applications 

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> google.com/about/careers/applications
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51440
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com/about/careers/applications. IN A

;; ANSWER SECTION:
google.com/about/careers/applications. 3600 IN A 217.69.9.127

;; Query time: 95 msec
;; SERVER: 217.69.9.127#53(217.69.9.127) (UDP)
;; WHEN: Thu Apr 06 23:49:26 UTC 2023
;; MSG SIZE  rcvd: 108

That corroborates the logs: 217.69.9.127 is being returned as the A record for google.com/about/careers/applications.

However:

wget google.com/about/careers/applications/signin
--2023-04-06 23:45:49--  http://google.com/about/careers/applications/signin
Resolving google.com (google.com)... 216.239.38.120, 216.239.38.120
Connecting to google.com (google.com)|216.239.38.120|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/about/careers/applications/signin [following]
--2023-04-06 23:45:49--  https://www.google.com/about/careers/applications/signin
Resolving www.google.com (www.google.com)... 216.239.38.120, 216.239.38.120
Connecting to www.google.com (www.google.com)|216.239.38.120|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-04-06 23:45:49 ERROR 403: Forbidden.

And I think it's because wget is not using the system DNS, as it's resolving into 216.239.38.120.

Now, when I dig google.com, I get that IP:

dig google.com

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16464
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		418	IN	A	216.239.38.120

;; Query time: 3 msec
;; SERVER: 217.69.9.127#53(217.69.9.127) (UDP)
;; WHEN: Thu Apr 06 23:51:26 UTC 2023
;; MSG SIZE  rcvd: 44

On sniproxy:

dig google.com

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44771
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		50	IN	A	216.58.213.78

;; Query time: 0 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Thu Apr 06 23:52:36 UTC 2023
;; MSG SIZE  rcvd: 55

216.239.38.120 is never returned on my sniproxy. So I think google.com DNS response is being tampered with.

I think google.com query is never reaching the proxy, because these are all the logs I have:

Apr 06 23:44:05 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:05.166Z level=WARN msg="Domain list (--domainListPath) is not specified, routing ALL domains through the SNI proxy"
Apr 06 23:44:05 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:05.167Z level=INFO msg="server info" public_ip=217.69.9.127
Apr 06 23:44:05 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:05.168Z level=INFO msg="Certificate was not provided, using a self signed cert"
Apr 06 23:44:05 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:05.168Z level=INFO msg="Started UDP DNS" service=dns host=0.0.0.0 port=53
Apr 06 23:44:26 ipv4sni sniproxy[52880]: time=2023-04-06T23:44:26.254Z level=INFO msg="returned sniproxy address for domain" service=dns fqdn=google.com/about/careers/applications.
Apr 06 23:45:39 ipv4sni sniproxy[52880]: time=2023-04-06T23:45:39.409Z level=INFO msg="returned sniproxy address for domain" service=dns fqdn=google.com/about/careers/applications.
Apr 06 23:49:26 ipv4sni sniproxy[52880]: time=2023-04-06T23:49:26.249Z level=INFO msg="returned sniproxy address for domain" service=dns fqdn=google.com/about/careers/applications.
Apr 06 23:51:08 ipv4sni sniproxy[52880]: time=2023-04-06T23:51:08.766Z level=ERROR msg= service=https err="Finished parsing the Extension block without finding an SN block"

WDYT?

0 replies

62w71st · 2023-04-07T00:04:48Z

62w71st
Apr 7, 2023
Author

Ah!!

It's Iran enforcing safesearch: https://support.opendns.com/hc/en-us/articles/227986807-How-to-Enforcing-Google-SafeSearch-YouTube-and-Bing

216.239.38.120 is the IP address of google's safesearch.

0 replies

mosajjal · 2023-04-07T00:22:50Z

mosajjal
Apr 7, 2023
Maintainer

two things:

editing /etc/resolve.conf usually doesn't work very well. use the following command instead:

sed -i 's/#DNS=/DNS=217.69.9.127/; s/#DNSStubListener=yes/DNSStubListener=no/' /etc/systemd/resolved.conf
systemctl restart systemd-resolved

this disables the stub listener, and changes your DNS to 217.69.9.127. replace it with the current public IP of sniproxy and then restart systemd-resolved

if that doesn't work, try hard-coding google.com in your /etc/hosts with the IP of sniproxy. your file will look like this:

217.69.9.127 google.com

this will bypass DNS altogether so you can test where the issue is. If editing /etc/hosts actually works, the midboxes in Iran are rewriting your DNS and "correcting" it back.

there is a neat way to avoid having DNS query and response altogether using another pet project of mine here. This sets up a "fake" DNS server in your own machine, so you can hard-code your sniproxy address for ALL domains. Use it like this:

install it using:

go install github.com/mosajjal/go-exp/fakedns@latest

set up a simple rules.csv file with only one line:

$ cat /tmp/rules.csv
.,suffix,217.69.9.127

disable the default stub resolver (as mentioned above) and change your DNS server to 127.0.0.1
start fakedns as root:

sudo fakedns -rule /tmp/rules.csv

if fakedns is not in your PATH, you'll get a file not found error. if that's the case, find the full path and replace fakedns with it. Full path is usually /home/USER/go/bin/fakedns

hopefully this helps.

0 replies

62w71st · 2023-04-09T19:31:08Z

62w71st
Apr 9, 2023
Author

Thank you @mosajjal for the instructions on changing DNS and bypassing the safesearch DNS rewrite.

Some progress but not quite there: I added 217.69.9.127 google.com to my /etc/hosts and now the URL does resolve to the sniproxy as expected, however, it gets rerouted to https://www.google.com/about/careers/applications/apply, and then gets stuck:

wget google.com/about/careers/applications/signin
--2023-04-09 19:08:40--  http://google.com/about/careers/applications/signin
Resolving google.com (google.com)... 217.69.9.127
Connecting to google.com (google.com)|217.69.9.127|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/about/careers/applications/signin [following]
--2023-04-09 19:08:40--  https://www.google.com/about/careers/applications/signin
Resolving www.google.com (www.google.com)... 217.69.9.127
Connecting to www.google.com (www.google.com)|217.69.9.127|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.google.com/about/careers/applications/apply [following]
--2023-04-09 19:08:41--  https://www.google.com/about/careers/applications/apply
Reusing existing connection to www.google.com:443.
HTTP request sent, awaiting response...

On the sniproxy machine itself, wget google.com/about/careers/applications/signin is able to download the signin page.

And when on my Tehran machine, I just go to .../apply, I get stuck again:

wget https://www.google.com/about/careers/applications/apply
--2023-04-09 19:12:26--  https://www.google.com/about/careers/applications/apply
Resolving www.google.com (www.google.com)... 217.69.9.127
Connecting to www.google.com (www.google.com)|217.69.9.127|:443... connected.
HTTP request sent, awaiting response...

Server logs are as follows for google.com/about/careers/applications/signin:

Apr 09 19:25:57 ipv4sni sniproxy[52880]: time=2023-04-09T19:25:57.652Z level=INFO msg="rejected request" service=http ip=188.121.117.21:60116
Apr 09 19:25:57 ipv4sni sniproxy[52880]: time=2023-04-09T19:25:57.653Z level=INFO msg=REQ service=http method=GET host=google.com url=/about/careers/applications/signin
Apr 09 19:25:57 ipv4sni sniproxy[52880]: time=2023-04-09T19:25:57.683Z level=INFO msg="http response" service=http status_code="301 Moved Permanently"
Apr 09 19:25:57 ipv4sni sniproxy[52880]: time=2023-04-09T19:25:57.911Z level=INFO msg="establishing connection" service=https remote_ip=142.250.180.4 source_ip=188.121.117.21:39084 host=www.google.com

And for https://www.google.com/about/careers/applications/apply:

Apr 09 19:26:45 ipv4sni sniproxy[52880]: time=2023-04-09T19:26:45.815Z level=INFO msg="rejected request" service=http ip=188.121.117.21:40346
Apr 09 19:26:45 ipv4sni sniproxy[52880]: time=2023-04-09T19:26:45.815Z level=INFO msg=REQ service=http method=GET host=google.com url=/about/careers/applications/apply
Apr 09 19:26:45 ipv4sni sniproxy[52880]: time=2023-04-09T19:26:45.827Z level=INFO msg="http response" service=http status_code="301 Moved Permanently"
Apr 09 19:26:46 ipv4sni sniproxy[52880]: time=2023-04-09T19:26:46.045Z level=INFO msg="establishing connection" service=https remote_ip=142.250.180.4 source_ip=188.121.117.21:38020 host=www.google.com

So it looks sniproxy is not handling 301 moves (redirects)?

0 replies

mosajjal · 2023-04-09T22:10:52Z

mosajjal
Apr 9, 2023
Maintainer

so this confirms that /etc/hosts solves the google.com domain issue, I bet if you add www.google.com to your /etc/hosts that'll solve the 301 issue as well.

but obviously this won't be a long-term solution since you have to literally add every single FQDN to /etc/hosts and also /etc/hosts doesn't support wildcards :P

my suggestion for you is to use fakedns as mentioned above and configure your host to use it as a DNS resolver.

if that doesn't work or it's too hard to implement or the performance is too slow (possible since I haven't actually tested fakedns properly) let me know so I can share you a coredns config that'll leverage DNS-over-TCP which usually goes undetected by midboxes :)

0 replies

62w71st · 2023-04-11T22:26:02Z

62w71st
Apr 11, 2023
Author

Actually, /etc/hosts does have www.google.com mapped out to the sniproxy ip:

217.69.9.127 google.com
217.69.9.127 www.google.com
217.69.9.127 accounts.google.com
127.0.0.1 localhost

Logs from IR machine failing to wget https://www.google.com/about/careers/applications/ :

wget https://www.google.com/about/careers/applications/ 
--2023-04-11 22:30:00--  https://www.google.com/about/careers/applications/
Resolving www.google.com (www.google.com)... 217.69.9.127
Connecting to www.google.com (www.google.com)|217.69.9.127|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://www.google.com/about/careers/applications/&followup=https://www.google.com/about/careers/applications/ [following]
--2023-04-11 22:30:01--  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://www.google.com/about/careers/applications/&followup=https://www.google.com/about/careers/applications/
Resolving accounts.google.com (accounts.google.com)... 217.69.9.127
Connecting to accounts.google.com (accounts.google.com)|217.69.9.127|:443... connected.
HTTP request sent, awaiting response...

sniproxy logs indicate that the accounts.google.com call does reach the proxy:

Apr 11 22:14:06 ipv4sni sniproxy[52880]: time=2023-04-11T22:14:06.109Z level=INFO msg="establishing connection" service=https remote_ip=142.250.180.4 source_ip=188.121.117.21:48118 host=www.google.com
Apr 11 22:14:07 ipv4sni sniproxy[52880]: time=2023-04-11T22:14:07.101Z level=INFO msg="establishing connection" service=https remote_ip=142.250.187.237 source_ip=188.121.117.21:48130 host=accounts.google.com
Apr 11 22:15:05 ipv4sni sniproxy[52880]: time=2023-04-11T22:15:05.614Z level=INFO msg="establishing connection" service=https remote_ip=142.250.180.4 source_ip=188.121.117.21:48060 host=www.google.com

Logs from a machine in the same provider as the sniproxy (Vultr) with its DNS set to the sniproxy succeeds:

wget https://www.google.com/about/careers/applications/ 
--2023-04-11 22:30:09--  https://www.google.com/about/careers/applications/
Resolving www.google.com (www.google.com)... 217.69.9.127, 217.69.9.127
Connecting to www.google.com (www.google.com)|217.69.9.127|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://www.google.com/about/careers/applications/&followup=https://www.google.com/about/careers/applications/ [following]
--2023-04-11 22:30:10--  https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://www.google.com/about/careers/applications/&followup=https://www.google.com/about/careers/applications/
Resolving accounts.google.com (accounts.google.com)... 217.69.9.127, 217.69.9.127
Connecting to accounts.google.com (accounts.google.com)|217.69.9.127|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/InteractiveLogin?continue=https://www.google.com/about/careers/applications/&followup=https://www.google.com/about/careers/applications/&passive=1209600&ifkv=AQMjQ7Rk2XOQB74heXTqsRmJmvdyXkPSwtn3UpnkszOd6oKLUKgtqKaB-6J_ZSAqRfBDkbdkIqe91g [following]
--2023-04-11 22:30:10--  https://accounts.google.com/InteractiveLogin?continue=https://www.google.com/about/careers/applications/&followup=https://www.google.com/about/careers/applications/&passive=1209600&ifkv=AQMjQ7Rk2XOQB74heXTqsRmJmvdyXkPSwtn3UpnkszOd6oKLUKgtqKaB-6J_ZSAqRfBDkbdkIqe91g
Reusing existing connection to accounts.google.com:443.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://accounts.google.com/v3/signin/identifier?dsh=S-922685490%3A1681252210468494&continue=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2F&followup=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2F&ifkv=AQMjQ7RBjQyXOfuEWxF8qHZtLgfsrjFGlgNh3TWMLqvqNxb-PHCo7_QB-3Yf0FVenyfaaYZRI7tSRA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin [following]
--2023-04-11 22:30:10--  https://accounts.google.com/v3/signin/identifier?dsh=S-922685490%3A1681252210468494&continue=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2F&followup=https%3A%2F%2Fwww.google.com%2Fabout%2Fcareers%2Fapplications%2F&ifkv=AQMjQ7RBjQyXOfuEWxF8qHZtLgfsrjFGlgNh3TWMLqvqNxb-PHCo7_QB-3Yf0FVenyfaaYZRI7tSRA&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin
Reusing existing connection to accounts.google.com:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                                    [ <=>                                                                                                                                 ] 149.57K  --.-KB/s    in 0.05s   

2023-04-11 22:30:10 (2.92 MB/s) - ‘index.html’ saved [153161]

Thanks for the hints on fakedns and coredns. I'd like to get this working with manual settings first before adding other tools into the mix.

0 replies

mosajjal · 2023-04-12T03:52:32Z

mosajjal
Apr 12, 2023
Maintainer

yeah you might be onto something. looks like something new in the midboxes that block a legitimate TLS connection. have you tried setting /etc/hosts and then using an actual browser to visit the site? lately I've seen "non-standard" TLS clients being blocked.

0 replies

ExtremeDot · 2023-04-18T12:20:53Z

ExtremeDot
Apr 18, 2023

as my experience on vultr services, we need to start cloudflare warp on vultr vps, then route the traffics from specific sites into cloudflare warp connection.

for example i had a problem while usuing chat.openai.com, installed warp-go created by chinese developer, then route traffics from openai.com site to cloudflare warp app instead of default main network on vultr vps.

i wish we had a speech as persian language 👯

0 replies

62w71st · 2023-04-21T19:36:35Z

62w71st
Apr 21, 2023
Author

yeah you might be onto something. looks like something new in the midboxes that block a legitimate TLS connection. have you tried setting /etc/hosts and then using an actual browser to visit the site? lately I've seen "non-standard" TLS clients being blocked.

I tried the same experiment on a Chrome browser running on a Windows server machine in IR and got pretty much the same results.

ERR_TIMED_OUT on the browser, and windows wget both times out.

Do you have benchmark experiments or probers running in Iran or plans to have them in the future? That would show whether this problem is local to my setup or not.

Would be happy to help test out the proxy in the future using my IR nodes. Thank you for helping with this issue so far. ✌️

0 replies

mosajjal · 2023-04-22T07:28:53Z

mosajjal
Apr 22, 2023
Maintainer

as my experience on vultr services, we need to start cloudflare warp on vultr vps, then route the traffics from specific sites into cloudflare warp connection.

for example i had a problem while usuing chat.openai.com, installed warp-go created by chinese developer, then route traffics from openai.com site to cloudflare warp app instead of default main network on vultr vps.

i wish we had a speech as persian language

assuming WARP overrides the fake IP that sniproxy needs so it won't work, but needs more testing.

the reason that Farsi is not used here is the fact that other countries also use the proxy for different purposes and it'd be good to include everyone into these conversations. Farsi limits the amount of people that can read the comments and discussions.

0 replies

mosajjal · 2023-04-22T07:30:55Z

mosajjal
Apr 22, 2023
Maintainer

yeah you might be onto something. looks like something new in the midboxes that block a legitimate TLS connection. have you tried setting /etc/hosts and then using an actual browser to visit the site? lately I've seen "non-standard" TLS clients being blocked.

I tried the same experiment on a Chrome browser running on a Windows server machine in IR and got pretty much the same results.

ERR_TIMED_OUT on the browser, and windows wget both times out.

Do you have benchmark experiments or probers running in Iran or plans to have them in the future? That would show whether this problem is local to my setup or not.

Would be happy to help test out the proxy in the future using my IR nodes. Thank you for helping with this issue so far. v

I think we identified the root cause didn't we? the DNS looks to be the culprit.

you can potentially run a tcpdump against port 53 (tcpdump -nni any port 53) and conduct your tests that give you the timeout, and look at the DNS packets. happy to take a look myself too.

0 replies

prooshani · 2023-05-04T09:10:50Z

prooshani
May 4, 2023

I had exact same issue with my DNS server which provided by sniproxy.
I have several VPS located all around the Europe and US and believe me, it is not location related issue. All results from different servers are the same.
The google's sign-in page returns 403 forbidden if I use 9.9.9.9 as upstream DNS resolver. However, if I use other resolvers like NextDNS or AdGuard this issue will not appear again. Please be noted that you should use DoT or DoH for upstream connection.

0 replies

mosajjal · 2023-05-08T00:11:14Z

mosajjal
May 8, 2023
Maintainer

since this doesn't look like a bug in sniproxy and more of a functionality discussion, I'll convert the issue to a discussion and close this out.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

https://www.google.com/about/careers/applications/ 403's from IR #44

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 20 comments

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

https://www.google.com/about/careers/applications/ 403's from IR #44

62w71st Apr 4, 2023

Replies: 20 comments

62w71st Apr 4, 2023 Author

mosajjal Apr 4, 2023 Maintainer

62w71st Apr 4, 2023 Author

mosajjal Apr 4, 2023 Maintainer

mosajjal Apr 4, 2023 Maintainer

62w71st Apr 5, 2023 Author

mosajjal Apr 6, 2023 Maintainer

62w71st Apr 6, 2023 Author

62w71st Apr 7, 2023 Author

mosajjal Apr 7, 2023 Maintainer

62w71st Apr 9, 2023 Author

mosajjal Apr 9, 2023 Maintainer

62w71st Apr 11, 2023 Author

mosajjal Apr 12, 2023 Maintainer

ExtremeDot Apr 18, 2023

62w71st Apr 21, 2023 Author

mosajjal Apr 22, 2023 Maintainer

mosajjal Apr 22, 2023 Maintainer

prooshani May 4, 2023

mosajjal May 8, 2023 Maintainer

62w71st
Apr 4, 2023

62w71st
Apr 4, 2023
Author

mosajjal
Apr 4, 2023
Maintainer

62w71st
Apr 4, 2023
Author

mosajjal
Apr 4, 2023
Maintainer

mosajjal
Apr 4, 2023
Maintainer

62w71st
Apr 5, 2023
Author

mosajjal
Apr 6, 2023
Maintainer

62w71st
Apr 6, 2023
Author

62w71st
Apr 7, 2023
Author

mosajjal
Apr 7, 2023
Maintainer

62w71st
Apr 9, 2023
Author

mosajjal
Apr 9, 2023
Maintainer

62w71st
Apr 11, 2023
Author

mosajjal
Apr 12, 2023
Maintainer

ExtremeDot
Apr 18, 2023

62w71st
Apr 21, 2023
Author

mosajjal
Apr 22, 2023
Maintainer

mosajjal
Apr 22, 2023
Maintainer

prooshani
May 4, 2023

mosajjal
May 8, 2023
Maintainer