[caiu] Bloqueio do DNS Cloudflare 1.1.1.1 TIM SP
Pedro Guizeline
pedro em guizeline.com
Qui Dez 13 11:25:39 -02 2018
Prezados,
A Cloudflare disponibiliza serviços de DNS Anycast via os endereços 1.1.1.1
e 1.0.0.1, fiz uma série de testes de conexão utilizando tanto conexão via
TIM Live fixa, e TIM móvel, em ambos os casos os resultados são os mesmos.
Abaixo estão os testes executados:
# MTR
~# mtr --report-wide -c 5 1.1.1.1
Start: Thu Dec 13 11:05:03 2018
HOST: mufasa Loss% Snt Last Avg Best
Wrst StDev
1.|-- 175.251.40.189.isp.timbrasil.com.br 0.0% 5 5.4 5.6 5.4
5.9 0.0
2.|-- 10.216.250.229 0.0% 5 14.1 13.8 13.5
14.1 0.0
3.|-- 10.223.255.142 0.0% 5 14.2 15.3 14.1
16.6 0.9
4.|-- 10.223.229.82 0.0% 5 13.2 13.1 12.8
13.3 0.0
5.|-- 10.208.163.33 20.0% 5 14.1 14.4 14.1
14.7 0.0
6.|-- one.one.one.one 0.0% 5 12.6 12.8 12.4
13.6 0.0
~# mtr --report-wide -c 5 1.0.0.1
Start: Thu Dec 13 11:05:28 2018
HOST: mufasa Loss% Snt Last Avg Best
Wrst StDev
1.|-- 175.251.40.189.isp.timbrasil.com.br 0.0% 5 5.7 11.3 5.4
34.4 12.9
2.|-- 10.216.250.197 0.0% 5 7.4 7.3 7.0
7.7 0.0
3.|-- 10.223.255.113 0.0% 5 6.9 7.1 6.8
7.3 0.0
4.|-- 10.223.238.62 0.0% 5 10.9 9.8 8.5
10.9 0.9
5.|-- as13335.saopaulo.sp.ix.br 0.0% 5 8.8 8.9 8.8
8.9 0.0
6.|-- one.one.one.one 0.0% 5 9.0 9.1 9.0
9
# DIG
~# dig google.com @1.1.1.1
; <<>> DiG 9.10.3-P4-Debian <<>> google.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached
~# dig google.com @1.0.0.1
; <<>> DiG 9.10.3-P4-Debian <<>> google.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44262
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 83 IN A 172.217.29.14
;; Query time: 9 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Thu Dec 13 11:03:56 -02 2018
;; MSG SIZE rcvd: 55
# CURL
~# curl -v
https://1.1.1.1/dns-query?ct=application/dns-json&name=cloudflare.com
[1] 6819
~# * Trying 1.1.1.1...
* TCP_NODELAY set
* connect to 1.1.1.1 port 443 failed: Connection refused
* Failed to connect to 1.1.1.1 port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 1.1.1.1 port 443: Connection refused
^C
[1]+ Exit 7 curl -v
https://1.1.1.1/dns-query?ct=application/dns-json
~# curl -v
https://1.0.0.1/dns-query?ct=application/dns-json&name=cloudflare.com
[1] 6821
~# * Trying 1.0.0.1...
* TCP_NODELAY set
* Connected to 1.0.0.1 (1.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=*.
cloudflare-dns.com
* start date: Mar 30 00:00:00 2018 GMT
* expire date: Mar 25 12:00:00 2020 GMT
* subjectAltName: host "1.0.0.1" matched cert's IP address!
* issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade:
len=0
* Using Stream ID: 1 (easy handle 0x5639e67eddc0)
> GET /dns-query?ct=application/dns-json HTTP/1.1
> Host: 1.0.0.1
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 400
< date: Thu, 13 Dec 2018 12:52:53 GMT
< content-length: 31
< access-control-allow-origin: *
< expect-ct: max-age=604800, report-uri="
https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 488892078ff14b45-GRU
<
* Curl_http_done: called premature == 0
* Connection #0 to host 1.0.0.1 left intact
A valid query name must be set.^C
[1]+ Done curl -v
https://1.0.0.1/dns-query?ct=application/dns-json
É possível observar que o DNS primário 1.1.1.1 está sendo bloqueado
enquanto o secundário funciona normalmente. Já entrei em contato com o
suporte da TIM, não obtive nenhuma resposta. Enviei email para o
responsável no domínio TIM conforme o registro WHOIS, mas o email está
desativado.
Um outro teste bem rápido pode ser realizado acessando via navegador esta
página:
https://cloudflare-dns.com/help/
Agradeço desde já qualquer ajuda e/ou testes de outras localidades para
corroborar os dados obtidos nos testes acima.
--
Pedro Guizeline
p <pedro em guizeline.com>edro em guizeline.com
Mais detalhes sobre a lista de discussão caiu