[caiu] Bloqueio do DNS Cloudflare 1.1.1.1 TIM SP

Pedro Guizeline pedro em guizeline.com
Qui Dez 13 11:25:39 -02 2018


Prezados,

A Cloudflare disponibiliza serviços de DNS Anycast via os endereços 1.1.1.1
e 1.0.0.1, fiz uma série de testes de conexão utilizando tanto conexão via
TIM Live fixa, e TIM móvel, em ambos os casos os resultados são os mesmos.
Abaixo estão os testes executados:

# MTR

~# mtr --report-wide -c 5 1.1.1.1
Start: Thu Dec 13 11:05:03 2018
HOST: mufasa                              Loss%   Snt   Last   Avg  Best
Wrst StDev
  1.|-- 175.251.40.189.isp.timbrasil.com.br  0.0%     5    5.4   5.6   5.4
 5.9   0.0
  2.|-- 10.216.250.229                       0.0%     5   14.1  13.8  13.5
14.1   0.0
  3.|-- 10.223.255.142                       0.0%     5   14.2  15.3  14.1
16.6   0.9
  4.|-- 10.223.229.82                        0.0%     5   13.2  13.1  12.8
13.3   0.0
  5.|-- 10.208.163.33                       20.0%     5   14.1  14.4  14.1
14.7   0.0
  6.|-- one.one.one.one                      0.0%     5   12.6  12.8  12.4
13.6   0.0

~# mtr --report-wide -c 5 1.0.0.1
Start: Thu Dec 13 11:05:28 2018
HOST: mufasa                              Loss%   Snt   Last   Avg  Best
Wrst StDev
  1.|-- 175.251.40.189.isp.timbrasil.com.br  0.0%     5    5.7  11.3   5.4
34.4  12.9
  2.|-- 10.216.250.197                       0.0%     5    7.4   7.3   7.0
 7.7   0.0
  3.|-- 10.223.255.113                       0.0%     5    6.9   7.1   6.8
 7.3   0.0
  4.|-- 10.223.238.62                        0.0%     5   10.9   9.8   8.5
10.9   0.9
  5.|-- as13335.saopaulo.sp.ix.br            0.0%     5    8.8   8.9   8.8
 8.9   0.0
  6.|-- one.one.one.one                      0.0%     5    9.0   9.1   9.0
 9

# DIG

~# dig google.com @1.1.1.1

; <<>> DiG 9.10.3-P4-Debian <<>> google.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

~# dig google.com @1.0.0.1

; <<>> DiG 9.10.3-P4-Debian <<>> google.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44262
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             83      IN      A       172.217.29.14

;; Query time: 9 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Thu Dec 13 11:03:56 -02 2018
;; MSG SIZE  rcvd: 55

# CURL

~# curl -v
https://1.1.1.1/dns-query?ct=application/dns-json&name=cloudflare.com
[1] 6819
~# *   Trying 1.1.1.1...
* TCP_NODELAY set
* connect to 1.1.1.1 port 443 failed: Connection refused
* Failed to connect to 1.1.1.1 port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 1.1.1.1 port 443: Connection refused
^C
[1]+  Exit 7                  curl -v
https://1.1.1.1/dns-query?ct=application/dns-json

~# curl -v
https://1.0.0.1/dns-query?ct=application/dns-json&name=cloudflare.com
[1] 6821
~# *   Trying 1.0.0.1...
* TCP_NODELAY set
* Connected to 1.0.0.1 (1.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=*.
cloudflare-dns.com
*  start date: Mar 30 00:00:00 2018 GMT
*  expire date: Mar 25 12:00:00 2020 GMT
*  subjectAltName: host "1.0.0.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade:
len=0
* Using Stream ID: 1 (easy handle 0x5639e67eddc0)
> GET /dns-query?ct=application/dns-json HTTP/1.1
> Host: 1.0.0.1
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 400
< date: Thu, 13 Dec 2018 12:52:53 GMT
< content-length: 31
< access-control-allow-origin: *
< expect-ct: max-age=604800, report-uri="
https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 488892078ff14b45-GRU
<
* Curl_http_done: called premature == 0
* Connection #0 to host 1.0.0.1 left intact
A valid query name must be set.^C
[1]+  Done                    curl -v
https://1.0.0.1/dns-query?ct=application/dns-json

É possível observar que o DNS primário 1.1.1.1 está sendo bloqueado
enquanto o secundário funciona normalmente. Já entrei em contato com o
suporte da TIM, não obtive nenhuma resposta. Enviei email para o
responsável no domínio TIM conforme o registro WHOIS, mas o email está
desativado.

Um outro teste bem rápido pode ser realizado acessando via navegador esta
página:
https://cloudflare-dns.com/help/

Agradeço desde já qualquer ajuda e/ou testes de outras localidades para
corroborar os dados obtidos nos testes acima.

-- 
Pedro Guizeline
p <pedro em guizeline.com>edro em guizeline.com


Mais detalhes sobre a lista de discussão caiu