Can you think of any other ways of defeating DNS censorship?

[Drew Wilson]

I, for one, have been laughing at the attempt to censor the internet through the PROTECT-IP act at this point. I've actually decided to see just how many ways I can defeat any possible internet censorship and writing highly detailed guides so that it is way easier for average users to defeat it too.

So far, I have written guides on the following methods:

1. Via command prompt

2. Via web DNS tools

3. Using a HOSTs file

4. Using MAFIAAFire

5. Using TOR

6. Using Foxy Proxy

7. Changing Your DNS Server

My plan is to eventually write guides for the following methods as well:

8. Using a Free VPN service (unless, of course, someone is willing to show me the guts of a pay service in a way that allows me to write a guide)

Methods I can't write a guide about:

a. Using SOCKS - I could figure out the software, but the problem is that I have no means of testing it. If I had an SSH proxy, I would have written a nice guide about using PuTTY rout past censored websites not only in FireFox, but in uTorrent as well. Since I don't have access to any usable SSH proxies, I can't confirm if the method I'm using works, so it's pointless to even write the guide. :frown:

Anyone have any thoughts so far? Anyone know of any other method that I'm missing? I'm hopeful I can get this list eventually up to ten before the FBI tracks me down and throws me in to a secret jail for unauthorized use of free speech and publicly available material as well as having the nerve to question the government.

[Drew Wilson]

Post updated to show that the latest guide was finally written.

Bumping this thread as well.

[Aaron_Walkhouse]

I have a couple of OpenDNS servers at the bottom of my DNS list as a
backup but since they are all about censorship and are based in California
I would advise putting any censorship-busting DNS services above them
in your TCP driver's server list and above your ISP's servers if they also
start allowing censorship.

There are a lot of DNS servers around the world that have no restrictions
on where their users are located so you could easily find one from an ISP
out of reach of censors who are in the U.S. This would only be reliable if
you find them yourself because if people started listing available servers
large crowds would start using them, get noticed and then get kicked out
so the server doesn't get swamped with outside traffic. Large ISPs in
western countries could also be open to MAFIAA manipulation and close
access to their DNS servers from outside their own networks; so if you
pick one of those you should have a backup from another ISP in another
country right below your first choice in the list.

Actually doing this is very easy. Once you find a DNS server's IP address
add it to the list in your TCP drivers settings. Here's the list in Windows XP:


Anti-censorship DNS services will probably be using encryption for added
security but most operating systems, especially older ones, have no ability
to use it for DNS queries because there was no need for it until recently.
In that case you can use stunnel on your own computer with it configured
to listen on port 53 and tunnel your DNS queries to the server. With that
tunnel you would just add "127.0.0.1" to your DNS server list above any
that are censoring. This enables Windows to use encrypted DNS without
special software or drivers. Little tunnelling proxies are probably available
for all operating systems because they are small and easy to port between
different environments.

Configuration for encrypted DNS in stunnel would look something like this:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = stunnel.pem
;key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
client = yes
compression = zlib


; Use the "accept" address to get an SSL connection to the "connect" address.
[DNS]
accept = 127.0.0.1:53
connect = dns.wherever.net:53
; ( If somebody censors the DNS server's domain name use it's IP address here instead. )

; Teranews free newsgroup servers. Use entries like this if your newsgroup reader can't use SSL or
; you are using yProxy Free (http://www.yproxy.com/free/) or yDecode (http://www.ydecode.com/) to
; translate yEnc(oded) binary downloads for Outlook Express, Windows Mail, Windows Live Mail, or
; Mozilla Thunderbird, which can't use yEnc. It's off topic but I'll throw it in for free. ;]

[nntps]
accept = 127.0.0.1:120
connect = public.teranews.com:80

[nntps2]
accept = 127.0.0.1:118
connect = public.teranews.com:563

; Service-level configuration

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

[ssmtp]
accept = 465
connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini


Once it is set up and you put a shortcut to stunnel.exe in your startup folder
you won't have to worry about DNS censors anymore.

That's assuming you have an uncensored, encrypted DNS server you can trust.
If you do, don't tell me just yet. :spy: I don't keed to know that, do I?

If anybody is thinking of setting up an anti-censorship DNS service you should
familiarize yourself with these little proxies and preferably make your own because
many of your users will need an installer to set them up automatically.

[Drew Wilson]

Well, looks like the SOCKS tutorial (probably would have been two: 1 for FireFox and 1 for uTorrent) is a bust without an SSH proxy server. I find it unlikely I'll find a free one given the amount of traffic involved would be. Since I don't have one readily available for testing purposes, writing a guide would be pointless.

Looks like I'm off to writing the DNS tutorial next.

[Drew Wilson]

OK, done the DNS tutorial. Yup, a lot is different about XP and 7. I've included your screenshots and a link to your comments on the latest guide. You were actually quite helpful in that your screen shots reminded me of my fun with port forwarding. Once I remembered that, it was simply relocating that screen since I saw the DNS server in the same window. Really appreciate all your help here! One guide left to go and I should be finished with the series.

I'm still stumped on what else would work. The only thing I can think of is variations of the previous guides (i.e. using a proxy plug-in that's not Foxy Proxy, etc.) Still, it seems sufficient to have these 8 methods to go on for now. I'm sure variations of some of these will surface in the future. I've heard of one method in which the traffic is spoofed to make the ISP think you are accessing an authorized website when really you are accessing a banned website. Since the software is only in its preliminary stages of development (re: not testable), won't be able to write anything about it. *shrugs*

[mountain_rage]

Overthrow the U.S. government and replace it with a government who represent the will of the people, united against corporate greed.

[Drew Wilson]

Overthrow the U.S. government and replace it with a government who represent the will of the people, united against corporate greed.

[Drew Wilson]

Wow. Uh, it seems that we got a lot of attention now. I've posted a general wrap-up article that lists all of the methods I've written guides for. As of right now, there's 40 comments on the story, so I think that's a good sign.

Anyway, I want to thank everyone here on their help in getting these guides written - especially Aaron who really gave me quite a nice bit of background info on some of my questions. So, thank you very much for helping me make this possible. If I do have any questions in the future on things I know less about, I won't hesitate to ask here.