Guide on collecting data using OONI to test for Transparent DNS Proxies

We had previously reported that transparent DNS Proxy is being implemented by Malaysian ISPs on Cloudflare and Google Public DNS Servers

As the OONI Probes on Desktop and Mobile are unable to conclusively test this, we would like to reach out to volunteers who have access to a Linux terminal/ CLI to collect data on networks in Malaysia:

Risks: Things you should know before running the OONI Probe

Read the OONI data policy here

Step 1: Download the miniooni tool:

curl -LO https://github.com/ooni/probe-cli/releases/download/v3.23.0/miniooni-linux-amd64 && chmod +x miniooni-linux-amd64

Step 2: Run the following tests

Using an example of a blocked website “murrayhunter.substack.com” we may test using various Public DNS addresses:

On Linux

Download the list of Public DNS addresses:

wget https://raw.githubusercontent.com/Sinar/test-lists/test-lists-v2/lists/dns.csv

Run the tests:-

On the first run, you will need to consent to running the OONI tool and understanding that anyone monitoring your internet activity (e.g. government or ISP) will see that you are running the tool.

~/miniooni-linux-amd64 dnsping --input-file dns.csv -O Domains="murrayhunter.substack.com" --yes

On subsequent runs

~/miniooni-linux-amd64 dnsping --input-file dns.csv -O Domains="murrayhunter.substack.com"

Note: If you can test it on other platforms with different versions of miniooni and would consider writing a brief guide, please email it to [email protected]. We will add it to this guide and include credit to you, if you allow.

How to read the results

As reference, we can conclude that the network is likely to be implementing a Transparent DNS Proxy when `175.139.142.25` appears in the output. A confirmed blocking on OONI shows that there has been DNS blocking on the website whereby the DNS had been tampered to redirect to MCMC’s IP address: 175.139.142.25.

The output of the tests should look like this:

[ 0.000004] <info> Current time: 2024-08-08 03:42:47 UTC
[ 0.000046] <info> miniooni home directory: $HOME/.miniooni
[ 0.000149] <info> ooniprobe-engine/v3.22.0 97f1df33611097fdcd8e0cc53fe096c0c7727487 dirty=false go1.21.10
[ 0.000409] <info> Looking up OONI backends; please be patient...
[ 0.000802] <info> sessionresolver: lookup api.ooni.io using https://dns.google/dns-query... started
[ 0.245042] <info> sessionresolver: lookup api.ooni.io using https://dns.google/dns-query... ok
[ 0.245365] <info> httpsDialer: [#2] tactic '{"Address":"162.55.247.208","InitialDelay":0,"Port":"443","SNI":"api.ooni.io","VerifyHostname":"api.ooni.io"}' is ready
[ 0.245382] <info> httpsDialer: [#2] TCPConnect 162.55.247.208:443... started
[ 0.425093] <info> httpsDialer: [#2] TCPConnect 162.55.247.208:443... ok
[ 0.425167] <info> httpsDialer: [#2] TLSHandshake with 162.55.247.208:443 SNI=api.ooni.io ALPN=[h2 http/1.1]... started
[ 0.611212] <info> httpsDialer: [#2] TLSHandshake with 162.55.247.208:443 SNI=api.ooni.io ALPN=[h2 http/1.1]... ok
[ 0.611230] <info> httpsDialer: [#2] TLSVerifyCertificateChain api.ooni.io... started
[ 0.612417] <info> httpsDialer: [#2] TLSVerifyCertificateChain api.ooni.io... ok
[ 0.777776] <info> session: using probe services: {Address:https://api.ooni.io Type:https Front:}
[ 0.777798] <info> Looking up your location; please be patient...
[ 0.777845] <info> iplookup: using cloudflare
[ 0.778028] <info> sessionresolver: lookup www.cloudflare.com using https://dns.google/dns-query... started
[ 0.859214] <info> sessionresolver: lookup www.cloudflare.com using https://dns.google/dns-query... ok
[ 2.276310] <info> - country: MY
[ 2.276333] <info> - network: TT DOTCOM SDN BHD (AS9930)
[ 2.276341] <info> - resolver's IP: 172.217.44.221
[ 2.276348] <info> - resolver's network: Google LLC (AS15169)
[ 2.276393] <info> [1/1] running with input: udp://8.8.4.4:53
[ 2.276499] <info> DNSPing #0 8.8.4.4:53 murrayhunter.substack.com... started
[ 2.363578] <info> DNSPing #0 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25
[ 3.276540] <info> DNSPing #1 8.8.4.4:53 murrayhunter.substack.com... started
[ 3.306279] <info> DNSPing #1 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25
[ 4.277124] <info> DNSPing #2 8.8.4.4:53 murrayhunter.substack.com... started
[ 4.358362] <info> DNSPing #2 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25
[ 5.277023] <info> DNSPing #3 8.8.4.4:53 murrayhunter.substack.com... started
[ 5.328287] <info> DNSPing #3 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25
[ 6.276885] <info> DNSPing #4 8.8.4.4:53 murrayhunter.substack.com... started
[ 6.321691] <info> DNSPing #4 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25
[ 7.276615] <info> DNSPing #5 8.8.4.4:53 murrayhunter.substack.com... started
[ 7.320531] <info> DNSPing #5 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25
[ 8.276719] <info> DNSPing #6 8.8.4.4:53 murrayhunter.substack.com... started
[ 8.404188] <info> DNSPing #6 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25
[ 9.277423] <info> DNSPing #7 8.8.4.4:53 murrayhunter.substack.com... started
[ 9.298909] <info> DNSPing #7 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25
[ 10.277215] <info> DNSPing #8 8.8.4.4:53 murrayhunter.substack.com... started
[ 10.379227] <info> DNSPing #8 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25
[ 11.276854] <info> DNSPing #9 8.8.4.4:53 murrayhunter.substack.com... started
[ 11.354877] <info> DNSPing #9 8.8.4.4:53 murrayhunter.substack.com... 175.139.142.25


Domain IPAddress ASN Org #Seen LateResponse
--------------------------------------------------------------------------------------------------------------------------------------------------
murrayhunter.substack.com 175.139.142.25 4788 TM TECHNOLOGY SERVICES SDN BHD 10 false


[ 12.278218] <info> submitting measurement to OONI collector; please be patient...
[ 12.455485] <info> New reportID: 20240808T034300Z_dnsping_MY_9930_n1_YVnch5rH64o72Rop
2024/08/08 11:43:00 Measurement URL: https://explorer.ooni.org/m/20240808034300.269185_MY_dnsping_785d846ef5a41a99
[ 12.655537] <info> saving measurement to disk
[ 12.655742] <info> experiment: recv 0.00 byte, sent 0.00 byte
[ 12.656131] <info> whole session: recv 5.06 kbyte, sent 14.13 kbyte

If you need guidance on how to understand the results, you may send us an email together with the respective Measurement URL e.g. https://explorer.ooni.org/m/20240808034300.269185_MY_dnsping_785d846ef5a41a99 to [email protected] 

In the Explorer page, you may review in the Raw Measurement Data section.

Example of when a network is likely to be implementing Transparent DNS Proxies: https://explorer.ooni.org/m/20240808014325.274413_MY_dnsping_f15f8a46c0b4e54e 

"answers":[1 item
0:{3 items
"answer_type":string"CNAME"
"hostname":string"mcmc.time.net.my."
"ttl":NULL
}
]

 

"answers":[2 items
0:{5 items
"asn":int4788
"as_org_name":string"TM TECHNOLOGY SERVICES SDN BHD"
"answer_type":string"A"
"ipv4":string"175.139.142.25"
"ttl":NULL


Example of a network likely to be not implementing Transparent DNS Proxies:

https://explorer.ooni.org/m/20240808015522.690913_MY_dnsping_36bd718c0a1cb4ec 

"answers":[2 items
0:{5 items
"asn":int13335
"as_org_name":string"Cloudflare Inc"
"answer_type":string"AAAA"
"ipv6":string"2606:4700::6812:bdf"
"ttl":NULL