Nanjing Telecom's DNS hijacking is done at the router
I had assumed China Telecom was tampering at the DNS server. But after testing it turns out that Nanjing Telecom's DNS hijack is done at the router: if a DNS response on port 53 is NXDOMAIN, the packet gets swapped out. Truly outrageous:
# nslookup non-exist.lrfz.com 211.93.80.129
Server: dns.lnsy.cnuninet.net
Address: 211.93.80.129
Name: A.test.test
Addresses: 202.102.113.182, 202.102.113.179, 202.102.113.180, 202.102.113.181
# nslookup jaisdjfaf.lrfz.com 202.112.20.131
Server: dns.whnet.edu.cn
Address: 202.112.20.131
Name: A.test.test
Addresses: 202.102.113.180, 202.102.113.181, 202.102.113.182, 202.102.113.179
In other words, switching DNS servers no longer helps; there is nowhere to hide. So the only technically feasible workaround right now is dnsmasq, and probably not one user in ten thousand knows how to use it.
I also checked Shanghai (company fibre connection; ADSL still to be verified) and found it is actually a little different: there the hijacking is done at the DNS server:
# nslookup non-exist.keotag.com 202.27.184.3
Server: 202.27.184.3
Address: 202.27.184.3#53
Non-authoritative answer:
*** Can't find non-exist.keotag.com: No answer
# nslookup -type=PTR 202.27.184.3
Server: 192.168.1.11
Address: 192.168.1.11#53
Non-authoritative answer:
3.184.27.202.in-addr.arpa name = alien.xtra.co.nz.
Authoritative answers can be found from:
# nslookup non-exist.keotag.com 202.96.199.132
Server: 202.96.199.132
Address: 202.96.199.132#53
Non-authoritative answer:
*** Can't find non-exist.keotag.com: No answer
# nslookup -type=PTR 202.96.199.132
Server: 192.168.1.11
Address: 192.168.1.11#53
Non-authoritative answer:
132.199.96.202.in-addr.arpa name = nm.sta.net.cn.
Authoritative answers can be found from:
# nslookup non-exist.keotag.com 202.96.209.5
Server: 202.96.209.5
Address: 202.96.209.5#53
Non-authoritative answer:
Name: non-exist.keotag.com
Address: 218.83.175.154
# nslookup -type=PTR 202.96.209.5
Server: 192.168.1.11
Address: 192.168.1.11#53
Non-authoritative answer:
5.209.96.202.in-addr.arpa name = ns-px.online.sh.cn.
Authoritative answers can be found from:
Sure enough, everyone can do the trick, each in their own clever way. But however it is done, it is all DNS hijacking, and it all infringes on citizens' freedom and security of communication.
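As an added example (not code from the original post), the following Python script encodes the reasoning behind the measurements above: query a name that cannot exist against several unrelated resolvers and compare what comes back. If every resolver, including ones outside the ISP's network, returns the identical bogus address set, the rewriting sits on the path; if only particular resolvers answer, it sits in those servers. The probe results are constructed inline from the nslookup output above so that it runs offline; the function names and the verdict labels are my own.

```python
"""Classify where NXDOMAIN rewriting happens from a set of resolver probes.

Added example, not the post's own code.  Probe results are constructed
inline to mirror the nslookup observations; a live probe would send the
queries itself and fill in the same structure.
"""
import random
import string

# Sentinel: the resolver returned NXDOMAIN / no answer, as it should.
NXDOMAIN = None


def random_nonexistent_name(zone):
    """Build a label that almost certainly does not exist under `zone`,
    so any A record in the answer is injected rather than genuine."""
    label = ''.join(random.choice(string.ascii_lowercase) for _ in range(16))
    return '%s.%s' % (label, zone)


def classify(probes):
    """probes: {resolver_ip: frozenset of A records, or NXDOMAIN}.

    Returns (verdict, answering_resolvers, injected_addresses) where verdict is
      'clean'    - every resolver returned NXDOMAIN
      'in-path'  - at least two unrelated resolvers all returned the same bogus
                   answer set, which is what rewriting on the path (e.g. at the
                   router) looks like, since the servers have nothing in common
      'resolver' - only some resolvers answered (or only one was probed, so
                   the location cannot be told apart): the hijack is blamed on
                   the answering servers
    """
    answered = {r: a for r, a in probes.items() if a is not NXDOMAIN and a}
    if not answered:
        return 'clean', [], frozenset()
    injected = frozenset().union(*answered.values())
    same_everywhere = (len(probes) >= 2 and
                       len(answered) == len(probes) and
                       len(set(answered.values())) == 1)
    if same_everywhere:
        return 'in-path', sorted(answered), injected
    return 'resolver', sorted(answered), injected


# Constructed probe results modelled on the nslookup output above.
NANJING = {
    '211.93.80.129': frozenset({'202.102.113.179', '202.102.113.180',
                                '202.102.113.181', '202.102.113.182'}),
    '202.112.20.131': frozenset({'202.102.113.179', '202.102.113.180',
                                 '202.102.113.181', '202.102.113.182'}),
}
SHANGHAI = {
    '202.27.184.3': NXDOMAIN,
    '202.96.199.132': NXDOMAIN,
    '202.96.209.5': frozenset({'218.83.175.154'}),
}
# Constructed control case: two resolvers that both behave correctly.
CLEAN = {'10.0.0.1': NXDOMAIN, '10.0.0.2': NXDOMAIN}

if __name__ == '__main__':
    print('probe name:', random_nonexistent_name('example.com'))
    for label, probes in (('Nanjing', NANJING), ('Shanghai', SHANGHAI),
                          ('control', CLEAN)):
        verdict, who, addrs = classify(probes)
        print('%-8s %-9s resolvers=%s injected=%s'
              % (label, verdict, who, sorted(addrs)))
```

The injected address set the classifier reports is exactly what a local dnsmasq needs in its bogus-nxdomain setting to turn those answers back into NXDOMAIN on the client side, which is why dnsmasq is the practical workaround mentioned above. The 'in-path' verdict is only meaningful when the probed resolvers are genuinely independent (different operators, different networks), as in the measurements on this page.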
Labels: dnshijack, hijack, telecom
China Telecom DNS and HTTP hijacking: related links
The following is an incomplete list of reactions from consumers in various places to the DNS and HTTP hijacking China Telecom has carried out in recent years across provinces and cities of mainland China, together with the corresponding rights-defence articles. This list will be maintained from time to time.
My demand is that China Telecom stop its DNS and HTTP hijacking of Internet service users within mainland China, apologise publicly, and pay compensation. Because my personal energy is limited, I will very likely be unable to carry this rights-defence action through to the end on my own. I hope the work I have done recently and the information I have provided will help others who have likewise been unlawfully harmed by China Telecom. You are welcome to cite the related articles on this blog and to report the situation in your own area.
Labels: dnshijack, hijack, httphijack, telecom
OpenWRT NAS Watchdog
I set up a WDS network with two OpenWRT-powered Wi-Fi routers in my apartment. It soon turned out that the client router, which has less memory and runs fewer services, breaks several times a day. Today I found that the nas process had crashed. Without checking the patches I found on the OpenWRT dev site (https://dev.openwrt.org/ticket/164, https://dev.openwrt.org/browser/trunk/package/madwifi/patches/111-wds_fix_PR_914.patch?rev=5903), which are quite old (I'm using the latest WhiteRussian release), I just implemented a cron-job watchdog in shell:
#!/bin/sh
# /usr/local/bin/nas_watchdog
# Read the PID that nas recorded for the LAN interface; stay quiet if the file is missing.
pid="$(cat /var/run/nas.lan.pid 2>/dev/null)"
# If a PID was found and a process with that PID exists, nas is alive: nothing to do.
[ -n "$pid" ] && [ -d "/proc/$pid" ] && exit 0
# Otherwise nas has died (or never started): bring WPA back up.
echo "Restarting WPA ..."
/etc/init.d/S41wpa
exit 1
And my crontab:
*/2 * * * * /usr/local/bin/nas_watchdog
Labels: OpenWRT
Summary of complaints about China Telecom DNS and HTTP hijacking
China Telecom's DNS and HTTP hijacking is becoming more and more rampant. I am filing complaints against this behaviour, which undermines citizens' freedom and security of communication. Below are the recent related records, which will be updated continuously.
GET / HTTP/1.1
Host: www.scriblnotes.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy) Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh-tw;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
HTTP/1.1 302 Object moved
Location: http://221.231.148.194/proxy.html?e=201eb54898bc6406OxhdeCjBoCkw_T7gZm3IwrYlOB3v6e1loxkWgx7nOe3WB36lPv0wfijr7vrvG0HLOe0WgbHgb0kJGi66m3pt_8DBmP3~RCHnFprvrrH6sTUJySOlbMkNqBOg0S3CH01R0Pzx
Content-Length: 20
Content-Type: text/html
Connection: close
Expires: 0
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
<body> ... </body>
# nslookup jaidfjiadsf.com
Server: 218.2.135.1
Address: 218.2.135.1#53
Non-authoritative answer:
Name: A.test.test
Address: 202.102.113.181
Name: A.test.test
Address: 202.102.113.182
Name: A.test.test
Address: 202.102.113.179
Name: A.test.test
Address: 202.102.113.180
#nslookup
> set type=PTR
> 218.2.135.1
Server: 218.2.135.1
Address: 218.2.135.1#53
Non-authoritative answer:
1.135.2.218.in-addr.arpa name = a.center-dns.jsinfo.net.
Authoritative answers can be found from:
2.218.in-addr.arpa nameserver = ns.ptt.js.cn.
2.218.in-addr.arpa nameserver = ns.jsinfo.net.
ns.jsinfo.net internet address = 221.228.255.2
ns.ptt.js.cn internet address = 218.2.135.2
> 61.147.37.1
Server: 218.2.135.1
Address: 218.2.135.1#53
Non-authoritative answer:
1.37.147.61.in-addr.arpa name = d.center-dns.jsinfo.net.
Authoritative answers can be found from:
147.61.in-addr.arpa nameserver = ns.jsinfo.net.
147.61.in-addr.arpa nameserver = ns.ptt.js.cn.
ns.jsinfo.net internet address = 221.228.255.2
ns.ptt.js.cn internet address = 218.2.135.2
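As an added example (not part of the original post), here is a small Python checker for the kind of injected redirect shown in the HTTP capture above. It parses a raw HTTP response, and for a 3xx response reports the traits that capture exhibits: a Location host that is a bare IP address, a host different from the requested Host, a proxy.html path, and cache-disabling headers on the redirect. The response text is constructed from the captured headers (with the opaque token replaced by a placeholder) and the legitimate comparison response is made up; the heuristic and the function names are my own.

```python
"""Flag an injected HTTP redirect from a captured raw response.

Added example, not the post's own code.  CAPTURED_RESPONSE is built from
the capture above (token shortened to a placeholder); LEGIT_RESPONSE is a
constructed, ordinary same-site redirect for comparison.
"""
import ipaddress
from urllib.parse import urlsplit

REQUEST_HOST = 'www.scriblnotes.com'

CAPTURED_RESPONSE = (
    "HTTP/1.1 302 Object moved\r\n"
    "Location: http://221.231.148.194/proxy.html?e=TOKEN_PLACEHOLDER\r\n"
    "Content-Length: 20\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n"
    "Expires: 0\r\n"
    "Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n"
    "\r\n"
    "<body> ... </body>"
)

LEGIT_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.scriblnotes.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_findings(raw, requested_host):
    """List the suspicious traits of a redirect; empty for non-redirects
    and for ordinary redirects that stay on the requested host."""
    status, headers, _ = parse_response(raw)
    findings = []
    if status not in (301, 302, 303, 307, 308):
        return findings
    target = urlsplit(headers.get('location', ''))
    host = target.hostname or ''
    try:
        ipaddress.ip_address(host)
        findings.append('Location host %s is a bare IP address' % host)
    except ValueError:
        pass
    if host != requested_host:
        findings.append('Location host %s differs from requested Host %s'
                        % (host, requested_host))
    if target.path.rsplit('/', 1)[-1] == 'proxy.html':
        findings.append('Location path is proxy.html')
    if headers.get('expires') == '0' or 'no-store' in headers.get('cache-control', ''):
        findings.append('caching disabled on a redirect (Expires: 0 / no-store)')
    return findings


def is_injected_redirect(raw, requested_host):
    """Strong signal used here: the redirect leaves the requested host for a
    bare IP literal.  The other findings are supporting evidence only."""
    found = redirect_findings(raw, requested_host)
    return (any('bare IP' in f for f in found) and
            any('differs from requested Host' in f for f in found))


if __name__ == '__main__':
    for name, raw in (('captured', CAPTURED_RESPONSE), ('legit', LEGIT_RESPONSE)):
        print(name, 'injected' if is_injected_redirect(raw, REQUEST_HOST) else 'ok')
        for f in redirect_findings(raw, REQUEST_HOST):
            print('   -', f)
```

Run against a proxy log or a packet capture, the same function lets a network operator count how many of a site's responses were replaced, which is the evidence a complaint like the ones below needs.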
On 14 November I called Nanjing 10000 to complain about the DNS hijacking problem. A male staff member patiently asked about the specifics (the example I gave at the time was www.keotag.com) and said he would report the matter to his superiors. He later called me back and suggested I use 61.147.37.1 as my DNS server, but did not explain the DNS hijacking being carried out at 218.2.135.1.
On 15 November I called Nanjing 10000 again to complain about the HTTP hijacking problem. A female staff member answered; she did not ask about the specifics and only said she would arrange for the relevant personnel to contact me.
Labels: dnshijack, hijack, httphijack, telecom
HTML XPath/XSLT Access Example
In the comments to a previous post of mine, Uche Ogbuji mentioned that there is a robust XPath and XSLT implementation for HTML built on html5lib + amara2. I tried the sample he provided; with a quick bug fix, it works.
Amara is based on 4Suite, which Google App Engine does not support at present. So I looked for a pure-Python solution and found lxml + html5lib. Here is a simple example:
import lxml.etree
import html5lib
import urllib

# Build an html5lib parser that produces an lxml etree, so lxml's full
# XPath and XSLT machinery is available on tag-soup HTML.
p = html5lib.HTMLParser(tree=html5lib.treebuilders.getTreeBuilder("etree",
                                                                   lxml.etree, fullTree=True))
f = urllib.urlopen('http://www.tudou.com/playlist/id/4527368/')
t = p.parse(f)
f.close()

# XPath over the parsed document: the parent of the programs block, then the block itself
container = t.xpath("//div[@class='programs fix']/ancestor::*[1]")[0]
print lxml.etree.tostring(container)
programs = t.xpath("//div[@class='programs fix']")[0]

# Apply the XSL stylesheet (tudou.xsl, shown below) to the selected subtree
fxsl = open('tudou.xsl')
xslt_doc = lxml.etree.parse(fxsl)
fxsl.close()
transform = lxml.etree.XSLT(xslt_doc)
print lxml.etree.tostring(transform(programs))
HTML file used in above example.
XSL file used in above example:
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match='div'>
    <html>
      <body>
        <h1><xsl:value-of select="h2" /></h1>
        <ul>
          <xsl:for-each select='div/div[@class="pack pack_clip"]'>
            <li>
              <xsl:value-of select="ul/li[1]/a/@title" />
            </li>
          </xsl:for-each>
        </ul>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
Labels: appengine, html5lib, lxml, python, xml, xpath
RFC 1123 Datetime Parsing with Google App Engine
datetime.datetime.strptime() supports the RFC 1123 datetime format, which is used in MIME headers for mail protocols and in HTTP, but only with a limited set of timezone names (i.e. UTC, GMT, and the local timezone of the host). With the following code, ValueError is raised for time strings in any other timezone:
from datetime import datetime

def _pdatetime(s):
    # %Z only matches UTC, GMT and the host's local zone names
    return datetime.strptime(s, '%a, %d %b %Y %H:%M:%S %Z')
With the help of the email and time modules, this issue was worked around:
import datetime, email.utils, time

def _pdatetime(s):
    # Parse with the offset-aware RFC 2822 parser, convert to a UTC timestamp,
    # render it back in GMT, and only then hand it to strptime (whose %Z now matches).
    # The result is a naive datetime expressed in UTC.
    return datetime.datetime.strptime(
        time.strftime('%a, %d %b %Y %H:%M:%S %Z',
                      time.gmtime(email.utils.mktime_tz(email.utils.parsedate_tz(s)))),
        '%a, %d %b %Y %H:%M:%S %Z')
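As an added example (not the post's own code), the script below puts the three approaches side by side on the same constructed inputs: plain strptime, which rejects any zone other than UTC/GMT/local; the email + time work-around in the spirit of the post, which yields a naive datetime in UTC; and email.utils.parsedate_to_datetime (Python 3.3+), which keeps the offset and yields an aware datetime, so the same instant written in three zones compares equal. The sample date strings and the function names are my own.

```python
"""Parse RFC 1123 / RFC 2822 dates carrying arbitrary timezone offsets.

Added example, not the post's own code.  SAMPLES are constructed: the same
instant written with a GMT, a +0800 and a -0500 offset.
"""
import email.utils
import time
from datetime import datetime, timezone

FMT = '%a, %d %b %Y %H:%M:%S %Z'

# Constructed samples: one instant, three zones.
SAMPLES = [
    'Sun, 06 Nov 1994 08:49:37 GMT',
    'Sun, 06 Nov 1994 16:49:37 +0800',
    'Sun, 06 Nov 1994 03:49:37 -0500',
]


def strict_strptime(s):
    """Plain strptime: %Z only accepts UTC, GMT and the host's local zone."""
    return datetime.strptime(s, FMT)


def strptime_accepts(s):
    """True when plain strptime can parse the string at all."""
    try:
        strict_strptime(s)
        return True
    except ValueError:
        return False


def naive_utc(s):
    """Work-around in the post's spirit: apply the offset, re-render the
    instant in GMT, then strptime it.  Naive result, expressed in UTC."""
    parsed = email.utils.parsedate_tz(s)
    if parsed is None:
        raise ValueError('not an RFC 2822 date: %r' % s)
    ts = email.utils.mktime_tz(parsed)
    return datetime.strptime(time.strftime(FMT, time.gmtime(ts)), FMT)


def aware(s):
    """Offset-preserving parse.  A '-0000' zone (meaning 'unknown') yields
    a naive datetime, which callers must treat separately."""
    return email.utils.parsedate_to_datetime(s)


def to_utc_instants(samples):
    """Normalise aware datetimes to UTC so strings in different zones compare equal."""
    out = []
    for s in samples:
        dt = aware(s)
        if dt.tzinfo is None:
            raise ValueError('no usable zone in %r' % s)
        out.append(dt.astimezone(timezone.utc))
    return out


if __name__ == '__main__':
    for s in SAMPLES:
        print('%-32s strptime=%-5s naive_utc=%s aware=%s'
              % (s, strptime_accepts(s), naive_utc(s), aware(s).isoformat()))
    print('all equal in UTC:', len(set(to_utc_instants(SAMPLES))) == 1)
```

In a request handler the aware form is the one to store: keeping the offset lets later comparisons (for example against an If-Modified-Since header) be done on instants rather than on wall-clock strings.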
Labels: appengine, google, python, time
Bypass GWF for Google AppEngine Panel
In China, the Great Firewall blocks web services hosted at ghs.google.com, and the Google App Engine panel (appengine.google.com) as well. By now almost all GHS IPs are blocked, but App Engine can still be reached through a specific IP.
Just add the following line to your /etc/hosts:
209.85.171.118 appengine.google.com
Labels: appengine, google