this post was submitted on 09 Dec 2023
115 points (98.3% liked)

Selfhosted


It took me a while to work out why my Nextcloud stuff wasn't working on my phone. It wasn't until I went to http://duckdns.org on mobile data I saw the block. I had changed ISP from one with IPv6, which I had set up, to an ISP without it, and thought it might be that. But it was just coincidence.

I've written to O2 but I doubt they will change anything, so I'll be changing network.

So heads up UK O2 self hosting people!

all 37 comments
[–] Lemmchen@feddit.de 19 points 11 months ago* (last edited 11 months ago) (1 children)

If it's just a DNS block, you could use a different DNS server. You should do this anyway in my opinion.

[–] jabjoe 2 points 11 months ago (1 children)

It's not the DNS server. I'm sure of this because Termux uses a different DNS server but does the same. I also tried setting my phone to use OpenDNS directly. I'm pretty sure they are inspecting the DNS traffic. Exactly so changing DNS server doesn't help.

I don't see a problem when using IP directly. I mean the IP is static, so I could just buy a domain, but I'd also have to piss about with my setup.

[–] Lemmchen@feddit.de 7 points 11 months ago (1 children)

Modern Android versions can use DoH (DNS over HTTPS) which can not be intercepted. If you don't have this option or are not sure how to configure it, you could use the Quad9 app to enable secure DNS. This way you can make sure it is not related to DNS. Frankly, I can't imagine they are blocking the IPs of the DuckDNS servers directly.

[–] jabjoe 1 points 11 months ago* (last edited 11 months ago)

I've tried it with F-Droid's Rethink DNS already and everything is fine then.

Pretty sure they are doing DNS packet inspection. If the DNS is to duckdns (and no doubt other Dynamic DNS), then port 80 has their block page, and not sure what they are doing with 443, but it's not accepted.

Boringly, it's not being messed with right now. It's done this before. Coming and going. It's one of the things that stopped me working it out before.

Edit: I was wrong. It was just working again generally. Even with DoH DNS, I still see "Access denied" going to duckdns.org and my sites still don't work. Direct IP works. Not sure how this block is working yet.

[–] nodsocket@lemmy.world 12 points 11 months ago (4 children)
[–] Appoxo@lemmy.dbzer0.com 37 points 11 months ago

Save the children
Piracy concerns
Laws
Someone didn't get paid.

Pick at least one.

In all seriousness: I don't know.

[–] Supermariofan67@programming.dev 12 points 11 months ago

Lots of malware gets hosted using dynamic DNS domains, so they (or more likely some bot) probably saw the domain frequently showing up in malicious activity and blocked it without understanding that it itself isn't the source of the malicious activity.

[–] jabjoe 8 points 11 months ago (1 children)

"This page has been blocked for either a legal or technical reason."

But you can see the block page used yourself at: http://shieldcf.o2.co.uk/blacklist

[–] Rin@lemm.ee 1 points 11 months ago (1 children)
[–] jabjoe 1 points 11 months ago (1 children)

If you're not in the UK, try a UK proxy?

[–] Rin@lemm.ee 1 points 11 months ago* (last edited 11 months ago)

I have a London IP address...

Edit: the https website breaks but http works. It was my browser.

[–] Moonrise2473@feddit.it 2 points 11 months ago

someone was hosting phishing on that domain and they took a nuclear bomb approach. Unfortunately, all unlock requests are probably routed to /dev/null

[–] socphoenix@midwest.social 10 points 11 months ago (1 children)

T-mobile was doing this in the US but only blocking certain ports when talking to my home server, might try putting it on a non-standard port as well and see if you can access the service then.

[–] jabjoe 7 points 11 months ago (2 children)

Oh I know some ports are ok. My SSH and WireGuard get through. Port 80 is redirected to a block page placeholder and 443 is interfered with so SSL fails.

[–] SheeEttin@lemm.ee 2 points 11 months ago (1 children)

Okay, so just run it on a different port.

[–] jabjoe 1 points 11 months ago (1 children)

Tried it. Makes no odds.

Interestingly it's fine if I use the static IP directly.

They are doing some packet inspection by the looks of it. Some rule like:

On IP address found from duckdns, mess with SSL and rewrite HTTP to go to this block page.
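
Added example (not part of the thread or any poster's code): a Python sketch of the probes discussed in these comments, separating a DNS-level block from one keyed on the address or on the name sent in the HTTP Host header / TLS SNI. The function names and the `classify` rules are assumptions made for illustration; the block-page markers are the ones quoted in this thread.

```python
import http.client, socket, ssl
# Block-page markers quoted in this thread; other filters will differ.
BLOCK_MARKERS = ("shieldcf.o2.co.uk", "access denied",
                 "blocked for either a legal or technical reason")

def is_block_page(location, body):
    """True if a redirect target or response body carries a known marker."""
    text = f"{location or ''}\n{body or ''}".lower()
    return any(marker in text for marker in BLOCK_MARKERS)

def http_interfered(ip, host_header, port=80, timeout=5):
    """GET / from the IP itself, varying only the Host header that is sent."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host_header})
        r = conn.getresponse()
        return is_block_page(r.getheader("Location"), r.read(4096).decode("latin-1"))
    except (OSError, http.client.HTTPException):
        return True  # a reset or timeout also counts as interference

def tls_ok(ip, sni, port=443, timeout=5):
    """Does a handshake to the IP complete with this SNI (None sends no SNI)?"""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # certificate is deliberately not validated:
    ctx.verify_mode = ssl.CERT_NONE  # only handshake completion is measured
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False

def classify(dns_ok, http_name_bad, http_ip_bad, tls_name_ok, tls_bare_ok):
    """Map probe results to the layer the filter most likely acts on."""
    if not dns_ok:
        return "dns: resolver answer does not include the known address"
    if http_ip_bad or not tls_bare_ok:
        return "ip: traffic to the address is filtered whatever name is sent"
    if http_name_bad or not tls_name_ok:
        return "name: filter most likely keys on the Host header / TLS SNI"
    return "none: no interference observed"

def diagnose(name, ip):  # ip = the address you know to be correct
    try:
        dns_ok = ip in {ai[4][0] for ai in socket.getaddrinfo(name, 80)}
    except socket.gaierror:
        dns_ok = False
    return classify(dns_ok, http_interfered(ip, name), http_interfered(ip, ip),
                    tls_ok(ip, name), tls_ok(ip, None))
```

Call `diagnose()` from the affected network with your own dynamic-DNS hostname and the static address it should resolve to.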

[–] SheeEttin@lemm.ee 1 points 11 months ago (1 children)

That is weird then. I'd change dynamic DNS providers.

[–] jabjoe 1 points 11 months ago

I don't know which other ones they have done this to. Also it's a faff to move domain now. If I'd move domain, I'd just buy one as the IP is static.

[–] droolio 2 points 11 months ago (1 children)

Wouldn't you be on CGNAT though? How are they blocking it - at the DNS level? Have you tried a CNAME record that points your own domain to the actual duckdns domain? Just curious how/why they might be doing this.

[–] jabjoe 3 points 11 months ago* (last edited 11 months ago)

I've been doing some investigating. It's not just DNS. Termux doesn't use the system DNS, it uses Google. But there is still an interference with SSL on 443 and a different page on port 80.

Edit: oh and the IP address is current with ping.

[–] randombullet@feddit.de 7 points 11 months ago (1 children)

You can try DoH to see if it is working.

It's port 443 so it won't get redirected by their filters.

Android uses DoT so maybe that works. Assuming that they don't block port 853.

Try the encrypted DNS option to see if they are blocking all DNS providers or just certain ones.

You can also setup your own encrypted DNS on a VPS if you're feeling brave.

[–] jabjoe 2 points 11 months ago* (last edited 11 months ago)

Yer, I used Rethink DNS in F-Droid to test this already. Basically it's fine when the DNS is encrypted.

Edit: I was wrong. It was just working again generally. Even with DoH DNS, I still see "Access denied" going to duckdns.org and my sites still don't work. Direct IP works. Not sure how this block is working yet.

[–] antsu@lemmy.wtf 5 points 11 months ago (3 children)

O2 has an on-by-default security filter that blocks all sorts of "bad stuff". For me, it was preventing connecting to any PIA VPN servers. Ping their customer support and they can disable it for you.

[–] Baku@aussie.zone 4 points 11 months ago

Telstra here in Australia seems to have this as well. Not sure about duckdns specifically, but last night I found out that they block a few monero mining pools. I emailed them about it, and apparently it's based off of virustotal ratings. They wouldn't turn it off, but they told me it's "trivial to bypass" (their words), suggesting Google or Cloudflare's DNS, or a VPN.

[–] Moonrise2473@feddit.it 3 points 11 months ago

those "security filters" are the worst, a few years ago vodafone with their "rete sicura" was blocking githubcontent and it was a nightmare to have them disable the service for me, the operator was like "but this is a free premium service that protects you"

[–] jabjoe 2 points 11 months ago (1 children)

I've emailed them. See what they come back with. I mean unless they block SSH, Wireguard and Tor, I've got to hand workarounds. I just don't like them fighting me.

[–] antsu@lemmy.wtf 1 points 11 months ago (1 children)

If they take long or don't resolve it, try the live support chat. I used the chat inside their app to request it and it was unlocked pretty much instantly.

[–] jabjoe 1 points 11 months ago

I tried their help chat bot and it just said to install their app after a few exchanges. My phone is de-googled, so good chance their app won't work. Plus, I avoid installing closed apps as it is unhygienic. Each one seems to demand access to contacts and location and won't work if you deny it. Dystopian present, let alone future.

[–] Decronym@lemmy.decronym.xyz 4 points 11 months ago* (last edited 6 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| CGNAT | Carrier-Grade NAT |
| DNS | Domain Name Service/System |
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| IP | Internet Protocol |
| NAT | Network Address Translation |
| PIA | Private Internet Access brand of VPN |
| SSH | Secure Shell for remote terminal access |
| SSL | Secure Sockets Layer, for transparent encryption |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |

[Thread #341 for this sub, first seen 9th Dec 2023, 20:15]

[–] notannpc@lemmy.world 3 points 11 months ago (1 children)

If it’s a dns block I’d highly recommend setting up your own recursive dns resolver. Something like pihole and unbound. That way you query the authoritative servers directly and your ISP can’t filter your content as effectively since they would be limited to incredibly ineffective IP based filtering.

[–] jabjoe 1 points 11 months ago

Pretty sure they are working via DNS packet inspection.

[–] 30021190@lemmy.cloud.aboutcher.co.uk 1 points 11 months ago (1 children)

Looks like Three doesn't block it....

[–] jabjoe -1 points 11 months ago

O2 didn't until recently. EE doesn't currently (wife's network).

[–] Cyber 1 points 11 months ago (1 children)

Interesting.

I have no idea how the piggyback operators work (ie, purely financial, nothing technical?), but a quick check shows Tesco (uses O2) responds the same way.

I'm lucky to have static IPs, but I have a noip.com and that appears to work ok, so it can't be a blanket policy on dynamic DNS per se.

[–] scrchngwsl 2 points 11 months ago

Giffgaff uses o2 and also blocks duckdns. Additionally, whatever blocklist my employer is using also blocks it, so it's probably a common thing now.

[–] jabjoe 1 points 6 months ago

Just a follow up to this.

So I never ended up contacting O2 to say "please stop this", I just used Wireguard to home and ignored it. Until the local Morrison's wifi started doing the same thing but worse and I couldn't even Wireguard round it.

So I finally just bought a domain and set up my Apache to redirect the old duckdns to the new domain.

So far this all seems to be working great.