2012-01-14: Accessing sites blocked by your ISP

Posted at 2012-01-14 20:53:21 by SHD

Just recently, MPAA/RIAA sock puppets Brein managed to convince some clueless judge to order two of the largest ISPs in the Netherlands, XS4ALL and Ziggo to block (in)famous torrent website The Pirate Bay. TPB have put up a message that is shown to anyone visiting from a Dutch IP address, as shown below. XSALL and Ziggo have both announced they will appeal to a higher court, which is a good thing. I don't even use TPB myself and wouldn't really miss it, but I do care deeply about worthless assholes doing anything limiting my internet access. So, how would this work and what can I (or anyone) do to give these lying thieves the finger and circumvent these blocks if they are upheld by the higher courts?

Listen up people of The Netherlands, your internet is being censored. In some few days your ISP will block this site! ... by a corrupt organisation called BREIN. They're famous internationally for forging evidence in court cases.

How can ISPs block access?

There are two main things providers can do to keep you from accessing a website. They can do either, or both:

  1. configure their DNS servers to no longer give the proper address when a request for the site in question comes in
  2. configure their routers and proxy to drop or redirect any traffic between the user and the blocked site

Both can be circumvented and I will be showing you how to do just that.

DNS blackouts

What happens

Whenever you enter an address, or click a link, in your web browser, the browser extracts a hostname from that, in case of my site, this is "www.shdon.com" and then sends a request to your configured DNS servers to convert this into an IP address. In the example of my site, that would be 85.214.89.27 (or if you have IPv6 enabled: 2a01:238:42f9:4900:80e1:ffe2:7670:692f). Finally, the browser connects to this IP address to fetch the page you actually requested. If the DNS server doesn't give this response, the browser can't access the site and will show you an error message.

Circumventing

A website can simply register another domain name or create a subdomain in another and thus circumvent the DNS blackout. You can also do something about it only for yourself. If the DNS blackouts are limited to your provider, or local to your country, you can instead use a different DNS server by changing your TCP IP settings. Good candidates are Google Public DNS or OpenDNS. Another option is to edit the hosts file.

Changing DNS servers on Windows Vista and 7

Open the Control Panel, select "Network and Internet", followed by "Netword and Sharing Center", then "Change adapter settings" (on Windows 7) or "Manage network connections" (on Windows Vista), then right-click the appropriate network connection, such as "Local Area Connection" or "Wireless Network Connection" and open "Properties". In the list popping up, choose "Internet Protocol Version 4 (TCP/IPv4)" and click the "Properties" button again. Rather than "Obtain DNS server address automatically", set it to "Use the following DNS server addresses" and enter either 8.8.8.8 and 8.8.4.4 (Google Public DNS) or 208.67.222.222 and 208.67.220.220 (OpenDNS). Then click OK. All further DNS requests should then go there, rather than to your provider's DNS service, thus circumventing whatever blocks they were ordered to put in place.

Changing the hosts file

If, for some reason, you can't or don't want to switch DNS providers, or if the block extends beyond your own ISP. You could bypass the DNS system entirely for the site. First you need to know the IP address for the site you want to visit. You can look this up, which tells you that the IP address for The Pirate Bay is 194.71.107.15 (look in the Answer Section).

Edit the hosts file using Notepad. It is called C:\Windows\System32\drivers\etc\hosts. On Windows Vista and 7, you'll need to run Notepad as Administrator. Add a single line to the file:

194.71.107.15 www.thepiratebay.org thepiratebay.org

This tells Windows not to check the DNS servers for www.thepiratebay.org or thepiratebay.org, but uses the address 194.71.107.15 directly.

Traffic blocks

What happens

ISPs act as gateways to the internet, all of your traffic passing through their routers onto the internet. The provider can simply make their equipment drop all traffic to- and from the IP addresses that are to be blocked. This goes quite a bit beyond simple DNS blackouts and the methods outlined above will do nothing to help the situation. What's even worse is that there may be other sites at a given IP address and those would be blocked too.

Circumventing

If a website registers another domain name and simply points it towards its existing IP addresses, the traffic block will still be effective and the only way around this would be for them to change IP addresses (Cloud service providers make this quite easy and blocking those would make large chunks of the internet inaccessible, but the cloud services could still be forced to delete the accounts). You can also hide your own traffic, thus circumventing the block. To your provider, it will seem like you're just accessing any random internet service other than the blocked site and it will go through unhindered. Whatever service you're using to hide your traffic will then route it to the appropriate destination, no longer subject to your provider's configuration and blockage. Common ways to do this are Tor, anonymising proxies and VPN services.

The Tor Project

The Tor Project is a way to encrypt your traffic and route it through a P2P network of volunteers. This way, your provider won't know where the traffic is going and unless the provider of the "exit node" from which your traffic goes from the Tor network onto the big bad internet has also put IP blocks in place, you can access the site.

When you visit the Tor Project homepage and follow the download link, you can download the Tor Browser Bundle. Once downloaded, run the executable and extract it where you want. Navigate to the extraction folder and double-click the "Start Tor Browser" executable. After some activity, this starts a preconfigured portable version of the Firefox browser, from the Aurora build channel. Using that browser is all you need for accessing the blocked site. Note that this browser doesn't come with addons such as Flash, QuickTime etc, as those can undermine your privacy on the internet. This may or may not be a problem. You also, definitely, should not route any BitTorrent traffic through Tor. It is probably not needed to circumvent the block, and as the Tor people explain, it puts too much of a load on the Tor network and like the plugins, does not hide your IP address. Still, it should allow you to visit The Pirate Bay and similar sites just fine. You should use your regular browser for normal unencumbered traffic. There's some good tips on the download page as well.

Anonymising proxies

Anonymising proxies, such as GoProxing allow you to browse the web in a similar fashion, but work through your regular web browser. They do rewrite the page to ensure it works, often injecting ads and not everything works properly. For TPB, while it is still possible to download torrent files, Magnet links do not currently seem to work. That'd be a bummer when TPB switches over to Magnet links entirely in the near future.

VPN services

There are many different VPN services around, some of them free, some of them paid. A simple web search will show up some that might be to your liking. For full instructions, just look at the web page for the service. The advantage of a VPN service is that, like Tor, it anonymises your traffic and allows you to circumvent the blocks by routing the traffic through another network that your provider knows nothing about and it additionally also handles the actual torrent traffic, if that's what you're interested in (and such ports may also have been blocked or throttled by your provider if there are no laws in your country to govern net neutrality).

Comments

I think my ISP is messing with my access to a few sites, I type in the URL and it just times out when I try to connect, but if I use a VPN the site is up and works perfectly. I have tried changing my DNS in multiple computers as well and it still will not work. How can I test this and prove it or call out my ISP on it?

Posted at 2014-03-19 17:10:02 by aqua.c

You haven't mentioned where you are, which sites you are trying to access and what ISP you have, but those sites being available through a VPN is already pretty damning. There are a few other things that can cause this problem (routing error between your ISP's gateway and the target site, your IP being blocked by the target site, DNS resolution errors, or even an IPv4/IPv6 interoperability issue, to name but a few). I suppose the best way to find out to actually ask your ISP whether they are blocking those sites.

Posted at 2014-03-19 18:24:10 by Steven Don

Post a comment

Note: HTML is not permitted, URLs will be linked automatically. Spam comments will result in a permanent ban.
Type these 4 symbols into the edit field