Domain existence check for Fastly IPs

I’ve discovered an interesting feature of censorship of the services which use Fastly. On Turkmentelecom and AGTS, the connection could be established only if the domain exists, i.e. does not return NXDOMAIN.

I used the following domains during the test:

  • dev.talent.stackoverflow.com, resolves to 198.252.206.27
  • dev-bonfire.stackoverflow.com, does not resolve (NXDOMAIN), but set up with a proper SSL certificate on Fastly

The connection is made to one of stackoverflow.com's IP addresses for both domains.

$ host -t a dev.talent.stackoverflow.com
dev.talent.stackoverflow.com has address 198.252.206.27

$ host -t a dev-bonfire.stackoverflow.com
Host dev-bonfire.stackoverflow.com not found: 3(NXDOMAIN)

$ host -t a stackoverflow.com
stackoverflow.com has address 151.101.193.69
stackoverflow.com has address 151.101.65.69
stackoverflow.com has address 151.101.1.69
stackoverflow.com has address 151.101.129.69

# This is fine, the cert is expired for this domain on Fastly
$ curl --connect-to ::151.101.1.69:443 https://dev.talent.stackoverflow.com -v
* Cert verify failed: BADCERT_EXPIRED
curl: (60) Cert verify failed: BADCERT_EXPIRED

# This domain is NXDOMAIN
$ curl --connect-to ::151.101.1.69:443 https://dev-bonfire.stackoverflow.com -v
* ssl_handshake returned - mbedTLS: (-0x0050) NET - Connection was reset by peer
curl: (35) ssl_handshake returned - mbedTLS: (-0x0050) NET - Connection was reset by peer

# Trying again
$ curl --connect-to ::151.101.1.69:443 https://dev-bonfire.stackoverflow.com -v
* ssl_handshake returned - mbedTLS: (-0x0050) NET - Connection was reset by peer
curl: (35) ssl_handshake returned - mbedTLS: (-0x0050) NET - Connection was reset by peer

# And trying over uncensored connection
$ curl --connect-to ::151.101.1.69:443 https://dev-bonfire.stackoverflow.com -v
* Connecting to hostname: 151.101.1.69
* Connecting to port: 443
*   Trying 151.101.1.69:443...
* Connected to (nil) (151.101.1.69) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
…

The same applies to AGTS.
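An added example, not part of the original post, that automates the measurement above in Python: for each name it records whether DNS returns NXDOMAIN, then opens a TLS connection to the given Fastly IP with that name as SNI (what curl --connect-to does) and classifies the result, so the "NXDOMAIN → reset, existing name → reaches the certificate" pattern can be checked from any vantage point. The hostnames and IP are the ones in the post; the outcome labels and the existence_gated() heuristic are this example's own.

```python
import socket
import ssl

def dns_status(hostname):
    """'resolves', 'nxdomain' or 'error' (EAI_NONAME is the resolver's NXDOMAIN signal; approximation)."""
    try:
        socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
        return "resolves"
    except socket.gaierror as e:
        return "nxdomain" if e.errno == socket.EAI_NONAME else "error"

def tls_status(hostname, ip, timeout=5.0):
    """TCP to ip:443, then a ClientHello carrying SNI=hostname; classify how far the handshake gets."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return "handshake_ok"
    except ssl.SSLCertVerificationError:
        return "cert_error"   # the edge answered; only the certificate was rejected (e.g. expired)
    except ssl.SSLError:
        return "tls_error"
    except ConnectionResetError:
        return "reset"        # the symptom seen on the censored path in the post
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "error"

def probe(hostname, ip):
    return {"host": hostname, "dns": dns_status(hostname), "tls": tls_status(hostname, ip)}

def existence_gated(results):
    """True if every NXDOMAIN name was reset while every resolving name reached the certificate stage.
    None when the sample lacks one of the two classes, since then nothing can be concluded."""
    nx = [r for r in results if r["dns"] == "nxdomain"]
    ok = [r for r in results if r["dns"] == "resolves"]
    if not nx or not ok:
        return None
    return (all(r["tls"] == "reset" for r in nx)
            and all(r["tls"] in ("handshake_ok", "cert_error") for r in ok))

if __name__ == "__main__":
    # Same pair of names and the same Fastly IP as in the post.
    fastly_ip = "151.101.1.69"
    results = [probe(h, fastly_ip) for h in
               ("dev.talent.stackoverflow.com", "dev-bonfire.stackoverflow.com")]
    for r in results:
        print(r)
    print("existence-gated:", existence_gated(results))
```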
