Turkmenistan AGTS reachability test 18 Dec 2021

AGTS Turkmenistan, ADSL. https://agts.tv/ censorship filtering test.
IP range whois has Azerbaijan geolocation.

  1. Many, many datacenters/hosting providers are blocked by IP ranges.
  2. Many websites are blocked with an IP filter, by DPI or with DNS injection, or both/all of them. See magestic_top1000_127.0.0.1_dnsfilteredhosts.txt for the top 1000 Majestic domains that resolve to 127.0.0.1.
    If you use the proper IP address for the domain, in some cases the website becomes reachable, but this is rare — most of the time the IP ranges are blocked as well.
  3. HTTP requests with the “vpn” string in the Host value are blocked. The connection is instantly dropped with TCP RST. This does not occur with HTTPS requests.
  4. Not all TCP destination ports are reachable. Of 65535, only about 1150 (!) are not filtered; the others are blocked either with TCP RST or without a reply (depending on the ISP). Check the reachabletcpports.txt file.
  5. DNS queries are filtered (the resolved IP address is rewritten to 127.0.0.1) on both ISP and third-party DNS resolvers, including on non-53 ports.
  6. All known public DNS resolvers (Wikipedia's "Public recursive name server" list, UDP 53) are blacklisted by IP except Yandex DNS on secondary IP addresses (non-77.88.8.8).
  7. All known DNS-over-HTTPS are filtered by IP.
  8. Some Tor relays operating on ports 80 and 443 are reachable. Tor Browser 11.0.2 may be slow to connect but usually does so pretty steadily, without using bridges or snowflake.

What has not been tested:

  1. Protocol filtering. There is OpenVPN fingerprinting and filtering: the connection is either torn down on the first OpenVPN RESET packets or later in the session. I’ve made such tests before but this time didn’t test it.

turkmenistan_agts_18_Dec_2021.7z (38.4 KB)

Notable domain black list:

youtube.com (127.0.0.1)
twitter.com (127.0.0.1)
instagram.com (127.0.0.1)
youtu.be (127.0.0.1)
blogspot.com (127.0.0.1)
telegram.me (127.0.0.1)
groups.google.com (127.0.0.1)
whatsapp.com / api.whatsapp.com (127.0.0.1)
vk.com (127.0.0.1)
m.facebook.com / web.facebook.com (127.0.0.1)
tiktok.com (127.0.0.1)
s3.amazonaws.com (127.0.0.1)
livejournal.com (127.0.0.1)
docs.microsoft.com (127.0.0.1)
discord.gg (127.0.0.1)
snapchat.com (127.0.0.1)

Good find. It appears that the match is case-sensitive. Lowercase “vpn” in the Host gets blocked, uppercase “VPN” does not.

$ curl --connect-to ::95.85.125.162: --connect-timeout 5 http://$HOST/ -D -
| Host | Result |
|---|---|
| example.com | 301 Moved Permanently |
| examvpnle.com | Connection reset by peer |
| EXAMVPNLE.COM | 301 Moved Permanently |
| EXAMvpnLE.COM | Connection reset by peer |

I get the same results whether I test with 95.85.125.162 (agts.tv) or 95.85.120.6 (telecom.tm).
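
The Host-case measurement above can be scripted so that each spelling is classified the same way on every run. This is an added example, not code from either poster: `probe`, `case_variants`, `measure` and `start_simulated_filter` are hypothetical names, and the local server is a constructed stand-in that resets on a case-sensitive "vpn" match so the script runs offline.

```python
import socket, struct, threading

def probe(ip, port, host, timeout=5.0):
    """Send one plain-HTTP request with the given Host value.
    Returns the status line, or "reset", "timeout" or "closed"."""
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(req)
            data = s.recv(4096)
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "timeout"
    if not data:
        return "closed"
    return data.split(b"\r\n", 1)[0].decode("latin-1")

def case_variants(host, token):
    """All-lower, all-upper, and both with only the token's case flipped."""
    lo, up = host.lower(), host.upper()
    i = lo.index(token.lower()); j = i + len(token)
    return [lo, up, up[:i] + lo[i:j] + up[j:], lo[:i] + up[i:j] + lo[j:]]

def measure(ip, port, host, token):
    """Map each spelling of host to the outcome observed for it."""
    return {h: probe(ip, port, h) for h in case_variants(host, token)}

def start_simulated_filter(token=b"vpn"):
    """Constructed local stand-in for the filter (assumption: byte-exact match)."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            req = conn.recv(4096)
            host = next((l[5:] for l in req.split(b"\r\n") if l[:5].lower() == b"host:"), b"")
            if token in host:
                # SO_LINGER with a zero timeout makes close() send RST instead of FIN
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            else:
                conn.sendall(b"HTTP/1.1 301 Moved Permanently\r\nContent-Length: 0\r\n\r\n")
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_simulated_filter()
    for h, r in measure("127.0.0.1", port, "examvpnle.com", "vpn").items():
        print(f"{h:16} {r}")
```

Passing a server IP and port 80 to `measure` instead of the simulated filter sends the same requests as the curl `--connect-to` command.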