Bypass Unifi blocking and censoring using a DNS switch or VPN connection


If you’re on Unifi you might have noticed that some sites are blocked, and it’s due to government directives to block these sites. That goes against what the Government of Malaysia promised its stakeholders during the advent of the MSC, when it promised not to censor the internet. If you remember, somewhere in August 2008, the government issued a similar directive to censor Malaysia Today.

So what’s an average user to do to bypass these internet blocks? The blocks themselves are issued by the government to all ISPs. Fortunately there are a couple of ways to bypass these blocks, which amount to censorship, and which one works depends on what kind of mechanism your ISP uses to block the site. I’m all for a free internet, and here are some ways you can bypass those blocks.

A Domain Name Server (DNS) block

So let’s focus on the simplest mechanism the ISPs use to block the internet, and that’s a DNS block. A Domain Name Server (DNS) is a server that works in a similar fashion to a phone directory: you know, that big book of phone numbers the telephone company used to give out.

What is a DNS?

So imagine the internet was like your phone network, and every website you wanted to call had a phone number. You may know the website’s name, like www.google.com or www.keithrozario.com, but in order to actually visit any website you’d need to know its IP address. An IP address is exactly like a phone number, in that once you have it you could just type it in and visit the website; if you don’t have the website’s IP address, you’d need to look it up. A DNS acts as a phone directory: in a phone directory you look up a phone number based on a person’s name, and in a DNS you look up an IP address based on a website’s name. Your browser automatically looks up every link you try to visit via DNS; it’s the only way it can find the IP addresses.

A DNS block is simply removing the entry for a particular website from ‘a’ DNS server, and if that server happens to be the DNS server TM configures on all their customers’ routers, then the implications can be huge. Essentially TM can redact a person’s name out of the telephone directory so that no one looking for that person will be able to connect to them.

How do I bypass a DNS block? (Unifi has this)

Just use another DNS server. In the analogy before, Unifi is trying to block your access by preventing you from looking up phone numbers in the phone directory Unifi has provided to you. What’s to stop you from using another publicly available phone directory? The answer: nothing.

All you have to do is configure your network connection to look up a separate DNS server rather than the one recommended by TM (or Maxis or whoever your ISP is). My favorite is OpenDNS, but there are others who prefer Google.

The method is pretty simple, here’s a step-by-step provided for Windows 8, and this one for Macs, here’s the Android and iPhone version as well.

For OpenDNS the settings are:

DNS Server : 208.67.222.222
Alternate DNS Server : 208.67.220.220

If you prefer Google, then:

DNS Server : 8.8.8.8
Alternate DNS Server: 8.8.4.4
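
What a DNS block looks like on the wire, as an added example that is not part of the original post: the Python below builds an A-record query, parses two replies, and reports whether the ISP resolver withheld an answer that a second resolver returned. The name blocked.example, the address 192.0.2.10 and both reply byte strings are constructed for illustration, and it assumes the block shows up as an NXDOMAIN or empty reply.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Encode a recursive A-record query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n == 0 or n & 0xC0 == 0xC0:  # root label (1 byte) or pointer (2 bytes) ends it
            return off + (2 if n else 1)
        off += 1 + n

def parse_response(msg):
    """Return (rcode name, list of IPv4 answers) for a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), addrs

def compare(isp_reply, ref_reply):
    """Classify how the ISP resolver's reply differs from a reference resolver's."""
    (rc1, a1), (rc2, a2) = parse_response(isp_reply), parse_response(ref_reply)
    if rc2 == "NOERROR" and a2 and (rc1 != "NOERROR" or not a1):
        return "filtered: ISP resolver answered %s with no address" % rc1
    if a1 and a2 and not set(a1) & set(a2):
        return "different addresses: redirect, or ordinary CDN variation"
    return "consistent"

# Constructed replies for the hypothetical name blocked.example (not captured traffic).
_Q = build_query("blocked.example")
ISP_REPLY = _Q[:2] + struct.pack("!H", 0x8183) + _Q[4:]  # RCODE=3 (NXDOMAIN), no answers
REF_REPLY = (_Q[:2] + struct.pack("!HHH", 0x8180, 1, 1) + _Q[8:] + b"\xc0\x0c"
             + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
print(compare(ISP_REPLY, REF_REPLY))
```

To check a live resolver, send the bytes from build_query as a UDP datagram to port 53 of each resolver (the ISP's and one of the addresses listed above) and pass the two replies to compare.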

On Windows your end result should look something like this:

I also have to stress that changing your DNS server to OpenDNS has benefits above and beyond bypassing Unifi’s censorship. OpenDNS operates PhishTank, a crowd-sourced application that singles out phishing websites, and then blocks those websites via a DNS block. To a layman, that means that once you switch to OpenDNS it’ll offer you some protection: whenever you look up the domain of a website that it believes to be malicious, you’ll get a warning to inform you of the potential dangers. You can read up more here.

Also OpenDNS operates a parental control DNS where it blocks access to sites marked as Adult content.

This would easily bypass any DNS block your Internet service provider has set in place, but what if your ISP actually has a more sophisticated blocking mechanism? A DNS block is real kiddie stuff when it comes to online censorship, and there should be other means to block users from accessing content and other means for users to bypass those blocking mechanisms.

By the way, if you prefer Google over OpenDNS you might want to read this.

What if my ISP is smarter than that?

In short there’s a WHOLE lot of stuff your ISP can do that you probably don’t know about. So a basic Virtual Private Network (VPN) would be the best option here.

In a VPN setup, what actually happens is that you set up a connection to a private server and then use that server as a proxy for all your connections. This means that as long as your Internet Service Provider doesn’t block the IP address of your VPN you can basically roam free. Another good reason to have a VPN is that they’re ‘usually’ encrypted, so that your ISP can’t look at what you’re looking at; some VPN providers provide encryption so strong it would take a supercomputer millions of years to crack. While you may not be starting the next revolution or Arab Spring, sometimes it feels a bit uncomfortable, especially in Malaysia, to know that your ISP could potentially be spying on your personal data, and a good VPN is a solid way to prevent that from happening.

So how do you set up a VPN? Well, thankfully there’s a free version you can try, and it’s called proXPN. proXPN is a fantastic free VPN service that uses end-2-end encryption to keep the baddies and your local ISP out of your business; it utilizes 2048-bit encryption. On the website, the company claims that:

With proXPN nobody* can…
  • see the websites you visit
  • hijack your passwords, credit cards, or banking details
  • intercept and spy on your email, IMs, calls, or anything else
  • record your web history
  • run traces to find out where you live

There’s a downside, however: the free version is throttled to just 100kbps (less than 10% of the slowest Unifi speed), and you need to use a specific application to access the service. The paid version doesn’t have throttled speed but has an associated cost. If you’re willing to pay for a VPN, consider trying a service called privateinternetaccess (my review of it here), which is just as good and cheaper, plus the affiliate program I have with them helps provide for this blog. More importantly, I use them as well.

When you use a VPN, no man-in-the-middle like TM can even detect which website you’re visiting, as ALL your communication is encrypted. Some VPN providers don’t protect against DNS leaks, which may cause issues, but Private Internet Access specifically addresses this.

BolehVPN: Malaysia’s Best VPN provider

If you’re looking to support a local organization, the guys over at bolehvpn are doing a pretty good job as well. While they don’t have a free version to offer, they do have a RM5 offering that lasts 2 days, and depending on your needs that could be good enough. I’ve used bolehvpn and can vouch for its quality and service.

Conclusion

The best way around a DNS Block like the one Unifi currently has on some websites, is to just change your DNS settings to OpenDNS or Google.

However, given that you may need extra security a VPN server like proXPN or BolehVPN or Privateinternetaccess would be your best bet to bypass any damn filter your ISP may throw at you, plus it’ll keep your internet browsing away from pesky eyes.

Of course this doesn’t mean anything if your local Wi-Fi at your home is compromised, so do yourself a favor and read this if you just recently had Unifi installed at your home, and I would add changing DNS server to that list of things to do.

With censorship rearing its ugly head in Malaysia, I may have to encourage other more drastic measures like using a remote desktop to an Amazon EC2 machine to download sensitive material. For now, happy hunting.

picture of roadblock courtesy of : http://www.flickr.com/photos/simon-james/2731182967/

33 comments


  • Hi Keith,

    There are also some websites that function as proxies. Like a binocular into another website. Sure the display format doesn’t look pretty, but fastest for me!

  • tm(unifi) is fuck it block all i use vpn speed i get only 10 kbps, first time i use vpn i get 500kbps after that dead

    • Hi Fauzi,

      I can vouch that I constantly use my office VPN at home with no issues. There are some latency issues although I’m not entirely sure if that is caused by my VPN, Unifi or home WiFi.

  • It seems that the writer of this post is the owner of Bolehvpn. No wonder he encourages you lots on taking his product.

  • I have tried many ways, free and paid ways to open blocked websites, I think vpn works better than others, this is what I can recommend, try the service before you pay for it!

    I ordered my account from http://saturnvpn.com the price is great. 1 Month $3.3, 3 Months $7 and 12 Months $16

    It has free test account and you can try the service for free.

    http://saturnvpn.com/free-test-account/

    It supports all protocols (PPTP, L2TP, OpenVPN, CiscoVpn), and you don’t have to buy different accounts for different devices (use 1 account to connect on your computer and your mobile at the same time)

  • Hey Keith, your excellent article is nothing but excellent, and yes, so long as providers here continue being silly enough to use DNS block, I wish that they’ll continue to be ignorant. But a note on proxy sites. They don’t work all the time even if you set them to receive cookies. Certain sites which require cookies and a loginid would not be accessible still.

    I’ve even gone as far as to put myself into ToR sometimes, but take note that encapsulating connections into the onion router would slow down your throughput considerably and is not recommended for games and such.

    • You’re right, TOR does slow things down. But the benefit of using TOR is two-fold, one is that you have anonymity (somewhat) and you provide cover traffic for others hoping to use for far more noble intentions.

      Thanks for the comment 🙂

  • I would like to share my experience
    1) free vpn
    If you are using the Chrome or Firefox browser, you can use zenmate vpn
    as the extension in the browsers. Once you open the browsers,
    the vpn will be activated
    2) router with cable
    some routers do not have the capability of a repeater so you need to buy
    a long cable and attach it to the router. Let us say the router name is
    “Router1”, so if you hook up to router1, the websites are not blocked provided
    you change the DNS to OpenDNS
    3) router with repeater capabilities
    The router is slightly expensive but you do not need the long cable.
    You can place the router in any part of the house and set it to repeater
    mode (follow router instructions) and you have the option to choose the
    router name as same as the unifi router name or set a new name for itself.
    Please set it to a different name, say “Router2”. When you hook up to
    router2, the blocked websites are unblocked

    I have experimented with all 3 methods above

    • I don’t know about Zenmate, but Hola which is a free ‘VPN’ is not something I recommend for reasons I cover elsewhere on the blog.

      As for points 2 and 3, I don’t quite get why a repeater would somehow ‘un-block’ websites? I suspect you’re just changing DNS settings, which can be done without any new router (with or without repeater functionality)

  • I used pdproxy before and it worked fine.. suddenly I can’t connect with pdproxy (both free user and premium acc).. I don’t know why but I guess they (1bestari net service provider – YTL) stopped or blocked any connection from pdproxy
