IP Address Database

Virtual Private Mesh comes with an IP Firewall that is used to manage the IP addresses used in both inbound and outbound traffic.

1. Encrypted DNS IP Address

Encrypted DNS services such as DNS over HTTPS (DoH) and DNS over TLS (DoT) make it very difficult for you to discover which hostnames are being accessed by your devices.

Encrypted DNS service is yet another transfer of power to the Cloud: in this case it removes visibility of your traffic from your ISP and from YOU, making the provider's visibility of your traffic even more valuable.

For example, Cloudflare (1.1.1.1) and Google (8.8.8.8) can now see ALL your traffic destinations.

All these encrypted DNS services should be blocked so that your OWN DNS server is used by ALL the apps on the devices that you own.

Other security concerns about DoH are here:

  1. DNS-over-HTTPS causes more problems than it solves, experts say | ZDNET
  2. IEEE Xplore Full-Text PDF:
  3. https://santandergto.com/en/how-to-protect-from-malware-that-abuses-dns-over-https-doh/

Blocking Encrypted DNS

While encrypted DNS can be useful for hiding upstream traffic (between your OWN DNS server and external DNS servers), it is normally not used from your DNS server; it is instead used from your personal device, thus hiding DNS traffic from you!

The main focus here is to block DoH and DoT, which are the most popular; blocking other encrypted DNS protocols, e.g. DNSCrypt, DNS over QUIC etc., is optional.

Notes:

  1. The rapid growth of DoH servers means they are very difficult to block using a centralised list. The use of Citizen Synergy to classify IP addresses is the only scalable way of handling such dynamic data.

  2. DNSSEC simply confirms that a DNS record is authentic; it does not hide the hostname, so it should NOT be blocked.

1. Block DNS Ports

The following ports to non-local DNS servers can be blocked:

  1. To block normal DNS: port 53
  2. To block DNS over TLS: port 853

2. Block DNS IP

Since your Private Cyberspace monitors your DNS activity with its own DNS server, you need to block access to the IP addresses of all other DNS servers.

This is performed by the Gateway Node, and the blocked IPs can be checked at https://id.88.io/ip

Currently the default list is turned ON automatically on all Gateway Nodes.

  1. GitHub - dibdot/DoH-IP-blocklists: This repo contains the domain names and the IPv4/IPv6 addresses of public DoH server
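As an added example (not part of this page or of the Gateway Node software), the Python below applies the two rules above to a constructed flow log: it blocks port 53/853 traffic to any DNS server outside the private-use ranges from the special address table further down, and blocks any destination found in a DoH IP blocklist in the one-address-per-line format used by the dibdot repository. The blocklist contents and the log lines are constructed samples.

```python
import ipaddress

# Private-use ranges (RFC1918 plus shared address space): a DNS
# server inside these is treated as "local" and therefore allowed.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# DNS ports that must only be reachable on local servers.
DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS"}

# Constructed sample blocklist (one address per line, '#' comments),
# not the real dibdot list; 1.1.1.1 and 8.8.8.8 are the resolvers named above.
DOH_BLOCKLIST_TEXT = """\
# constructed sample
1.1.1.1
8.8.8.8
"""

# Constructed flow log: "src dst port", one flow per line.
FLOWS = """\
192.168.1.20 192.168.1.1 53
192.168.1.20 8.8.8.8 53
192.168.1.20 1.1.1.1 853
192.168.1.20 1.1.1.1 443
192.168.1.20 203.0.113.10 443
"""

def load_blocklist(text):
    """Parse a one-IP-per-line blocklist into a set of networks."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            nets.add(ipaddress.ip_network(line, strict=False))
    return nets

def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)

def verdict(dst, port, blocklist):
    """Return (action, reason) for an outbound flow to dst:port."""
    ip = ipaddress.ip_address(dst)
    if port in DNS_PORTS and not is_local(ip):
        return ("block", f"{DNS_PORTS[port]} to non-local server")
    if any(ip in net for net in blocklist):
        return ("block", "destination is a known DoH server")
    return ("allow", "")

def audit(flows, blocklist):
    """Apply verdict() to every log line; returns (dst, port, action, reason)."""
    results = []
    for line in flows.splitlines():
        _src, dst, port = line.split()
        results.append((dst, int(port)) + verdict(dst, int(port), blocklist))
    return results

if __name__ == "__main__":
    for row in audit(FLOWS, load_blocklist(DOH_BLOCKLIST_TEXT)):
        print(row)
```

Note that the DoH rule only catches listed addresses; the port rule catches DoT regardless of server, which is why the text treats the blocklist as a complement to port blocking rather than a replacement.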

Other DNS DoH Blocklists

One Off Dallas

  1. dohservers/iplist.txt at master · oneoffdallas/dohservers · GitHub
  2. dohservers/ipv6list.txt at master · oneoffdallas/dohservers · GitHub
  3. dohservers/list.txt at master · oneoffdallas/dohservers · GitHub
  4. dohservers/listv6.txt at master · oneoffdallas/dohservers · GitHub

The Great Wall

  1. TheGreatWall/TheGreatWall_ipv4 at master · Sekhan/TheGreatWall · GitHub
  3. TheGreatWall/TheGreatWall.txt at master · Sekhan/TheGreatWall · GitHub

DNScrypt Resolvers

  1. GitHub - DNSCrypt/dnscrypt-resolvers: Lists of public DNSCrypt / DoH DNS servers and DNS relays
  2. DNS server sources · DNSCrypt/dnscrypt-proxy Wiki · GitHub

Adguard DNS

  1. https://adguard-dns.io/kb/general/dns-providers/

Some others

  1. dns.google
  2. mask.icloud.com
  3. mask-canary.icloud.com
  4. mask-h2.icloud.com
  5. mask.apple-dns.net
  6. canary.mask.apple-dns.net

2. Published IP Address

It is increasingly difficult to decode HTTPS traffic due to certificate pinning, but metadata analysis can still be performed.

Major Cloud providers publish their hosts and domains, the intention being that we can at least look up the IPs for those to ensure that the destination traffic is really going to them.

The problem, of course, is that the lists can be incomplete!

For example, the domain apple-dns.net belongs to Apple and has traffic going to it, yet it is NOT on the Apple published list mentioned above. How many people have asked what traffic is actually going to gateway.fe.apple-dns.net, and how many got an answer?

3. Special IP Addresses

Address block        Description
0.0.0.0/8            This Network [RFC791]
10.0.0.0/8           Private-Use [RFC1918]
100.64.0.0/10        Shared Address Space [RFC6598], e.g. carrier-grade NAT
127.0.0.0/8          Used for loopback addresses to the local host.[1]
169.254.0.0/16       Used for link-local addresses.[5]
172.16.0.0/12        Used for local communications within a private network.[3]
192.0.0.0/24         IETF Protocol Assignments.[1]
192.0.2.0/24         Assigned as TEST-NET-1, documentation and examples.[6]
192.31.196.0/24      AS112-v4 [RFC7535]
192.52.193.0/24      AMT [RFC7450]
192.88.99.0/24       Deprecated (6to4 Relay Anycast) [RFC7526]
192.168.0.0/16       Used for local communications within a private network.[3]
192.175.48.0/24      Direct Delegation AS112 Service [RFC7534]
198.18.0.0/15        Used for benchmark testing.[9]
198.51.100.0/24      Assigned as TEST-NET-2, documentation and examples.[6]
203.0.113.0/24       Assigned as TEST-NET-3, documentation and examples.[6]
224.0.0.0/4          In use for IP multicast.[10] (Former Class D network.)
240.0.0.0/4          Reserved for future use.[12] (Former Class E network.)
255.255.255.255/32   Reserved for the "limited broadcast" destination address.[1]

Reference:
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml

4. IP Address Location

Free IP Location Sources

The following publicly available IP Location Sources are currently used as references to our own Citizen Synergy based IP Location Databases:

Their location accuracy is normally sufficient for locating an address to a specific country and, in most cases, to the Government Region level.