May 27, 2012

How to unblock websites in China for web owners

Chinese version: click here http://www.percy.in/p/blog-page.html

Good news, everybody. We've worked out a simpler solution to unblock websites in China. Visit unblock.cn.com for more details.

This is a play-by-play guide on how to unblock your website for visitors in Mainland China without any effort on their side.
The Great Firewall of China (GFW) is a complicated filtering system capable of blocking websites by a variety of methods. The commonly used ones are IP blocking, URL and packet filtering by connection reset, TLS (SSL) certificate filtering by connection reset, and DNS hijacking.
A method for distinguishing IP blocking from URL filtering is given at the end of this post.

 

IP blocking

Use a CDN (Content Delivery Network) to hide the real IP of your site from the GFW.

I did a simple test myself. I created a Google site and linked it to 4 subdomains as follows.

CNAME records (ghs.google.com is currently not blocked in China):
test1.percy.in -> ghs.google.com   CDN enabled
test2.percy.in -> ghs.google.com

A records (216.239.32.21 is subject to IP blocking in China):
test3.percy.in -> 216.239.32.21   CDN enabled
test4.percy.in -> 216.239.32.21

test1 and test2 merely serve to confirm the website is up. test3 and test4 simulate a website with a blocked IP.
I enabled the CDN on test1 and test3. The CDN I chose is CloudFlare with a free account. (You can pay to go pro or find another CDN if you like; I prefer to stay free.)


Here are the test results.
test1 and test2 are both accessible in China. test3 is accessible while test4 is blocked.



When the CDN is enabled, it serves as a reverse proxy, so test3 actually resolved to an IP address owned by the CDN (CloudFlare in my case), thus bypassing IP blocking.
Unless the GFW blocks the CDN's IP addresses, which would also block many other unrelated websites[1], IP blocking is nothing to fear anymore. Even if they did so, you could easily register a new account on CloudFlare and get a new set of IPs.
[1] That hasn't stopped them before. The top-level domains co.cc and net.ru were both censored for some time.

 

URL/Packet filtering

For example, say your domain is example.com. They will filter ".example.com" in both content and header, and "host:example.com" only in the HTTP header, so example.com is blocked while aaaexample.com is accessible in China.

If your domain is filtered as a restricted word, full-site encryption should be employed.

Countermeasure 1: Install an SSL certificate on your server or VPS. Some certificates are expensive while others are completely free for an unlimited time. StartSSL provides free certificates with a minimal requirement: only a validated email address on your domain, which can also be obtained free of charge from Google Apps.

Countermeasure 2: Use Flexible SSL by CloudFlare, one of its SSL options.
 Visitor <-- SSL --> CloudFlare <-- non-SSL --> Origin
That way, you save the fuss of installing a certificate and can enable SSL with a click. However, this requires a CloudFlare pro account and costs $20/month.


TLS(SSL) certificate filtering

This time the GFW knows you are using encryption to evade censorship and decides to censor your certificate, which is sent in plain text before the encrypted tunnel is established.

Two countermeasures, as before:
1. Because your certificate is completely free and issued automatically by robots, there's nothing stopping you from changing it constantly, while the filtering list of TLS (SSL) certificates is rarely updated.

2. Use CloudFlare's SSL option. CloudFlare replied to me that multiple sites may use the same certificate: each site has its own subject alternative name (SAN), and the common name will be some variation of SSL#.cloudflare.com. So, as in the case of IP addresses, the GFW can't filter your certificate without blocking a bunch of innocent sites.
(Again, that hasn't stopped them before. They could block SSL connections to a bunch of sites and then filter only your domain. That way, the other sites could be reached via HTTP only.)

 

DNS hijacking:

This is the toughest blocking measure and is seldom used. Sites known to be subject to this kind of blocking are *facebook.com (facebook.com included), *twitter.com (twitter.com included), *youtube.com (youtube.com included), encrypted.google.com and www.kenengba.com. Possibly fewer than a hundred sites are blocked in this way.

Two forms of DNS hijacking are performed (Wikipedia only documents the first one).

Form 1: When visitors use local DNS servers controlled by their ISP, the query simply times out. This is performed by the local DNS server.

Form 2: When visitors use foreign DNS servers such as OpenDNS or Google Public DNS, or even a random nonexistent foreign IP, the GFW returns the blocked IP address of some random site in response to the DNS query, or blocks the real response.

(Looking up a nonexistent name, aaa.bbbtwitter.com, on a nonexistent DNS server, 1.1.1.1, from China) -- form 2 hijacking
nslookup aaa.bbbtwitter.com 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53
Name: aaa.twitter.com
Address: 78.16.49.15
 
(Looking up an existing name, encrypted.google.com, on an existing foreign DNS server, 8.8.8.8, from China) -- form 2 hijacking
nslookup encrypted.google.com 8.8.8.8
Server:  8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
*** Can't find encrypted.google.com: No answer 

The YouTube case is very interesting. *.youtube.com and youtube.com return a fake IP address, while *youtube.com returns "No answer" (it should be NXDOMAIN).
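An added example, not part of the original post: a Python version of the form 2 check shown in the lookups above. It parses a raw DNS reply and flags any answer that arrives from an address where no DNS server runs, and it separates an empty NOERROR reply from NXDOMAIN. The function names and the SAMPLE reply bytes are constructed for illustration; only the queried name and the returned address come from the post.

```python
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN query for `name` (the payload sent to UDP port 53)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:             # root label: end of name
            return off + 1
        off += 1 + n

def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

def classify(server_is_resolver, response):
    """Interpret one lookup the way the post reads its nslookup output."""
    if response is None:
        return "timeout"
    rcode, addrs = parse_a_records(response)
    if not server_is_resolver:               # nothing should have answered at all
        return "injected answer: " + ",".join(addrs) if addrs else "injected empty reply"
    if rcode == 0 and not addrs:
        return "no answer (NOERROR, empty)"
    return "NXDOMAIN" if rcode == 3 else "answer: " + ",".join(addrs)

# Constructed sample reply carrying the address from the post's first lookup.
QUERY = build_query("aaa.bbbtwitter.com")
SAMPLE = (QUERY[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0) + QUERY[12:]
          + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([78, 16, 49, 15]))
```

The post's lookups date from 2012, when 1.1.1.1 did not answer DNS; it has since become a public resolver, so a present-day probe needs a different address known not to run a DNS server.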

How to counter:

Method 1: Change your subdomains. We start with www.example.com.
www.example.com -- "www.example.com" is filtered -->
change to www1 (www2, www3, etc.).example.com -- ".example.com" is filtered -->
change to example.com -- "example.com" is filtered
Filtering of the naked domain is somewhat less likely because, for example, if they filtered oogl.com, google.com would also be inaccessible in China. [Note that this is different from the filtering of the naked domain in URL/packet filtering described in section 2.]

Method 2:
Do not use a domain. Use the IP address directly, e.g. http://12.34.56.78 or https://12.34.56.78
However, this leaves your site vulnerable to IP blocking, because without a domain a CDN can't be used.
Since only prestigious sites are blocked this way, you surely have the money and servers to build an encrypted reverse proxy, or tons of programmers to figure out your next move.

 ---------------------
How to distinguish IP blocking from URL filtering (or both)
If only part of your site is inaccessible, then it's URL filtering only (assuming your site is hosted on a single server).

If your site(www.example.com) is totally inaccessible, visit
http://www.msn.com/www.example.com
http://www.msn.com/.example.com
http://www.msn.com/example.com
respectively in China.
Please wait a few minutes before visiting the next address, because the GFW blocks all traffic to www.msn.com from your computer for a short time when a restricted word is triggered. So wait until you can see www.msn.com again (usually a minute) before you try the next one.
If any URL above is unreachable, your site is subject to URL filtering.
(Those who can't run the test in China can visit https://en.greatfire.org and enter the URLs above.)

Do a ping test in China to determine whether your IP is blocked.



Cross posted on https://en.greatfire.org/blog/2012/may/how-unblock-websites-china-web-owners
