Let's Discuss the "Whitelist" in Quanzhou, Fujian

0. Preface

It has been a year since Quanzhou "piloted" the whitelist. I heard that it has been extended to most parts of the province and to some areas covered by China Mobile, but I currently use Fujian Mobile. During a dial test, I found that Quanzhou, Fujian could not access my CDN IP, so I did some research and recorded it here.

1. Phenomena

Testing with IT Dog shows that, from Quanzhou, an unfiled domain name cannot be used to access an IP that is not in the whitelist. The following two domain names and two IPs are used as examples:

Filed domain name: 1.com
Unfiled domain name: 2.com
Whitelisted IP: 6.6.6.6
Non-whitelisted IP: 8.8.8.8

Dial test results:

(Filed domain name + whitelisted IP: all normal)

  • HTTP + 1.com + 6.6.6.6: OK
  • ICMP + 1.com + 6.6.6.6: OK
  • TCP + 1.com + 6.6.6.6: OK

(Unfiled domain name + whitelisted IP: all normal)

  • HTTP + 2.com + 6.6.6.6: OK
  • ICMP + 2.com + 6.6.6.6: OK
  • TCP + 2.com + 6.6.6.6: OK

(Filed domain name + non-whitelisted IP: all normal)

  • HTTP + 1.com + 8.8.8.8: OK
  • ICMP + 1.com + 8.8.8.8: OK
  • TCP + 1.com + 8.8.8.8: OK

(Unfiled domain name + non-whitelisted IP: partly normal)

  • HTTP + 2.com + 8.8.8.8: blocked
  • ICMP + 2.com + 8.8.8.8: OK
  • TCP + 2.com + 8.8.8.8: OK

(Direct access by IP)

  • HTTP + 6.6.6.6: OK
  • ICMP + 6.6.6.6: OK
  • TCP + 6.6.6.6: OK
  • HTTP + 8.8.8.8: OK
  • ICMP + 8.8.8.8: OK
  • TCP + 8.8.8.8: OK

Note: Only a common TLD (.com) was used in the test. It is said that some spam-prone TLDs (.xyz) are blocked indiscriminately; I haven't tested that myself yet.

2. Conclusion

The results show that the whitelist has the following characteristics:

  1. Non-HTTP methods are not affected;
  2. Access without a domain name is not affected;
  3. An unfiled domain name combined with a non-whitelisted IP cannot connect, which is suspected to be SNI blocking.
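To move the SNI suspicion in point 3 from a guess to a measurement, a site operator can probe the same IP layer by layer with a control name and the suspect name. The following is an added example, not code from the original post; `probe`, `diagnose` and the sample dictionaries are names assumed for illustration, and the sample results are constructed, not measured.

```python
import socket
import ssl

def _tcp(ip, port, timeout):
    return socket.create_connection((ip, port), timeout=timeout)

def probe(ip, name, timeout=5.0):
    """Probe one IP with one domain name at three layers; True means that layer answered."""
    res = {"tcp": False, "tls_sni": False, "http_host": False}
    try:  # Layer 1: bare TCP handshake, no domain name on the wire
        _tcp(ip, 443, timeout).close()
        res["tcp"] = True
    except OSError:
        pass
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # reachability test only: the pinned IP may
    ctx.verify_mode = ssl.CERT_NONE  # not hold a certificate for `name`
    try:  # Layer 2: TLS ClientHello carrying `name` in the SNI extension
        with _tcp(ip, 443, timeout) as s, ctx.wrap_socket(s, server_hostname=name):
            res["tls_sni"] = True
    except OSError:
        pass
    try:  # Layer 3: plaintext HTTP carrying `name` in the Host header
        with _tcp(ip, 80, timeout) as s:
            s.sendall(f"HEAD / HTTP/1.1\r\nHost: {name}\r\nConnection: close\r\n\r\n".encode())
            res["http_host"] = s.recv(16).startswith(b"HTTP/")
    except OSError:
        pass
    return res

def diagnose(control, target):
    """Compare a control name and the suspect name, both probed against the same IP."""
    if not target["tcp"]:
        return "ip-level: TCP fails before any name is sent"
    verdicts = []
    for layer, label in (("tls_sni", "sni"), ("http_host", "host-header")):
        # Only count a failure when the control name passed the same layer,
        # so a server that simply has no listener there is not misread.
        if control[layer] and not target[layer]:
            verdicts.append(label)
    return "name-based: " + "+".join(verdicts) if verdicts else "no name-based difference"

# Constructed results shaped like the post's fourth case (not real measurements)
CONTROL = {"tcp": True, "tls_sni": True, "http_host": True}   # filed name, non-whitelisted IP
SUSPECT = {"tcp": True, "tls_sni": False, "http_host": True}  # unfiled name, same IP
```

Run `probe` twice from the affected network against the same non-whitelisted IP, once with the filed name and once with the unfiled one, and pass both results to `diagnose`.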

It is said that the overseas server IP ranges (Hong Kong, the United States, etc.) of major domestic providers (Tencent Cloud, Alibaba Cloud, etc.) have been included in the whitelist. However, of two Tencent Cloud Hong Kong servers I measured, one is in the whitelist and the other is not.

In addition, all of Cloudflare's IP ranges are said to be outside the whitelist (what is certain is that a lot of its IPs were in the blacklist before, lol). After testing, 2 IP ranges were found to be accessible. You can modify the Hosts file or rewrite DNS to point to any IP in these two ranges to access websites hosted on Cloudflare.

3. Solution

For a blocked website, the solution is to use DNSPod partition resolution. For a detailed guide, see:

Server Cluster (7) DNSPod Professional Edition Partition Analysis
https://blog.tsinbei.com/archives/667/

Following the official documentation, add a custom resolution line and fill in the line's content with all of Quanzhou's IP ranges (updated on 2023/06/08). The IP list itself is hidden in the original post and is shown only after an approved comment.

Save the line. If you use the CNAME method with self-selected IPs to access Cloudflare, the line can be resolved to the accessible IP ranges. These are also hidden in the original post.


https://blog.tsinbei.com/en/archives/750/

Author: Hsukqi Lee
Posted on: 2023-06-22
Edited on: 2023-06-22
Licensed under: CC BY-NC-ND 4.0
