Sample ips for dns are as below:
(They are other ranges that are open now, scan and find out )
102.133.160.77
102.133.139.154
102.133.235.79
102.133.128.244
102.22.82.129
102.22.81.212
102.22.82.17
102.22.81.249
102.22.27.125
102.22.82.53
102.22.83.78
102.22.81.20
102.22.81.195
102.22.83.114
102.22.83.149
102.22.83.72
102.22.81.122
102.22.83.102
102.22.195.246
102.22.108.25
102.22.81.37
102.22.80.182
102.22.81.140
102.22.83.155
102.22.82.5
102.22.82.45
102.22.82.94
102.22.82.242
102.23.163.244
102.23.226.71
102.23.226.70
102.37.158.250
102.37.142.149
(They are other ranges that are open now, scan and find out )
102.133.160.77
102.133.139.154
102.133.235.79
102.133.128.244
102.22.82.129
102.22.81.212
102.22.82.17
102.22.81.249
102.22.27.125
102.22.82.53
102.22.83.78
102.22.81.20
102.22.81.195
102.22.83.114
102.22.83.149
102.22.83.72
102.22.81.122
102.22.83.102
102.22.195.246
102.22.108.25
102.22.81.37
102.22.80.182
102.22.81.140
102.22.83.155
102.22.82.5
102.22.82.45
102.22.82.94
102.22.82.242
102.23.163.244
102.23.226.71
102.23.226.70
102.37.158.250
102.37.142.149
16❤249❤🔥29👌10😢8👏6
We pulled gigabytes of data straight from Iran's regime censorship network.
Inside:
Millions of IPs whitelisted during shutdowns (external ones locals use + the ones they allow)
Their plans to hunt down Starlink terminals inside the country
Ways they try to trace who’s still online during blackouts
and plenty more
We’ll drop some parts that can actually help people get to the free internet.
Inside:
Millions of IPs whitelisted during shutdowns (external ones locals use + the ones they allow)
Their plans to hunt down Starlink terminals inside the country
Ways they try to trace who’s still online during blackouts
and plenty more
We’ll drop some parts that can actually help people get to the free internet.
13❤251🔥24👏19🤝1
all-range-dns-UDP.txt
380.7 KB
all dns ips whitelisted in iran (some whitelisted by us! and others they use)
110❤420🔥42👍26🙏19🤩8
Void Verge pinned «We pulled gigabytes of data straight from Iran's regime censorship network. Inside: Millions of IPs whitelisted during shutdowns (external ones locals use + the ones they allow) Their plans to hunt down Starlink terminals inside the country Ways they try…»
Until the data-centers be inaccessible, why dont we just do the below?
We have tested the implementation and saw its benefits 😉
https://telegra.ph/The-Idea-of-dns-multiplexing-03-08
We have tested the implementation and saw its benefits 😉
https://telegra.ph/The-Idea-of-dns-multiplexing-03-08
Telegraph
The Idea of dns multiplexing in other side
During my observation of DNS network traffic passing through a firewall, I noticed an interesting pattern: the firewall initially allows the first packet in DNS tunneling to pass, but eventually, the Deep Packet Inspection (DPI) system detects the unusual…
6🔥134❤25👍6👏4🌚2
We are watching the traffic coming from Iran, and it’s starting to look unusual.
Some techniques that previously worked are now widely used, and they have become visible at the firewall level.
Let me give you some advice.
When you play chess against an opponent who is more experienced, has studied your games, and already controls the center of the board, you don’t rush your queen into the middle. The center is where the board is most contested. If your opponent already controls those squares, placing your most valuable piece there only makes it an easy target.
Instead, strong players develop quietly, protect their pieces, and look for indirect ways to challenge control of the board.
The Thirty-Eight Barrier is close to run !
Some techniques that previously worked are now widely used, and they have become visible at the firewall level.
Let me give you some advice.
When you play chess against an opponent who is more experienced, has studied your games, and already controls the center of the board, you don’t rush your queen into the middle. The center is where the board is most contested. If your opponent already controls those squares, placing your most valuable piece there only makes it an easy target.
Instead, strong players develop quietly, protect their pieces, and look for indirect ways to challenge control of the board.
The Thirty-Eight Barrier is close to run !
7❤180👍32🤔24❤🔥6🙏3
New leak from Iran's regime censorship docs:
They’ve got ways to spot Starlink users and people on VPNs.
Some popular Iranian apps come bundled with hidden networking scripts that run in the background.
These scripts keep sending DNS queries and TCP requests outside your network — even when VPN is active (and in some apps, it doesn't even care if VPN is on).
They do it in 3 main ways:
to public/blocked servers (just to check if they connect)
to regime-controlled endpoints (to figure out how you're connecting)
to special DNS resolvers (to detect your leaks/IP)
Then they collect all this data and either send you threatening messages or pinpoint if you're on Starlink.
Be careful what apps you run. Stay sharp.
we may publish a complete report later , but for now just learn to use app proxing or split tunneling
They’ve got ways to spot Starlink users and people on VPNs.
Some popular Iranian apps come bundled with hidden networking scripts that run in the background.
These scripts keep sending DNS queries and TCP requests outside your network — even when VPN is active (and in some apps, it doesn't even care if VPN is on).
They do it in 3 main ways:
to public/blocked servers (just to check if they connect)
to regime-controlled endpoints (to figure out how you're connecting)
to special DNS resolvers (to detect your leaks/IP)
Then they collect all this data and either send you threatening messages or pinpoint if you're on Starlink.
Be careful what apps you run. Stay sharp.
we may publish a complete report later , but for now just learn to use app proxing or split tunneling
7❤193👍33🤔14🙏6🌚2
We performed a controlled lab test on several messaging apps. Observations are based solely on network traffic; no payload decryption or app reverse engineering was done.
1. DNS behavior
Some apps (e.g., Bale) requested DNS from multiple sources outside the device’s configured servers.
At least three DNS servers were contacted, all located outside the country.
2. Tunnel-flag behavior
When the tunnel flag was toggled on and off (no real network change), some apps behaved unusually.
Eita repeatedly closed otherwise successful server connections when the tunnel was on.
This behavior did not occur when the tunnel was off.
3. DNS resolution inconsistencies
Eita sometimes resolved a domain to an IP (e.g., a.b.c.d) but connected to a different IP (e.g., a.b.c.e), ignoring the resolved IP for extended periods.
4. Reconnection and traffic patterns
Eita repeatedly re-established connections after closing them.
We saw forground netowork activity in app that first thought is for notifications.
We tested with a chat message showed the app did not load the message or notifications.
but meanwhile
Upload traffic volume was much higher than download, which is not typical for getting notification request
5. Comparison with other apps
Rubika: similar to Eita, opening multiple connections to different servers, sending data, and closing connections frequently.
Bale: maintained a single, persistent TCP connection to its server, behaving normally.
These apps exhibit unusual and potentially suspicious network behavior.
Some easy to undrestand info are in the zip below:
1. DNS behavior
Some apps (e.g., Bale) requested DNS from multiple sources outside the device’s configured servers.
At least three DNS servers were contacted, all located outside the country.
2. Tunnel-flag behavior
When the tunnel flag was toggled on and off (no real network change), some apps behaved unusually.
Eita repeatedly closed otherwise successful server connections when the tunnel was on.
This behavior did not occur when the tunnel was off.
3. DNS resolution inconsistencies
Eita sometimes resolved a domain to an IP (e.g., a.b.c.d) but connected to a different IP (e.g., a.b.c.e), ignoring the resolved IP for extended periods.
4. Reconnection and traffic patterns
Eita repeatedly re-established connections after closing them.
We saw forground netowork activity in app that first thought is for notifications.
We tested with a chat message showed the app did not load the message or notifications.
but meanwhile
Upload traffic volume was much higher than download, which is not typical for getting notification request
5. Comparison with other apps
Rubika: similar to Eita, opening multiple connections to different servers, sending data, and closing connections frequently.
Bale: maintained a single, persistent TCP connection to its server, behaving normally.
These apps exhibit unusual and potentially suspicious network behavior.
Some easy to undrestand info are in the zip below:
7👍155❤68🔥14🤔6🤓3
The firewall required a routing update, and several CDN service IPs were added to enable access for certain government‑affiliated individuals and organizations.
We have successfully injected most of the IP ranges from the company’s cloud-based NS (AWS, Akamai, etc.) into the routing table. The changes are currently propagating and are expected to be fully applied by 06:00 AM Iran local time. Connectivity should now be smoother, allowing most users to connect more easily.
For now, focus on the following ranges (eventually, the full subnets will be applied):
2.144.x.x/24
3.160.x.x/20
18.154.x.x/24
23.49.x.x/20
You can also scan the range under 50.x.x.x, which has now been fully applied.
We have successfully injected most of the IP ranges from the company’s cloud-based NS (AWS, Akamai, etc.) into the routing table. The changes are currently propagating and are expected to be fully applied by 06:00 AM Iran local time. Connectivity should now be smoother, allowing most users to connect more easily.
For now, focus on the following ranges (eventually, the full subnets will be applied):
2.144.x.x/24
3.160.x.x/20
18.154.x.x/24
23.49.x.x/20
You can also scan the range under 50.x.x.x, which has now been fully applied.
16❤407👍55👏23🔥14👨💻6
Void Verge
The firewall required a routing update, and several CDN service IPs were added to enable access for certain government‑affiliated individuals and organizations. We have successfully injected most of the IP ranges from the company’s cloud-based NS (AWS, Akamai…
The change is now completely applied and many ranges are open
Scan and find them out
Scan and find them out
2❤234🔥29😁26🙏18👨💻6
Based on the traffic we observed in Iran, it appears that TCI has started implementing domain whitelisting on their DNS servers.
This might be a configuration mistake, but according to our logs, since this morning most domains have been resolving to the internal IP 10.10.34.35.
Some of the most frequently used domains were occasionally corrected, but many services such as bale.ai, zarebin.ir, and several others have still not been fixed.
Updated: every thing got normal in later check.
This might be a configuration mistake, but according to our logs, since this morning most domains have been resolving to the internal IP 10.10.34.35.
Some of the most frequently used domains were occasionally corrected, but many services such as bale.ai, zarebin.ir, and several others have still not been fixed.
Updated: every thing got normal in later check.
9❤136😭58👍25🌚7🎃5
Void Verge
Based on the traffic we observed in Iran, it appears that TCI has started implementing domain whitelisting on their DNS servers. This might be a configuration mistake, but according to our logs, since this morning most domains have been resolving to the internal…
Th changes came back on TCi. Dns request for most of the sites get the same ip and
They also started blocking other dns-servers even local ones.
They also started blocking other dns-servers even local ones.
😭194❤24🥱8👍6😴4
Looks like somone need to pass network+ again...
Below is a list of new dns servers list in TCP(port 53), which hasn't been restricted by firewall yet.
With proper set-up (multiplexing, mtu and dns-size) you can make your dead connections alive again.
We also add new UDP dns servers beside the list we published before that may help.
Below is a list of new dns servers list in TCP(port 53), which hasn't been restricted by firewall yet.
With proper set-up (multiplexing, mtu and dns-size) you can make your dead connections alive again.
We also add new UDP dns servers beside the list we published before that may help.
1❤203👍16🔥11😈11🥱7
After a few days of silence...
We're back with something massive.
Some fresh leaks coming...
We're back with something massive.
Some fresh leaks coming...
22❤277😁47🤔23🔥22🥴12