Indonesian Focus Group discusses filtering mechanisms #316

Open
fortuna opened this issue Dec 17, 2023 · 50 comments
Comments

@fortuna

fortuna commented Dec 17, 2023

The Ministry of Communication and Information (Kementerian Kominfo) hosted a live stream on December 4, 2023, where they openly discuss the mechanisms to filter content in Indonesia.

The video is in Indonesian, but you can enable closed captions and auto-translate to explore it.

To make it easier to explore, I've extracted the auto-translated subtitles. That way you can search for topics of interest, and find the time in the video.

Among other things, they discuss DNS and IP-based blocking and blocking of third-party DNS resolvers, explicitly calling out Google, Cloudflare and Quad9, and blocking of port 853. They say that they need to block encrypted DNS (DoT, DoH and DoQ) so that the user is forced to fall back to unencrypted DNS.

I did not see any mention of SNI-based blocking.

Below are two relevant moments, and you can find more by searching the transcript.

https://www.youtube.com/live/JY7-KbByjcI?si=p5SJnKdwww48uQD7&t=6634
https://www.youtube.com/live/JY7-KbByjcI?si=W0hC4sDSYiA-BPpp&t=8551

@fortuna
Author

fortuna commented Dec 17, 2023

I'll note that blocking of encrypted DNS has been reported in 2022: #114

@wkrp wkrp added the Indonesia label Dec 17, 2023
@wkrp
Member

wkrp commented Dec 17, 2023

Thanks @fortuna, this is a great thing to find.

This is an archival copy: https://archive.org/details/KominfoFGD20231204

The "Kominfo" of the YouTube channel name is the Indonesian Ministry of Communications and Informatics, "responsible for communications, information affairs, and Internet censorship."

Does anyone speak Indonesian who can pick out some of the important points? (In particular, do you know anything about the "TKPPSE" or "RPZ" acronyms mentioned?) EDIT 2023-12-20: RPZ is Response Policy Zone, TKPPSE is Tata Kelola Pengendalian Penyelenggara Sistem Elektronik "Electronic System Operator Control Governance".

I skimmed through the visuals and noted a few interesting timestamps:

timestamp | comment | screenshot
0:00:52 | Site to report content complaints: http://aduankonten.id. Or WhatsApp 0811 922 4545, or email [email protected]. | Cara Melapor ke Aduan Konten
1:17:50 | List of regulations relating to content blocking (dasar hukum penanganan konten): Pasal 40 ayat (2), Pasal 96, Pasal 14 ayat (1), Pasal 18, Peraturan K/L Terkait. | Dasar hukum penanganan konten
1:21:42 | Pipeline for website and social media blocking (mekanisme pemblokiran situs dan media sosial). | Mekanisme pemblokiran situs dan media sosial
1:25:19 | This slide claims 2,501,070 domains and subdomains were blocked as of 2023-12-01. 1:30:55 shows a breakdown by category: the top two are gambling (perjudian) at 1,247,987 and pornography (pornografi) at 1,213,840. EDIT 2024-10-04: Compare to "2,031,242 lines" at #401 (comment). | Total daftar domain yang diblok Kominfo per 1 Desember 2023
1:26:45 | Slide shows a "Sistem DNS RPZ Kominfo" with IP addresses 103.154.123.130 and 139.255.196.202. | Alue Teknis Pemblokiran Konten Negatif
1:33:00 | Slide shows a "TKPPSE system" and marks installation points on a map of Indonesia. | Sistem TKPPSE
1:37:53 | A "Kominfo RPZ basic synchronization and configuration guide" (Panduan sinkronisasi dan konfigurasi dasar RPZ kominfo) with links to a form http://bit.ly/FormKoneksiRPZ (Google Forms, archive) and a private Telegram group https://t.me/c/1526604311/1. | Panduan Sinkronisasi dan Konfigurasi Dasar RPZ Kominfo
1:40:17 | Another mention of the RPZ IP addresses 103.154.123.130 and 139.255.196.202 and what looks like a DNS zone configuration file. | Contoh output paket bind sudah berjalan
1:46:36 | Another mention of "TKPPSE", as a component alongside "DNS filtering" and "IP blocking". | Strategi filtering konten negatif (on going)
1:52:41 | A diagram labeled "BGP blackhole". | Strategi filtering konten lanjutan
1:57:18 | A node labeled "DNS Trust+ Master" with the IP addresses 103.154.123.130 (already seen for "RPZ") and 27.54.116.6. | DNS cache ISP – sync – DNS Trust+
2:40:25 | During the Q&A session, one of the speakers says something about RPZ being a real-time system, with some kind of synchronization every 1,000 seconds. There are also QR codes pointing to https://t.me/c/1526604311/1 (the private Telegram group from 1:37:53) and https://me-qr.com/dCuKk8Cc (archive). | TIM SYNC KONTEN NEGATIF & ISU ISP/1

@lepz0r

lepz0r commented Dec 17, 2023

I did not see any mention of SNI-based blocking.

But some ISPs also do SNI-based blocking here now

@wkrp
Member

wkrp commented Dec 17, 2023

In particular, do you know anything about the "TKPPSE" or "RPZ" acronyms mentioned?

iMAP and OONI have high-quality reports about blocking in Indonesia:

I did not find the acronyms RPZ and TKPPSE in them, but there are definitions of PSE and Trust+/TrustPositif. PSE is a legal class of online service operators who are obliged to register themselves with the government, comply with takedown requests, etc. TrustPositif is a (DNS?) filtering application, operational since 2010.

https://ooni.org/post/2022-state-of-internet-censorship-indonesia/#private-electronic-system-operators-pse-ministerial-regulation-no-5-of-2020

Private Electronic System Operators (PSE) Ministerial Regulation No 5 of 2020

The law came into effect in November 2020 to replace and consolidate Kominfo Regulations No 19 of 2014 on Handling of Internet Sites Containing Negative Content and No 36 of 2014 on Registration of Electronic System Operators.[47] The law requires private electronic system operators (penyelenggara sistem elektronik or PSE) to register themselves with Kominfo before providing any service to internet users.

Through the single registration system, a PSE must disclose how their system works and the kinds of user information they collect, store, and process. The law does not only apply to domestic operators but also to foreign private PSEs that have users in Indonesia. Failing registration, Kominfo would block the websites of private PSEs in Indonesia.[48]

https://ooni.org/post/2022-state-of-internet-censorship-indonesia/#trustpositif-by-kominfo

TrustPositif by Kominfo

As of September 2022, the Indonesian Ministry of Information and Communication (Kominfo) has blocked over 1,000,000 websites through TrustPositif,[52] a filtering application that has been operational since 2010 per Ministerial Regulation No 19 of 2014. The majority of the blocked websites fall under the categories of gambling and pornography. Other categories of blocked websites include online scams, intellectual property violations, and “negative content” recommended by related-sector agencies. There have been reported cases of newly registered domain names being falsely pre-blocked on TrustPositif.[53] An official from Kominfo claims that the blocks are based on citizen reports.[54]

The Freedom on the Net 2023 report for Indonesia is also full of a lot of good analysis. I do not find TSPPKE or RPZ in it, but it mentions TrustPositif and another, newer system called DNS Whitelist Nusantara:

https://freedomhouse.org/country/indonesia/freedom-net/2023#A

In July 2022, the Pengelola Nama Domain Internet Indonesia (PANDI) and the APJII proposed the implementation of national Domain Name System (DNS) filtering technology, such as DNS Whitelist Nusantara and TrustPositif. This would enable the government to limit public access to certain types of content.[42] Critics of the proposal likened it to China’s highly repressive filtering system, known as the Great Firewall.[43]

@wkrp
Member

wkrp commented Dec 17, 2023

The Freedom on the Net 2023 report for Indonesia is also full of a lot of good analysis. I do not find TSPPKE or RPZ in it, but it mentions TrustPositif and another, newer system called DNS Whitelist Nusantara

Footnote 42 of the Freedom on the Net report links to a PowerPoint presentation (20220729021540.pdf) by Mohamad Shidiq Purnama at the Indonesia Network Operators Group (IDNOG) Workshop and Conference 2022, on the topic of a national DNS system.

DNS Nasional Indonesia (www.dns.id)

Mohamad Shidiq Purnama

https://s.id/shidiq

Indonesia National DNS

Latar Belakang

Program Kolaborasi PANDI - APJII

Tujuan : Ketahanan Internet Nasional dan Efisiensi Trafik Internet Indonesia

Program terkait

  • DNS Bersama
  • DNS Whitelist Nusantara
  • Trust Positif
  • Anycast DNS .id
  • Root Servers

Pemanfaatan dan Kontribusi Data, Infrastruktur dan Sistem secara terbuka oleh komunitas dan untuk komunitas

Background

PANDI - APJII Collaboration Program

Objective : National Internet Resilience and Indonesian Internet Traffic Efficiency

Related programs

  • Shared DNS
  • DNS Whitelist Nusantara
  • Trust Positif
  • Anycast DNS .id
  • Root Servers

Utilization and Contribution of Data, Infrastructure and Systems openly by the community and for the community

Prespektif Geo Politik

  1. Penerapan kepatuhan hukum di indonesia lebih mudah karena data digunakan bersama
    1. Terdapat pelanggaran hukum dan perbuatan kriminal terjadi di internet. Dengan adanya DNS Nasional, dampak dari hal tersebut dapat dicegah dan ditanggulangi secara lebih efektif.
    2. Penerapan terhadap kebijakan baru lebih mudah dilakukan.
  2. pengelolaan dan pemanfaatan data secara transparan dan terbuka karena dikelola dan diawasi oleh komunitas secara terbuka
  3. Keamanan data lebih terjaga karena penggunaan resource lokal (tidak menggunakan public DNS dari Luar Negeri)

Geo-political perspective

  1. Implementation of legal compliance in Indonesia is easier because data is shared
    1. There are law violations and criminal acts occurring on the internet. With the National DNS, the impact of this can be prevented and tackled more effectively.
    2. Implementation of new policies is easier.
  2. Transparent and open management and utilization of data because it is managed and overseen by the community in an open manner
  3. Data security is better maintained due to the use of local resources (not using public DNS from abroad)

Prespektif Teknis

  1. Ketahanan Internet Nasional, ketahanan terhadap akses ke DNS akan lebih bagus karena ditempatkan di seluruh simpul exchange internet Indonesia (IIX)
  2. Mengurangi sentralisasi, trafik jaringan yang keluar terutama untuk trafik DNS ke Root DNS akan berkurang.
  3. Memiliki kemandirian dalam mengelola dan menentukan whitelist dan blacklist.
  4. Mempunyai akses terhadap data trafik.
  5. Implementasi Blacklist dan Whitelist Trust+ menjadi terpusat, bukan tersebar menurut mekanisme masing-masing ISP.
  6. ISP lebih mudah dan cepat untuk terhubung dengan sumber data DNS.
  7. Mengurangi traffic “sampah” dari phishing, spam dll.
  8. Menumbuhkan konten lokal di masing-masing daerah.

Technical Perspective

  1. National Internet Resilience, resilience to access to DNS will be better as it is placed in all Indonesian internet exchange (IIX) nodes.
  2. Reduce centralization, outgoing network traffic especially for DNS traffic to Root DNS will be reduced.
  3. Have independence in managing and determining whitelist and blacklist.
  4. Have access to traffic data.
  5. Blacklist and Whitelist Trust+ implementation is centralized, not scattered according to the mechanism of each ISP.
  6. ISPs are easier and faster to connect with DNS data sources.
  7. Reduce "junk" traffic from phishing, spam etc.
  8. Grow local content in each region.

Rencana Pembangunan DNS Nasional

  1. ISP mengakses DNS Resolver yang ada di exchange
  2. DNS Resolver melakukan pencarian nama domain ke Anycast DNS .id
  3. Didalam DNS Resolver terdapat Blacklist dan Whitelist Trust+ dan Database Anti Phishing
  4. Jika domain bukan .id, DNS Resolver akan melakukan pencarian nama domain ke Root Servers
  5. Data yang ada di Master DNS .id akan disebar ke Anycast DNS .id

National DNS Development Plan

  1. ISP accesses the DNS Resolver that is on the exchange
  2. DNS Resolver performs a lookup of the domain name against the .id Anycast DNS
  3. Inside the DNS Resolver there are the Blacklist and Whitelist Trust+ and an Anti Phishing Database
  4. If the domain is not .id, the DNS Resolver will look up the domain name at the Root Servers
  5. The data in the Master DNS .id will be propagated to the .id Anycast DNS

Custom Landing Page

Source IP Lookup

  • if source ip x.x.x.0/24 / ISP "A" > Custom Landing page for ISP "A"
  • if source ip x.x.y.0/24 / ISP "B" > Custom Landing page for ISP "B"
  • if source ip x.x.z.0/24 / ISP "C" > Custom Landing page for ISP "C"

Custom Landing page for "blocked" websites

Rencana Pembangunan DNS Nasional

Penempatan seluruh komponen DNS Nasional pada seluruh exchange

Antar exchange saling terhubung sehingga data tersebar ke beberapa exchange sehingga akan mengurangi ketergantungan untuk akses DNS dari resource yang lain (Google, Cloudflare, dll)

National DNS Development Plan

Deployment of all National DNS components on all exchanges

Exchanges are interconnected so that data is spread to several exchanges, which will reduce dependency for DNS access on other resources (Google, Cloudflare, etc.)

Mohamad Shidiq Purnama

https://s.id/shidiq (passcode: thanks)

@fortuna
Author

fortuna commented Dec 20, 2023

I figured out what RPZ is. From A warm welcome to DNS:

RPZ: Response Policy Zone is a framework for blocking, dropping queries or spoofing responses based on domain names, response IP addresses or nameservers used during resolution. It has long lived as an ISC Technical Note, and failed to become an IETF standard. It is nevertheless very useful, and there is an industry of RPZ providers. Policies are described by zones and are typically transmitted over IXFR.

@merdekaid

National DNS has actually been implemented since 2015

You can read it here https://www.kominfo.go.id/index.php/content/detail/4991/Kominfo+Finalisasi+DNS+Nasional/0/sorotan_media

So basically the current system is: every ISP must redirect port 53 to their own server, and their own server must be synchronized to Kominfo's RPZ server so it can update the blocking efficiently.

Indonesians cannot change their DNS settings without using encrypted DNS, so if we want to use a custom filtering service such as NextDNS or ControlD, we usually rely on DoH/DoT

@ThePhoenix576

Indonesians cannot change their DNS settings without using encrypted DNS, so if we want to use a custom filtering service such as NextDNS or ControlD, we usually rely on DoH/DoT

True. And that means that if those protocols get blocked, then we'll have to probably use a VPN to tunnel DNS queries lol

@wkrp
Member

wkrp commented Dec 20, 2023

I figured out what RPZ is.

So basically the current system is, every ISP must redirect port 53 to their own server, their own server must be synchronized to Kominfo's RPZ server so it can update the blocking efficiently.

I see—so RPZ (Response Policy Zone) is a semi-standard way of representing DNS filtering/blocking rules as DNS information itself, such that the rules can be transmitted/synchronized with a zone transfer (AXFR/IXFR).

So we may take as a working hypothesis that the DNS blocklist in Indonesia is centrally managed and stored in Response Policy Zone format. Each individual ISP synchronizes the local blocklists in its own DNS resolvers with a master RPZ server periodically. (Every 1,000 seconds?)

Maybe, then, it's possible to interrogate the RPZ masters, or download the entire blocklist with a zone transfer? I tried port scanning 103.154.123.130, 139.255.196.202, and 27.54.116.6, but did not find udp/53 responsive on any of them.

The Trust+ / TrustPositif label also seems to have to do with DNS filtering. But I'm not sure if it's the same as the RPZ system, or something additional to it. @DarkMProgrammer, @ThePhoenix576, do you know, is Trust+ the name for the RPZ-based rule specification and synchronization system, or is Trust+ a different system? Slide 5 of the IDNOG 2022 slides mentions an "anti phishing" database separate from the Trust+ list, so maybe there is more than one database. One of the slides in the focus group discussion refers to both RPZ and TrustPositif:

Untuk setting konfigurasi dasar bind untuk menjadi slave pada RPZ kominfo berikut tahapan nya:

Untuk mengaktifkan slave RPZ zone maka kita harus mengedit file named.conf atau file yang memuat konfigurasi zone. Tambahkan parameter berikut di file konfigurasi zone:

zone "trustpositifkominfo" {
    type slave;
    file "db.trustpositifkominfo";
    masters {
        103.154.123.130;
        139.255.196.202;
    };
    allow-query { any; };
};

Note:
Masters IP yang digunakan lebih dari satu.

To set the basic bind configuration to become a slave to the RPZ kominfo, here are the steps:

To enable the RPZ zone slave, we must edit the named.conf file or the file that contains the zone configuration. Add the following parameters in the zone configuration file:

Note:
More than one Masters IP is used.
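To make the RPZ mechanism discussed above concrete, here is an added example (not code from this thread, from BIND, or from Kominfo) that parses the QNAME triggers of a constructed RPZ zone and reports the policy a resolver would apply to a query name. The zone name rpz.example., the domain names and the IP address are placeholders rather than real Kominfo data; the lookup precedence (exact trigger first, then the most specific wildcard) is my assumption, and the function names are my own.

```python
"""Parse the QNAME triggers of an RPZ (Response Policy Zone) and look up the
policy a resolver would apply to a query name."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample zone (placeholders, not Kominfo's real RPZ data).
# Each owner name, minus the zone name, is the query name the rule matches.
SAMPLE_RPZ_ZONE = """\
$TTL 300
$ORIGIN rpz.example.
@  IN SOA ns.rpz.example. hostmaster.rpz.example. 2023120401 1000 600 86400 300
@  IN NS  ns.rpz.example.
blocked.example.com               IN CNAME .               ; NXDOMAIN
*.blocked.example.com             IN CNAME .               ; NXDOMAIN for all subdomains
nodata.example.net                IN CNAME *.              ; NODATA (empty answer)
walled.example.org                IN A     192.0.2.10      ; Local Data: answer with a block page IP
allowed.example.com               IN CNAME rpz-passthru.   ; exempt from policy
dropme.example.net.rpz.example.   IN CNAME rpz-drop.       ; absolute owner; drop the query
"""

# Special CNAME targets defined by RPZ and the action each one means.
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


@dataclass(frozen=True)
class Rule:
    action: str
    data: Optional[str] = None  # rdata for LOCAL_DATA rules, e.g. "A 192.0.2.10"


def parse_rpz(zone_text: str) -> dict[str, Rule]:
    """Return {trigger name: Rule} for the QNAME triggers in a zone file.
    IP, NSDNAME and NSIP triggers (rpz-ip., rpz-nsdname., rpz-nsip. owners)
    are outside the scope of this example."""
    origin = ""
    rules: dict[str, Rule] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".").lower()
            continue
        if tokens[0].startswith("$"):  # $TTL and other directives
            continue
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():  # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"malformed record: {raw!r}")
        rtype, rdata = rest[0].upper(), rest[1:]
        if owner == "@" or rtype in ("SOA", "NS"):
            continue  # apex housekeeping records, not policy triggers
        trigger = owner.lower()
        if trigger.endswith("."):  # absolute owner: strip the zone suffix
            suffix = "." + origin + "."
            if not trigger.endswith(suffix):
                raise ValueError(f"owner {owner!r} is outside zone {origin!r}")
            trigger = trigger[: -len(suffix)]
        if rtype == "CNAME" and rdata[0] in SPECIAL_TARGETS:
            rules[trigger] = Rule(SPECIAL_TARGETS[rdata[0]])
        else:  # any other record (A, AAAA, CNAME to a real name, ...) is Local Data
            rules[trigger] = Rule("LOCAL_DATA", " ".join([rtype] + rdata))
    return rules


def policy_for(rules: dict[str, Rule], qname: str) -> Optional[Rule]:
    """Policy for a query name: exact trigger first, then the most specific
    wildcard trigger (assumed precedence; "*.parent" never matches "parent" itself)."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


if __name__ == "__main__":
    rules = parse_rpz(SAMPLE_RPZ_ZONE)
    for q in ("blocked.example.com", "cdn.blocked.example.com",
              "walled.example.org", "unlisted.example.com"):
        print(f"{q:28} -> {policy_for(rules, q)}")
```

A zone like this is what an ISP resolver would pull from the masters with AXFR/IXFR; the slave zone stanza on the slide only fetches it, and the resolver still has to be told to treat it as policy.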

@wkrp
Member

wkrp commented Dec 20, 2023

@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.

This is one of the slides that mentions TKPPSE (timestamp 1:33:00):

Sistem TKPPSE

TKPPSE Virtual Borderline

  • TKPPSE telah dipasang pada 147 site di 27 Provinsi
  • TKPPSE dipasang pada jaringan internet Indonesia sebagai metode filtering dan kedaulatan digital Indonesia

TKPPSE System

  • TKPPSE has been installed on 147 sites in 27 Provinces
  • TKPPSE is installed on Indonesia's internet network as a method of filtering and Indonesia's digital sovereignty

Sistem TKPPSE

@ThePhoenix576

The Trust+ / TrustPositif label also seems to have to do with DNS filtering. But I'm not sure if it's the same as the RPZ system, or something additional to it. @DarkMProgrammer, @ThePhoenix576, do you know, is Trust+ the name for the RPZ-based rule specification and synchronization system, or is Trust+ a different system? Slide 5 of the IDNOG 2022 slides mentions an "anti phishing" database separate from the Trust+ list, so maybe there is more than one database. One of the slides in the focus group discussion refers to both RPZ and TrustPositif:

I don't know for sure. I haven't looked into it that much. @DarkMProgrammer might know more about this thing though.

@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.

Tata Kelola Pengendalian Penyelenggara Sistem Elektronik

It seems to refer to their blocking system to "protect" the digital world, or something like that. I don't know if it's specific to one of their blocking systems or something like that though.

@wkrp
Member

wkrp commented Dec 20, 2023

@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.

Tata Kelola Pengendalian Penyelenggara Sistem Elektronik

It seems to refer to their blocking system to "protect" the digital world, or something like that. I don't know if it's specific to one of their blocking systems or something like that though.

I see. So the name is not really specific. I wonder if TKPPSE is something like the TSPU in Russia, government-managed DPI black boxes installed at ISPs.

@ThePhoenix576

@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.

Tata Kelola Pengendalian Penyelenggara Sistem Elektronik

It seems to refer to their blocking system to "protect" the digital world, or something like that. I don't know if it's specific to one of their blocking systems or something like that though.

I see. So the name is not really specific. I wonder if TKPPSE is something like the TSPU in Russia, government-managed DPI black boxes installed at ISPs.

Yeah, idk for sure. But I'm not liking where this country is going with them wanting to block DoT/H etc lol. Thankfully they drew the line with VPNs. But we all know that they can change their minds in an instant.

@merdekaid

merdekaid commented Dec 20, 2023

@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.

This is one of the slides that mentions TKPPSE (timestamp 1:33:00):

Sistem TKPPSE

TKPPSE Virtual Borderline

  • TKPPSE telah dipasang pada 147 site di 27 Provinsi
  • TKPPSE dipasang pada jaringan internet Indonesia sebagai metode filtering dan kedaulatan digital Indonesia

TKPPSE System

  • TKPPSE has been installed on 147 sites in 27 Provinces
  • TKPPSE is installed on Indonesia's internet network as a method of filtering and Indonesia's digital sovereignty

Sistem TKPPSE

It's the DPI middlebox which is responsible for sending TCP RST (for https) and sending a 302 redirection to the national blockpage (http://lamanlabuh.aduankonten.id) for http.

If you don't know, every Indonesian DPI mechanism has the same behaviour, such as:

  • Lamanlabuh blockpage
  • They listen on all ports from 1 to 65535
  • Sending a TCP RST packet as their blocking mechanism

Here is an example of when we tested port 25565 with the Host header of hypixel.net, a Minecraft server that the Indonesian government doesn't like.

If the DPI is deployed by each ISP, they most likely won't have the same mechanism, as some ISPs here love putting ads lol

@ThePhoenix576

If the DPI is deployed by each ISP, they most likely won't have the same mechanism, as some ISPs here love putting ads lol

Oh look ! Ads !

But anyways, I really do hope that they won't block DoT/H lol. Public DNS like Google DNS is far more reliable than our ISPs DNS servers lol

@merdekaid

merdekaid commented Dec 21, 2023

I figured out what RPZ is.

So basically the current system is, every ISP must redirect port 53 to their own server, their own server must be synchronized to Kominfo's RPZ server so it can update the blocking efficiently.

I see—so RPZ (Response Policy Zone) is a semi-standard way of representing DNS filtering/blocking rules as DNS information itself, such that the rules can be transmitted/synchronized with a zone transfer (AXFR/IXFR).

So we may take as a working hypothesis that the DNS blocklist in Indonesia is centrally managed and stored in Response Policy Zone format. Each individual ISP synchronizes the local blocklists in its own DNS resolvers with a master RPZ server periodically. (Every 1,000 seconds?)

Maybe, then, it's possible to interrogate the RPZ masters, or download the entire blocklist with a zone transfer? I tried port scanning 103.154.123.130, 139.255.196.202, and 27.54.116.6, but did not find udp/53 responsive on any of them.

The Trust+ / TrustPositif label also seems to have to do with DNS filtering. But I'm not sure if it's the same as the RPZ system, or something additional to it. @DarkMProgrammer, @ThePhoenix576, do you know, is Trust+ the name for the RPZ-based rule specification and synchronization system, or is Trust+ a different system? Slide 5 of the IDNOG 2022 slides mentions an "anti phishing" database separate from the Trust+ list, so maybe there is more than one database. One of the slides in the focus group discussion refers to both RPZ and TrustPositif:

Untuk setting konfigurasi dasar bind untuk menjadi slave pada RPZ kominfo berikut tahapan nya:

Untuk mengaktifkan slave RPZ zone maka kita harus mengedit file named.conf atau file yang memuat konfigurasi zone. Tambahkan parameter berikut di file konfigurasi zone:

zone "trustpositifkominfo" {
    type slave;
    file "db.trustpositifkominfo";
    masters {
        103.154.123.130;
        139.255.196.202;
    };
    allow-query { any; };
};

Note:
Masters IP yang digunakan lebih dari satu.

To set the basic bind configuration to become a slave to the RPZ kominfo, here are the steps:

To enable the RPZ zone slave, we must edit the named.conf file or the file that contains the zone configuration. Add the following parameters in the zone configuration file:

Note:
More than one Masters IP is used.

DNS transfer is only permitted for ISP DNS here; they have an ACL on port 53 so outsiders can't run the AXFR command.

Feel free to contact me at slashy(at)bebasid.com if you want more info

@merdekaid

merdekaid commented Dec 21, 2023

If the DPI is deployed by each ISP, they most likely won't have the same mechanism, as some ISPs here love putting ads lol

Oh look ! Ads !

But anyways, I really do hope that they won't block DoT/H lol. Public DNS like Google DNS is far more reliable than our ISPs DNS servers lol

It's not about reliable outside server anymore, it's about freedom of information and human right.

Indonesians are very restricted by Kominfo in customizing their network due to the National DNS regulation. They can't enjoy custom filtering, ad-blocking DNS, or even host their own DNS because of this.

It's not only international port 53 that gets redirected, the local one too, because Kominfo/ISPs are afraid people are hosting DNS on a local VPS server and using it at home.

Ironically, National DNS actually goes against our constitution, which guarantees freedom of expression and human rights

@wkrp
Member

wkrp commented Dec 21, 2023

DNS transfer is only permitted for ISP DNS here; they have an ACL on port 53 so outsiders can't run the AXFR command.

I see. The ACL must be the reason for the Google Form (archive) linked at 1:37:53 in the focus group video. A field on the form asks for the IP addresses that will be used for RPZ zone transfers.

Alamat IP Publik DNS Server (Jika sudah ada)

RPZ sistem kominfo adalah sebuah DNS server yang berisi sebuah zone yang dapat direplikasi (transfer zone). Untuk dapat melakukan transfer zone, ISP harus terlebih dahulu meregister Source IP yang akan melakukan transfer ke sistem RPZ kominfo. Mohon memasukkan IP yang dimaksud ke dalam form di bawah ini (maksimal 4 IP). Jika informasi ini belum ada, dapat disusulkan melalui Whatsapp Message ke sdr. Riko Rahmada

  • IP 1:
  • IP 2:
  • IP 3:
  • IP 4:

DNS Server Public IP Address (If already exist)

The Kominfo RPZ system is a DNS server that contains a zone that can be replicated (zone transfer). To be able to transfer the zone, ISPs must first register the source IP that will perform the transfer with the Kominfo RPZ system. Please enter the IP in question into the form below (maximum 4 IPs). If this information does not exist yet, it can be sent later via WhatsApp message to Mr. Riko Rahmada

  • IP 1:
  • IP 2:
  • IP 3:
  • IP 4:

@merdekaid

DNS transfer is only permitted for ISP DNS here; they have an ACL on port 53 so outsiders can't run the AXFR command.

I see. The ACL must be the reason for the Google Form (archive) linked at 1:37:53 in the focus group video. A field on the form asks for the IP addresses that will be used for RPZ zone transfers.

Alamat IP Publik DNS Server (Jika sudah ada)

RPZ sistem kominfo adalah sebuah DNS server yang berisi sebuah zone yang dapat direplikasi (transfer zone). Untuk dapat melakukan transfer zone, ISP harus terlebih dahulu meregister Source IP yang akan melakukan transfer ke sistem RPZ kominfo. Mohon memasukkan IP yang dimaksud ke dalam form di bawah ini (maksimal 4 IP). Jika informasi ini belum ada, dapat disusulkan melalui Whatsapp Message ke sdr. Riko Rahmada

  • IP 1:
  • IP 2:
  • IP 3:
  • IP 4:

DNS Server Public IP Address (If already exist)

The Kominfo RPZ system is a DNS server that contains a zone that can be replicated (zone transfer). To be able to transfer the zone, ISPs must first register the source IP that will perform the transfer with the Kominfo RPZ system. Please enter the IP in question into the form below (maximum 4 IPs). If this information does not exist yet, it can be sent later via WhatsApp message to Mr. Riko Rahmada

  • IP 1:
  • IP 2:
  • IP 3:
  • IP 4:

Yep that's right, in order to get access to it, you must register there first

@merdekaid

@DarkMProgrammer, @ThePhoenix576, do you know what TKPPSE is? PSE is probably penyelenggara sistem elektronik.
This is one of the slides that mentions TKPPSE (timestamp 1:33:00):

Sistem TKPPSE

TKPPSE Virtual Borderline

  • TKPPSE telah dipasang pada 147 site di 27 Provinsi
  • TKPPSE dipasang pada jaringan internet Indonesia sebagai metode filtering dan kedaulatan digital Indonesia

TKPPSE System

  • TKPPSE has been installed on 147 sites in 27 Provinces
  • TKPPSE is installed on Indonesia's internet network as a method of filtering and Indonesia's digital sovereignty

Sistem TKPPSE

It's the DPI middlebox which is responsible for sending TCP RST (for https) and sending a 302 redirection to the national blockpage (http://lamanlabuh.aduankonten.id) for http.

If you don't know, every Indonesian DPI mechanism has the same behaviour, such as:

  • Lamanlabuh blockpage
  • They listen on all ports from 1 to 65535
  • Sending a TCP RST packet as their blocking mechanism

Here is an example of when we tested port 25565 with the Host header of hypixel.net, a Minecraft server that the Indonesian government doesn't like.

If the DPI is deployed by each ISP, they most likely won't have the same mechanism, as some ISPs here love putting ads lol

I found this leak from some clueless Indonesian NOC on LinkedIn.

TKPPSE is indeed the National DPI implemented by Kominfo, similar to the GFW in China.

@merdekaid

Every ISP that has a connection to the outside (e.g. Singapore) has its network tapped first by Kominfo so they can log or monitor requests for a "blacklisted" header.

If the header is blacklisted, the National DPI (so-called TKPPSE) will send you a TCP RST packet and a 302 redirection to the National Blockpage at http://lamanlabuh.aduankonten.id

@merdekaid

merdekaid commented Dec 23, 2023

It's indeed sad that my country is heading towards China/Iran :(

I don't care if the government is only blocking pornographic and gambling content. What I care about is that they love to block random stuff that should not be blocked, such as Reddit, Vimeo, Startmail, and recently, Hypixel. This falls under censorship rather than "protection" now, especially since they forbid their people from changing their DNS and are now implementing infrastructure similar to China's censorship.

@merdekaid

Similar to the GFW, TKPPSE has bidirectional blocking, so you can check blocked sites in Indonesia by curl-ing infected ISPs and modifying the Host header to a blocked website

@merdekaid

I just realised some clever ISPs in Indonesia have different routing, thus only their clients are affected by the DPI. Mainly noted: PT Jala Lintas Media and PT Cyberindo Aditama, so the bidirectional checking won't work there

@wkrp
Member

wkrp commented Dec 23, 2023

I found this leak from some clueless Indonesian NOC on LinkedIn.

TKPPSE is indeed the National DPI implemented by Kominfo, similar to the GFW in China.

That same slide appears in this focus group discussion, during Setyo Wibawa's part at 1:49:40. The title of the slide says "TKPSEE", but I would guess that's a typo for TKPPSE.

TKPSEE

TKPSEE [sic]

Tata Kelola Pengendalian Penhelenggara Sistem Elektronik

Penempatan Perangkat di NAP

TKPSEE

Electronic System Operator Control Governance

Device Placement in NAP

@wkrp
Member

wkrp commented Dec 23, 2023

Similar to the GFW, TKPPSE has bidirectional blocking, so you can check blocked sites in Indonesia by curl-ing infected ISPs and modifying the Host header to a blocked website

I can reproduce the bidirectional HTTP 302 injection with curl. Great tip. @snourin, this looks like something you'd be interested in.

$ curl -i http://iconnet.id/ -H "Host: hypixel.net"
HTTP/1.0 302 Moved
Content-Length: 0
Location: http://lamanlabuh.aduankonten.id/
Pragma: no-cache
Cache-Control: no-cache

In my quick tests, it looks like the injection is unreliable: sometimes I get the real response from the iconnet.id server. Interestingly, it appears that the GET method but not the HEAD method is affected: curl -i http://iconnet.id/ -H "Host: hypixel.net" sometimes gets injection, but curl -I http://iconnet.id/ -H "Host: hypixel.net" does not.
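A scripted version of the check reproduced above, added here as an example (it is not code from the thread or from any participant): it builds the same GET or HEAD request with a spoofed Host header over a plain socket, and classifies the raw reply as the injected redirect to lamanlabuh.aduankonten.id versus a genuine response. The probe() helper, its timeout, the User-Agent string and the "legit" sample responses are my assumptions; the injected sample copies the header block shown in the curl output above.

```python
"""Detect the TKPPSE-style injected HTTP 302 in raw responses.

Added example (not from the thread). Reproduces the curl check above with plain
sockets so that GET and HEAD can be compared and each reply classified.
"""
import socket

BLOCKPAGE_HOST = "lamanlabuh.aduankonten.id"  # host in the injected Location header (from the thread)


def build_request(method: str, host_header: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request whose Host header names a different site than the
    TCP destination, the same trick as `curl -H "Host: ..."`."""
    if method not in ("GET", "HEAD"):
        raise ValueError("only GET and HEAD are used in this check")
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host_header}",
        "User-Agent: curl/8.0",  # assumed value, not from the thread
        "Accept: */*",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_head(raw: bytes):
    """Split a raw response into (version, status code, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def classify(raw: bytes) -> str:
    """'blockpage' for the injected redirect to the national block page,
    'legit' for any other HTTP response, 'empty' / 'malformed' otherwise.
    Checking the Location host keeps an ordinary 302 from a real server as 'legit'."""
    if not raw:
        return "empty"
    try:
        _version, code, headers = parse_head(raw)
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if code == "302" and BLOCKPAGE_HOST in headers.get("location", ""):
        return "blockpage"
    return "legit"


def injection_signature(raw: bytes) -> dict:
    """Extra fingerprint bits visible in the thread's sample: the injector answers
    an HTTP/1.1 request with HTTP/1.0 and Content-Length: 0."""
    version, code, headers = parse_head(raw)
    return {
        "http10": version == "HTTP/1.0",
        "zero_length": headers.get("content-length") == "0",
        "code": code,
        "location": headers.get("location", ""),
    }


def probe(target_ip: str, host_header: str, method: str = "GET", timeout: float = 5.0) -> str:
    """Send one request to target_ip:80 and classify the reply. 'reset' when the
    connection is torn down by a RST (what the thread reports for injected RSTs).
    Network call: not exercised by the offline samples below."""
    try:
        with socket.create_connection((target_ip, 80), timeout=timeout) as s:
            s.sendall(build_request(method, host_header))
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except ConnectionResetError:
        return "reset"
    except (socket.timeout, OSError):
        return "error"
    return classify(b"".join(chunks))


# Constructed samples: the first copies the header block shown in the curl output above.
SAMPLE_INJECTED = (
    b"HTTP/1.0 302 Moved\r\nContent-Length: 0\r\n"
    b"Location: http://lamanlabuh.aduankonten.id/\r\n"
    b"Pragma: no-cache\r\nCache-Control: no-cache\r\n\r\n"
)
SAMPLE_LEGIT_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://iconnet.id/\r\nContent-Length: 0\r\n\r\n"
SAMPLE_LEGIT_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    for name, raw in [("injected", SAMPLE_INJECTED), ("redirect", SAMPLE_LEGIT_REDIRECT), ("page", SAMPLE_LEGIT_PAGE)]:
        print(name, classify(raw), injection_signature(raw))
```

Running probe() several times per method against the same IP, as wkrp did by hand, turns the GET-versus-HEAD observation into a count of "blockpage", "legit" and "reset" outcomes rather than a single anecdotal result.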

@merdekaid

Similar to the GFW, TKPPSE has bidirectional blocking, so you can check blocked sites in Indonesia by curl-ing them against infected ISPs and modifying the Host header to the blocked website.

I can reproduce the bidirectional HTTP 302 injection with curl. Great tip. @snourin, this looks like something you'd be interested in.

$ curl -i http://iconnet.id/ -H "Host: hypixel.net"
HTTP/1.0 302 Moved
Content-Length: 0
Location: http://lamanlabuh.aduankonten.id/
Pragma: no-cache
Cache-Control: no-cache

In my quick tests, it looks like the injection is unreliable: sometimes I get the real response from the iconnet.id server. Interestingly, it appears that the GET method but not the HEAD method is affected: curl -i http://iconnet.id/ -H "Host: hypixel.net" sometimes gets injection, but curl -I http://iconnet.id/ -H "Host: hypixel.net" does not.

Yeah, but if you are inside Indonesia, you will get injected 100%.

I don't know what's actually happening on the National DPI's side that is causing a request from outside Indonesia to have unstable injection.

@merdekaid

image

The iForte one has stable injection to the outside; maybe you can try curling against iforte.co.id or transjakarta.co.id.

Transjakarta public wifi is using iForte as its IP Transit, so it's affected by the TKPPSE, aka National DPI, aka Great Firewall of Indonesia.

@merdekaid

I suspect Iconnet has load-balancing stuff on their side; when you aren't affected, you sometimes got routed to one of their backup load-balancing border routers which hasn't been tapped yet by Kominfo.

@merdekaid

Oh yeah, if you don't know what NAP is, NAP stands for Network Access Provider.

Kominfo actually has 2 kinds of ISP licensing: one is ISP and one is NAP.

ISPs with normal ISP licensing are forbidden to have a direct peer with Tier 1 ISPs (such as HE, Cogent, etc.). They are only allowed to peer with a NAP before going to T1 ISPs.

NAPs, on the other hand, are the ISPs that are allowed to have a direct connection outside; they are forced by Kominfo to have their border routers tapped to the National DPI (TKPPSE) for censorship reasons like above.

@merdekaid

image
image

Since every port is affected, you can't even connect to a game server that is blocked by Kominfo lol

@merdekaid

merdekaid commented Dec 24, 2023

image
image

Even some CDNs here are blocked, how bad could it be.

The blockage could be due to one of these 2 reasons:

  • Either the CDN is not registered with PSE, thus it got blocked (but why are Cloudflare, Fastly, and the others still free if this is the reason?)
  • An error on Kominfo's server, or someone put it on the blacklist without knowing it's a CDN.

@fortuna
Author

fortuna commented Dec 24, 2023

I also get inconsistent measurements when running the measurement from outside Indonesia. I get 3 different results:

  • Valid page
  • Block page
  • TCP Reset

I believe the blocking is inconsistent, and the interference mechanisms race each other.

See this traffic capture triggered with curl -i http://iconnet.id/ -H "Host: hypixel.net":

image

I received, in order:

  1. TCP Reset
  2. Block Page ("HTTP/1.0 302 Moved")
  3. Legit Page (marked as "[TCP Out-of-order]")

In this case, curl returned a connection reset error, even though pages were eventually received. Sometimes the Block page arrives before the TCP reset.

The filter packets can be identified by the IP ID 0x00f2. My machine sends a reset to the server because the TCP state is already reset on the client side when it received the legit page.

I also noticed a smaller TTL on the legit response, which suggests it's farther away than the middlebox.

Here is another example, where the block page is received before the TCP reset and legit page:
image

When the fetch succeeds, I get neither the block page, nor the TCP reset:
image

@fortuna
Author

fortuna commented Dec 24, 2023

Is it possible to set up a firewall to drop a specific IP ID? Perhaps combined with a sequence number or direction to minimize false positives?

That could potentially bypass censorship.

@merdekaid

Is it possible to set up a firewall to drop a specific IP ID? Perhaps combined with a sequence number or direction to minimize false positives?

That could potentially bypass censorship.

We should try this. We have several mechanisms to bypass the National DPI (TKPPSE) on MikroTik by dropping certain packets on the firewall (I won't tell you how since there might be a Kominfo spy lurking around here), but feel free to drop me an email or talk with me on Slack as usual haha.

My team and I at BEBASID would love to try to experiment with this.

@merdekaid

merdekaid commented Dec 24, 2023

Oh yeah, the request might still be logged on Kominfo's TKPPSE infrastructure, so while you can bypass the censorship by dropping certain packets that the National DPI sent, they still know what you are visiting, thus it's not good for your privacy.

@merdekaid

image

image

Some Indonesian ISPs are now experimenting with blocking DoH/DoT, such as PT Netciti Persada with Cloudflare, Google, and other popular servers, and PT Mora Telematika Indonesia with Quad9. Same as before with TKPPSE during the end of 2021 on the XL Axiata network.

@fortuna
Author

fortuna commented Dec 24, 2023

It looks like nftables supports IP IDs in rules: https://wiki.gentoo.org/wiki/Nftables#Rules. I'm not super familiar with nftables, but I think the rule would look something like this:

ip id 0x00f2 drop;

Is it possible to set up a firewall to drop a specific IP ID? Perhaps combined with a sequence number or direction to minimize false positives?

@merdekaid

It looks like nftables supports IP IDs in rules: https://wiki.gentoo.org/wiki/Nftables#Rules. I'm not super familiar with nftables, but I think the rule would look something like this:

ip id 0x00f2 drop;

Is it possible to set up a firewall to drop a specific IP ID? Perhaps combined with a sequence number or direction to minimize false positives?

That's interesting. Since I'm currently super busy right now (sorry), I'll have my colleague test it for us.

@merdekaid

They got the error Object "id" is unknown, try "ip help". while trying it on nftables, hmm.

@merdekaid

merdekaid commented Dec 27, 2023

I found an old screenshot from my hard drive.

During the post-implementation of TKPPSE, Cloudflare's CGK datacenter got affected by the National DPI.

image

As a result, blocked sites that use Cloudflare could not be accessed, as they were either redirected to the national block page or returned an SSL handshake error.

image

The Google Translate proxy also got affected.

Luckily it's safe now. Probably Google and Cloudflare ditched the provider who did this and rerouted directly to SG without the help of a local provider.

@merdekaid

image

Oh yeah, this is the original National DNS document which means Indonesians don't have the freedom to customize their network.

@Lanius-collaris

Lanius-collaris commented Dec 28, 2023

They got Object "id" is unknown, try "ip help". error while trying on nftables hmm

@DarkMProgrammer
ip id 0x00f2 is an expression used to match packets, not a command; drop is the operation.
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Rules
Have you tested TCP fragmentation?
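Fortuna's capture analysis above (TCP reset, block page and genuine page racing each other, with the middlebox's packets carrying IP ID 0x00f2 and a larger TTL than the real server) together with the nftables discussion that followed, replayed on constructed packet records. This is an added example, not code from the thread or from any participant: only the IP ID and the block-page host come from the discussion; the direction, ports, TTLs, flags and packet order are assumptions chosen to mirror the description, and the nftables table and chain names in the comment are assumed too. It shows what a client ends up seeing with and without a filter that drops the injector's packets, using the narrowed match fortuna asked about (inbound, IP ID, source port 80, RST or block-page redirect) instead of the IP ID alone.

```python
"""Replay the injection race on constructed packets and test a narrowed drop filter.

Added example (not from the thread). Only IP ID 0x00f2 and the block-page host
come from the discussion; every other field value below is a constructed assumption.
"""
from dataclasses import dataclass

INJECTOR_IP_ID = 0x00F2                       # IP ID fortuna saw on the middlebox's packets
BLOCKPAGE_HOST = b"lamanlabuh.aduankonten.id"


@dataclass
class Packet:
    direction: str        # "in" = server-to-client, "out" = client-to-server
    ip_id: int
    ttl: int
    sport: int            # TCP source port
    flags: frozenset      # TCP flags, e.g. frozenset({"RST"})
    payload: bytes = b""


def is_blockpage(payload: bytes) -> bool:
    """The injected redirect: HTTP/1.0 302 pointing at the national block page."""
    return payload.startswith(b"HTTP/1.0 302") and BLOCKPAGE_HOST in payload


def looks_injected(pkt: Packet) -> bool:
    """Narrowed version of `ip id 0x00f2 drop`: direction, port and content are
    checked too, so an unrelated inbound packet that happens to carry this IP ID
    is left alone. Comparable nftables rule (assumes table inet filter, chain input):
        nft add rule inet filter input ip id 0x00f2 tcp sport 80 counter drop
    """
    if pkt.direction != "in" or pkt.ip_id != INJECTOR_IP_ID or pkt.sport != 80:
        return False
    return "RST" in pkt.flags or is_blockpage(pkt.payload)


def client_outcome(packets, drop_injected: bool = False) -> str:
    """What the client ends up seeing when packets arrive in list order:
    'reset', 'blockpage', 'legit' or 'no-response'. The first inbound packet that
    is not dropped decides, which is the race fortuna observed in the captures."""
    for pkt in packets:
        if pkt.direction != "in":
            continue
        if drop_injected and looks_injected(pkt):
            continue
        if "RST" in pkt.flags:
            return "reset"
        if pkt.payload:
            return "blockpage" if is_blockpage(pkt.payload) else "legit"
    return "no-response"


def ttl_gap(packets) -> int:
    """Lowest injector TTL minus highest genuine-server TTL over inbound packets;
    positive means the genuine server is farther away, the hint fortuna noted."""
    inj = [p.ttl for p in packets if looks_injected(p)]
    real = [p.ttl for p in packets if p.direction == "in" and not looks_injected(p)]
    if not inj or not real:
        return 0
    return min(inj) - max(real)


RST = frozenset({"RST"})
PSH_ACK = frozenset({"PSH", "ACK"})
REQUEST = b"GET / HTTP/1.1\r\nHost: hypixel.net\r\n\r\n"
INJECTED_302 = (b"HTTP/1.0 302 Moved\r\nContent-Length: 0\r\n"
                b"Location: http://lamanlabuh.aduankonten.id/\r\n\r\n")
REAL_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>real</html>"

# Constructed: the order of fortuna's first capture (RST, block page, genuine page).
CAPTURE_RESET_FIRST = [
    Packet("out", 0x1A2B, 64, 51000, PSH_ACK, REQUEST),
    Packet("in", INJECTOR_IP_ID, 55, 80, RST),
    Packet("in", INJECTOR_IP_ID, 55, 80, PSH_ACK, INJECTED_302),
    Packet("in", 0x7C01, 48, 80, PSH_ACK, REAL_PAGE),
]
# Constructed: fortuna's second capture (block page arrives before the RST).
CAPTURE_BLOCKPAGE_FIRST = [CAPTURE_RESET_FIRST[0], CAPTURE_RESET_FIRST[2],
                           CAPTURE_RESET_FIRST[1], CAPTURE_RESET_FIRST[3]]
# Constructed: a fetch with no interference at all.
CAPTURE_CLEAN = [CAPTURE_RESET_FIRST[0], CAPTURE_RESET_FIRST[3]]
# Constructed: an unrelated inbound packet that happens to carry the same IP ID (TLS on 443).
COINCIDENCE = Packet("in", INJECTOR_IP_ID, 50, 443, PSH_ACK, b"\x16\x03\x03")

if __name__ == "__main__":
    for name, cap in [("reset-first", CAPTURE_RESET_FIRST),
                      ("blockpage-first", CAPTURE_BLOCKPAGE_FIRST),
                      ("clean", CAPTURE_CLEAN)]:
        print(name, client_outcome(cap), "-> with filter:",
              client_outcome(cap, drop_injected=True), "| ttl gap:", ttl_gap(cap))
```

Two caveats carried over from the thread apply to any real deployment of such a filter: the IP ID is a value observed at one point in time and may change, and, as merdekaid notes below, the request is still seen and possibly logged by the middlebox even when its reply is discarded.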

@merdekaid

merdekaid commented Dec 30, 2023

They got the error Object "id" is unknown, try "ip help". while trying it on nftables, hmm.

@DarkMProgrammer ip id 0x00f2 is an expression used to match packets, not a command; drop is the operation. https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Rules Have you tested TCP fragmentation?

I have never done it manually with nftables, but GoodbyeDPI/Zapret did work to bypass TKPPSE.

@merdekaid

It's happening, guys.

On December 30th 2023, some ISPs have blocked access to DoH/DoT domains.

Our DNS service is also affected.

image
image

image

Aside from PT Netciti Persada, PT Jaringan Sarana Nusantara (JSN) also started blackholing DoH from their DNS; it seems Kominfo has started to roll this out to every ISP.

@merdekaid

merdekaid commented Dec 30, 2023

image

Thanks to the National DNS regulation, changing plain DNS won't work, so you are stuck with the ISP DNS that is blocking access to DoH/DoT domains; as you can see, the result of nslookup-ing against Google DNS is hijacked to each ISP's DNS.

If you want to use DoH/DoT, writing the domain in the hosts file will work.

@wkrp
Member

wkrp commented Dec 30, 2023

On December 30th 2023, some ISPs have blocked access to DoH/DoT domains.

Thank you for the news. Since this thread is about the focus group video, let's talk about DoH/DoT blocking in a new thread.

@merdekaid

image

AS4800 - PT Aplikanusa Lintasarta started to redirect port 53 again at the IP Transit level if they know that their customer is an ISP serving end users in Indonesia.

They did this back in 2022, dismantled it temporarily, and are reimplementing it again now.

I think it is unethical for an ISP to do this, as it can break some of their customers' networks and such. What do you think of this?

@chandr1000

chandr1000 commented Sep 22, 2024

I'd like to be surprised, but it's komingfod 🥱🥱

If only DoT could use a custom port other than 853, I'd put DoT on port 22 to make that old geezer nervous.

@merdekaid

merdekaid commented Sep 28, 2024

I'd like to be surprised, but it's komingfod 🥱🥱

If only DoT could use a custom port other than 853, I'd put DoT on port 22 to make that old geezer nervous.

It's still in their planning; I heard from my friend at an ISP that every DoH/DoT IP will be added to their national RTBH filtering.

If you don't know what RTBH filtering is, it's like an RPZ but for IP addresses. You put it in BGP.

So the RTBH BGP will announce blocked IPs to its clients to drop them.

FYI: Some Cloudflare IPs are added to their RTBH, so some Cloudflare IPs aren't reachable from Indonesia. For example, the IP address of sflix.to, which is currently added to the Trust+ list.

7 participants