0、前言

泉州“试点”白名单到现在已经一年了,听说已经推广到了全省大部分地区以及中国移动覆盖部分地区,但是我目前使用福建移动无感。在拨测时发现福建泉州无法访问我的 CDN IP,于是进行了一番调查研究并做个记录。

1、现象

使用IT Dog拨测,泉州无法使用未备案域名访问白名单以外的IP。下面以 2 个域名和 IP 举例现象:

备案域名:1.com
未备案域名:2.com

白名单 IP:6.6.6.6
非白名单 IP:8.8.8.8

拨测结果:

(备案域名 + 白名单 IP:全部正常)

  • HTTP + 1.com + 6.6.6.6:正常
  • ICMP + 1.com + 6.6.6.6:正常
  • TCP + 1.com + 6.6.6.6:正常

(未备案域名 + 白名单 IP:全部正常)

  • HTTP + 2.com + 6.6.6.6:正常
  • ICMP + 2.com + 6.6.6.6:正常
  • TCP + 2.com + 6.6.6.6:正常

(备案域名 + 非白名单 IP:全部正常)

  • HTTP + 1.com + 8.8.8.8:正常
  • ICMP + 1.com + 8.8.8.8:正常
  • TCP + 1.com + 8.8.8.8:正常

(未备案域名 + 非白名单 IP:部分正常)

  • HTTP + 2.com + 8.8.8.8:阻断
  • ICMP + 2.com + 8.8.8.8:正常
  • TCP + 2.com + 8.8.8.8:正常

(直接访问 IP)

  • HTTP + 6.6.6.6:正常
  • ICMP + 6.6.6.6:正常
  • TCP + 6.6.6.6:正常
  • HTTP + 8.8.8.8:正常
  • ICMP + 8.8.8.8:正常
  • TCP + 8.8.8.8:正常

注意:测试仅使用了常见 TLD(.com),据说对于部分垃圾内容泛滥的 TLD(.xyz)会进行无差别阻断,目前尚未亲自进行测试。

2、结论

根据结果,可以发现白名单的特征是:

  1. 非 HTTP 方式不受影响;
  2. 不带域名访问不受影响;
  3. 未备案域名 + 非白名单 IP 无法连接,疑似是 SNI 阻断。

据说国内大厂(腾讯云、阿里云等)的境外服务器 IP 段(例如中国香港、美国等地区)都已被列入白名单,但是实测两台腾讯云香港服务器,一台在白名单中,另一台不在白名单中。

此外,据说 Cloudflare 的所有 IP 段都不在白名单中(不过可以确定的是,此前就有非常多 IP 在黑名单里了,笑),经过测试目前已发现 2 个 IP 段可以访问,可以修改 Hosts 文件或重写 DNS 至这两个 IP 段中的任意 IP,以访问托管在 Cloudflare 上的网站。

3、解决方法

针对网站被阻断,解决方法是使用 DNSPod 分区解析,详细指南参考:

服务器集群(七)DNSPod专业版分区解析
https://blog.tsinbei.com/archives/667/

按照官方文档添加自定义解析线路,线路内容填入泉州全段 IP(更新时间 2023/06/08):

 

Text

1
 
27.148.169.0-27.148.169.255;27.148.221.0-27.148.221.255;27.148.227.0-27.148.227.255;27.148.237.0-27.148.237.255;27.148.244.0-27.148.244.255;27.151.128.0-27.152.63.255;27.152.180.0-27.153.127.255;36.192.178.0-36.192.179.255;36.192.182.0-36.192.182.255;36.248.8.0-36.248.8.255;36.249.0.0-36.249.127.255;36.250.80.0-36.250.95.255;36.250.227.0-36.250.227.255;36.250.229.0-36.250.229.255;36.250.240.0-36.250.255.255;36.251.128.0-36.251.191.255;36.251.224.0-36.251.247.255;43.236.160.0-43.236.163.255;58.23.64.0-58.23.95.255;58.23.144.0-58.23.159.255;58.23.192.0-58.23.223.255;59.56.192.0-59.57.127.255;59.60.14.0-59.60.63.255;59.61.192.0-59.61.255.255;59.77.168.0-59.77.171.255;59.79.194.0-59.79.194.255;61.131.46.0-61.131.63.255;61.131.104.0-61.131.115.255;61.154.92.0-61.154.127.255;61.154.166.0-61.154.175.255;61.232.90.0-61.232.90.255;61.232.97.0-61.232.98.255;61.234.214.0-61.234.218.255;103.32.160.0-103.32.163.255;103.66.40.0-103.66.43.255;103.240.84.0-103.240.87.255;106.122.8.0-106.122.11.255;110.81.0.0-110.81.255.255;110.84.64.0-110.84.127.255;110.85.0.0-110.85.31.255;110.88.157.0-110.88.157.255;110.88.168.0-110.88.223.255;110.89.160.0-110.89.191.255;110.124.184.0-110.124.191.255;111.128.112.0-111.128.127.255;111.128.148.0-111.128.151.255;111.142.48.0-111.142.71.255;111.142.80.0-111.142.95.255;111.142.160.0-111.142.167.255;111.142.184.0-111.142.255.255;111.143.78.0-111.143.79.255;111.143.128.0-111.143.159.255;111.144.28.0-111.144.31.255;111.144.128.0-111.144.167.255;111.144.212.0-111.144.215.255;111.145.48.0-111.145.59.255;111.145.80.0-111.145.127.255;111.145.160.0-111.145.183.255;111.145.192.0-111.145.195.255;111.146.64.0-111.146.127.255;111.147.52.0-111.147.56.255;111.147.58.0-111.147.61.255;111.147.96.0-111.147.111.255;111.147.224.0-111.147.231.255;112.5.16.0-112.5.63.255;112.47.0.0-112.47.255.255;112.109.192.0-112.109.223.255;117.24.0.0-117.24.255.255;117.26.0.0-117.26.63.255;117.28.0.0-117.28.63.255;117.28.240.0-117.28.247.255;117.136.11.0-117.136.11.255;120.33.0.0-120.33.191.255;120.37.0.0-120.37.191.255;120.39.253.0-120.39.253.255;120.42.128.0-120.42.255.255;120.43.160.0-120.43.255.255;121.205.0.0-121.205.127.255;121.207.0.0-121.207.127.255;122.90.22.0-122.90.22.255;122.91.16.0-122.91.43.255;122.91.48.0-122.91.111.255;122.91.120.0-122.91.127.255;123.82.192.0-123.82.192.255;123.82.197.0-123.82.199.255;123.82.214.0-123.82.215.255;123.82.240.0-123.82.240.255;124.72.96.0-124.72.207.255;125.77.128.0-125.77.177.255;125.78.0.0-125.78.191.255;140.224.0.0-140.224.63.255;140.243.34.0-140.243.34.255;140.243.38.0-140.243.38.255;140.243.104.0-140.243.104.255;140.243.106.0-140.243.107.255;140.243.116.0-140.243.116.255;140.243.170.0-140.243.170.255;140.243.173.0-140.243.173.255;140.243.186.0-140.243.186.255;140.243.228.0-140.243.228.255;175.43.0.0-175.43.191.255;183.250.32.0-183.250.39.255;183.250.128.0-183.250.135.255;183.250.216.0-183.250.255.255;183.251.60.0-183.251.60.255;183.251.63.0-183.251.63.255;183.252.8.0-183.252.11.255;183.253.128.0-183.253.159.255;202.101.107.0-202.101.109.255;202.101.122.0-202.101.123.255;202.101.144.0-202.101.147.255;202.109.208.0-202.109.213.255;210.13.216.0-210.13.219.255;210.15.26.0-210.15.26.255;210.15.63.0-210.15.63.255;210.34.120.0-210.34.127.255;210.34.240.0-210.34.255.255;211.80.248.0-211.80.255.255;211.97.143.0-211.97.143.255;211.138.142.0-211.138.142.255;211.138.157.0-211.138.157.255;211.143.164.0-211.143.164.255;211.143.166.0-211.143.169.255;211.143.190.0-211.143.190.255;211.143.200.0-211.143.203.255;211.143.209.0-211.143.210.255;211.165.133.0-211.165.133.255;218.5.100.0-218.5.179.255;218.6.80.0-218.6.89.255;218.66.158.0-218.66.221.255;218.85.158.0-218.85.241.255;218.104.240.0-218.104.255.255;218.105.16.0-218.105.31.255;218.105.34.0-218.105.71.255;218.105.74.0-218.105.127.255;218.105.129.0-218.105.253.255;218.105.255.0-218.105.255.255;218.193.80.0-218.193.95.255;218.207.127.0-218.207.129.255;218.207.131.0-218.207.131.255;218.207.148.0-218.207.149.255;218.207.160.0-218.207.167.255;218.207.184.0-218.207.187.255;218.207.198.0-218.207.199.255;219.220.112.0-219.220.127.255;219.229.64.0-219.229.79.255;220.162.0.0-220.162.99.255;222.47.34.0-222.47.34.255;222.47.53.0-222.47.53.255;222.47.81.0-222.47.81.255;222.47.83.0-222.47.83.255;222.47.85.0-222.47.89.255;222.47.92.0-222.47.95.255;222.77.0.0-222.77.127.255;222.79.128.0-222.79.255.255;223.104.45.0-223.104.45.255

 

保存,如果使用 CNAME 方式自选 IP 接入 Cloudflare,可解析至如下 IP 段:

 

Text

1
2
 
1.0.0.0/24
1.1.1.1/24

 

注意:

1.1.1.1 由于很多地方的设备将其作为内网 IP,因此 Traceroute 可能会发现发送的包在途中莫名其妙的地方失踪,而目前来看私自使用1.0.0.01.0.0.1的设备较少,但是全国也存在无法连通的情况,根据测试泉州可以访问这两个 IP,因此推荐使用1.0.0.0/24

探讨福建泉州白名单网络原理及应对方法

https://blog.tsinbei.com/archives/1293/

文章作者

Hsukqi Lee

发布于

2023-06-09

修改于

2023-06-22

许可协议

CC BY-NC-ND 4.0