How do I surf the Internet

You guys know what I mean.

Quite a few friends of mine have asked me about this sort of thing. After a few days of study I realized that it is not a trivial question, so I am sharing some of the techniques I use. But first of all, I’d like to make it clear that the intranet works the way it works for quite a good reason, and I don’t mean to break any kind of limitation; I just want a perfectly working Internet. A basic understanding of the modern Internet is also required.

The first thing we need to deal with is DNS. Sometimes it does not work properly and returns false addresses. The reason is that DNS uses UDP by default, and UDP is connectionless: there is no handshake, so anyone who can see a query can inject a forged reply that arrives before (or instead of) the real one, and the resolver has no way to tell the two apart. Two kinds of solutions are therefore possible. One is to use TCP instead of UDP, since a forged TCP reply would have to match the sequence numbers of a live connection (this stops injection, but a box that sits in the path can still drop or reset the connection). The other is to relay the DNS packets through an encrypted tunnel across the unreliable network.

To use TCP instead of UDP, the simplest way is to run pdnsd with “query_method=tcp_only” in its global section, and to point it at a reliable upstream server such as Google’s public DNS. Note that this makes resolution noticeably slower, because every uncached lookup pays for a TCP handshake before the query is even sent (pdnsd’s cache hides this for names that are asked for repeatedly). To deal with that, dnsmasq can sit in front and forward to pdnsd only the names that are prone to pollution. To implement this, add “server” options to dnsmasq such as “server=/www.google.com/::1#5353”, assuming pdnsd is listening on IPv6 localhost port 5353; such a line also covers every subdomain of the name, and multiple “server” options are accepted.

To relay DNS packets reliably through the unreliable network, encryption is involved. A common way is to use shadowsocks. The libev version contains an ss-tunnel module, which is pretty handy: it accepts plain UDP DNS on a local port and carries it, encrypted, to the shadowsocks server, which hands it on to the real resolver, and it supports IPv6 relaying. If encryption is not a must, 6in4 tunneling and relaying on an uncommon port are also potential solutions, though they only move the traffic out of the interfered path and do nothing against forged replies once that path is found.
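Putting the two DNS approaches together, here is an added example (my own, not the author’s configuration) in the form of a small POSIX shell script that generates the pieces: a pdnsd.conf with “query_method=tcp_only” listening on [::1]:5353, a dnsmasq fragment that forwards only the domains listed in a file to a chosen upstream and port, and a helper that starts ss-tunnel as an encrypted UDP relay for DNS. The campus resolver address, the shadowsocks server, its password, the cipher and all ports are hypothetical placeholders; the domain list file is something you maintain yourself.

```shell
#!/bin/sh
# Added example, not the author's configuration. Generates the three pieces of a
# split DNS setup: a TCP-only pdnsd, a dnsmasq fragment that forwards only the
# domains listed in a file, and an ss-tunnel command that relays UDP DNS through
# the encrypted shadowsocks connection. Every address, port, cipher and password
# below is a hypothetical placeholder.
set -eu

# pdnsd.conf: listen on [::1]:PORT, query Google public DNS over TCP only.
gen_pdnsd_conf() {
  port=$1
  cat <<EOF
global {
    perm_cache=2048;
    cache_dir="/var/cache/pdnsd";
    server_ip=::1;
    server_port=$port;
    query_method=tcp_only;
    min_ttl=15m;
    max_ttl=1w;
}
server {
    label="google";
    ip=8.8.8.8,8.8.4.4;
    timeout=4;
    uptest=none;
}
EOF
}

# dnsmasq fragment: send every name to CAMPUS by default, except the domains in
# LISTFILE (one per line, '#' comments allowed), which go to UPSTREAM on PORT.
# A "server=/domain/" line also covers all subdomains of that domain.
gen_dnsmasq_conf() {
  campus=$1; listfile=$2; upstream=$3; port=$4
  echo "no-resolv"
  echo "server=$campus"
  while IFS= read -r domain; do
    case $domain in ''|'#'*) continue ;; esac
    printf 'server=/%s/%s#%s\n' "$domain" "$upstream" "$port"
  done < "$listfile"
}

# ss-tunnel: accept plain UDP DNS on 127.0.0.1:LOCALPORT and deliver it to
# 8.8.8.8:53 through the shadowsocks server; -u turns on UDP relay.
# aes-256-gcm is an AEAD cipher (needs shadowsocks-libev 3.0 or later).
start_dns_tunnel() {
  localport=$1; server=$2; serverport=$3; password=$4
  ss-tunnel -s "$server" -p "$serverport" -k "$password" -m aes-256-gcm \
    -b 127.0.0.1 -l "$localport" -L 8.8.8.8:53 -u
}

# Usage (paths are examples):
#   sh dns-split.sh pdnsd 5353 > /etc/pdnsd.conf
#   sh dns-split.sh dnsmasq 10.0.0.1 polluted.txt ::1 5353 > /etc/dnsmasq.d/split.conf
#   sh dns-split.sh tunnel 5354 vps.example.net 8388 'secret'
case "${1:-}" in
  pdnsd)   gen_pdnsd_conf "${2:-5353}" ;;
  dnsmasq) gen_dnsmasq_conf "$2" "$3" "$4" "$5" ;;
  tunnel)  start_dns_tunnel "$2" "$3" "$4" "$5" ;;
esac
```

The same dnsmasq generator serves both variants: point the listed domains at ::1#5353 to resolve them over TCP via pdnsd, or at 127.0.0.1#5354 to send them through the ss-tunnel relay; names not in the list keep going to the campus resolver at full speed.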

Sometimes the “hosts” file is considered a solution to DNS problems, but I don’t agree. A hosts file can only provide a very small subset of DNS’s functions: static name-to-address mappings maintained by hand, with no TTLs, no CNAME or other record types, and no way to follow a service whose addresses change.

Suppose now we have a working DNS. Next we need to be able to reach the other part of the Internet, usually through a reliable intermediary; such an application is commonly called a “proxy”. Common types include HTTP and SOCKS. An HTTP proxy works mainly at layer 7 of the OSI model: it has to understand HTTP, so it is somewhat slow and limited to HTTP (other protocols only pass through it via CONNECT). A SOCKS proxy works at layer 5 and simply forwards connections without caring about the application protocol, which makes it faster and much more flexible (SOCKS5 can also relay UDP).

Goagent and its variant wallproxy are two open-source projects implementing an HTTP proxy on Google App Engine. Each of them contains a server end and a client end, and the server end needs to be uploaded to GAE; they both provide uploaders. Last time I checked, wallproxy offered public accounts, which means personal GAE account registration is not required, and they could share one server end program. That was early 2014, when they were still hosted on Google Code, and I have no idea what has happened since then.

Shadowsocks is another powerful proxy tool. It implements a local SOCKS5 server, which forwards the traffic, encrypted, to its server. It has quite a number of versions, of both the server end and the local end. I prefer the libev version, for its better performance and lower resource consumption. What’s more important, it provides an “ss-redir” module, allowing transparent redirection of both IPv4 and IPv6 traffic: the firewall rewrites the destination of outgoing connections to ss-redir’s local port, so applications need no proxy settings at all. That is my favorite. I am now forwarding most IPv4 traffic with shadowsocks through IPv6 to my VPS, avoiding the IPv4 charges of the university (IPv6 is free :) ). However, my VPS has to deal with double the traffic, incoming and outgoing.
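As an added example (not the author’s rules), here is the iptables side of that transparent redirection, written as a POSIX shell script that prints the rules so they can be reviewed before being piped to sh as root. It assumes ss-redir is listening on local port 1080 and uses 203.0.113.10 (a documentation address) as the shadowsocks server’s IPv4 address; when the server is only reached over IPv6, as in the setup above, the IPv4 exclusion can be left empty. Only TCP is redirected here; UDP through ss-redir needs TPROXY rules in the mangle table, which are not shown.

```shell
#!/bin/sh
# Added example, not the author's rules. Prints the iptables/ip6tables commands
# that divert outgoing TCP connections into ss-redir. Review the output, then
# run it as root:  sh ss-redir-rules.sh 4 1080 203.0.113.10 | sh
# The port (1080) and server address (203.0.113.10) are hypothetical placeholders.
set -eu

# $1 = iptables binary, $2 = ss-redir local port, $3 = shadowsocks server address
# (empty if it is reached over the other IP family), remaining args = destination
# ranges that must never enter the tunnel.
gen_chain() {
  bin=$1; port=$2; server=$3; shift 3
  echo "$bin -t nat -N SS_REDIR"
  # The proxy's own connection to its server must not be looped back into it.
  if [ -n "$server" ]; then
    echo "$bin -t nat -A SS_REDIR -d $server -j RETURN"
  fi
  # Loopback, LAN, link-local and multicast destinations stay direct.
  for net in "$@"; do
    echo "$bin -t nat -A SS_REDIR -d $net -j RETURN"
  done
  # Everything else: rewrite the destination to ss-redir's port on this host.
  # ss-redir recovers the real destination with SO_ORIGINAL_DST.
  echo "$bin -t nat -A SS_REDIR -p tcp -j REDIRECT --to-ports $port"
  # PREROUTING catches traffic routed through this box (when it is a router),
  # OUTPUT catches the box's own connections.
  echo "$bin -t nat -A PREROUTING -p tcp -j SS_REDIR"
  echo "$bin -t nat -A OUTPUT -p tcp -j SS_REDIR"
}

gen_redir_rules4() {
  gen_chain iptables "$1" "${2:-}" \
    0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
}

gen_redir_rules6() {
  gen_chain ip6tables "$1" "${2:-}" ::1/128 fc00::/7 fe80::/10 ff00::/8
}

case "${1:-}" in
  4) gen_redir_rules4 "$2" "${3:-}" ;;
  6) gen_redir_rules6 "$2" "${3:-}" ;;
esac
```

Two things to check before applying: the RETURN for the server address is what keeps ss-redir from redirecting its own outgoing connection into itself (forgetting it produces a loop), and if the box is also redirecting other machines’ traffic through PREROUTING, ss-redir has to listen on an address those machines can reach (0.0.0.0 or the LAN address), not only on 127.0.0.1.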

Last but not least, Tor, the onion router. It provides anonymity through its relays all over the world. I believe that in the era of the Internet nobody has privacy, but still, maintaining a certain level of anonymity is something we want. However, I don’t use it myself, because it doesn’t provide reliable IPv6 connectivity and IPv4 costs a lot of money. I may enable it when I finish college.

Oh, VPN has not been mentioned yet. The reason is that although it is called a virtual private network, most of them are not private at all. VPN is about encapsulation first and encryption second, and the privacy you get is only as good as the cipher and authentication of the particular protocol. Common VPN protocols such as PPTP are old and no longer maintained; PPTP in particular is known to be broken (its MS-CHAPv2 handshake can be cracked offline), so it should be treated as plaintext. However, there is an open-source project, OpenVPN, implementing a much more strongly encrypted VPN (TLS for the key exchange, then a symmetric cipher from OpenSSL for the data). I’ve tried it once; it worked well, but I found it not as convenient as shadowsocks, and since the management is complicated, I gave it up. VPN is black magic. I’ve been using tinc on major network nodes such as servers and routers, forming a full-mesh private network. OpenVPN on UDP port 53 is used on mobile devices to get through firewalls that let nothing but DNS out. Now it works like a charm. I also read about another extremely powerful VPN package called SoftEther, but I haven’t had time to explore its beauty. A VPN implements a reliable network at layer 3 (or even layer 2, in tap mode) instead of layer 4, which is more complicated but also more powerful.

So basically, with reliable DNS and stable TCP connections, the Internet will work fine. Actually, HTTP and HTTPS connections alone are enough for most applications. In general, by manipulating the way the network works, the Internet will reveal itself step by step. Happy internetworking :)