Hacking Creating a custom DNS server for Nintendo Switch

szymon170

szymon170

Pr0FessiuNal HelPeR wiTh HaxXX
OP
Member
Level 4
Joined
Jan 2, 2016
Messages
381
Trophies
0
Age
29
Location
Where I live
XP
537
Country
Poland
Since you can specify the DNS server in your internet connection settings, would a DNS server that redirects facebook.com/twitter.com to a custom IP address work on the Switch? Im asking this because currently only WifiWebAuthApplet supports video playback, but it has a whitelist. Will it work if I would redirect facebook.com to youtube.com? Or is there some kind of a security layer that prevents this (for example, another DNS server)? If that won't work, could I just host a website myself that has all the videos I need?
 
reds

reds

Member
Newcomer
Level 1
Joined
Jan 4, 2018
Messages
17
Trophies
0
Age
22
Website
sakamoto.pl
XP
63
Country
Poland
It *would*, and theoretically you can do a redir from *.facebook.com to *, i.e. youtube.com.facebook.com would redir to youtube.com. Though I can't check if it would work as I'm on 2.3.0.
 
D

Deleted-442439

Guest
szymon170 said:
Since you can specify the DNS server in your internet connection settings, would a DNS server that redirects facebook.com/twitter.com to a custom IP address work on the Switch? Im asking this because currently only WifiWebAuthApplet supports video playback, but it has a whitelist. Will it work if I would redirect facebook.com to youtube.com? Or is there some kind of a security layer that prevents this (for example, another DNS server)? If that won't work, could I just host a website myself that has all the videos I need?
Click to expand...

The answer is no. The social login web applet has a whitelist of pages that are supported (most sites on twitter, facebook and google domains) thus you can't use pages outside those domains. Youtube is not in the whitelist.

The reason we can use DNS on the web login applet is because it obviously can't have a predefined whitelist.
 
D

Deleted-442439

Guest
Mnecraft368 said:
Im suprised Nintendo didnt put a blacklist in though.
The popular switchbru DNS could be taken down by blacklisting http://switch.cloud.vgmoose.com (the site that switchbru DNS takes you to)
Click to expand...

As @Uumas pointed out, it would be easy to bypass a blacklist, and it could cause other usability issues too if they stop certain domains from loading as it could break real login sites, that use 3rd party tools to function. I doubt they would want to risk that. If it created more problems that solutions Nintendo will not touch it.
 
D

Deleted-442439

Guest
jjbredesen said:
As @Uumas pointed out, it would be easy to bypass a blacklist, and it could cause other usability issues too if they stop certain domains from loading as it could break real login sites, that use 3rd party tools to function. I doubt they would want to risk that. If it created more problems that solutions Nintendo will not touch it.
Click to expand...

What you could however do is:

Have a DNS server redirect a webpage to another website, but maintain the original whitelisted URL.

So it would work like this:

Browser asks the DNS server for the IP of the server for www.facebook.com

DNS server goes to Youtube.com, retrieves the HTML of Youtube and sends it to the browser saying "This is from Facebook.com". That could bypass the whitelist.
 
softwareengineer

softwareengineer

Well-Known Member
Newcomer
Level 2
Joined
Apr 17, 2018
Messages
75
Trophies
0
Age
39
XP
217
Country
United States
@OP I created something that could likely be used for this kind of purpose. Find "YourFriendlyDNS" release thread in this hacking and homebrew section!

@jjbredesen A dns server just returns IPs for domains though so it can't return the html... I think your idea has to have a webserver in the middle of there (or does it?).

Where it might be more something like this:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns the IP of a local special webserver you are running (ex. you're running it on port 80 of ip 10.0.0.5 on your local network, same the switch is connected to)
3. The special webserver retrieves the html and content of the website you actually want and returns it AS IF it's actually located there (at the local webserver at 10.0.0.5 in this example)
4. When you navigate to other pages from that page, that special webserver also retreives that html and content and returns it as well, so it can keep going)

It should also insert html for a url field at the top of every 'proxied' page it shows you in case you want to go somewhere else and properly handle getting that html and content as well and inserting the url field again.


Or can it just be more simply:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns IP of youtube instead

Ideas are flowing here people! How can we do this in a way that's awesome? Let's figure this out :)

To test this with YourFriendlyDNS instead of just doing a regular whitelist or blacklist add, add the domain that's allowed to be visited with a custom mapped IP (this is where that IP field comes in) of the domain you actually want to go to... (For example: Hostname to add to list: facebook (include the actual accepted domain or with wildcards on both sides like *facebook* [I can't post urls/links yet]) IP: (Leave blank unless mapping custom IPs) -> THE IP of for example youtube or the place you actually want to go)

If that doesn't work, then remove that entry and do the same except instead of custom mapping the IP of youtube to facebook instead use the IP of your special local webserver that has been developed to get the html and content you want and return it

The first one seems like it might not work, the second option has some major potential I think! But does a webserver that does that already exist or does it have to be developed?
 
D

Deleted-442439

Guest
softwareengineer said:
@OP I created something that could likely be used for this kind of purpose. Find "YourFriendlyDNS" release thread in this hacking and homebrew section!

@jjbredesen A dns server just returns IPs for domains though so it can't return the html... I think your idea has to have a webserver in the middle of there (or does it?).

Where it might be more something like this:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns the IP of a local special webserver you are running (ex. you're running it on port 80 of ip 10.0.0.5 on your local network, same the switch is connected to)
3. The special webserver retrieves the html and content of the website you actually want and returns it AS IF it's actually located there (at the local webserver at 10.0.0.5 in this example)
4. When you navigate to other pages from that page, that special webserver also retreives that html and content and returns it as well, so it can keep going)

It should also insert html for a url field at the top of every 'proxied' page it shows you in case you want to go somewhere else and properly handle getting that html and content as well and inserting the url field again.


Or can it just be more simply:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns IP of youtube instead

Ideas are flowing here people! How can we do this in a way that's awesome? Let's figure this out :)

To test this with YourFriendlyDNS instead of just doing a regular whitelist or blacklist add, add the domain that's allowed to be visited with a custom mapped IP (this is where that IP field comes in) of the domain you actually want to go to... (For example: Hostname to add to list: facebook (include the actual accepted domain or with wildcards on both sides like *facebook* [I can't post urls/links yet]) IP: (Leave blank unless mapping custom IPs) -> THE IP of for example youtube or the place you actually want to go)

If that doesn't work, then remove that entry and do the same except instead of custom mapping the IP of youtube to facebook instead use the IP of your special local webserver that has been developed to get the html and content you want and return it

The first one seems like it might not work, the second option has some major potential I think! But does a webserver that does that already exist or does it have to be developed?
Click to expand...

You have a point! I am interested in trying to get a setup like that working, to check out webkit applets with higher privileges than the ones in Horizon. Rocket League has a applet with a whitelist restricted to the rocket league website and psyonix website, but it can play video / audio and seems to have more memory allocation than the others. Since it is running in a signed game I am certain it is a good place to poke around in (don't exactly think psyonix update that applet with security patches like Nintendo)
 
TheyKilledKenny

TheyKilledKenny

Well-Known Member
Member
Level 6
Joined
Dec 5, 2015
Messages
115
Trophies
0
XP
814
Country
Italy
softwareengineer said:
@OP
Where it might be more something like this:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns the IP of a local special webserver you are running (ex. you're running it on port 80 of ip 10.0.0.5 on your local network, same the switch is connected to)
3. The special webserver retrieves the html and content of the website you actually want and returns it AS IF it's actually located there (at the local webserver at 10.0.0.5 in this example)
(...)
The first one seems like it might not work, the second option has some major potential I think! But does a webserver that does that already exist or does it have to be developed?
Click to expand...
The "Special Server" functionality can be achieved with nginx, is a Web, reverse proxy and redirect etc. Check nginx dot org.
On the Web there are a lot of info about different configurations in nginx.conf text file (check google), it is very good in redirecting traffic and flows, renaming, removing and modifyng the headers if you need.
If I can found some minutes this weekend I'll give it a try, but sorry I don't have a so high hope in finding time.

Sorry for bad English.

Bye.
 
Last edited by TheyKilledKenny,
  • Like
Reactions: Deleted-442439
TheyKilledKenny

TheyKilledKenny

Well-Known Member
Member
Level 6
Joined
Dec 5, 2015
Messages
115
Trophies
0
XP
814
Country
Italy
TheyKilledKenny said:
If I can found some minutes this weekend I'll give it a try, but sorry I don't have a so high hope in finding time.
Click to expand...
I have found a little time to test something, but I understande I need the base Knowledge about how to let switch pop up the auth applet.
I need more time to read something.
Used YourFriendlyDNS Windows x64 precompiled version on my laptop.
On the same laptop nginx listening http 80 and 443 with a fixed redirect to youtube.
the whole thing works as expected BUT I have 2 issues:
1 - I do not know how to ask for the auth that let you load something on switch
2- maybe problem with ssl certificate in case of youtube redirect, no certificate issues on plain html.
but the network traffic is correctly redirected with dns to my laptop and nginx proxy the request to youtube site, with correct return.
Obviously If I ask for facebook site and the answer is an ssl certificate of youtube, the browser is not so happy, but if I ask for google site the youtube certificate is ok.
If I find some more time I'll going to read how to let switch ask for authentication for internet connection, because is an argument that I never had to work with.
If someone can give me the right hint, save me more time for test.

Bye.
 
  • Like
Reactions: softwareengineer and Deleted-442439
D

Deleted-442439

Guest
TheyKilledKenny said:
I have found a little time to test something, but I understande I need the base Knowledge about how to let switch pop up the auth applet.
I need more time to read something.
Used YourFriendlyDNS Windows x64 precompiled version on my laptop.
On the same laptop nginx listening http 80 and 443 with a fixed redirect to youtube.
the whole thing works as expected BUT I have 2 issues:
1 - I do not know how to ask for the auth that let you load something on switch
2- maybe problem with ssl certificate in case of youtube redirect, no certificate issues on plain html.
but the network traffic is correctly redirected with dns to my laptop and nginx proxy the request to youtube site, with correct return.
Obviously If I ask for facebook site and the answer is an ssl certificate of youtube, the browser is not so happy, but if I ask for google site the youtube certificate is ok.
If I find some more time I'll going to read how to let switch ask for authentication for internet connection, because is an argument that I never had to work with.
If someone can give me the right hint, save me more time for test.

Bye.
Click to expand...

You don't want the WifiWebAuthApplet, video playback is blocked. You need to use the LoginApplet , it is the only one that supports video. (Go to user settings and link a social media account to call it) that applet also accepts google certificates.

@vgmoose , @Ep8Script and @pwsincd know this stuff better than me, I am sure they can give you some more info, and hopefully we can get this working in SwitchbruDNS?
 
softwareengineer

softwareengineer

Well-Known Member
Newcomer
Level 2
Joined
Apr 17, 2018
Messages
75
Trophies
0
Age
39
XP
217
Country
United States
TheyKilledKenny said:
I have found a little time to test something, but I understande I need the base Knowledge about how to let switch pop up the auth applet.
I need more time to read something.
Used YourFriendlyDNS Windows x64 precompiled version on my laptop.
On the same laptop nginx listening http 80 and 443 with a fixed redirect to youtube.
the whole thing works as expected BUT I have 2 issues:
1 - I do not know how to ask for the auth that let you load something on switch
2- maybe problem with ssl certificate in case of youtube redirect, no certificate issues on plain html.
but the network traffic is correctly redirected with dns to my laptop and nginx proxy the request to youtube site, with correct return.
Obviously If I ask for facebook site and the answer is an ssl certificate of youtube, the browser is not so happy, but if I ask for google site the youtube certificate is ok.
If I find some more time I'll going to read how to let switch ask for authentication for internet connection, because is an argument that I never had to work with.
If someone can give me the right hint, save me more time for test.

Bye.
Click to expand...

Ok I've just released a new version! version 1.1.2 It includes it's own built in http server now, and it's supposed to be an out of the box captive portal capturer with the default setup. This isn't with the webauth applet though (at least I think it's not). It's with the connection test. Thanks for the nginx tips but its a bit overkill here, they haven't forced us to go that far yet.

Here's a theoretical test for how it can work in the 1.1.2 version of YourFriendlyDNS:
1. Have it running and working and on the same network as the switch and note it's IP, and make sure autoinject is enabled in the settings, and 'Capture captive portals' in settings if you need to add them. (those things should be done automatically by default but alas:)
2. Use that local server IP for the switches dns, making sure that it's nintendo captive portal links are blacklisted or not whitelisted.
3. When the connection test fails you'll be taken to the 'captive portal' which will be a landing page that you customize called 'index'html' in the settings! (I think you can embed or load javascript and other things, one page is powerful you can do a lot with one page! My simple http server just gives you one page!

:D
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Emulation Homebrew  duckstation for Switch

Can you trade in a banned switch for an unbanned one?

Why is Atmosphere so dominant?

Hacking Misc Tutorial  Eiyuden Chronicle Hundred Heroes save editing

Hacking  Weird findings from that DQ trilogy switch port

Migswitch backups without certificate files

Help a noob with if I need to update CFW to 18.0 or not

Emulation Misc  Is a totk memory editor possible? If so why has no one made one yet?

General chit-chat
Help Users
  • Veho @ Veho:
    It's not a Nintendo / iQue official product, it's a 3rd party custom.
     +1
  • Veho @ Veho:
    Nothing special about it other than it's more comfortable than the Lite
    for people with beefy hands.
     +1
  • Jayro @ Jayro:
    I have yaoi anime hands, very lorge but slender.
  • Jayro @ Jayro:
    I'm Slenderman.
  • Veho @ Veho:
    I have hands.
  • Veho @ Veho:
    king-shark-hand.gif
    +1
  • BakerMan @ BakerMan:
    imagine not having hands, cringe
     +1
  • AncientBoi @ AncientBoi:
    ESPECIALLY for things I do to myself :sad:.. :tpi::rofl2: Or others :shy::blush::evil:
     +1
  • The Real Jdbye @ The Real Jdbye:
    @SylverReZ if you could find a v5 DS ML you would have the best of both worlds since the v5 units had the same backlight brightness levels as the DS Lite unlockable with flashme
  • The Real Jdbye @ The Real Jdbye:
    but that's a long shot
  • The Real Jdbye @ The Real Jdbye:
    i think only the red mario kart edition phat was v5
  • BigOnYa @ BigOnYa:
    A woman with no arms and no legs was sitting on a beach. A man comes along and the woman says, "I've never been hugged before." So the man feels bad and hugs her. She says "Well i've also never been kissed before." So he gives her a kiss on the cheek. She says "Well I've also never been fucked before." So the man picks her up, and throws her in the ocean and says "Now you're fucked."
     +2
  • AncientBoi @ AncientBoi:
    :O:ohnoes::lol::rofl::rofl2:
  • BakerMan @ BakerMan:
    lmao
  • BakerMan @ BakerMan:
    anyways, we need to re-normalize physical media

    if i didn't want my games to be permanent, then i'd rent them
     +1
  • BigOnYa @ BigOnYa:
    Agreed, that why I try to buy all my games on disc, Xbox anyways. Switch games (which I pirate tbh) don't matter much, I stay offline 24/7 anyways.
  • AncientBoi @ AncientBoi:
    I don't pirate them, I Use Them :mellow:. Like I do @BigOnYa 's couch :tpi::evil::rofl2:
     +1
  • cearp @ cearp:
    @BakerMan - you can still "own" digital media, arguably easier and better than physical since you can make copies and backups, as much as you like.

    The issue is DRM
  • cearp @ cearp:
    You can buy drm free games / music / ebooks, and if you keep backups of your data (like documents and family photos etc), then you shouldn't lose the game. but with a disk, your toddler could put it in the toaster and there goes your $60

    :rofl2:
  • cearp @ cearp:
    still, I agree physical media is nice to have. just pointing out the issue is drm
  • rqkaiju2 @ rqkaiju2:
    i like physical media because it actually feels like you own it. thats why i plan on burning music to cds
  • cearp @ cearp:
    It's nice to not have to have a lot of physical things though, saves space
     +1
  • AncientBoi @ AncientBoi:
    Nor clothes 🤮 . Saves on time, soap, water and money having to wash them. :D
  • SylverReZ @ SylverReZ:
    @rqkaiju2, Physical media is a great source for archiving your data, none of that cloud storage shiz.
     +1
  • AncientBoi @ AncientBoi:
    [squeezes @SylverReZ onto a physical media, then archives you in my old stuff box] :tpi::rofl2::tpi:
     +1
    AncientBoi @ AncientBoi: [squeezes @SylverReZ onto a physical media, then archives you in my old stuff box]... +1