Hacking Creating a custom DNS server for Nintendo Switch

[szymon170]

Since you can specify the DNS server in your internet connection settings, would a DNS server that redirects facebook.com/twitter.com to a custom IP address work on the Switch? Im asking this because currently only WifiWebAuthApplet supports video playback, but it has a whitelist. Will it work if I would redirect facebook.com to youtube.com? Or is there some kind of a security layer that prevents this (for example, another DNS server)? If that won't work, could I just host a website myself that has all the videos I need?

 

[reds]

It *would*, and theoretically you can do a redir from *.facebook.com to *, i.e. youtube.com.facebook.com would redir to youtube.com. Though I can't check if it would work as I'm on 2.3.0.

 

[Deleted-442439]

Since you can specify the DNS server in your internet connection settings, would a DNS server that redirects facebook.com/twitter.com to a custom IP address work on the Switch? Im asking this because currently only WifiWebAuthApplet supports video playback, but it has a whitelist. Will it work if I would redirect facebook.com to youtube.com? Or is there some kind of a security layer that prevents this (for example, another DNS server)? If that won't work, could I just host a website myself that has all the videos I need?

The answer is no. The social login web applet has a whitelist of pages that are supported (most sites on twitter, facebook and google domains) thus you can't use pages outside those domains. Youtube is not in the whitelist.

The reason we can use DNS on the web login applet is because it obviously can't have a predefined whitelist.

 

[Mnecraft368]

The reason we can use DNS on the web login applet is because it obviously can't have a predefined whitelist.

Im suprised Nintendo didnt put a blacklist in though.
The popular switchbru DNS could be taken down by blacklisting http://switch.cloud.vgmoose.com (the site that switchbru DNS takes you to)

 

[Uumas]

Im suprised Nintendo didnt put a blacklist in though.
The popular switchbru DNS could be taken down by blacklisting http://switch.cloud.vgmoose.com (the site that switchbru DNS takes you to)

But its domain could be changed so it would just be cat and mouse and they can only blacklist new domains every new firmware, so...

 

[Deleted-442439]

Im suprised Nintendo didnt put a blacklist in though.
The popular switchbru DNS could be taken down by blacklisting http://switch.cloud.vgmoose.com (the site that switchbru DNS takes you to)

As @Uumas pointed out, it would be easy to bypass a blacklist, and it could cause other usability issues too if they stop certain domains from loading as it could break real login sites, that use 3rd party tools to function. I doubt they would want to risk that. If it created more problems that solutions Nintendo will not touch it.

 

[Deleted-442439]

As @Uumas pointed out, it would be easy to bypass a blacklist, and it could cause other usability issues too if they stop certain domains from loading as it could break real login sites, that use 3rd party tools to function. I doubt they would want to risk that. If it created more problems that solutions Nintendo will not touch it.

What you could however do is:

Have a DNS server redirect a webpage to another website, but maintain the original whitelisted URL.

So it would work like this:

Browser asks the DNS server for the IP of the server for www.facebook.com

DNS server goes to Youtube.com, retrieves the HTML of Youtube and sends it to the browser saying "This is from Facebook.com". That could bypass the whitelist.

 

[softwareengineer]

@OP I created something that could likely be used for this kind of purpose. Find "YourFriendlyDNS" release thread in this hacking and homebrew section!

@jjbredesen A dns server just returns IPs for domains though so it can't return the html... I think your idea has to have a webserver in the middle of there (or does it?).

Where it might be more something like this:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns the IP of a local special webserver you are running (ex. you're running it on port 80 of ip 10.0.0.5 on your local network, same the switch is connected to)
3. The special webserver retrieves the html and content of the website you actually want and returns it AS IF it's actually located there (at the local webserver at 10.0.0.5 in this example)
4. When you navigate to other pages from that page, that special webserver also retreives that html and content and returns it as well, so it can keep going)

It should also insert html for a url field at the top of every 'proxied' page it shows you in case you want to go somewhere else and properly handle getting that html and content as well and inserting the url field again.


Or can it just be more simply:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns IP of youtube instead

Ideas are flowing here people! How can we do this in a way that's awesome? Let's figure this out

To test this with YourFriendlyDNS instead of just doing a regular whitelist or blacklist add, add the domain that's allowed to be visited with a custom mapped IP (this is where that IP field comes in) of the domain you actually want to go to... (For example: Hostname to add to list: facebook (include the actual accepted domain or with wildcards on both sides like *facebook* [I can't post urls/links yet]) IP: (Leave blank unless mapping custom IPs) -> THE IP of for example youtube or the place you actually want to go)

If that doesn't work, then remove that entry and do the same except instead of custom mapping the IP of youtube to facebook instead use the IP of your special local webserver that has been developed to get the html and content you want and return it

The first one seems like it might not work, the second option has some major potential I think! But does a webserver that does that already exist or does it have to be developed?

 

[Deleted-442439]

@OP I created something that could likely be used for this kind of purpose. Find "YourFriendlyDNS" release thread in this hacking and homebrew section!

@jjbredesen A dns server just returns IPs for domains though so it can't return the html... I think your idea has to have a webserver in the middle of there (or does it?).

Where it might be more something like this:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns the IP of a local special webserver you are running (ex. you're running it on port 80 of ip 10.0.0.5 on your local network, same the switch is connected to)
3. The special webserver retrieves the html and content of the website you actually want and returns it AS IF it's actually located there (at the local webserver at 10.0.0.5 in this example)
4. When you navigate to other pages from that page, that special webserver also retreives that html and content and returns it as well, so it can keep going)

It should also insert html for a url field at the top of every 'proxied' page it shows you in case you want to go somewhere else and properly handle getting that html and content as well and inserting the url field again.


Or can it just be more simply:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns IP of youtube instead

Ideas are flowing here people! How can we do this in a way that's awesome? Let's figure this out

To test this with YourFriendlyDNS instead of just doing a regular whitelist or blacklist add, add the domain that's allowed to be visited with a custom mapped IP (this is where that IP field comes in) of the domain you actually want to go to... (For example: Hostname to add to list: facebook (include the actual accepted domain or with wildcards on both sides like *facebook* [I can't post urls/links yet]) IP: (Leave blank unless mapping custom IPs) -> THE IP of for example youtube or the place you actually want to go)

If that doesn't work, then remove that entry and do the same except instead of custom mapping the IP of youtube to facebook instead use the IP of your special local webserver that has been developed to get the html and content you want and return it

The first one seems like it might not work, the second option has some major potential I think! But does a webserver that does that already exist or does it have to be developed?

You have a point! I am interested in trying to get a setup like that working, to check out webkit applets with higher privileges than the ones in Horizon. Rocket League has a applet with a whitelist restricted to the rocket league website and psyonix website, but it can play video / audio and seems to have more memory allocation than the others. Since it is running in a signed game I am certain it is a good place to poke around in (don't exactly think psyonix update that applet with security patches like Nintendo)

 

[TheyKilledKenny]

@OP
Where it might be more something like this:
1. Browser asks YourFriendlyDNS server for the ip of facebook
2. DNS server returns the IP of a local special webserver you are running (ex. you're running it on port 80 of ip 10.0.0.5 on your local network, same the switch is connected to)
3. The special webserver retrieves the html and content of the website you actually want and returns it AS IF it's actually located there (at the local webserver at 10.0.0.5 in this example)
(...)
The first one seems like it might not work, the second option has some major potential I think! But does a webserver that does that already exist or does it have to be developed?

The "Special Server" functionality can be achieved with nginx, is a Web, reverse proxy and redirect etc. Check nginx dot org.
On the Web there are a lot of info about different configurations in nginx.conf text file (check google), it is very good in redirecting traffic and flows, renaming, removing and modifyng the headers if you need.
If I can found some minutes this weekend I'll give it a try, but sorry I don't have a so high hope in finding time.

Sorry for bad English.

Bye.

 

[TheyKilledKenny]

If I can found some minutes this weekend I'll give it a try, but sorry I don't have a so high hope in finding time.

I have found a little time to test something, but I understande I need the base Knowledge about how to let switch pop up the auth applet.
I need more time to read something.
Used YourFriendlyDNS Windows x64 precompiled version on my laptop.
On the same laptop nginx listening http 80 and 443 with a fixed redirect to youtube.
the whole thing works as expected BUT I have 2 issues:
1 - I do not know how to ask for the auth that let you load something on switch
2- maybe problem with ssl certificate in case of youtube redirect, no certificate issues on plain html.
but the network traffic is correctly redirected with dns to my laptop and nginx proxy the request to youtube site, with correct return.
Obviously If I ask for facebook site and the answer is an ssl certificate of youtube, the browser is not so happy, but if I ask for google site the youtube certificate is ok.
If I find some more time I'll going to read how to let switch ask for authentication for internet connection, because is an argument that I never had to work with.
If someone can give me the right hint, save me more time for test.

Bye.

 

[Deleted-442439]

I have found a little time to test something, but I understande I need the base Knowledge about how to let switch pop up the auth applet.
I need more time to read something.
Used YourFriendlyDNS Windows x64 precompiled version on my laptop.
On the same laptop nginx listening http 80 and 443 with a fixed redirect to youtube.
the whole thing works as expected BUT I have 2 issues:
1 - I do not know how to ask for the auth that let you load something on switch
2- maybe problem with ssl certificate in case of youtube redirect, no certificate issues on plain html.
but the network traffic is correctly redirected with dns to my laptop and nginx proxy the request to youtube site, with correct return.
Obviously If I ask for facebook site and the answer is an ssl certificate of youtube, the browser is not so happy, but if I ask for google site the youtube certificate is ok.
If I find some more time I'll going to read how to let switch ask for authentication for internet connection, because is an argument that I never had to work with.
If someone can give me the right hint, save me more time for test.

Bye.

You don't want the WifiWebAuthApplet, video playback is blocked. You need to use the LoginApplet , it is the only one that supports video. (Go to user settings and link a social media account to call it) that applet also accepts google certificates.

@vgmoose , @Ep8Script and @pwsincd know this stuff better than me, I am sure they can give you some more info, and hopefully we can get this working in SwitchbruDNS?

 

[softwareengineer]

I have found a little time to test something, but I understande I need the base Knowledge about how to let switch pop up the auth applet.
I need more time to read something.
Used YourFriendlyDNS Windows x64 precompiled version on my laptop.
On the same laptop nginx listening http 80 and 443 with a fixed redirect to youtube.
the whole thing works as expected BUT I have 2 issues:
1 - I do not know how to ask for the auth that let you load something on switch
2- maybe problem with ssl certificate in case of youtube redirect, no certificate issues on plain html.
but the network traffic is correctly redirected with dns to my laptop and nginx proxy the request to youtube site, with correct return.
Obviously If I ask for facebook site and the answer is an ssl certificate of youtube, the browser is not so happy, but if I ask for google site the youtube certificate is ok.
If I find some more time I'll going to read how to let switch ask for authentication for internet connection, because is an argument that I never had to work with.
If someone can give me the right hint, save me more time for test.

Bye.

Ok I've just released a new version! version 1.1.2 It includes it's own built in http server now, and it's supposed to be an out of the box captive portal capturer with the default setup. This isn't with the webauth applet though (at least I think it's not). It's with the connection test. Thanks for the nginx tips but its a bit overkill here, they haven't forced us to go that far yet.

Here's a theoretical test for how it can work in the 1.1.2 version of YourFriendlyDNS:
1. Have it running and working and on the same network as the switch and note it's IP, and make sure autoinject is enabled in the settings, and 'Capture captive portals' in settings if you need to add them. (those things should be done automatically by default but alas
2. Use that local server IP for the switches dns, making sure that it's nintendo captive portal links are blacklisted or not whitelisted.
3. When the connection test fails you'll be taken to the 'captive portal' which will be a landing page that you customize called 'index'html' in the settings! (I think you can embed or load javascript and other things, one page is powerful you can do a lot with one page! My simple http server just gives you one page!