Hi folks! As I’m sure you know, we don’t have any control over what is blocked by the Great Firewall. However, most of the testing tools out there don’t do a good job of testing “is your Netlify website unloadable in China”, but instead do something like this:
do an outside-of-China DNS lookup of your site. All DNS lookups come from one location, so one answer is received by the tool from “outside the firewall”.
If you have dns configured optimally (see this article for more details on the topic), a DNS lookup for your site will return different IP addresses from different locations, based on their geographic nearness to our various data centers. Immediate problem: a lookup in the US or South America or Australia would basically NEVER match a result from Asia. So, there is that initial confounding factor to this methodology.
Further complicating factor: we have several CDN nodes in most locations, and so even from e.g. Singapore, you could get one of several IP addresses for even lookups performed at the same time, as our DNS intentionally returns first one and then a different IP for the same lookup to help distribute load.
There may be checking tools that do something more sophisticated, but last time I spent (several hours) looking into this for a customer, I could not find one that wasn’t a DNS-based test, and the conclusion we came to was that their site was generally available in China, which was only determinable via testing from within China.
If you have some specific reports from within China of site unreachable, it would be great to know two things to help us debug:
what nslookup your.customdoma.in returns from a computer that experiences the problem AT THE TIME IT EXPERIENCES THE PROBLEM, so we can see if that IP is one of our nodes or not.
a HAR file of the loading experience, in case it is “site loads poorly” rather than “site doesn’t load at all”. This is the place to instruct folks about how to grab a HAR file: HAR Analyzer
Once we’ve seen that data, we would be happy to investigate and speak to what is actually happening (accepting of course that if China blocks your website, we can’t really stop them from doing so), but at a high level, most of the tools I could find were not a good test based on how our CDN handles routing.
I’m within China; I just used the tool to double-check, but thanks for the clarification about your CDN nodes. Anyway, interesting thing: it would seem they block sites by default until crawled by their search engine; as soon as I went through the process, the site was working normally.
Hope that Netlify DNS could update a new feature which allows us to enable different routes for visitors in China. Just like DNSPod, visitors from different regions can visit the same domain from different servers, not just different CDN nodes.
@flinhong: not sure what that service does? Certainly we have the ability to route to any CDN node from any geolocation; that’s how our CDN works. Could you elaborate a bit more on what that solution might look like, and particularly my next point? I think it doesn’t matter what CDN node we route to if the firewall wants to block our content, but obviously, this is largely a guess since I don’t know everything about how it is implemented.
@Njegos: Can you give us more details about what is blocked from where (I assume you are testing from within China?), using the guidelines I mentioned above?
That will hopefully help us quantify a bit what the failure is.
Our DNS functionality does not work in that way and we don’t have any plans to extend it. Namely: we don’t have any “other” DNS servers to point folks to. You’d need to use external DNS hosting that has that functionality if you’d like it.
I am in China. I am sure both netlify.com and netlify.app are accessible in China, but not stable: some packets are lost sometimes, so sometimes I get reports that my site is broken, but when I test, it is still live.
Sorry to hear it! What happens when you ping other addresses that are publicly available, such as 8.8.8.8 (Google DNS server) or 1.1.1.1 (Cloudflare DNS server)? I’m looking to understand if you have slow/flaky network access to everywhere outside of China, or if it is somehow specific to one or more of our IPs. That one you quote is a CDN node in Singapore, which is a pretty reasonable place for your traffic to end up, at least!
But in the end, pings don’t matter as much as web traffic since we aren’t trying to make pings work - if you (or anyone) gets slow loads and can send us the x-nf-request-id of the slow request, we can usually determine if we sent slowly, or if the network was to blame. This article talks about how to find that:
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=17.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=17.0 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=116 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=116 time=17.2 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=116 time=17.1 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=116 time=16.9 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=116 time=17.1 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=116 time=16.9 ms
^C
--- 8.8.8.8 ping statistics ---
11 packets transmitted, 9 received, 18.1818% packet loss, time 10050ms
rtt min/avg/max/mdev = 16.876/16.992/17.181/0.105 ms
$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=169 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=6 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=7 ttl=55 time=168 ms
64 bytes from 1.1.1.1: icmp_seq=9 ttl=55 time=169 ms
64 bytes from 1.1.1.1: icmp_seq=10 ttl=55 time=168 ms
^C
--- 1.1.1.1 ping statistics ---
10 packets transmitted, 9 received, 10% packet loss, time 9055ms
rtt min/avg/max/mdev = 167.841/168.350/168.688/0.222 ms
So sorry I missed your followups, @muzuiget! I know it’s been some time since you posted, but still happy to work on this if you are still struggling.
However, it seems like you could access the site since you got x-nf-request-id response headers - those come from our CDN nodes, so if you were blocked, you would not have received them. Could you help us quantify the number of reports vs the number of visitors your site has had (which seems to me to be a bit north of 4000 unique IPs in the past 25 days of history I have access to), so I can better understand the impact to you?
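Added example, not part of any post in this thread and not Netlify's own tooling: one way to triage the HAR file requested above, separating requests that got no response from those a CDN node answered (they carry `x-nf-request-id`) and listing the request ids of slow loads to pass to support. The function names, the 3000 ms threshold and the sample HAR are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

def _entry(url, status, ms, req_id=None, **timings):
    # Builds one constructed HAR entry; HAR uses -1 for "phase did not apply".
    headers = [{"name": "X-NF-Request-ID", "value": req_id}] if req_id else []
    return {"time": ms, "request": {"method": "GET", "url": url},
            "response": {"status": status, "headers": headers}, "timings": timings}

# Constructed sample data (not from the thread): hosts, ids and timings are made up.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("https://your.customdoma.in/", 200, 180, "constructed-id-0001",
           dns=20, connect=60, send=1, wait=50, receive=49),
    _entry("https://your.customdoma.in/app.js", 200, 7400, "constructed-id-0002",
           dns=0, connect=-1, send=1, wait=300, receive=7099),
    _entry("https://your.customdoma.in/logo.png", 0, 30000, connect=30000),
    _entry("https://your.customdoma.in/style.css", 200, 90, wait=80, receive=10),
    _entry("https://fonts.example/font.woff2", 200, 120, wait=100, receive=20),
]}})

PHASES = ("blocked", "dns", "connect", "send", "wait", "receive")

def response_header(entry, name):
    """Case-insensitive lookup of a response header; None when absent."""
    for h in entry["response"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def triage(har_text, site_host, slow_ms=3000):
    """Classify every request to site_host found in a HAR export."""
    rows = []
    for e in json.loads(har_text)["log"]["entries"]:
        url = e["request"]["url"]
        if urlsplit(url).hostname != site_host:
            continue  # other hosts are not served by the site's CDN
        req_id = response_header(e, "x-nf-request-id")
        if e["response"]["status"] == 0:   # assumption: browser logs 0 on failure
            verdict = "failed"         # no HTTP response reached the browser
        elif req_id is None:
            verdict = "no-cdn-header"  # answered, but not tagged by a CDN node
        elif e["time"] >= slow_ms:
            verdict = "slow"           # report this request id to support
        else:
            verdict = "ok"
        slowest = max(PHASES, key=lambda p: e["timings"].get(p, -1))
        rows.append({"url": url, "verdict": verdict, "request_id": req_id,
                     "time_ms": e["time"], "slowest_phase": slowest})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_HAR, "your.customdoma.in"):
        print(row)
```

The `slowest_phase` field is only a hint about where the time went; whether a slow load was the CDN or the network is still something support determines from the request id.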
I would try some Chinese local PaaS solutions like Aliyun https://www.aliyun.com/ or 21YunBox https://www.21yunbox.com (similar to Netlify) because these providers help you get ICP beian (a permit to host your website in China). If you don’t have an ICP, your website will likely be blocked one day by the Chinese gov.