I can ask the Application Filter team. Otherwise I think Gateway Management may be able to block it, but, even then, perhaps only in the Business version. You'd need to try the Community version and see.

Nick Howitt wrote:

I can ask the Application Filter team. Otherwise I think Gateway Management may be able to block it, but, even then, perhaps only in the Business version. You'd need to try the Community version and see.

Thank you sir Nick i already block the IP's of telegram using the Block Incoming Connection in ClearOS, IP's from Netify.ai. My last question there is possible way to block in specific IP or Computer?

I would not expect blocking in the Incoming Firewall to do anything. The Incoming Firewall (INPUT chain in iptables) is only for traffic destined for ClearOS and not the LAN behind, It **may** work for the LAN behind if the traffic passes through the proxy (so http traffic if you're running in transparent mode or any traffic in non-transparent mode). To block traffic directly between a PC and the internet, use the Egress firewall with IP addresses. This puts blocks into the FORWARD chain in iptables. To block specific LAN IPs will require custom firewall rules.

What Telegram IPs are you blocking?

Nick Howitt wrote:

I would not expect blocking in the Incoming Firewall to do anything. The Incoming Firewall (INPUT chain in iptables) is only for traffic destined for ClearOS and not the LAN behind, It **may** work for the LAN behind if the traffic passes through the proxy (so http traffic if you're running in transparent mode or any traffic in non-transparent mode). To block traffic directly between a PC and the internet, use the Egress firewall with IP addresses. This puts blocks into the FORWARD chain in iptables. To block specific LAN IPs will require custom firewall rules.

What Telegram IPs are you blocking?

Thank you for the information sir.
This are the IP's i block sir Nick
91.108.4.0/22
91.108.8.0/21
91.108.16.0/21
91.108.56.0/22
95.161.64.0/20

I tried researching it a few days ago. In 2018 Russia tried blocking Telegram and had to block 16M addresses but there was a lot of collateral damage with lots of other sites not working as well. Even then the block was not that effective. If what you have done has worked then you are doing better than Russia. They gave up in the end.

Nick Howitt wrote:

I tried researching it a few days ago. In 2018 Russia tried blocking Telegram and had to block 16M addresses but there was a lot of collateral damage with lots of other sites not working as well. Even then the block was not that effective. If what you have done has worked then you are doing better than Russia. They gave up in the end.

Hi Sir nick when i tried to block all those IP's there is something happen in my network.

We have 10 computers remoted via teamviewer in other country. When i block all those IP,'s
After a minutes teamviewer in other country disconnected, But our internet in office is stable and all website we access are accesible. For now its not clear to me if the issue of disconnection in our side or in other side (other country), so i decide to unblock and block the website only.

Nick Howitt wrote:

It won't happen immediately but the developers have offered to add in another 40 or so filters including Telegram. I have no idea what their timescales are.

Are there any other filters you think would be worthwhile?

I think the popular Mobile Games like (ML, COD, WILDRIFT), utorrent also only the bitorrent in filter. And also in Application filters hope there an option for specific device to block thru ip or mac address.

Hi everyone,

Telegram is definitely an outlier when it comes to detection. It uses a custom protocol (usually over port 443 but other ports are also used) and will typically (always?) bypass DNS. The app definitely used to be more evasive back in the day, but Telegram seems to stick to their assigned IP address ranges these days. Perhaps due to political pressure? Wild guess.

By the way, here's the full list of networks for Telegram (just updated today).

91.105.192.0/23

91.108.4.0/22

91.108.8.0/21

91.108.16.0/21

91.108.56.0/22

95.161.64.0/20

149.154.160.0/20

185.76.151.0/24

2001:67c:4e8::/48

2001:b28:f23c::/47

2001:b28:f23f::/48

2a0a:f280:203::/48

Peter B wrote:

Hi everyone,

Telegram is definitely an outlier when it comes to detection. It uses a custom protocol (usually over port 443 but other ports are also used) and will typically (always?) bypass DNS. The app definitely used to be more evasive back in the day, but Telegram seems to stick to their assigned IP address ranges these days. Perhaps due to political pressure? Wild guess.

By the way, here's the full list of networks for Telegram (just updated today).

91.105.192.0/23

91.108.4.0/22

91.108.8.0/21

91.108.16.0/21

91.108.56.0/22

95.161.64.0/20

149.154.160.0/20

185.76.151.0/24

2001:67c:4e8::/48

2001:b28:f23c::/47

2001:b28:f23f::/48

2a0a:f280:203::/48

Thank you for the information sir Peter telegram also use IPv6.

I installed the Telegram app on a test mobile, registered, and then joined a Telegram group. A screenshot of the traffic is attached. A typical app will have DNS requests followed by HTTPS (or other protocol) requests. As you can see in the screenshot, there's no associated DNS traffic - just the HTTPS traffic (and it's non-standard HTTPS traffic to boot)!

The Gateway Management "Don’t Talk To Strangers (DTTS)" feature will block this kind of traffic. The Telegram domain list won't be very useful for blocking traffic.

Hi Peter, could Telegram be leveraging DNS over HTTPS (DoH). More and more apps seem to be doing this and GM with DTTS seems to be the only way of blocking it. I know with Firefox there is a magic domain, use-application-dns.net, which, if it returns NXDOMAIN disables DoH and there are some techniques for other apps. DTTS will block it anyway. AVG has a secure DNS option and I think iOS uses one as well.

Nick Howitt wrote:

Hi Peter, could Telegram be leveraging DNS over HTTPS (DoH).

Nope I was looking at all the connections coming from the mobile - no DoH/DoT traffic. In fact, all the other connections in the 5-minute time frame that I reviewed were identified through SSL/SNI detection or DNS. Oh, and some internal IPv6 chatter too.