An investigation was conducted into the inability to access Telegram services over a residential ISP connection. The investigation identified clear evidence of DNS-level redirection of telegram.org to a Jio-owned IP address, alongside an inability to establish direct TCP connectivity to Telegram’s actual infrastructure.
Immediate restoration of connectivity was achieved through a VPN tunnel, bypassing the active Jio-owned endpoint (49.44.79.236) which exhibits characteristics inconsistent with a normal public web or DNS service. The collected evidence strongly suggests the presence of both DNS-level and network-level controls affecting Telegram connectivity.
Environment
- Client Device: Apple MacBook Air M3 (macOS)
- Terminal utilities used:
dig,curl,traceroute,nmap,openssl,nc(netcat),whois - VPN: Proton VPN (Amsterdam exit node)
Phase 1: Initial DNS Investigation
We began by querying the domain name system for Telegram's main domain name.
dig telegram.org +short
# Output:
# 49.44.79.236
The expected Telegram IP address is 149.154.167.99. The returned IP clearly does not belong to Telegram infrastructure.
To verify ownership of the returned IP, we queried Cymru WHOIS:
whois -h whois.cymru.com " -v 49.44.79.236"
# Output:
# AS55836 | RELIANCEJIO-IN | Reliance Jio Infocomm Limited
Additional APNIC RDAP verification confirmed that 49.44.79.236 belongs to Reliance Jio Infocomm Limited. Conclusion: telegram.org was being resolved to an IP address owned by Jio rather than Telegram.
Phase 2: DNS Bypass Testing
DNS settings were manually updated to Cloudflare's public DNS resolvers:
# Changed to:
# 1.1.1.1, 1.0.0.1
scutil --dns
We then re-tested the resolution:
dig telegram.org +short
# Output: 149.154.167.99
dig @1.1.1.1 telegram.org +short
# Output: 149.154.167.99
dig @8.8.8.8 telegram.org +short
# Output: 149.154.167.99
Conclusion: DNS redirection was successfully bypassed, and Telegram resolved correctly after switching resolvers.
Phase 3: Direct Telegram Connectivity Testing
Next, we attempted to initiate an HTTPS handshake directly to the verified Telegram infrastructure.
curl -I https://telegram.org
# Result: Connection timeout
curl --connect-to telegram.org:443:149.154.167.99:443 -I https://telegram.org
# Result: Connection timeout
Conclusion: Even when DNS resolution is completely bypassed, the HTTPS connection continues to time out. The issue is not limited to DNS manipulation.
Phase 4: TCP Reachability Testing
We performed TCP connection tests to see if we could reach the network socket of Telegram's IPs directly.
nc -vz -w 5 149.154.167.99 443
# Result: Operation timed out
nc -vz -w 5 149.154.175.50 443
# Result: Operation timed out
Conclusion: TCP SYN packets did not receive responses. Direct connectivity to Telegram infrastructure was entirely unavailable at the transport layer.
Phase 5: Routing Analysis
A traceroute was performed to see where the packets were dropped.
traceroute 149.154.167.99
# Path:
# 1 192.168.29.1
# 2 10.197.120.1
# 3 172.31.x.x
# 4 172.28.x.x
# 5 172.26.x.x
# 6 * * *
# 7 * * *
Conclusion: Traffic successfully progressed through internal ISP routing hops but terminated entirely before ever reaching the edge of Telegram's AS network.
Phase 6: VPN Verification
We connected to Proton VPN (Amsterdam exit node) and ran the exact same diagnostics:
nc -vz -w 5 149.154.167.99 443
# Result: Connection succeeded
curl -I https://telegram.org
# Result: HTTP/2 200
Conclusion: When tunnelled, Telegram's endpoints responded immediately. This isolates the failure condition purely to the direct ISP routing path.
Phase 7: Investigation of Jio's IP (49.44.79.236)
To analyze the behavior of the destination Jio redirected us to, we investigated 49.44.79.236:
traceroute 49.44.79.236
# Path entered Reliance Jio's network via Telia/Arelion and died at 49.44.220.242.
nmap -Pn -p 53,80,443,8080 49.44.79.236
# Result:
# 53/tcp open
# 80/tcp open
# 443/tcp open
# 8080/tcp open
The host is active and listening on these ports. However, its HTTP and HTTPS behaviors are highly irregular:
- HTTP behavior:
curl -v http://49.44.79.236establishes a TCP connection and transmits the request, but never receives any response. - HTTPS behavior:
curl -vk https://49.44.79.236sends a ClientHello, but no ServerHello is ever returned. The TLS handshake never completes. - OpenSSL test:
openssl s_client -connect 49.44.79.236:443connects, but no certificate is presented, and no TLS negotiation occurs. - Host Header response: Sending
curl -v -H "Host: telegram.org" http://49.44.79.236immediately returns aConnection reset by peer. - DNS Port 53:
nc -vz 49.44.79.236 53succeeds, but any actual DNS query to the IP (e.g.dig @49.44.79.236 google.com) times out.
Technical Assessment
The endpoint at 49.44.79.236 demonstrates several unusual characteristics. It is owned by Reliance Jio, is returned as a DNS response for telegram.org, and accepts TCP connections, but fails to respond as a normal web or DNS server. Most notably, it alters its behavior (terminating with a RST packet) when telegram.org is explicitly supplied in the Host header.
These observations are highly consistent with specialized policy enforcement or filtering infrastructure—likely serving as a DNS sinkhole target or traffic interception gateway.
Conclusions & Confidence Ratings
| Finding | Confidence Level |
|---|---|
| DNS Redirection of telegram.org to 49.44.79.236 | 99% |
| 49.44.79.236 is Jio-owned infrastructure | 100% |
| Direct ISP-path filtering of Telegram traffic | 95% |
| VPN bypass functionality | 100% |