Hello,

TL;DR: just enable DoH

Today, my friend and I were talking about SNI and the deep packet inspection shit done by the government. I insisted that since they do this kind of shit, they can block access to certain sites like TPB and other freedom websites. He suggested that I just enable DoH in Firefox and see the magic happen. I didn’t believe him until I enabled DoH and... magic. I can access every censored website.

So, just saying that sometimes the bypass is much simpler than we think!

Also, I am thinking: even if the DNS request is encrypted, can’t they see the TLS ClientHello message and block it? Or is it impossible?

  • RaisinCrazyFool@kopitalk.net · 13 points · 28 days ago

    Yes, everyone should set up DoH (DNS-over-HTTPS) or DoT (DNS-over-TLS). You can do this at the browser level, like you just did in Firefox, or at the OS level.

    You can also block ads this way, by cutting off connections to known ad domains before they even start. Mullvad runs a free ad-blocking DoH server anyone can use. See https://mullvad.net/en/help/dns-over-https-and-dns-over-tls for instructions on how to set that up on your OS.

    Firefox has also just announced a built-in VPN, which could help get around other types of ISP-level censorship. That’s probably the only free VPN I’d trust, personally. Mullvad and Proton are well-regarded paid VPNs if you want to go that route.

      • RaisinCrazyFool@kopitalk.net · 2 points · 27 days ago

        Right. It only works for dedicated ad domains. In practice, that’s a LOT of ads.

        On Android, it’ll block most ads, including full-screen ads, within apps.

        It will NOT, however, work with sites like Netflix or YouTube, because those use the same domains for ads as for the actual videos.
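To make the comment above concrete, here is an added example (not code from the thread or from Mullvad) of what a DoH exchange actually looks like on the wire per RFC 8484: the DNS question is built in ordinary wire format, then either base64url-encoded into a `?dns=` GET parameter or sent raw as an `application/dns-message` POST body. Because the whole thing is an ordinary HTTPS request, a censor sees nothing but TLS to some web server. The resolver URL `https://doh.example/dns-query`, the `example.com` question and the response bytes are all constructed for the example; the response is parsed offline so the code runs without network access.

```python
import base64
import struct

# Assumed resolver URL for illustration only; substitute the DoH endpoint you trust.
RESOLVER_URL = "https://doh.example/dns-query"


def encode_qname(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Build a DNS query. ID is 0, as RFC 8484 recommends for the GET form,
    so identical questions yield identical (HTTP-cacheable) URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(msg, resolver_url=RESOLVER_URL):
    """RFC 8484 GET form: base64url (no padding) DNS message in ?dns=."""
    dns = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (resolver_url, dns)


def doh_post_request(msg, resolver_url=RESOLVER_URL):
    """RFC 8484 POST form: raw DNS message as body with the DoH media type."""
    return {"method": "POST", "url": resolver_url,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"},
            "body": msg}


def read_name(msg, off, hops=0):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if hops > 16:
                raise ValueError("pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off, hops = ptr, hops + 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return [(name, ttl, dotted_ipv4)] for A records in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            out.append((name, ttl, ".".join(str(b) for b in rdata)))
    return out


# Constructed response to the example.com query (not captured traffic):
# flags QR|RD|RA, one A record, TTL 300, TEST-NET address 192.0.2.1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_qname("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print(doh_post_request(q)["headers"])
    print(parse_a_records(SAMPLE_RESPONSE))
```

Note the GET URL carries the full question in the query string, so it lands in the resolver's HTTP logs as well as its DNS logs; that is the privacy trade-off the next comment makes about trusting the DoH provider, and a reason many clients default to POST.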

  • Björn@swg-empire.de · 4 points · 28 days ago

    I guess they could theoretically block the DoH server(s) by IP. The problem is overblocking. They cannot tell if you’re accessing a webpage or a DoH server. They are basically the same thing.

    Of course in terms of privacy the DoH provider can tell what domains you requested. But that is true with every DNS service.

  • doodoo_wizard@lemmy.ml · 4 points · 28 days ago

    To your last question: there’s a technology called Encrypted Client Hello intended to solve that problem.
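The OP's question (can they still see the TLS ClientHello?) and the ECH answer above are both illustrated by this added example, which is not code from the thread. It constructs a minimal TLS 1.3-style ClientHello record, then parses it the way a passive DPI box would: the `server_name` extension is plaintext, so DNS encryption alone does not hide the destination. The second hello carries an `encrypted_client_hello` extension (codepoint 0xfe0d) with a placeholder payload standing in for the real HPKE-encrypted inner hello; the only name visible on the wire is then the outer "public name" of the fronting provider. The hostnames `blocked.example` and `public.example` and the blocklist are constructed for the example.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ECH = 0xFE0D  # encrypted_client_hello (draft-ietf-tls-esni codepoint)


def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(sni, ech_payload=None):
    """Constructed ClientHello record with SNI and, optionally, an ECH extension.
    The ECH payload is opaque placeholder bytes, not a real encrypted inner hello."""
    host = sni.encode("ascii")
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = _ext(EXT_SERVER_NAME, sni_list)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")  # TLS 1.3 only
    if ech_payload is not None:
        exts += _ext(EXT_ECH, ech_payload)
    body = (
        b"\x03\x03"                           # legacy_version
        + bytes(range(32))                    # fixed "random" so the example is reproducible
        + b"\x20" + bytes(32)                 # legacy_session_id (32 bytes)
        + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(data):
    list_len = struct.unpack("!H", data[:2])[0]
    p, end = 2, 2 + list_len
    while p + 3 <= end:
        name_type, name_len = struct.unpack("!BH", data[p:p + 3])
        name = data[p + 3:p + 3 + name_len]
        p += 3 + name_len
        if name_type == 0:                    # host_name
            return name.decode("ascii")
    return None


def parse_client_hello(record):
    """What a middlebox reads from the first TLS packet: (plaintext SNI, has_ech)."""
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                          # legacy_version + random
    off += 1 + body[off]                                  # legacy_session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]  # cipher_suites
    off += 1 + body[off]                                  # compression_methods
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    sni, has_ech = None, False
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SERVER_NAME:
            sni = _parse_sni(data)
        elif etype == EXT_ECH:
            has_ech = True
    return sni, has_ech


def censor_decision(record, blocklist):
    """SNI-based blocking as a DPI box does it. With ECH, only the outer public
    name is on the wire; the real destination sits in the encrypted inner hello."""
    sni, has_ech = parse_client_hello(record)
    if sni in blocklist:
        return "block"
    return "allow-unknown" if has_ech else "allow"


if __name__ == "__main__":
    blocklist = {"blocked.example"}                       # constructed, not a real list
    plain = build_client_hello("blocked.example")
    fronted = build_client_hello("public.example", ech_payload=b"\x00" * 40)
    print(parse_client_hello(plain), censor_decision(plain, blocklist))
    print(parse_client_hello(fronted), censor_decision(fronted, blocklist))
```

The "allow-unknown" branch is the censor's dilemma Björn describes above: the DPI box can see that ECH is in use and could drop every such connection, but that means blocking everyone behind the same public name, not just the one site.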

  • doodoo_wizard@lemmy.ml · 4 points · 27 days ago

    Another poster said there are lots of ways to get past DoH/DoT, and they’re right. The goal is to get your ECH packet safely to your DNS server. To that end, make your VPN server connection first, then ask for ECH from your trusted DoH/DoT server.

    If you’re dealing with DPI, you gotta fuck up your packets a bunch to get them through. It makes things slow.

    A good way to avoid DPI is to just not deal with it. Often DPI systems are at border crossing points, so if you connect to your trusted VPN endpoint inside the borders of the place you’re trying to obfuscate from, you can make it out to a DoT or DoH server.

  • flactwin@lemmy.zip · 4 points · 27 days ago (edited)

    Both Xray and AmneziaWG self-hosted solutions are great enough to provide the needed layer against new censorship mechanisms. I think you’re from Russia; I run a VPN for friends in this region, some of whom have lived under white lists every day for 2 years, so we found a method to even resist “white lists”. The TURN proxy is great but still vulnerable in terms of privacy, but it works really great. Let’s kill their network together :)

  • swelter_spark@reddthat.com · 2 points · 26 days ago

    Just an FYI, dnscrypt-proxy allows you to run a local DoH server you can use with Firefox, so you don’t have to trust some public server.