dabacaba | 8 months ago

DoH does wonders against ISPs which filter DNS traffic (including traffic to third-party DNS servers). This happens more often than many people realize. My ISP blocks traffic to a couple of random websites (perfectly safe and legal) just because their security system doesn't like them, and they can't do anything about that. I only wish for more websites to deploy ECH, because they are using SNI filtering as well.

atahanacar | 8 months ago

>they are using SNI filtering as well

This is surprisingly easy to beat using very funny methods, like splitting the request in the middle of the SNI, or first sending a request with a low TTL to an unblocked website, which gets dropped, and then repeating it with the correct SNI.

There are more methods, all of which I find very funny for some reason. You can use GoodbyeDPI on Windows and zapret on Linux.

dabacaba | 8 months ago

The disadvantage of those methods is that they require installing custom software, and they don't work on mobile devices unless you put them behind a router with custom firmware. In contrast, DoH works out of the box on most operating systems, and hopefully ECH will work as well.

bornfreddy | 8 months ago

I guess it depends on the situation then. My ISP doesn't pull such stunts, and if they did, I would switch in a moment. Fortunately, others around here don't suck either. Cloudflare (or Google, or whoever), OTOH, gets waaaay too much data from everybody. For my taste, at least.

josephcsible | 8 months ago

I'm glad your ISP doesn't do that, but there are a lot of people not as lucky as you, and we shouldn't deny them all a major increase in privacy just to avoid having you change one browser setting.

LtWorf | 8 months ago

My ISP does, because the government tells them to. Yes, western nation, so it's not government censorship.

jsiepkes | 8 months ago

Same goes for if you have an IoT device behind a corporate firewall and you are being forced to use an enterprise DNS server running on some Cisco or Juniper device which doesn't respect TTLs, filters TXT records, etc.

unethical_ban | 8 months ago

A decent corporate policy will block or decrypt DoH, same as it blocks direct outbound DNS.