by hales 645 days ago
This will not work if ISPs redirect DNS queries. Only the methods CAP_NET_ADMIN mentioned will work.

DoH APIs at these endpoints:

https://dns.google/dns-query – RFC 8484 (GET and POST)

https://dns.google/resolve? – JSON API (GET)

And tunneling obfuscated traffic is easy... =3
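
The RFC 8484 GET and POST request forms for the endpoint listed above, as an added example that is not part of the original thread. The function names are chosen here for illustration, and the code only builds and parses messages offline without sending a query:

```python
import base64
import struct
from urllib.parse import urlencode

DOH_ENDPOINT = "https://dns.google/dns-query"  # RFC 8484 endpoint listed in the thread
QTYPES = {"A": 1, "AAAA": 28}                  # subset of RFC 1035 / RFC 3596 types


def build_query(name, qtype="A"):
    """Return a DNS query in wire format (RFC 1035) for one question."""
    # ID 0 (RFC 8484 suggests it so HTTP caches see identical requests), RD=1, QDCOUNT=1
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def doh_get_url(name, qtype="A", endpoint=DOH_ENDPOINT):
    """GET form: the wire message is base64url-encoded without padding in ?dns=."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return endpoint + "?" + urlencode({"dns": b64.decode("ascii")})


def doh_post_request(name, qtype="A", endpoint=DOH_ENDPOINT):
    """POST form: the raw wire message is the body, typed application/dns-message."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return endpoint, headers, build_query(name, qtype)


def parse_response_header(message):
    """Return (rcode, answer_count) from a DNS response in wire format."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return flags & 0x000F, ancount


if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    # Constructed sample response header: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN)
    sample = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0)
    print(parse_response_header(sample))
```

On the wire, both forms are ordinary HTTPS requests to the named host, which is why the thread's discussion centres on the endpoint's domain and IP rather than on the DNS payload.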

An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service, so that governments can't block DoH without blocking all of Google or YouTube. Using a dedicated domain like that, they're just begging to be blocked.

I wonder if DoH requests can be easily proxied? So if I set up https://www.mydomain.com/dns-query on a U.S.-based cloud server and proxy_pass all requests to Google or Cloudflare, and point my browser at my server, will it work?

Iodine will obfuscate the traffic using the redirected DNS hijack servers themselves.

Perhaps someone will put a configured wifi router image together over Christmas holidays for demonstration purposes... because it is fun to ignore tcp drop DoS too.

Tunneling well-obfuscated traffic is easier than most imagine... and IDS technology will fail to detect such things without an OS OSI layer snitch. =3

> An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service

That's not how that works. DoH resolvers need an IP address, not a domain name. Sure, Google could host DoH on www.google.com, www.youtube.com, etc. but most users are not going to be savvy enough to find those IPs and use them.

Then again, perhaps users savvy enough to try to use DoH to bypass these blocks would also be fine with this.

> most users are not going to be savvy enough to find those IPs and use them.

Very few people configure DoH on their own. It's up to the DoH-enabled client software (mostly browsers) to obtain lists of resolver IPs and keep them up to date.

If Cloudflare, for example, really wanted to make their DoH traffic indistinguishable from other HTTPS traffic, they could literally host DoH on any domain or IP under their control and rotate the list every now and then.

These are being redirected by the Malaysian government as well.

You do know what happens when people try to MiM SSL traffic, correct?

Even the UK/China firewall can be tunneled over, but the ramifications for those that do so can be dire. =3

Yes, the connections fail, and most clients will fall back to regular ol' DNS on port 53, which then gets redirected to the government's DNS servers.

So far clients have chosen availability instead of fighting this fight.

Unless your local router tunnels the DNS traffic via other means. The clients may see slightly higher latency, but for <16 host hotspots it would be negligible.

It is quite easy, for example, to bounce traffic through a reverse proxy on a Tor tunnel, and start ignoring spoofed drop-connection packets (hence these bypass local DNS, tunnel to a proxy IP to obfuscate Tor traffic detection, and exit someplace new every minute or so.) This is a common method to escape the cellular LTE/G5 network sandbox.

Ever played chase the Kl0wN? Some folks are difficult to find for various reasons.

Have a nice day, =3