Malaysia started mandating ISPs to redirect DNS queries to local servers

> It has been falsely claimed that the measure undertaken by MCMC is a draconian measure. We reiterate that Malaysia’s implementation is for the protection of vulnerable groups from harmful online content.

That’s how it _always_ starts out, the “it’s for your own good, trust me” excuse.

Has anyone built the AI web browser yet? The one that redraws any image you might find offensive, rewords advertisements, and rephrases comments to be positive?

That would be cool?

> The one that redraws any image you might find offensive, rewords advertisements, and rephrases comments to be positive?

You’re kidding but I’ve already toyed with using AI models to analyze browsers’ screenshots and determining if it’s likely phishing or not and it works very well.

Very interesting, I’m working on exactly the same problem from a couple different angles, but I’m not having much luck. I have negligible background in AI/ML or computer vision however, so I’m most certainly Holding it Wrong (TM). My general approach has been trying to generate embeddings using smaller models like MobileNet and ResNet (not trained or finetuned or anything) and using similarity metrics like Cosine distance, but there’s too many false positives. If you can disclose it, would you be willing to expand on what has worked for you?

> (…) I’ve already toyed with using AI models to analyze browsers’ screenshots and determining if it’s likely phishing or not and it works very well.

Assuming the AI is comparing screenshots of real versus phishing, it can only figure it out for poorly done phishing websites.

As phishing scams get more sophisticated with scam websites that look exactly like the real ones, the only things that truly matter are protocols (i.e., HTTP versus HTTPS), domains, URLs, certificates, etc.

Unfortunately there is a very pertinent context to the concerns raised by that user:

  Microsoft has invested in a startup that uses facial recognition to surveil Palestinians throughout the West Bank, in spite of the tech giant’s public pledge to avoid using the technology if it encroaches on democratic freedoms.

  AnyVision, which is headquartered in Israel but has offices in the United States, the United Kingdom and Singapore, sells an “advanced tactical surveillance” software system, Better Tomorrow. It lets customers identify individuals and objects in any live camera feed, such as a security camera or a smartphone, and then track targets as they move between different feeds.

https://www.nbcnews.com/news/all/why-did-microsoft-fund-isra…

Mixed feelings.

Somebody installs it for him/her-self. Sure, power to you!

Neighbour in non-Muslim state installs it for their children: their right, but feels fishy regarding a child’s right to truth.

> (…) their right, but feels fishy regarding child right to truth.

I’m not sure what’s fishy about it. Parents have always controlled what their children should have access to and consume. The entire concept of “parental controls” exists for this reason—we’ve always understood a parent’s rights over their children and none of that was at all controversial until like 5 minutes ago.

This is a digression anyway, so I’ll just stop there…

> Yes, let’s encourage gender divides and backwards thinking.

I’m sorry that everyone in the world doesn’t think the way you’d like them to.

I know lots of Muslims, both male and female, and they’re perfectly normal to me. In fact, some of them are some of the most wholesome folks I know: Humble and hardworking humans who build and love their families, and of course, believe in something much greater than themselves. I see nothing “backwards” about that.

“Guys, I am just pleased as punch to inform you that there are two thermo-nuclear missiles headed this way… if you don’t mind, I’m gonna go ahead and take evasive action.” — Eddie, the Shipboard Computer (Douglas Adams)

True, but to be fair this isn’t Google being ideological. They’re just responding to customer signals that customers prefer content to be shaped. If there was more CLV in one-size-fits-all search results, Google would do that.

There’s an argument that Google should not cater to our preferences, but I don’t think I buy it.

Hah. It is still early morning so I let my mind run wild for a while. I am not aware of any public facing projects that do that, but in my mind’s eye I saw a polymorphic browser adjusting its code to meet the new AI web that is constantly in flux.

You want privacy? It stamps out any attempts at fingerprinting by attempting to be the most common browser (and config) out there, it spoofs any and all identifying data, it redraws pages without paywalls, without cookie notices and puts all pages in simple text output mode removing all other ads in the process, but keeps pictures for fora that use them.

You want 1984? It won’t let you see anything that is not approved by the party.

Onwards, to our glorious future.

edit:

Valuemaxx edition. Store pages with discounts have bruteforced discounts found and added for maximum value.

It already is crazy. I can’t even begin to imagine it being more crazy.

“think of the children” is never out of style.

but remember we have this (widespread from 90s to 2010) to this day in the USA, and they don’t even bother with excuses. just shove advertising and hijack searches right on your face.

google didn’t force httpsdns on your browser for nothing. it was digging in THEIR pockets.

yes, but then they would have upset local admins for bypassing the local resolver. that is still an issue with httpdns, but now they have a better argument against using the local resolver as default.

the ideal situation would actually be to implement httpdns on the OS/router level and allow the user/local admin choose the policy. i expect that this is going to happen soon in most linux distributions.

Surely they could just as easily report all DNS queries to Google under the guise of telemetry or search optimization or whatever. And of course let people disable that, which about 0.001% would do.

Httpdns is too complex of a solution to the business goal you’re suggesting. There are much simpler / less expensive ways of doing it.

No power used by humans exists in a vacuum. In the hands of human beings, most powers are heavily biased towards one extreme in the spectrum. Man doesn’t shape the world with the tools of the time – technology shapes the world and the man.

Jacques Ellul and/or Ted Kaczynski might be a starting point on this matter.

As a network guy, the fact that I can transparently redirect DNS on my network to wherever I need to is a nice feature.

As a user of the public internet, it feels like a bug.

As much hassle as things like DoH can be for securing and enforcing policy on a network, it’s about time it became ubiquitous enough that governments can’t leverage DNS for their own purposes anymore.

> As much hassle as things like DoH can be for securing and enforcing policy on a network, it’s about time it became ubiquitous enough that governments can’t leverage DNS for their own purposes anymore.

A caveat of encrypted DNS is that it has to be bootstrapped via traditional, unencrypted DNS or via a well-known set of IPs. Currently, most clients using DoH/DoT use one of a small handful of providers. Cloudflare, Google, Quad9, etc. A motivated government could block those endpoints pretty easily.

Of course, a client using encrypted DNS could just refuse to work when encryption is blocked, rather than falling back to traditional DNS. But that could mean the client is unusable in the country implementing the block.

This sort of reminds me of when Kazakhstan announced they were going to MITM all TLS sessions within the country, and all citizens would need to manually install a root cert. Google, Apple, and Mozilla chose to completely block their root cert, so it would be unusable even if users chose to go along with it. https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a… Seems like the browser devs won that political standoff, but would they fight the same battle if DoH/DoT was blocked?
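
The bootstrap and fallback points above, as an added example that is not part of the thread: a minimal DoH client in the RFC 8484 GET form (wire-format DNS query, base64url without padding, sent as the `dns=` parameter), a parser for the A records in the reply, and a resolver policy that refuses to fall back to plaintext port 53 when the encrypted endpoint is unreachable. The resolver hostname `doh.example.net`, its hard-coded bootstrap address `192.0.2.53` and the `transport` callable are hypothetical; a real transport would open TLS to the bootstrap IP while verifying the certificate against `DOH_HOST`, which is exactly the well-known-IP dependency the comment describes. The response bytes are constructed by hand so the code runs offline.

```python
"""DoH client skeleton with a strict no-fallback policy (added example)."""
import base64
import struct

# Hypothetical DoH endpoint and the bootstrap IP a client would ship with
# (TEST-NET-1, placeholder only). A client needs one of these two things
# before it can send a single encrypted query.
DOH_HOST = "doh.example.net"
DOH_BOOTSTRAP_IP = "192.0.2.53"
DOH_PATH = "/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format (RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str) -> str:
    """RFC 8484 GET form: unpadded base64url of the wire query in ?dns=.
    Transaction ID 0 keeps identical questions cache-identical at the server."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"https://{DOH_HOST}{DOH_PATH}?dns={b64}"


def decode_doh_url(url: str) -> bytes:
    """Inverse of doh_get_url: restore padding and recover the wire query."""
    b64 = url.split("?dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)
    return base64.urlsafe_b64decode(b64)


def parse_a_records(resp: bytes):
    """Return (rcode, [IPv4 strings]) from a wire-format response.
    Handles label sequences and 2-byte compression pointers in owner names."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F

    def skip_name(off: int) -> int:
        while True:
            length = resp[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:      # compression pointer
                return off + 2
            off += 1 + length

    off = 12
    for _ in range(qdcount):
        off = skip_name(off) + 4         # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return rcode, ips


def constructed_response(name: str, ip: str, ttl: int, txid: int = 0) -> bytes:
    """Hand-built answer for offline use: echoes the question, then one A record
    whose owner name is a pointer (0xC00C) back to the question name."""
    question = build_query(name, txid=txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


class DohUnavailable(Exception):
    """The encrypted resolver could not be reached; no plaintext fallback."""


def resolve_strict(name: str, transport):
    """transport(url) returns the HTTP body bytes, or None when the endpoint is
    blocked. A blocked endpoint is an error here, never a downgrade to port 53."""
    resp = transport(doh_get_url(name))
    if resp is None:
        raise DohUnavailable(
            f"{DOH_HOST} ({DOH_BOOTSTRAP_IP}) unreachable; refusing plaintext fallback")
    rcode, ips = parse_a_records(resp)
    return ips if rcode == 0 else []


if __name__ == "__main__":
    ok = lambda url: constructed_response("example.com", "198.51.100.7", 300)
    print(resolve_strict("example.com", ok))
    try:
        resolve_strict("example.com", lambda url: None)
    except DohUnavailable as e:
        print("blocked:", e)
```

The trade-off the comment raises is visible in `resolve_strict`: with the bootstrap IP blackholed, the client raises instead of silently downgrading, so the user sees breakage rather than a quiet return to interceptable plaintext DNS. A client that wants to stay usable under such a block needs a second, less obvious way to reach an encrypted resolver, not a fallback to port 53.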

This is the way. Few governments have the resources to play cat and mouse with OS or browser devs. Just look at the fuss over manifest v3, it shouldn’t be a big deal – just fork chromium and patch manifest v2 back in again – but it is because there’s no “just patching” chromium, it’s like a train.

Uhm, yes. You can still apply rules with regard to all requests and then dynamically adept them.

You just can’t do it before the request hits the browser, so you can’t pretend to be a vpn inside the browser.

Blocking or redirecting all requests, based on dynamic values, adapting all headers through webrequest and not showing any ads and removing them from the page is still possible with service workers and content scripts.

The only issue is with regards to “static” rules and modifying them before they hit the browser. After that you can still do everything you could before. The only issue is bandwidth, but this should always have been an app to intercept all network requests instead of something inside the browser (like a vpn adblocker)

If you use a VPN^ to block ads then the VPN needs to be able to see inside your TLS session. Moreover, you still need an adblocker inside the browser process to do DOM manipulation, etc. For example, the element picker.

It’s technically possible to bifurcate an adblocker like that but it’s an ugly setup and you would only do it if a gun was held to your head by an ad monopoly.

That said, it may be a good idea in the current situation.

^ This is really stretching the meaning of ‘VPN’!

But you can totally still block ads based on element picker and do DOM manipulation. That’s not an issue.

The only two things you cannot do is declare them as static rules (well you can but not unlimited), and look and modify every header before it hits the browser.

And yes, you could have an app with a browser extension like Adblock already did for years without issues.

You could also have only a browser extension and have all the user functionality you have now, the only difference being it just slightly slower, and you still having the network load the ads (but not the page you’re on).

A bit annoying? Sure. But it’s hardly the severe problem it’s being made out to be.

A caveat of encrypted DNS is that it has to be bootstrapped via traditional, unencrypted DNS or via a well-known set of IPs. Currently, most clients using DoH/DoT use one of a small handful of providers. Cloudflare, Google, Quad9, etc. A motivated government could block those endpoints pretty easily.

not if DNS is hosted on the same servers as e.g. google search itself. then they would have to block google search in order to block DNS.

With HTTP/3 there isn’t much higher level packet analysis to do between anything useful in the headers being encrypted and the session being reused. All you see is there is a 443 UDP session to a Google server and encrypted packets keep getting sent back and forth… which looks exactly like any other HTTP/3 session to a Google server.

I think the weak points are wholly untechnical e.g. Google would often give in to protect the $$$ they make in a region.

Not anymore and mainland Chinese manufacturers sell them on in large numbers to autocratic governments.

Such devices have a pretty simple architecture: the highly performant data plane where DPI is implemented in the hardware (using either ASICs or FPGAs – don’t have enough information), and the control plane. The control plane comes with an SDK of sorts that DPI appliance users can use to tailor the appliance to their environment and that is used to «refine» the data plane behaviour, i.e. sending down / updating DPI pattern matching / processing rules.

As an infrasec person, DoH is great because we can config manage all the corp devices to use DoH servers run by the company whether or not a device is on VPN. Good visibility into what devices are looking up, easy internal domains, and ensuring malware domains are blocked on and off network.

At least the companies I’ve been working for have a lot more laptops at coffee shops and weworks, and probably not on a VPN half the time either. DoH has been a way bigger win than a hassle for me.

how would you ever get online at a coffee shop? Almost all of these use a captive portal that redirects DNS to some internal webpage making you click a button that says “I agree to your completely absurd terms and conditions”

I have found that fewer places seem to be doing captive portals and are just going back to open wifi or maybe a well-posted password. Maybe they are realizing there’s not a lot of value to it as almost all browser traffic is encrypted these days.

DoH helps us against governments, but doesn’t help us against advertisers, i.e. what stops Google or an app maker talking to their own DNS endpoint via DoH and avoiding local measures to block malware and tracking.

DoH is a double edged thing, advertisers are a more present and pervasive threat to most than their own government

> DoH helps us against governments

And bad ISPs⁰.

And a small subset of MitM attacks.

> advertisers are a more present and pervasive threat to most than their own government

That is true for me¹ but I’d not agree with “most” globally. And while stalky corporates and the people who will get hold of my data subsequently due to lax security are my main concern, there are other ways to mitigate them. Less convenient ways, sure, and I lose a security-in-depth step of ashtray using them anyway, but I consider that inconvenience for me² to be less of an issue than the more serious problems DoH might mitigate for others.

—-

(0) some people don’t have a simple “just go elsewhere” option

(1) relatively speaking: I don’t consider my government that trustworthy, and will do so even less in future if the Tories get back in without major changes in their moral core, and I’m sure many Americans feel similarly if they consider the implications of Project2025.

(2) both as an end user wanting to avoid commercial stalking and as someone who sometimes handles infrastructure for a B2B company that uses DNS based measures as part of the security theater we must present to clients when bidding for their patronage

An ISP could effectively bypass DoH. Block outgoing requests to IP addresses that the ISP has not whitelisted, and automatically whitelist IP addresses that were obtained from non-DoH DNS requests.

You could argue against seatbelts the same way: seatbelts can cause abrasion of the skin during everyday driving, which is a more present and pervasive threat to most than car crashes.

In both instances it turns out that the difference in magnitude of those threats makes the direct comparison misleading.

If by most people you mean most people globally, governments are absolutely a bigger threat; only a minority of the world’s population live in countries with benevolent governments who don’t censor the internet to hide the government’s misdeeds.

Pinetab2 as a tablet, or some x86_64 tablet of which there are many.

For TV, use it as a dumb display for some FOSS TV box, running something like libreelec.

As for DRM attestation, that’s not the responsibility of anyone but the DRM vendor, so ask them.

Even if DNS is redirected, where a DNS lookup request goes next depends on the next hop, which is – for the prevailing majority of internet users – the ISP.

Deep packet inspection hardware appliances have proliferated in their numbers in recent years, they are cheap, the hardware is highly performant, and they are capable of highly sustained throughput. Redirecting DNS queries on UDP port 53 to any other destination of choice is what they can do without blinking an eye (if they had one). Or dropping / blackholing it.

Only a VPN tunnel can get through, however modern DPI appliances can also scan for VPN and VPN-like signatures in the traffic and drop those, too. The only viable and guaranteed to work solution to resist the tampering with the traffic is a VPN tunnel wrapped into a Shadowsocks tunnel that obfuscates traffic signatures and constantly changes ports it operates on to avoid detection.

Widely used DoH servers operate on fixed IP addresses (v4 and v6), connections to which can be dropped / blackholed, which is what people from at least the UK and Malaysia are reporting. DPI is not even required.

> As a network guy …

Then transparently redirect the DNS request from all your machines at home to your own DNS resolver (so that you’re in control of what gets resolved and what doesn’t, like malware, phishing sites, porn so that kids don’t get to see that, etc.) and have your own DNS resolver use DoH.

But asking for browsers to “make DoH ubiquitous” (they would force DoH and DoH only) is not a good thing. It also probably would clash with corporate policies, so it’d make the browser picking that path unusable in corporate settings (leaving the corporate market to competitor browsers).

DoH won’t solve redirects. DoH only gets you to a secure query, it won’t help you if the government decides to give you a falsified query. For that you’ll need DNSSec, which maintains a cryptographic chain of authenticity to the root DNS servers. And DNSSec is even more rare than DoH.

DoH will prevent government from hijacking your query in the first place. These blockades are only possible because of DNS being clear text and susceptible to MITM

That’s one level of security, but even for DoH, it’s possible for entities to attack and control an HTTPS server, returning falsified DNS queries, and now the antigovernment.com website you logged in to talk about anti-government politics is actually run by government. The only way to prevent that is via DNSsec to make sure that antigovernment.com goes to a real antigovernment.com server.

This makes no sense whatsoever.

If the government can transparently MITM your HTTPS connections with the DoH server, they can just as well MITM your connection to the real antigovernment.com server regardless of what DNS you use. And in fact, if they can’t MITM your connection to the real antigovernment.com, they also can’t trick you to talk to their fake antigovernment.com regardless of intercepting your DNS: you will connect to the attacker IP, the attacker IP will give you a bogus certificate, your browser will refuse to connect.

They only need a certificate signed by an authority trusted by your resolver. And, unlike for the website itself, your browser does not show certificate information for the DoH server.

DoH also does not solve the problem of where the DNS server you use gets its information from: A government can compromise the other side as well.

So, like, you are assuming someone using a resolver that ignores the certificate chain of trust, as evidence that DoH is not useful?

Does your programming language _show_ you the certificate information when you use an http library to connect to an HTTPS service?

Sure the other end of the DNS query may not be encrypted, but I can easily decide which government to trust, and run my DoH server there.

> your browser does not show certificate information for the DoH server.

It doesn’t show it, but I expect it would put up an error message if the DoH server’s cert is invalid.

DNSSec is entirely useless here. The government has two goals here: block you from accessing certain sites, and perhaps prosecute you for the attempt. DNSSec does exactly nothing to help against either of these, even if perfectly deployed.

DNSSec can help protect from fraudsters or others that might try to transparently direct you to a different site than the one you wanted to access. But the government here has no intention of serving you a fake porn site, they want to stop you accessing porn and log the fact that you were trying to access it.

The backlash against DoH is that the implementations switch your DNS server without asking to a centralized one which is presumably data mining the queries, default ignoring the one you configured in your operating system or DHCP server.

There is also nothing wrong with using UDP for DNS. And the latency can be better, and in this context that matters. The real problem is that the UDP DNS protocol isn’t encrypted. But there is no reason it couldn’t be, except that then nobody gets a new source of DNS queries to data mine, which is where the money comes from to push DoH.

ISPs regularly data-mine their users’ traffic. Meanwhile, some of the major DoH servers specifically don’t. (See, for instance, the deals Mozilla has with their default DoH providers.)

The policy that Mozilla asks providers to follow does not prohibit data-mining the traffic. Providers are requested to not store or share personal information, but any data-mining that removes personally identifiable information is allowed.

For example, accidentally leaked internal network queries from companies are up for grabs. As is market data like what people are querying, how much, when, from where (geographical for example) and to whom, and so on.

The quality of the anonymization of private information is also not guaranteed.

> Meanwhile, some of the major DoH servers specifically don’t.

You can’t possibly make that assertion, because all it takes is one NSL and they will log and share it all.

My ISP doesn’t but the people who run the increasingly centralised internet have a long track record of mining my data for commercial reasons.

I’ll trust my ISP over Google or Cloudflare or Microsoft or DuckDuckGo any day.

I think reasonable people these days don’t really trust a provider even if they have explicit contract stating something. Personally, I just trust my ISP a little more than google when it comes to data. But I absolutely do not dream for one moment that they do not want to play with analyzing/monetizing/god knows what else with that data.

I’m sorry, but this is an argument straight out of the totalitarian’s playbook, and I’m going to call you out on it.

Some abuse , therefore it is totally justified for us to impose a wholesale replacement of with a solution that we can control centrally. It’s for your own safety!

Never mind all the people that don’t have data-mining ISPs, and to hell with end-user consent. We don’t need that, we’re working for the good of everyone. My piety trumps all!

> The backlash against DoH is that the implementations switch your DNS server without asking to a centralized one which is presumably data mining the queries, default ignoring the one you configured in your operating system or DHCP server.

With, say, a proxy app on MacOS, I don’t see how they could do this without consent?

It’s not that there is no way to turn it off, it’s that you have to take affirmative steps to turn it off, so now people are having their queries sent to a central server by default and you have to go out of your way to stop it. And then most people don’t even know that it’s happening, much less what to do about it.

The default is not for this to respond in a way that disables changing your DNS server, therefore they’re changing the default without asking.

Notice that you could do this the other way: Query a value in the existing (local) DNS or DHCP that not only allows you to enable DoH but also specify which server all the local devices should use. Then if the DNS server chosen by the local administrator/user supports DoH, it could respond by saying so and you could use the protocol without changing your DNS server. But that’s not how they did it.

My home router is running a (regular, port 53) DNS server that blocks requests to ads, scams, malware, etc. I have rules set up on the router so any port 53 traffic that tries to go to the public internet gets redirected to my router’s DNS server.

A device on my network that decides to use DoH without my knowledge or consent gets to bypass all that. I can try to block a list of the DoH providers I know of, but I’m not going to get them all. And it’s just regular HTTPS traffic on port 443, with nothing to distinguish it from someone accessing a website.

An antagonistic device on your network that wants to resolve names doesn’t need to use DNS at all.

DoH isn’t “magic”. It’s just a simple, standardised protocol. Its existence makes it no more or less easy for adversarial actors to do name resolution.

The choice of DoH is not set from dhcp or the OS, it’s set by the application developer. And that’s wrong.

DNS should be an OS level tool which is consistent to all applications, not an application by application setting.

As the device owner I expect DNS to be consistent whether I run Firefox, chromium, zoom, curl, steam, ping, or the dozens of other programs I run.

The bigger issue is that it should be an OS level setting. Different apps having a different option isn’t the issue, it’s any app being able to trivially override a user choice, sometimes without notification.

Again, the existence of DoH has zero bearing on whether or not software written by someone else chooses to use the OS networking stack or even respect your desires when it comes to name resolution.

Again, the point is it should be an OS level setting and apps should respect it. Just because apps can be hostile to user intentions doesn’t mean we should allow or worse advocate for that.

A huge shitload of the Internet is the Web.

The reason I force DNS over UDP to my own DNS resolver is not so that chinese-internet-of-shitty-insecure-device (which I don’t own) cannot phone home: I do it so that I’m in control of what the browsers can access over HTTPS (my browsers are all HTTPS-only).

> or not software written by someone else chooses to use the OS networking stack or even respect your desires when it comes to name resolution

Then meet firewalls. The users accounts running browsers on my setup can access HTTPS over port 443 and query UDP to my local DNS resolver. A webapp (i.e. a software written by someone else) is not bypassing that “networking stack” that easily.

Regarding name resolution: except in some very rare cases where https shall work directly with IP addresses, a browser using https only will only work for domains that have valid certificates. Which is why blocking hundreds of thousands –or millions– of domains at the DNS level is so effective.

And if there are known fixed https://IP_address addresses with valid certificate that are nefarious, they’re trivial to block with a firewall anyway.

I’m in control of my LAN, my router, and my machines and webapps written by others either respect HTTPS or get the middle finger from my firewall(s). Not https over port 443? No network for you.

Reading all your nitpicking posts you make it sound like firewalls and local DNS intercepting and blocking DNS requests aren’t effective. But in practice it is hugely effective.

I hope you can appreciate that DoH is meant to protect against a nefarious intermediary between the device/application and the server it’s trying to reach.

The crux of the problem is that the device/application can’t tell if the interference is friend or foe.

All the techniques you can legitimately use on your local network, and that network operators have used in the past, can all be used one hop beyond the network you control.

And, sadly, in 2024, most OS vendors are “in the game” of making sure they can 100% control the link and execution environment between themselves and their servers, without interference from the network operators along the way, OR the device owner.

Malaysia started mandating ISPs to redirect DNS queries to local servers

This is silly and not well thought out.

The knowledge of what ip address correlates to some hostname is just data like any other data. There is nothing magically specially different about it, and no way to differentiate it from any other random data that every single process processes.

It’s a meaningless wish for something that you can’t have, that we all agree would be nice, but is silly to expect.

An app can simply include its own hard coded list of ips if it wants, or some totally home grown method for resolving a name to a number from any source. It’s just key=value like all the infinite other data that every app processes. Normal DNS and DoH are nothing but standards and conveniences, they don’t actually control or dictate anything.

You wish apps couldn’t do that? So what? Do you also want a pony?

Malaysia started mandating ISPs to redirect DNS queries to local servers

> This is silly and not well thought out.

I’d say the same for this unnecessary ad hominem.

> The knowledge of what ip address correlates to some hostname is just data like any other data. There is nothing magically specially different about it, and no way to differentiate it from any other random data that every single process processes.

This is a basic truth that has no bearing on what I said above.

> It’s a meaninless wish for something that you can’t have, that we all agree would be nice, but is silly to expect.

It’s how it worked for personal computing almost since it became popular in the 90s.

Most apps would use the OS set DNS setting. Apps choosing to ignore that and do their own queries is a much more recent thing.

> An app can simply include its own hard coded list of ips if it wants, or some totally home grown method for resolving a name to a number from any source.

Yes. This also has no bearing on my point.

> You wish apps couldn’t do that? So what? Do you also want a pony?

Wishing apps are not hostile to user intentions is not a fantastical or ignorant desire. Just because apps can be hostile to user intentions does not mean we should accept that as normal or advocate for it.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Because, as an example, as a person responsible for network at my house, I do not want to check whether my child installed another app and check each app one by one ( and that check has to be done and redone every time something changes or someone touches the app ). I want one global setting that says ‘Non possumus’.

edit: Unless, naturally, I am no longer an admin and any control I have over my hardware is merely an illusion.

Malaysia started mandating ISPs to redirect DNS queries to local servers

I hate to break it to you, but there is nothing special about hostnames and ips. They are just a tiny bit of key=value data that can be stored or transmitted infinitely different ways. DNS and DoH are nothing but convenient standards that no one and no app actually has to use.

It doesn’t matter how much you might want otherwise. It doesn’t matter how important and virtuous the reason you want it is. Even invoking the mighty untouchable power of “my daughter” does not change such a simple fact of life.

Malaysia started mandating ISPs to redirect DNS queries to local servers

The question has no meaning. “control things within your control” is like a truism, grammatically and logically valid yet says nothing.

The point was that it’s pointless to even think in terms of “apps and devices going around my choke point” because there never was a choke point in the first place.

If you want to prevent an app or device on your network from accessing an IP, you must 1: Ensure the app or device has no wifi or cell or any other possible physical connection of its own that could allow it to reach the internet without going through your router. 2: Block the ip, by ip, in your router, and also any other ip that could serve as a proxy or relay.

It is impossible to know what all those IPs are, so what is possible instead is whitelisting instead of blacklisting.

You could do that, but was it useful or interesting to even say? Didn’t you and everyone else already know all that?

Malaysia started mandating ISPs to redirect DNS queries to local servers

I am not sure why I detect snark. Either it is possible or it is not possible. You argue that we can only assume that things are not communicating with the outside world if there is no network to begin with, which is not a completely unreasonable position to take knowing what we know — cat and mouse gaming being what it is. But even that is slowly becoming less of an option.

Are you suggesting that this conversation is pointless? I don’t see it that way. edit: after all, I am participating in this exchange.

Malaysia started mandating ISPs to redirect DNS queries to local servers

If DNS were running a full session-based encrypted protocol over UDP, like QUIC does, then no one would complain. But running anything that isn’t streaming over plain UDP is basically a bad idea.

Malaysia started mandating ISPs to redirect DNS queries to local servers

I feel like you’ve conflated “UDP” with “unencrypted.” This is false; you can perfectly well encrypt data transmitted over UDP, and you can also perfectly well run connections “in the clear” over TCP, which is the thing you generally use instead of UDP. What you don’t get with UDP is guaranteed packet delivery, which generally means the application layer is in charge of acknowledgements and retransmits. It’s great for game servers where low latency is highly important.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Let me put it like this: for a modern day protocol that should be deployed widely over the internet, the protocol should be expected to have (1) encryption, and (2) session management. Ideally, dedicated protocols should be used for these, for proper separation of concerns, but doing it at the application layer directly can also be acceptable.

Deploying an application protocol that does neither, such as DNS, directly over UDP is a bad idea. If you were to run DNS over DTLS (TLS over UDP), that would be a different beast, and probably ok.

And to clarify, encryption is important to prevent tampering and preserve users’ privacy. Session management is important to protect against redirect attacks with spoofed source IP, or session hijacking.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Okay, but DoH is DNS over HTTPS, which itself runs over TCP/IP, which *does not implement encryption.* (The TLS part of HTTPS is doing that.) You’re still mixing the layers here 🙂

I’m not against the core part of your argument, just against the blaming of a particular choice of transport layer, which is fundamentally irrelevant. Encryption is great. Meanwhile DNS doesn’t really need the concept of a session, does it? At the end of the day it’s just a single lookup which can very well be fire and forget. That we’re encrypting the request (ideally) and also the response (ideally) is no reason to add in loads more complexity.

Malaysia started mandating ISPs to redirect DNS queries to local servers

DoH means running DNS over HTTP over TLS over TCP. TCP does session management, TLS does encryption, HTTP is there just for “plausible deniability”.

DoH3 means running DNS over HTTP over QUIC over UDP. Here QUIC does both session management and encryption.

In both cases, we are running a simple application protocol (DNS) over other protocols that handle the Internet-level problems I raised, so all is good.

The problem is with running your application protocol directly and strictly over UDP and nothing else.

And related to sessions, there are two things. For one, in reality today, you typically do a whole host of DNS requests even to load a single site (many common sites have upwards of 20 domains they use, and that’s before loading any ads). So having a persistent session to send all of those requests on would not change much, even if it’s not technically necessary. Secondly, even if you really want to avoid sessions, you then still need some other mechanism to prevent source IP spoofing.

Any protocol which allows a host to send a small request to a server and cause that server to send a large response to the src IP of that request is a major problem for the health of the internet. Requiring a handshake to solve this is one simple way to avoid the problem entirely. DNS implementations have had to find all sorts of other mitigations to address this (I believe they now typically don’t allow responses more than a factor of 1.something larger than the request, or something like that? Which of course brings in all sorts of extra problems and unnecessary traffic)
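The amplification problem and the handshake-based mitigation described in the two posts above, as an added Python example that is not part of the thread: it builds a small ANY query and a deliberately large answer in DNS wire format, measures the size ratio, and shows a responder replacing oversized UDP answers to unverified clients with a truncated (TC=1) reply so the client must retry over TCP, where the three-way handshake proves it owns the source address. The size threshold, the TXT-heavy zone and the `client_verified` flag are constructed for the demo (real resolvers use response rate limiting, DNS cookies and similar policies rather than these exact numbers).

```python
"""Constructed demo of DNS amplification and the TC-bit (force-TCP) mitigation."""
import struct

TC_FLAG = 0x0200       # "truncated" bit in the DNS header flags word
MAX_UDP_RATIO = 3.0    # assumed policy threshold (response/request size), not a standard value


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name that starts at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_query(name: str, qtype: int = 255, qid: int = 0x1234, edns_size: int = 4096) -> bytes:
    """Constructed client query (default: ANY) advertising a large EDNS0 UDP buffer."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)       # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # qtype, class IN
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)   # OPT RR: type 41, class = UDP size
    return header + question + opt_rr


def build_full_response(query: bytes, txt_count: int = 8) -> bytes:
    """Constructed authoritative answer: txt_count TXT records of 255 bytes of rdata each.
    The OPT record is omitted from the reply for brevity (a real server would echo one)."""
    qid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4                                  # end of the question section
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, txt_count, 0, 0)  # QR, RD, RA
    answers = b""
    for _ in range(txt_count):
        rdata = bytes([254]) + b"x" * 254                             # one 254-char TXT string
        # name is a pointer (0xC00C) to the question name at offset 12; type TXT=16, class IN, TTL 300
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + query[12:qend] + answers


def amplification_ratio(query: bytes, response: bytes) -> float:
    """Bytes a reflector would emit per byte a spoofing client had to send."""
    return len(response) / len(query)


def is_truncated(msg: bytes) -> bool:
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_FLAG)


def udp_reply(query: bytes, full_response: bytes, client_verified: bool,
              max_ratio: float = MAX_UDP_RATIO) -> bytes:
    """Decide what goes out over UDP.

    Clients that have proven their source address (client_verified, e.g. via a
    completed handshake or a valid DNS cookie) get the full answer. Otherwise an
    answer larger than max_ratio times the query is replaced by a header-plus-
    question reply with TC=1, which tells a legitimate client to retry over TCP
    and gives a spoofed source nothing worth amplifying.
    """
    if client_verified or amplification_ratio(query, full_response) <= max_ratio:
        return full_response
    qid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", qid, 0x8180 | TC_FLAG, 1, 0, 0, 0)   # QR, TC, RD, RA; no answers
    return header + query[12:qend]


if __name__ == "__main__":
    q = build_query("example.com")
    full = build_full_response(q)
    print(f"query {len(q)} B, full answer {len(full)} B, ratio {amplification_ratio(q, full):.1f}x")
    for verified in (False, True):
        out = udp_reply(q, full, client_verified=verified)
        print(f"verified={verified}: sent {len(out)} B, TC={is_truncated(out)}")
```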

Malaysia started mandating ISPs to redirect DNS queries to local servers

> If you were to run DNS over DTLS (TLS over UDP), that would be a different beast, and probably ok.

Yes, and the person you’re replying mentioned that it was perfectly possible to encrypt data over UDP. Presumably they meant DTLS. So what’s your concern?

Malaysia started mandating ISPs to redirect DNS queries to local servers

I was explaining that saying “don’t run DNS over UDP” is a completely different thing than saying “don’t run DNS over anything that ultimately runs over UDP”. It’s not that I don’t know you can encrypt things over UDP, it’s that I wasn’t talking about that.

Malaysia started mandating ISPs to redirect DNS queries to local servers

> pornography/obscene content (31 per cent), copyright infringement (14 per cent)

> We reiterate that Malaysia’s implementation is for the protection of vulnerable groups from harmful online content.

Who could possibly be harmed by pornography or, even more ridiculous, copyright infringement? Feels like a lame excuse.

Internet censorship in my country (Russia) started the same way — “we’re protecting children from suicide and drugs”, but for some reason you couldn’t opt out of the “protection” as an adult. To no one’s surprise, over time, more and more things to non-consensually “protect” people from were added. In the end, unless you stick exclusively with local services, Russian-language content, and government-owned media, the internet is utterly broken without a VPN, packet fragmenter or other anti-censorship solution. Popular VPN protocols are also starting getting blocked, btw. All for your own safety, of course!

Malaysia started mandating ISPs to redirect DNS queries to local servers

Balkanization of the Internet is inevitable. As more and more people join it, there will be conflict between beliefs, values, and politics. Large markets like EU, India can keep companies aligned, but for smaller nations it will be easier to just selectively block global platforms and have local/compliant alternatives. China has shown it is possible and profitable.

Malaysia started mandating ISPs to redirect DNS queries to local servers

We were very fortunate to live through the aberrant time period in which there was a truly global data network. It feels almost like an inevitable fact of entropy that eventually the bureaucrats and petty fiefdoms would catch on to the existence of the system and demand their slice of the pie.

Malaysia started mandating ISPs to redirect DNS queries to local servers

I’m honestly surprised that the US doesn’t have a legal framework to force ISPs to block IPs / DNS hostnames. I’ve been expecting that for 10+ years now, but it hasn’t happened.

Malaysia started mandating ISPs to redirect DNS queries to local servers

I think for the most part because it’s not needed. Anything hosted on a .com, .net, .org (or any other TLD where the TLD’s root DNS is managed by a US company) can be taken down with a court order. There’s no need to involve ISPs.

In general they’re not going to bother with IP blocking; once they’ve killed DNS, they’re satisfied that most people will not be able to access it.

And for the most part, that’s good enough. There’s perhaps an argument that the US gov’t should be blocking IPs/DNS of things like hacking rings and malware distributors that are hosted elsewhere, on TLDs out of their reach (where ISP blocking would probably be the only or at least best way), but they mainly only care about e.g. sites that threaten the copyright cartels, when it comes to legal takedowns, anyway. And for sites that host illegal content, they seem happy only prosecuting US residents who access them.

Malaysia started mandating ISPs to redirect DNS queries to local servers

It’s because the US is so powerful they can take down any controversial website. See how literally all services with more than 10 users say in their terms of service “we don’t want anything that might violate US law”.

Malaysia started mandating ISPs to redirect DNS queries to local servers

US will use all manner of tools to extradite foreign citizens who have never been to the US because they broke US law.

Nobody has to worry about breaking Thai laws around defaming the King because Thailand isn’t a superpower with the ability to enforce its will beyond its borders.

Everyone has to be worried about breaking US law.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Except what you wrote only applies to countries with extradition treaties with the US (meaning the government in those countries have agreed that US law can apply in their country too).

Not every country has this, so no, not “everyone has to be worried about breaking US law”.

Regarding Thailand specifically, they have a principle of “double criminality”, so people are only extraditable if what they’re accused of is a crime both in Thailand and the country they’re being extradited to. So maybe not the best example.

Besides, other countries have extradition treaties with other countries than the US too, even non-super power ones.

Malaysia started mandating ISPs to redirect DNS queries to local servers

In this case, the “malicious sites” that the government approved DNS providers block almost certainly include life saving LGBT resources. It will not stop there however, expect anything anti government to be blocked. Democracy does not have a good track record in Malaysia.

Of course there are still ways around this. Use a good VPN like Proton.

This is still for sure going to be copied by authoritarian regimes worldwide.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Malaysia doesn’t have a stellar democratic record but it’s still a democracy. Also, a stellar democratic Malaysia will still vote for this. Don’t confuse Democracy with Liberal values.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Most countries have some sort of censorship. RT is banned (broadcasts and streams not allowed, and website blocked) in the UK. Libraries will not stock books with certain points of view reflecting the views of those who fund or run them (AFAIK LGBT stuff in some American schools, gender critical views in some British public libraries). Mein Kampf used to be effectively banned in Germany and has been actually banned in a few places.

Malaysia started mandating ISPs to redirect DNS queries to local servers

> Most countries have some sort of censorship.

This is a notable area where the US is an exception, and is significantly more free than other western countries. No need to worry about art or materials being censored here, at least outside of specific contexts like some states banning books from schools.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Only in the narrow sense, where freedom of speech is only about the lack of government censorship. But in the wider sense, where censorship may also be due to business interests or cultural and societal pressure, I haven’t seen any real differences between freedom of speech in the US and the European countries I’m familiar with.

Malaysia started mandating ISPs to redirect DNS queries to local servers

What would be some examples of voluntary censorship from large organizations due to business interests or cultural and societal pressure and not due to government censorship?

Malaysia started mandating ISPs to redirect DNS queries to local servers

Consider the content policies for popular social media platforms. Consider the platform unilaterally closing your account, which may be tied to many aspects of your life. Remember the cancel culture people used to talk about a few years ago. Think about the controversy around the Gaza war, with people on both sides being afraid to speak their minds due to potential consequences.

While the government may not arrest you, the consequences of expressing your opinions can still be excessive.

Malaysia started mandating ISPs to redirect DNS queries to local servers

No it’s not. The US is consistently banning free speech – including, as you rightly say, banning books in schools.

It’s just that the restrictions the US has are determined by Americans to be the right levels and other restrictions (for example laws against glorifying nazism) are the wrong levels.

The sad thing is Americans believe the propaganda that they have freedom and nowhere else does and therefore their restrictions on speech aren’t real but others are.

Malaysia started mandating ISPs to redirect DNS queries to local servers

> No it’s not. The US is consistently banning free speech – including, as you rightly say, banning books in schools.

Some states are doing that at a state level in limited contexts. Individuals are still free to post or publish whatever they want.

> It’s just that the restrictions the US has are determined by Americans to be the right levels and other restrictions (for example laws against glorifying nazism) are the wrong levels.

No, it’s that in the US this kind of freedom is significantly more protected and culturally important.

> The sad thing is Americans believe the propaganda that they have freedom and nowhere else does and therefore their restrictions on speech aren’t real but others are.

I would say the sad thing is anti-US sentiment can be so high that people won’t debate something like this in good faith and look at the various cases and histories.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Isn’t it too early to declare anti-US sentiment here?

Challenge one: Could it be that previous commenter touched certain dogma? (One possible definition from Wikipedia: “Dogma, in its broadest sense, is any belief held definitively and without the possibility of reform”)

Challenge two: please try to stretch the definition of “censorship” a bit till you can say that USA has SOME censorship, maybe in disguise. (One possible definition from Wikipedia: “Censorship is the suppression of speech, public communication, or other information.”)

(No need to report results or reply / just try the exercise for elasticity of the mind)

BTW. A bit related, hopefully interesting, random fact you did not ask for:

“Freedom” is defined quite differently by people in different countries.
While the U.S. often focuses on freedom from government interference, in France, freedom also includes the idea that the government has a role in ensuring social justice and protecting individual rights, and in Baltic countries the freedom usually means freedom from a certain country.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Holocaust denial or vaccines have microchips or other nonsense is one thing. The two things that are censored so I can’t post them (not that I want to) are CSAM and Disney Movies.

Malaysia started mandating ISPs to redirect DNS queries to local servers

The US dismantling a company they allege was being used as a weapon by a hostile country is different from the government preventing access to content that whoever is in charge doesn’t personally like.

Malaysia started mandating ISPs to redirect DNS queries to local servers

I think countries have the right to ban disinformation and lies dedicated to social unrest. If England did ban it, that would probably be the reason, “news” presented as facts and reporting, shouldn’t be outright lies.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Very true if 51% is somehow disconnected/shielded from the 49% and power basically never changes sides.

But it is only technically correct, if tyrants regularly agree to cede the power to new tyrant without bloodshed or even a tantrum.

Malaysia started mandating ISPs to redirect DNS queries to local servers

On any specific issue that’s right, but it is not the case at the system level.

The reason why is that even if you are on the winning side sometimes, a lot of factors ensure that you’ll be on the 49% side every now and then. And then it is in your interest that your rights are defended. This is not some new or particularly deep insight. It is the basis of political liberalism.

Malaysia started mandating ISPs to redirect DNS queries to local servers

“Real democracies” is hypothetical like “Real Communism”. In the Real World democracy means voice of the majority. So, if majority believes abortion should be illegal it will be.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Without universal suffrage I think the comparison between modern democracies and these examples is apples and oranges. The voters in Rome and Sparta were a small elite, so their “democracy” is more like a novel form of power sharing in an otherwise bog standard system.

Malaysia started mandating ISPs to redirect DNS queries to local servers

> Without universal suffrage I think the comparison between modern democracies and these examples is apples and oranges

Universal suffrage is an ideal entirely reliant on how the denominator is defined. Delineating the polity (i.e., polis) is an institution in democratic exercise–we traditionally punt this question to that of citizenship.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Yes, but I think everyone agrees that non-adults shouldn’t be allowed to vote (being dependent on their parents), while if a country has too big of a chunk of its adult population without the right to vote (think if Qatar was a democracy, because citizenship is so restricted there), it would not count as “universal suffrage”?

(On the opposite, you have countries where you can vote in local elections even if you do NOT have citizenship.)

Malaysia started mandating ISPs to redirect DNS queries to local servers

> but I think everyone agrees

Of course we do. Because it’s convention. But not everyone within a border geometry is a citizen. And why a border geometry is what it is usually relies on other questions.

Malaysia started mandating ISPs to redirect DNS queries to local servers

For fk sake, can we just have one comment section that doesn’t involve US politics on the internet??

It’s exhausting for the other 7 billion of us who want to talk about literally anything else

Malaysia started mandating ISPs to redirect DNS queries to local servers

There was maybe a more constructive way to phrase this, but I agree with the sentiment. I think people from the US should be included in the 7 billion, at this rate.

For instance, this is probably the worst part about being in the UK while being from the US. It seems rather difficult for people from places very closely tied to US politics (culturally, linguistically, politically, and diplomatically) to not redirect a conversation about any other country to the US especially if someone from the US is present.

Malaysia started mandating ISPs to redirect DNS queries to local servers

> This is still for sure going to be copied by authoritarian regimes worldwide.

I think that ship has sailed. Malaysia certainly isn’t the first to pull this.

Malaysia started mandating ISPs to redirect DNS queries to local servers

It sounds like you just don’t know what it means.

> there are democracies in Europe where it’s fine to jail people for what they write online.

And? You seem to believe that a democracy refers to a bundle of freedoms that you personally believe everyone should have. Democracy means governance by the will of the majority. If the majority want people to be jailed based on their writings or speech, then that’s what happens in a democratic country.

Malaysia started mandating ISPs to redirect DNS queries to local servers

> Democracy means governance by the will of the majority.

If that’s your definition then a lot of countries where the majority tribe is in a form of dictatorial power are also democracies.

Malaysia started mandating ISPs to redirect DNS queries to local servers

A government dismantling a corporation being used as a weapon by a hostile country is not the same as a government blocking individuals access to websites they don’t approve due to conservative values.

Malaysia started mandating ISPs to redirect DNS queries to local servers

I don’t know exactly what you’re referring to, I don’t know the details of the events.

But is there a possibility there is a distinction between “I can freely share my political opinions about things” versus “I can ask/cheer on people to commit crimes without consequence”?

Malaysia started mandating ISPs to redirect DNS queries to local servers

What could possibly be “life saving”? On the scale of things, it’s a relatively moderate Islamic country so the best you’re going to get is if you’re gay and keep it quiet, no one is really going to bother you.

Malaysia started mandating ISPs to redirect DNS queries to local servers

PrEP is not exclusive to LGBT communities (though they are at significantly higher risk than the general population). It’s free at (some) government clinics in Malaysia.

Malaysia started mandating ISPs to redirect DNS queries to local servers

I read your comment about maybe “censoring STI prevention information” might reduce the frequency of gay males having sex.

Seems unlikely, not surprising it got flagged to death, however it’s there for anyone with ShowDead enabled to read.

Malaysia started mandating ISPs to redirect DNS queries to local servers

So… censorship. Just because you don’t like what someone said does not make what they said wrong. Flagging comments is censorship. Plain and simple. You’re trying to remove opinions you don’t agree with.

Malaysia started mandating ISPs to redirect DNS queries to local servers

“The algorithm decided it. That’s not censorship.”

“The majority decided it. That’s not censorship.”

“The law decided it. That’s not censorship.”

“The users decided it. That’s not censorship.”

“You were just scared your neighbors would kill you, so you didn’t say anything. That’s not censorship.”

I’m having trouble drawing lines.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Censorship by the majority is still censorship.

I’m not opposed to all censorship. I’m just opposed to refusing to acknowledge it for what it is.

If you have your comment flagged by a couple of people, and removed, that is censorship. Plain and simple.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Is that why the average suicide rate is lower in majority Muslim countries? Awareness presumably increases suicide?

I know you were implying the opposite, but how many suicides are you going to prevent by making Malaysia’s rate (6/100k) similar to the US (14/100k)?

These are generalized rates, of course, but in point of fact, your claim is not substantiated by any real data.

Malaysia started mandating ISPs to redirect DNS queries to local servers

> Is that why the average suicide rate is lower in majority Muslim countries? Awareness presumably increases suicide?

Either you think that the majority of the population in Malaysia or the US identify as LGBT+ or you’re really struggling with basic statistics and reasoning.

> prevent by making Malaysia’s rate (6/100k) similar to the US (14/100k)?

Presumably the idea would be to reduce it to some number lower than 6. Or do you believe the majority of people in the US are killing themselves because of “Awareness and acceptance on LGBT matters”?

Malaysia started mandating ISPs to redirect DNS queries to local servers

As I said, “These are generalized rates, of course”

If the idea is to reduce it below 6 by preventing a few suicides per year (which is not likely), how confident are you that destroying the culture of the nation in the process will not cause the number to rise to 14?

Malaysia started mandating ISPs to redirect DNS queries to local servers

I’ve done much more than randomly Google it.

I’ve read about it in depth.

Encouraging people to be LGBT has resulted in massive increases in number of people claiming to be trans, for example. Assuming they have the “best” case scenario of an affirming home, apparently 14% attempt suicide, according to your third link.

Now let me ask you, how many people have we killed by “affirming” these things to the point that it’s actually cool to be trans in most schools?

We’re driving up the denominator on the highest risk category for suicide while pretending that that very thing will reduce suicide.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Quite plausibly, mental health resources. I assume connecting with like minded individuals and communities can go a long way in helping you understand yourself and reconcile your differences with broader society.

Malaysia started mandating ISPs to redirect DNS queries to local servers

> Websites are only blocked when they are found to host malicious content, such as copyright infringements, online gambling, or pornography

So I guess pornography is illegal in Malaysia?

I guess this is a great time for Malaysian users to switch to DoH.

Edit: Yes. Wikipedia:

> Pornography is illegal in Malaysia with fines of up to RM10,000 for owning or sharing pornographic materials

Malaysia started mandating ISPs to redirect DNS queries to local servers

I’m Malaysian. They even messed up DoH for the popular DNS providers like Google and Cloudflare. I think they are routing 1.1.1.1 to their own DNS, so when you try to connect to DoH you get SSL_ERR_BAD_CERT_DOMAIN. The only option it seems is to VPN or play the cat and mouse game now to find a DNS that hasn’t been rerouted yet.

Malaysia started mandating ISPs to redirect DNS queries to local servers

Where are you? My DNS seems to work perfectly fine right now in Penang (with VPN off).

It’s sad that democracies are copying the playbook of China. Will definitely be using v2ray/X-ray while here

Malaysia started mandating ISPs to redirect DNS queries to local servers

> It’s sad that democracies are copying…

“Democracy” is a bit of a red herring here. Democracy doesn’t mean the government can’t censor you or restrict what information or media you can consume. Democracy just means that the voters have consented to whatever legal framework is in place, and to whatever their leaders want to do within that framework.

And that’s the thing: in many democracies around the world, if there was a referendum on the law to blocking copyright infringement, online gambling, or pornography at the ISP level, I think many would pass that law.

(Certainly there are “democracies” out there that only pay lip service to the concept, and have fixed elections and repression of dissent or opposition. I’m not talking about those.)

Malaysia started mandating ISPs to redirect DNS queries to local servers

Sarawak here (on unifi). My network uses a self-set-up multi-DNS path with enforced encryption so no biggie but I tried some nonetheless. Quad 8, 1 are fine atm, while Quad 9 traceroute returned !X.

Router DNS redir to pihole (not the shitey FiberHome) -> pihole to internal (bind9 plain local to AdGuard proxy DoQ) -> self-hosted tunneled whitelist DNS quicdoq DoQ, AdGuard DNS DoQ (upstream Quad 101, others).

I have a similar setup; it will not be immune if they start implementing it in your area. They were rolling it out by area before they reversed course. Your upstream will stop working unless you proxy it through another network.

My country (South Korea) also prohibits access to pornography services. (And they also terminate TLS using the TLS HELLO.)

So DoH should work fine for now, but they (the government) will terminate HTTPS (or TLS) connections ASAP.

People break the law all the time; it’s up to the government to enforce it, and many times the government is unable to do that. See here in the case of Malaysia: it’s not that porn was legal, it’s that they weren’t competent enough to restrict it or know about DNS things.

Porn is just the justification. It’s easy to find something repugnant on whatever streaming video site and then start with the “protect the children” nonsense.

The real issue is always control.

Backward countries being backward. The main flaw of modern liberal societies is that parts of them have stopped believing that liberalism is indeed progress. All hail the moral police and long live cultural relativism or whatever its currently trendy post-structural reconstruction is.

The tension between a borderless internet and national sovereignty is one of the most important meta-conflicts occurring in the world today. What can be critiqued as draconian authoritarianism on one hand can be defended as digital sovereignty on the other.

And those that look down on national sovereignty are suspected of being shills for imperialism (whether they realize it or not), which is an even worse kind of authoritarianism.

> It wouldn’t have to be giant. Ideally, it would just include those entries that are censored for political reasons sorted by location.

I think you’re underestimating the amount of stuff being blocked everywhere. Even in Spain where I live the list of blocked domains would be pretty big already, and it’s just one country.

OONI gives a good overview: https://explorer.ooni.org/

I think most countries that do this also block/redirect the major DoH providers like Cloudflare or Google. Of course, you can always hide your DoH traffic by going to other servers or, worst case, using an HTTP proxy, and avoid that.

There are even countries that MITM all HTTPS traffic, and your choices are to install the government MITM root certificates into your trust store, or not use HTTPS.

> There are even countries that MITM all HTTPS traffic, and your choices are to install the government MITM root certificates into your trust store, or not use HTTPS.

Are there? When Kazakhstan announced they were going to do this, all the major browser vendors blocked their CA… so they backed down. What other countries do this and get away with it?

Or people setting the DNS IP on their routers and phones:

Google 8.8.8.8 8.8.4.4

Control D 76.76.2.0 76.76.10.0

Quad9 9.9.9.9 149.112.112.112

OpenDNS Home 208.67.222.222 208.67.220.220

Cloudflare 1.1.1.1 1.0.0.1

AdGuard DNS 94.140.14.14 94.140.15.15

CleanBrowsing 185.228.168.9 185.228.169.9

Alternate DNS 76.76.19.19 76.223.122.150

https://github.com/yarrick/iodine =3

I’m in the UK; my ISP hijacks DNS requests on port 53, so nope, none of that works. They’re not alone in doing this: https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_…
For the most part this is not noticeable, but addresses to a bunch of my _work_ stuff don’t resolve on whatever hacky DNS replacement they offer if I’m not on the work VPN.

They also block port 853 (so no DoT), and https to well-known dns servers; so you can’t use DoH to google, but others may work.

If you’re on a vpn they never see the traffic, you can also bypass them using a pihole with unbound to proxy dns to a DoH server – as long as they haven’t blocked it.

Ironically, the corporate VPN I use also hijacks DNS (but locally only), which bypasses all the ISP issues but makes debugging work DNS problems awkward.

Comcast/Xfinity does that in the USA, at least if you use the newer modem/routers that they provide. If you use your own router you can still set your own DNS provider. DoH is a workaround for web browsing.

Why don’t you change ISP?

You chose an ISP with those features; that’s on you. It’s not like the UK is a backwards country with a monopoly of one or two ISPs for a given location.

I had just switched to this one when I discovered the problem, so I was under contract for the next couple of years, and it’s not like they advertise this as a feature where you’d have made that choice beforehand. Also, I didn’t just need “an ISP”; I needed a high-speed connection, and at the time my previous provider said they didn’t offer that to existing customers, while the handful of others appeared to only offer 1/10 of the speed I wanted or only offered it bundled with TV/sport packages (I don’t watch TV).

Since then City Fibre completed their rollout and I’m no longer an existing customer with BT so now I _do_ have a choice.

But bigger picture here: I mentioned my setup on a thread where a country is mandating all of their ISPs do this. Sometimes you don’t have a choice.

Virgin Media. At the time I switched I needed more bandwidth for work – dealing with multi-gigabyte blobs all day; I was with BT, but BT wouldn’t let me upgrade to a gigabit fibre connection, and the City Fibre network which is now everywhere wasn’t yet in my street.

The UK government’s IPs show up on our ban lists often for illegal theft of service and CVE scans. Have you tried a Bind9 relay with iodine/VPN tunnels for local transparent network traversal across the hostile sandbox?

i.e. obfuscate the traffic using the hijacking DNS servers themselves.

Just a thought =3

The ISP blocks/redirects the traffic outside my network, so if you just try to send normal UDP/TCP port 53 externally, it won’t get there. This is why I mention a pihole: by setting my DNS server to something on my local network and then having that use DoH, I can get past the block. I can’t configure every device to use e.g. DoT or DoH directly, but I usually can configure their port 53 nameserver, directly or via DHCP.

The VPN provider: it’s just a split-tunnel thing; since that is a local process, yes, they can hijack it. Originally, when we switched to our current VPN provider, it didn’t even let us use localhost or loopback DNS, but we needed that for the way we use Docker in development, so now it’s just anything except those being redirected.

I configure my router to divert all UDP/53 to my Pi-hole. The advertising industry hates this type of behaviour, but it means even an IoT device using hard-coded DNS (rather than what I tell them from my DHCP or ND settings)

This is a feature. That some people choose terrible ISPs is a trivial problem to avoid, far easier than avoiding terrible user agents which are beholden to their advertising masters.

Unless it is tunneled over a binary obfuscation layer, and wrapped in purposely weakened cryptography to booby-trap their parser.

There are also the global satellite uplinks… so it’s ultimately a pointless game to keep people ignorant, that is, unless they plan to follow people around like a hot-air balloon villain from Pokemon Go. lol =3

Very well. You have pointed your DNS resolver to a host on your local network for the DNS name resolution.

When a DNS lookup request hits it, where does a UDP packet on 53 go out to, and what happens to it?

You do know what happens when people try to MITM SSL traffic, correct?

Even the UK/China firewall can be tunneled over, but the ramifications for those that do so can be dire. =3

Yes, the connections fail, and most clients will fall back to regular ol’ DNS on port 53, which then gets redirected to the government’s DNS servers.

So far clients have chosen availability instead of fighting this fight.

Unless your local router tunnels the DNS traffic via other means. The clients may see slightly higher latency, but it is quite easy, for example, to bounce traffic through a reverse proxy on a Tor tunnel and start ignoring spoofed drop-connection packets (hence these bypass local DNS, tunnel to a proxy IP to obfuscate Tor traffic detection, and exit someplace new every minute or so). This is a common method to escape the cellular LTE/5G network sandbox.

Ever played chase the Kl0wN? Some folks are difficult to find for various reasons.

Have a nice day, =3

An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service, so that governments can’t block DoH without blocking all of Google or YouTube. Using a dedicated domain like that, they’re just begging to be blocked.

I wonder if DoH requests can be easily proxied? So if I set up https://www.mydomain.com/dns-query on a U.S.-based cloud server and proxy_pass all requests to Google or Cloudflare, and point my browser at my server, will it work?

> An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service

That’s not how that works. DoH resolvers need an IP address, not a domain name. Sure, Google could host DoH on www.google.com, www.youtube.com, etc. but most users are not going to be savvy enough to find those IPs and use them.

Then again, perhaps users savvy enough to try to use DoH to bypass these blocks would also be fine with this.

> most users are not going to be savvy enough to find those IPs and use them.

Very few people configure DoH on their own. It’s up to the DoH-enabled client software (mostly browsers) to obtain lists of resolver IPs and keep them up to date.

If Cloudflare, for example, really wanted to make their DoH traffic indistinguishable from other HTTPS traffic, they could literally host DoH on any domain or IP under their control and rotate the list every now and then.

Iodine will obfuscate the traffic using the redirected DNS hijack servers themselves.

Perhaps someone will put a configured wifi router image together over the Christmas holidays for demonstration purposes… because it is fun to ignore TCP drop DoS too.

Tunneling well-obfuscated traffic is easier than most imagine… and IDS technology will fail to detect such things without an OS OSI layer snitch. =3

“Any” impact on users?

It sounds like you’re working with a model in which most users are conscious that they’re very offended or inconvenienced by censorship, and want to research technical means of circumventing it. I wish that were true, but I doubt it’s nearly as common as your intuition suggests.

Motives are complicated at times, but traditionally despotic movements are always hostile toward sources of truth that contradict official narratives.

However, one could be correct in that people may prefer to be ignorant. As YC karma is often negatively impacted by facts. QED =3

3000 proxies seems like no big deal for the government to ban.

“Any” impact is weird phrasing, though. Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.

Except the lists often change every minute, and some types of proxies are just a compromised script/page sitting on commercial, private, and government servers.

> Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.

There are several one-button vpn/proxy+tor apps for unrooted phones already, and they are dodgy on a good day. =3

> protection provided by the local ISP’s DNS servers and that malicious sites are inaccessible to Malaysians.

I’d really be curious if said “protection” is actually real…

Between dynamic domain name generation (à la malware) and (potentially) a lack of public review… this sounds more like smoke and mirrors.

Hopefully there is a way for users to set up a VPN and get access to a better DNS server without triggering the redirect.

`sudo tcpdump port 53` says yes, they do use unencrypted DNS.

AFAIK Chrome has a hardcoded list of DNS servers which offer encrypted DNS, i.e. if your DHCP server tells your PC to use 8.8.8.8, 1.1.1.1, 9.9.9.9 (or the IPv6 equivalents), it will instead connect to the equivalent DNS-over-HTTPS endpoint for that DNS provider. This is a compromise to avoid breaking network-level DNS overrides such as filtering or split-horizon DNS. It’s not limited to public DNS providers either; ISP DNS servers are in there. (I’ve seen Chrome connect to Comcast’s DNS-over-HTTPS service when Comcast’s DNS was advertised via DHCP.)

Of course, this is pretty limited. Chrome obviously can’t hardcode every DNS server, and tons of networks use private IPs for DNS even though they don’t do any sort of filtering / split-horizon at all. (My Eero router has a local DNS cache, so even if my ISP’s DNS servers were in Google’s hardcoded list, it wouldn’t use DNS-over-HTTPS, because all Chrome can see is that my DNS server is 192.168.4.1.)
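The `tcpdump port 53` check above, carried one step further as an added example that is not from the thread: it parses a constructed capture of that output and reports, per client, which hosts still send plaintext queries, to which resolvers, and whether each resolver is a LAN cache (where, as the comment says, the browser cannot auto-upgrade to DoH) or a public address that a DoH-configured client has silently fallen back to. The capture lines, the 192.168.4.x hosts and the "DoH expected" set are all constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of `sudo tcpdump -n port 53` output (not a real capture).
SAMPLE_CAPTURE = """\
10:01:02.100001 IP 192.168.4.23.51234 > 192.168.4.1.53: 4821+ A? example.com. (29)
10:01:02.100512 IP 192.168.4.1.53 > 192.168.4.23.51234: 4821 1/0/0 A 93.184.216.34 (45)
10:01:03.220003 IP 192.168.4.57.40022 > 8.8.8.8.53: 9001+ AAAA? www.wikipedia.org. (35)
10:01:03.250770 IP 8.8.8.8.53 > 192.168.4.57.40022: 9001 1/0/0 AAAA 2620:0:862:ed1a::1 (63)
10:01:04.000001 IP 192.168.4.99.60001 > 1.1.1.1.53: 7777+ A? dns.google. (28)
10:01:04.000900 IP 1.1.1.1.53 > 192.168.4.99.60001: 7777 1/0/0 A 8.8.8.8 (44)
10:01:05.300000 IP 192.168.4.57.40023 > 1.1.1.1.53: 9002+ A? example.org. (29)
"""

# One tcpdump line: "<ts> IP <src>.<sport> > <dst>.<dport>: <dns summary>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Query summaries look like "4821+ A? example.com."; answers carry no "?".
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


def parse_queries(capture):
    """Return one dict per plaintext DNS query (packets sent to port 53)."""
    queries = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dport") != "53":
            continue
        q = QUERY_RE.search(m.group("rest"))
        if not q:
            continue
        queries.append({
            "client": m.group("src"),
            "resolver": m.group("dst"),
            "qtype": q.group("qtype"),
            "qname": q.group("qname").rstrip("."),
        })
    return queries


def resolver_kind(addr):
    """'lan' for private/loopback resolvers (a local cache such as 192.168.4.1,
    which the browser cannot auto-upgrade to DoH), 'public' for anything else."""
    ip = ipaddress.ip_address(addr)
    return "lan" if ip.is_private or ip.is_loopback else "public"


def plaintext_report(capture, doh_expected=frozenset()):
    """Per client: plaintext query count, resolvers used, and a verdict.
    doh_expected lists clients configured for DoH; a plaintext query from one
    of them to a public resolver means it silently fell back to port 53."""
    per_client = defaultdict(lambda: {"queries": 0, "resolvers": set()})
    for q in parse_queries(capture):
        per_client[q["client"]]["queries"] += 1
        per_client[q["client"]]["resolvers"].add(q["resolver"])
    report = {}
    for client, entry in per_client.items():
        kinds = {resolver_kind(r) for r in entry["resolvers"]}
        if client in doh_expected and "public" in kinds:
            verdict = "doh-fallback"      # DoH configured, yet plaintext went out
        elif kinds == {"lan"}:
            verdict = "lan-resolver"      # local forwarder; encrypt upstream there
        else:
            verdict = "plaintext-public"  # visible to, and redirectable by, the ISP
        report[client] = {**entry, "verdict": verdict}
    return report
```

Running `plaintext_report(SAMPLE_CAPTURE, {"192.168.4.57"})` flags 192.168.4.57 as a DoH client that fell back to plaintext, 192.168.4.23 as talking only to the LAN cache, and 192.168.4.99 as sending plaintext straight to a public resolver.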

I don’t want my browser ignoring my DNS settings. I went through a lot of effort to set up Pihole in front of a local BIND server with split-horizon DNS for my VPS subdomains and my local subdomains, with caching and control over upstream resolvers, routed through Wireguard to avoid ISP snooping/hijacking.

It’s bad enough that so many devices and applications already ignore DNS settings or hard-code IPs. I want everything going through my DNS.

> Do FireFox, Chrome and Safari still use unencrypted channels for DNS queries?

Firefox for sure has a “corporate” setting which guarantees that DNS queries are unencrypted, using port 53 (virtually always UDP; technically, I take it, TCP over port 53 is possible, but a firewall only ever allowing UDP over port 53 for a browser works flawlessly).

AFAIK Chrome/Chromium also has such a setting, and making sure that setting is on bypasses DoH.

I force all my browsers (and my wife’s and kid’s browsers) to my own DNS resolver over UDP port 53 (my own DNS resolver is on my LAN, but it could be on a server if I wanted to).

That DNS resolver can then, if you want, only use DoH.

To me it’s the best of both worlds: “corporate” DNS setting to force UDP port 53 and then DoH from your own DNS resolver.

The benefit compared to directly using DoH from your browser is that you get to resolve a shitload of ads/telemetry/malware/porn domains to 0.0.0.0 or NXDOMAIN.

You can also, from all your machines (but not from your DNS resolver), blocklist all the known DoH server IPs.

I have no problem with this. They are a sovereign country. With third-party DNS like Google, the aggregation of DNS query data could be used for nefarious or for-profit purposes. I encourage everyone to set up unbound.

This is just DNS, so they don’t get the entire URL. I know, slippery slope and outrage and stuff, but at this point it is almost expected that any government in the world with access to sufficient IT skills would start political internet bans.

The purpose of banning VPNs is repressing political opponents. The police don’t have to go around finding people who use VPNs. It’s just that when the police arrest someone at a protest or on some trumped-up charge, and the police also find a VPN on the person’s phone or computer, it is an easy charge to tack on – one that is certain to get punishment.

Starlink always complies with all ISP laws in every country. It’s not some magic anti-censorship button.

Shit, mostly it exits a country via ground stations in that country or a compatible legal jurisdiction. It’s not even magically flying out of the country via satellite. + Discussions about its ability to skirt censorship in this fashion with any significant capacity sort of paint it as a bad move, maybe that Starlink 2.0 nonsense.

Reminder: Malaysia is an officially Islamic country. It is strange given its location, but Islamization also took over other South and East Asian places as well, like the Maldives and Indonesia.

Malaysia has had a history of religious discrimination from both the state and citizens, despite there being a freedom to practice whatever religion you want. Their notion of religious freedom is also strange, since in order to be considered a Malay you MUST be Muslim. And Malays get all sorts of additional rights and privileges (such as affirmative action). The country also has Sharia law courts – and this is a very real problem for personal freedom, because the Sharia court prevents Muslims from converting to other religions typically, and this forces people to have secret double lives, where privacy is critical.

Restrictions on Internet access or violations of privacy/anonymity are a serious problem for those who may run into trouble due to religious discrimination built into Malaysia’s culture and law. Do not accept official explanations like protecting people from harm or stopping misinformation – control over the internet will be abused.

> is strange given its location,

Strange in the current context that it’s not in the Middle East but not strange when you look at the map and see that it’s a straight shot for a trading ship from the Middle East a thousand years ago.

And the entirety of India (until the Brits arrived) was “controlled” by the Mughal Empire, which was mainly Muslim.

Even Spain/Iberia had a huge Muslim population, until the Reconquista kingdoms committed large-scale genocide and deportations of Muslims and Jews.

And speaking of Unexpectedly Muslim, the Golden Horde (AKA Tatars), which existed in the Crimean region as one of the offshoots from Genghis Khan’s conquests, was Muslim. In fact, they allied with the Mamluk kingdom of Egypt against Hulagu, leader of another Mongol horde, the Ilkhanate.

> online gambling (39 per cent)

Well, well, well. People on HN will be surprised to know that the internet is a complete shit hole. “I thought the internet was made for the good of humanity”.