bol-van / zapret

DPI bypass multi platform

[Question] Regarding zapret working #288

Closed HakaishinShwet closed 3 weeks ago

HakaishinShwet commented 3 weeks ago

I have successfully installed and set up zapret on my Arch Linux with the latest kernel and everything, and you can confirm that from the images I have attached below too. It is running fine and doing its job of packet splitting and using iana.org as the SNI, as you can see in the Wireshark image. BUT I was testing this with my ISP's default DNS "intentionally" to see if it is able to open this website -> https://tpb.party/. I do know that by default this website will be blocked by the ISP's default DNS, and as you can see in the images below it did block the page as expected. BUT what I was expecting after setting up zapret was to be able to visit this website without any issues, but I faced the same error, as you can see in the images below. I was thinking that if it is modifying the SNI value to iana.org instead of tpb.party and is splitting packets too, then it would be able to bypass the restriction which the ISP might have set on DNS to block requests for a particular domain, but that didn't happen actually. So I think I had some wrong understanding about this project, as I have some knowledge but of course I am not a master like you :-)) (btw, totally loved your in-depth explanation of how this project works; I did read some things but still couldn't process everything tbh in just one day, so it will take time to understand it better, with help from GPT maybe). So I just wanna clear up what this project actually does, because it couldn't bypass the block and make the site accessible?
With a different DNS like 8.8.8.8 and others I could access the same website both without zapret and with zapret, so what difference zapret actually makes is what I wanna know in detail, because if DNS can do the job of bypassing, then what is the real job of zapret, how can it actually be helpful and in what cases will it be helpful? (btw, do check my systemctl status image to get an idea of what dpi desync command I am running. I thought maybe with different settings it might be able to pass the restriction, but I didn't test much, so you can recommend something better too if my dpi desync command should be different.)

Thank you very much again for this great project ;-)

[Attached screenshots: 20240817_07h55m18s_grim, 20240817_07h55m09s_grim, 20240817_07h54m54s_grim]

bol-van commented 3 weeks ago

If your ISP blocks the domain only by DNS, then there's no DPI and you don't need DPI bypass software.

What you see in Wireshark doesn't mean it substitutes the SNI. It generates an additional fake packet that should reach the DPI but must be ignored by the server. The original SNI is still passed, but it can be split into 2 packets; your filter doesn't show that.

DPI bypass strategies are not universal and should be checked first.

asaddon commented 3 weeks ago

Compare the IP of the website returned by Google DNS and by your ISP DNS. If your ISP is altering the tpb.party IP and giving a false/blackhole IP, there's nothing zapret can do about it.

HakaishinShwet commented 3 weeks ago

Thank you very much @bol-van for explaining that; now I get why the DNS method was working. Btw, you said that "your filter doesn't show that", so I was wondering if there is any filter I can set in Wireshark to see/filter those split packets which contain the original SNI? This filter just filters every Client Hello packet possible on the network, so it filtered only the iana.org SNI ones, so I thought where the hell is the original SNI packet? So please guide me on how I can see those with Wireshark.

bol-van commented 3 weeks ago

Choose any iana.org packet and follow the TCP stream. It should be near the iana.org one, soon after connection establishment.
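The mechanism described two comments up (a fake ClientHello that reaches the DPI but not the server, while the real SNI is still sent, only split across two segments, so a filter that judges each packet on its own never matches it) and the follow-the-TCP-stream advice just above, as an added example that is not code from the zapret project or from anyone in this thread. It builds a minimal ClientHello, emits the fake plus the two real pieces as (sequence, payload, TTL) tuples in wire order, and compares what a per-segment SNI check reports with what reassembling the stream at the DPI's distance and at the server's distance yields. The ClientHello layout, sequence numbers, TTLs, hop counts and the split position are all constructed assumptions for illustration, not zapret's defaults or flags.

```python
# Added example, not code from the zapret project or from anyone in this thread.
# Emulates the fake + split pattern as TCP segments with sequence numbers and
# TTLs, then shows (a) what a per-segment SNI check reports and (b) what a
# reassembled TCP stream contains at the DPI and at the server.
# All values (record layout, seq numbers, TTLs, hop counts, split position)
# are constructed for illustration; the split position is not a zapret default.
import struct


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS ClientHello record whose only extension is server_name (constructed)."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list              # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                          # version, random, empty session id
            + b"\x00\x02\x13\x01"                                      # one cipher suite
            + b"\x01\x00"                                              # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(data: bytes):
    """SNI from a complete ClientHello record at the start of data; None if absent or truncated."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        if len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            return None                                                # record is cut short
        p = 9 + 2 + 32                                                 # record + handshake headers, version, random
        p += 1 + data[p]                                               # session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]                 # cipher suites
        p += 1 + data[p]                                               # compression methods
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]            # end of extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if etype == 0:                                             # server_name: list len, type, name len, name
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                if p + 5 + name_len > len(data):
                    return None
                return data[p + 5:p + 5 + name_len].decode()
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def desync_segments(real_hello: bytes, fake_name: str, split_pos: int, seq0: int = 1000):
    """(seq, payload, ttl) tuples in wire order: a fake ClientHello at the same sequence
    number with a short TTL, then the real record in two pieces (assumed values)."""
    return [
        (seq0, build_client_hello(fake_name), 3),                      # fake: meant to die before the server
        (seq0, real_hello[:split_pos], 64),
        (seq0 + split_pos, real_hello[split_pos:], 64),
    ]


def per_segment_snis(segments):
    """What a filter that parses each segment on its own reports."""
    return [extract_sni(payload) for _, payload, _ in segments]


def reassemble(segments, hops_away: int) -> bytes:
    """Stream as seen by a box `hops_away` hops from the sender (assumed model): a segment
    whose TTL does not cover the distance never arrives, and for overlapping sequence
    ranges the first data seen wins."""
    stream = {}
    for seq, payload, ttl in segments:
        if ttl <= hops_away:
            continue
        for i, b in enumerate(payload):
            stream.setdefault(seq + i, b)
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(min(stream), max(stream) + 1))


def demo():
    real = build_client_hello("tpb.party")
    split_pos = real.find(b"tpb.party") + 3                            # split inside the hostname (illustrative)
    segs = desync_segments(real, "iana.org", split_pos)
    return {
        "per_segment": per_segment_snis(segs),                         # only the fake parses on its own
        "dpi_sees": extract_sni(reassemble(segs, hops_away=2)),        # fake arrives first, wins
        "server_sees": extract_sni(reassemble(segs, hops_away=10)),    # fake expired; real pieces reassemble
    }


if __name__ == "__main__":
    print(demo())
```

`reassemble` is the offline counterpart of Wireshark's Follow TCP Stream: the two real pieces each fail an SNI parse on their own (one is a truncated record, the other does not even start with a TLS record header), which is why a display filter on the SNI field shows only the iana.org frame, while the concatenated stream carries tpb.party.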

HakaishinShwet commented 3 weeks ago

@bol-van What I am about to ask, I think I shouldn't ask, because it's subjective and depends on testing on many different websites, as different strategies apply to different websites to bypass them, I know, but still I wanna ask because you are the developer of this awesome project and you have worked hard to create and test many things regarding this DPI. So what I wanna ask from you is: do you have any list of working nfqws strategies, be it aggressive or medium level, which worked best for you personally in your several tests on different types of websites? If yes, then please share; I would like to test them out first before testing other strategies, because you know there can be sooo many combos, but I wanna reduce that time with your knowledge and experience, so please do share so that I can analyze them in Wireshark and see some live differences, and then I wanna see how much delay they add to website loading and if there are any breakages.

bol-van commented 3 weeks ago

Here in Russia there's no common strategy. It's all different for all ISPs and locations, but there are some common patterns because of the centralized TSPU censorship system: some sort of fake,split2 usually works, with TTLs and fooling depending on the ISP and on-path devices (such as the home router). There's blockcheck to test working strategies.

HakaishinShwet commented 3 weeks ago

Thank you, now some of my doubts are cleared, so closing this for now :-)) Will reopen maybe if I get some other doubts, because the project is quite interesting.