Closed MichaelUray closed 5 months ago
It looks like the SNI gets sniffed by a DPI firewall, which then interrupts the connection, since without TLS 1.3 and Encrypted ClientHello (ECH) enabled the SNI gets sent unencrypted to the server. https://www.reddit.com/r/dumbclub/comments/18xjrwq/comment/kg65lho/?utm_source=share&utm_medium=web2x&context=3
My understanding is that if an IP address instead of a DNS name is used to connect to the CDN, the domain name/host name gets sent to the CDN as SNI/hostname, and this does not require a DNS resolution.
For some reason the vless/trojan access via the blocked SNI domain is not working; replacing the domain with another one which is not blocked works fine.
How exactly does the domain block affect the connection to the CDN?