net4people / bbs

Forum for discussing Internet censorship circumvention

How does the DNS/domain block work if connecting to a CDN via IP address? #321

Closed MichaelUray closed 5 months ago

MichaelUray commented 6 months ago

My understanding is that if an IP address instead of a DNS name gets used to connect to the CDN, the domain name/host name gets sent to the CDN as SNI/hostname and this does not require a DNS resolution. For some reason the vless/trojan access via the blocked SNI domain is not working; replacing the domain with another one which is not blocked works fine.

How exactly does the domain block affect the connection to the CDN?

MichaelUray commented 5 months ago

It looks like the SNI gets sniffed by a DPI firewall which then interrupts the connection, since without TLS 1.3 and Encrypted ClientHello (ECH) enabled the SNI gets sent unencrypted to the server. https://www.reddit.com/r/dumbclub/comments/18xjrwq/comment/kg65lho/?utm_source=share&utm_medium=web2x&context=3