Open wkrp opened 3 years ago
I'd like to confirm that I was having serious problems with DNS. Local DNS53 results are poisoned. Western DNS53 servers (google, quad9...) become blocked for approx 2 minutes when querying banned domains. DoT is outright blocked. DoH servers become blocked for about 5 minutes after any query (tested both public and private servers).
I have since installed dnscrypt-proxy and use its built-in list of public servers. I initially had problems but soon discovered that I could proxy the queries using a local SOCKS5 and v2ray setup.
A friend, also in China, is using SmartDNS built into his router. He hasn't yet experienced any problems.
While I may be experiencing these problems, it's important to note that the GFW is not a single entity. Each province/city/ISP implements its own rules.
I've encountered numerous errors when trying to set up the DoH services provided by big techs (Cloudflare, Google, Quad9, OpenDNS and Adguard) last month.
Detailed stats can be found at https://en.greatfire.org/https/cloudflare-dns.com
DoH servers using the well-known /dns-query path can be probed and blocked. Making your own path can help, or just set it up behind nginx and do a simple path rewrite.
One thing is sure: if they are probing, there has to be a log. Since I am not passionate about DoH and have my own network infrastructure to route DNS traffic, it would be great if someone spun up a test server and saw what happens before it gets blocked.
For some other users maybe strict IP whitelisting can help a little. Also, I wonder if mTLS (Mutual TLS) can be used together with DoH to solve the sender authentication problem (just wild guessing).
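Putting the two ideas above together, a non-default path plus mTLS, as an added nginx example for a test server of the kind suggested; this is not configuration from the thread or from any project mentioned in it. The backend address, hostname, certificate paths and the private path are placeholders, and the decoy `/dns-query` location exists only so hits on the well-known path land in their own log.

```nginx
# Belongs in the http {} context of nginx.conf: a log line that records
# whether the client presented a valid certificate (verify=SUCCESS/NONE/FAILED).
log_format doh '$remote_addr [$time_local] "$request" $status '
               'verify=$ssl_client_verify ua="$http_user_agent"';

server {
    listen 443 ssl http2;
    server_name doh.example.invalid;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Mutual TLS with a private CA. "optional" (rather than "on") lets the
    # handshake complete for clients without a certificate, so their requests
    # still reach the access log instead of vanishing as handshake failures.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client optional;

    # Decoy: the well-known path answers 404 but is logged separately, so any
    # unsolicited request here shows up as a distinct event.
    location = /dns-query {
        access_log /var/log/nginx/doh-probe.log doh;
        return 404;
    }

    # Real entry point on a private path, rewritten to /dns-query for the
    # backend (assumed: a DoH server listening on 127.0.0.1:8053).
    location = /REPLACE-WITH-RANDOM-PATH {
        access_log /var/log/nginx/doh.log doh;
        if ($ssl_client_verify != SUCCESS) {
            return 403;                       # no valid client cert, no resolver
        }
        rewrite ^ /dns-query break;
        proxy_pass http://127.0.0.1:8053;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Everything else is a 404, logged with the same format.
    location / {
        access_log /var/log/nginx/doh-probe.log doh;
        return 404;
    }
}
```

Comparing timestamps and `verify=` values in doh-probe.log against the moment service degrades is the experiment the comment above asks for.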
I found a forum post that says that for at least one person in China, DNS over TLS (using stubby) stopped working on 2021-03-04. The symptoms are:
DoT is of course easy to block just by forbidding port TCP/853, and DoH is probably easy to active-probe. My guess is that DoH servers are being dynamically detected using active probing, which is something that could be tested.
The user who made the forum post appears to be @twifty on GitHub, who has filed https://github.com/getdnsapi/stubby/issues/279 and https://github.com/m13253/dns-over-https/issues/100. I'll mention them here in case they have anything to add.
https://forum.manjaro.org/t/dns-over-tls-has-stopped-working/56422 (archive)