
Or people setting the DNS IP on their routers and phones:

Google 8.8.8.8 8.8.4.4

Control D 76.76.2.0 76.76.10.0

Quad9 9.9.9.9 149.112.112.112

OpenDNS Home 208.67.222.222 208.67.220.220

Cloudflare 1.1.1.1 1.0.0.1

AdGuard DNS 94.140.14.14 94.140.15.15

CleanBrowsing 185.228.168.9 185.228.169.9

Alternate DNS 76.76.19.19 76.223.122.150

https://github.com/yarrick/iodine =3



I'm in the UK; my ISP hijacks dns requests on port 53 so nope, none of that works. They're not alone doing this https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_... For the most part this is not noticeable; but addresses to a bunch of my _work_ stuff don't resolve on whatever hacky dns replacement they offer, if I'm not on the work vpn.

They also block port 853 (so no DoT), and https to well-known dns servers; so you can't use DoH to google, but others may work.

If you're on a vpn they never see the traffic, you can also bypass them using a pihole with unbound to proxy dns to a DoH server - as long as they haven't blocked it.

Ironically the corporate vpn I use also hijacks dns (but locally only), which bypasses all the ISP issues but makes debugging work DNS problems awkward


Comcast/Xfinity does that in the USA, at least if you use the newer modem/routers that they provide. If you use your own router you can still set your own DNS provider. DoH is a workaround for web browsing.


The UK government IPs show up on our ban lists often for illegal theft of service, and CVE scans. Have you tried a Bind9 relay with iodine/vpn tunnels for local transparent network traversal across the hostile sandbox?

i.e. obfuscate the traffic using the hijacking DNS servers themselves.

Just a thought =3


What do you mean they hijack port 53? This is a local setting on your OS. They can't hijack the DNS call if you set it to something else.


The ISP blocks/redirects the traffic outside my network. So if you just try to send normal UDP/TCP port 53 externally, it won't get there. This is why I mention a Pi-hole; by setting my DNS server to something on my local network and then having that use DoH, I can get past the block. I can't configure every device to use e.g. DoT or DoH directly, but I usually can configure their port 53 nameserver, directly or via DHCP.

The VPN provider: it's just a split tunnel thing; since that is a local process, yes, they can hijack it. Originally, when we switched to our current VPN provider, it didn't even let us use localhost or loopback DNS, but we needed that for the way we use Docker in development, so now it's just anything except those being redirected.


Port 53 requests are not limited to external requests. That's what I was implying in my comment.


I configure my router to divert all UDP/53 to my Pi-hole. The advertising industry hates this type of behaviour, but it means even an IoT device using hard-coded DNS (rather than what I tell them from my DHCP or ND settings)

This is a feature. That some people choose terrible ISPs is a trivial problem to avoid, far easier than avoiding terrible user agents which are beholden to their advertising masters.


They absolutely can and some do. The destination UDP port number of a UDP packet traversing the core network of an ISP can be inspected and acted upon as one pleases.


Unless it is tunneled over a binary obfuscation layer, and wrapped in purposely weakened cryptography to booby-trap their parser.

There are also the global satellite uplinks... so it's ultimately a pointless game to keep people ignorant, that is unless they plan to follow people around like a hot-air balloon villain from Pokemon Go. lol =3


My point is you can point a call to 53 at a machine on your own network and your ISP can't do shit about that.


Very well. You have pointed your DNS resolver to a host on your local network for the DNS name resolution.

When a DNS lookup request hits it, where does a UDP packet on 53 go out to, and what happens to it?


They can do anything unless constrained by cryptography. I assume it just means redirecting all port 53 traffic which 99% of time will be DNS regardless of IP.


Why don’t you change ISP?

You chose an ISP with those features; that's on you. It's not like the UK is a backwards country with a monopoly of one or two ISPs for a given location.


I had just switched to this one when I discovered the problem, so was under contract for the next couple of years, and it's not like they advertise this as a feature where you'd have made that choice beforehand. Also, I didn't just need "an ISP" I needed a high speed connection and at the time my previous provider said they didn't offer that to existing customers, while the handful of others appeared to only offer 1/10 of the speed I wanted or only offered it bundled with tv/sport packages (I don't watch tv)

Since then City Fibre completed their rollout and I'm no longer an existing customer with BT so now I _do_ have a choice.

But bigger picture here: I mentioned my setup on a thread where a country is mandating all of their ISPs do this. Sometimes you don't have a choice.


If you need decent speed, then you could also try this:

https://www.stunnel.org/downloads.html

with the optional:

https://github.com/bfix/Tor-DNS.git

or go with the more modern:

https://github.com/erebe/wstunnel

Best regards, =3


Out of interest, which ISP do you use?


Virgin Media. At the time I switched I needed more bandwidth for work - dealing with multi-gigabyte blobs all day; I was with BT, but BT wouldn't let me upgrade to a gigabit fibre connection, and the City Fibre network which is now everywhere wasn't yet in my street.


You can go to VM dashboard to disable the adult content filtering. It will then not block DoT and DoH.


Many ISP will also auto-redirect un-allocated domain names to their own websites. Others will ban most inbound connections with a port under 1000 to prevent self-hosting/video-surveillance users.

Annoying if you are trying to bring up a remote domain server, and thinking WTF while checking things out in dig. lol =)


This will not work if ISPs redirect DNS queries. Only the methods CAP_NET_ADMIN mentioned will work.


DoH APIs at these endpoints:

https://dns.google/dns-query – RFC 8484 (GET and POST)

https://dns.google/resolve? – JSON API (GET)

And tunneling obfuscated traffic is easy... =3
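What a client actually sends to the RFC 8484 endpoint listed above, as an added example that is not code from this thread or from Google: it builds the DNS wire-format query, encodes it in the GET `?dns=` form (and a POST request object), and decodes the A records from a response. The response bytes are a constructed sample, not a capture from any real resolver, and the 192.0.2.1 address is a TEST-NET-1 placeholder. Only the live `resolve_over_doh` helper needs network access.

```python
import base64
import struct
import urllib.request


def build_query(name, qtype=1, qid=0):
    """DNS wire-format query (RFC 1035 section 4.1).
    RFC 8484 recommends ID 0 so identical GET URLs are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the message is base64url-encoded with padding removed."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"


def doh_post_request(endpoint, query):
    """RFC 8484 POST form: the raw message is the body, typed application/dns-message."""
    return urllib.request.Request(
        endpoint, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(msg):
    """Return (RCODE, [IPv4 strings]) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):             # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                      # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x000F, addrs


def constructed_response():
    """Constructed sample (not a real capture): NOERROR answer to an
    example.com A query with a single record pointing at 192.0.2.1."""
    question = build_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def resolve_over_doh(endpoint, name):
    """Live lookup over the RFC 8484 POST form (needs network; not run offline)."""
    req = doh_post_request(endpoint, build_query(name))
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


if __name__ == "__main__":
    print(doh_get_url("https://dns.google/dns-query", build_query("www.example.com")))
    print(parse_a_records(constructed_response()))
```

The GET URL produced for `www.example.com` is byte-for-byte the example in RFC 8484 section 4.1.1, which is a handy check that an encoder is right. On the wire this is ordinary HTTPS to port 443; only the hostname in the TLS SNI (and the destination IP) tells a middlebox what it is, which is why blocking is done per well-known resolver name rather than by inspecting the queries.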


An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service, so that governments can't block DoH without blocking all of Google or YouTube. Using a dedicated domain like that, they're just begging to be blocked.

I wonder if DoH requests can be easily proxied? So if I set up https://www.mydomain.com/dns-query on a U.S.-based cloud server and proxy_pass all requests to Google or Cloudflare, and point my browser at my server, will it work?
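Since DoH is plain HTTPS (RFC 8484 GET with `?dns=` or POST with an `application/dns-message` body), an ordinary reverse proxy does forward it. The following nginx server block is an added illustration, not configuration from this thread or from any DoH provider; `www.mydomain.com` and the certificate paths are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name www.mydomain.com;                      # placeholder hostname
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    location = /dns-query {
        proxy_pass https://dns.google/dns-query;       # upstream resolver
        proxy_set_header Host dns.google;              # upstream expects its own Host header
        proxy_ssl_server_name on;                      # send SNI on the upstream TLS connection
        proxy_ssl_name dns.google;
        proxy_http_version 1.1;
        # GET keeps its ?dns=... query string and POST keeps its body
        # under proxy_pass, so both RFC 8484 forms pass through unchanged.
    }
}
```

Two caveats a practitioner would want: the client still has to look up `www.mydomain.com` through whatever resolver it already has, and the ISP still sees that hostname in the TLS SNI, so the scheme works only until that name is blocked as well; and the proxy operator now sees every query in the clear, so the trust you withheld from the ISP is placed in whoever runs the proxy.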


Iodine will obfuscate the traffic using the redirected DNS hijack servers themselves.

Perhaps someone will put a configured wifi router image together over Christmas holidays for demonstration purposes... because it is fun to ignore tcp drop DoS too.

Tunneling well-obfuscated traffic is easier than most imagine... and IDS technology will fail to detect such things without an OS OSI layer snitch. =3


> An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service

That's not how that works. DoH resolvers need an IP address, not a domain name. Sure, Google could host DoH on www.google.com, www.youtube.com, etc. but most users are not going to be savvy enough to find those IPs and use them.

Then again, perhaps users savvy enough to try to use DoH to bypass these blocks would also be fine with this.


> most users are not going to be savvy enough to find those IPs and use them.

Very few people configure DoH on their own. It's up to the DoH-enabled client software (mostly browsers) to obtain lists of resolver IPs and keep them up to date.

If Cloudflare, for example, really wanted to make their DoH traffic indistinguishable from other HTTPS traffic, they could literally host DoH on any domain or IP under their control and rotate the list every now and then.


These are being redirected by the Malaysian government as well.


You do know what happens when people try to MiM SSL traffic correct?

Even the UK/China firewall can be tunneled over, but the ramifications for those that do so can be dire. =3


Yes, the connections fail, and most clients will fall back to regular ol' DNS on port 53, which then gets redirected to the government's DNS servers.

So far clients have chosen availability instead of fighting this fight.


Unless your local router tunnels the DNS traffic via other means. The clients may see slightly higher latency, but for <16 host hotspots it would be negligible.

It is quite easy, for example, to bounce traffic through a reverse proxy on a Tor tunnel, and start ignoring spoofed drop-connection packets (hence these bypass local DNS, tunnel to a proxy IP to obfuscate Tor traffic detection, and exit someplace new every minute or so.) This is a common method to escape the cellular LTE/5G network sandbox.

Ever played chase the Kl0wN? Some folks are difficult to find for various reasons.

Have a nice day, =3


That's exactly what the redirection is trying to fight…


They are going to have to ban around 3000 proxies as well to make any impact on users. =3


"Any" impact on users?

It sounds like you're working with a model in which most users are conscious that they're very offended or inconvenienced by censorship, and want to research technical means of circumventing it. I wish that were true, but I doubt it's nearly as common as your intuition suggests.


Motives are complicated at times, but traditionally despotic movements are always hostile toward sources of truth that contradict official narratives.

However, one could be correct in that people may prefer to be ignorant. As YC karma is often negatively impacted by facts. QED =3


3000 proxies seems like no big deal for the government to ban.

"Any" impact is weird phrasing, though. Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.


Except the lists often change every minute, and some types of proxies are just a compromised script/page sitting on commercial, private, and government servers.

> Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.

There are several one-button vpn/proxy+tor apps for unrooted phones already, and they are dodgy on a good day. =3


Why do you keep signing your comments with '=3'?


Don't worry about it friend =3


That's rookie numbers for China's firewall.

Chinese government couldn't have cared less about that "impact" -- even if only less than 1% of Wikipedia content mentions Chinese government at all, they are going to block the Wikipedia website.



