Various improvements to servers I use #971
Conversation
1.0.0.1 existed twice in the list
The removed IP addresses were intended to be used only by the Cloudflare WARP client. It's better to use the "stable" well-known Cloudflare IP addresses instead.
The hostname is obtained from the server certificate; it's more suitable than using the IP address directly, even if the certificate has a valid entry for the IP address. Additionally, dns.cloudflare.com was no longer a valid hostname in the server certificate for the documented DoH servers.
The correct name for the service is Google Public DNS, and not just Google DNS. Also make it clear that it is a DoH server and not a DNSCrypt server.
Switch from a sandbox server to a regular server. Also add an additional IPv6 server.
This pointed at a regular server, not the FamilyShield server. Also add an additional IPv6 address.
This uses the IP addresses that are documented by Cisco.
Thanks! I think host names in SNIs were changed to IP addresses in order to help bypass filters. As long as they work, reverting this would not be an improvement.
I was not sure about that, because many other DoH servers in the list do use the hostname in addition to the IP address. I'll have a look at how common filtering according to SNI is, but I'd imagine any filtering would know about the IP addresses by now too.
The host name is required when other services are hosted on the same IP address, or when it changes the filtering behavior.
I am aware of how hostnames are used in DoH, both for SNI so that the correct service is reached when multiple exist on the same IP address, and to provide a hint as to what to check the TLS certificate against in case the certificate does not contain an IP address field (in general, most certificates do not have an IP field). I have access to a few networks that specifically try to block DoH (and DoT, and redirect traditional DNS too), so I'll test if there's any difference in behavior if the hostname is part of the stamp or if it just has the IP address.
That's why DNS relays exist.
Also use documented IP addresses, correct hostname, and mark them as supporting DNSSEC.
Use the IP addresses that are documented by Cisco, and also mark them as supporting DNSSEC.
I checked connecting to DoH servers that used the hostname vs the IP address in the SNI, and it made no difference in terms of getting through intentional DoH traffic blocking. All the DoH servers are publicly known and their IP addresses are on the many blocklists floating around on the internet. If one is behind a restrictive firewall, it's better to attempt connection through Tor or relays. Using IP addresses in SNI comes at the cost of clarity, and deviates from how web browsers and other tools use DoH. I went over all the changes once again and removed the one failing server.
This is just a string meant to be copied and pasted, or with tools like dnscrypt-proxy, it doesn't even need to be entered. What really matters is, in practice, what advantages IP addresses have over host names. If one option works more often than another, even just a little bit, it's a better option. @demarcush made these changes specifically to help avoid SNI inspection. But I don't know if it really helps or not in practice.
@jedisct1: I can assure you that it bypasses SNI perfectly in Iran or Russia, especially the v6 ones. Bastards are too preoccupied with plundering that they didn't put the IP addresses in a blocklist, or doing so would mess with their own infrastructure.
Commit messages contain further info.
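The thread turns on what a DoH stamp carries in its `addr` field versus its `hostname` field (the latter is what the client uses for SNI and for the certificate check). As an added example, not code from this PR or from dnscrypt-proxy, here is a small encoder/decoder for the `sdns://` DoH stamp format plus a check that flags entries whose hostname field is an IP literal rather than a DNS name, which is useful when auditing a resolver list for the consistency the PR argues for. It follows the published stamp layout (protocol byte `0x02`, 64-bit little-endian properties, length-prefixed `addr`, hash vector, `hostname`, `path`); the function names are my own.

```python
import base64
import ipaddress
import struct

DOH_PROTO = 0x02  # stamp protocol id for DNS-over-HTTPS
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 1, 2, 4  # informal property bits

def _lp(b):  # LP(): one length byte then the data; bytes() rejects fields over 255
    return bytes([len(b)]) + b

def _vlp(items):  # VLP(): LP() items; the high bit of a length byte means more follow
    out = b"".join(bytes([len(x) | (0x80 if i < len(items) - 1 else 0)]) + x
                   for i, x in enumerate(items))
    return out or b"\x00"  # an empty vector is a single zero byte

def encode_doh_stamp(addr, hostname, path, props=0, hashes=()):
    """Build an sdns:// DoH stamp; addr may be "" and hostname may carry :port."""
    body = bytes([DOH_PROTO]) + struct.pack("<Q", props) + _lp(addr.encode())
    body += _vlp(list(hashes)) + _lp(hostname.encode()) + _lp(path.encode())
    return "sdns://" + base64.urlsafe_b64encode(body).decode().rstrip("=")

def decode_doh_stamp(stamp):
    """Parse a DoH stamp into its fields (trailing bootstrap IPs are ignored)."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    body = base64.urlsafe_b64decode(stamp[7:] + "=" * (-(len(stamp) - 7) % 4))
    if body[0] != DOH_PROTO:
        raise ValueError("not a DoH stamp, protocol byte 0x%02x" % body[0])
    pos = 9
    def field():  # consume one LP() element, or one VLP() element with its "more" bit
        nonlocal pos
        n, more = body[pos] & 0x7F, bool(body[pos] & 0x80)
        pos += 1 + n
        return body[pos - n:pos], more
    out = {"props": struct.unpack("<Q", body[1:9])[0], "addr": field()[0].decode()}
    out["hashes"], more = [], True
    while more:
        h, more = field()
        out["hashes"] += [h] if h else []
    out["hostname"], out["path"] = field()[0].decode(), field()[0].decode()
    return out

def hostname_is_ip_literal(stamp):
    """True when the hostname field (SNI and cert name) is an IP literal, ignoring any :port."""
    host = decode_doh_stamp(stamp)["hostname"]
    host = host[1:host.index("]")] if host[:1] == "[" else (host.rsplit(":", 1)[0] if host.count(":") == 1 else host)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True
```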