undefined | Better HN

0 pointshales1y ago0 comments

This will not work if ISPs redirect DNS queries. Only the methods CAP_NET_ADMIN mentioned will work.

0 comments

Joel_Mckay1y ago

DoH APIs at these endpoints:

https://dns.google/dns-query – RFC 8484 (GET and POST)

https://dns.google/resolve? – JSON API (GET)

And tunneling obfuscated traffic is easy... =3

kijin1y ago

An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service, so that governments can't block DoH without blocking all of Google or YouTube. Using a dedicated domain like that, they're just begging to be blocked.

I wonder if DoH requests can be easily proxied? So if I set up https://www.mydomain.com/dns-query on a U.S.-based cloud server and proxy_pass all requests to Google or Cloudflare, and point my browser at my server, will it work?

Joel_Mckay1y ago

Iodine will obfuscate the traffic using the redirected DNS hijack servers themselves.

Perhaps someone will put a configured wifi router image together over Christmas holidays for demonstration purposes... because it is fun to ignore tcp drop DoS too.

Tunneling well-obfuscated traffic is easier than most imagine... and IDS technology will fail to detect such things without an OS OSI layer snitch. =3

kelnos1y ago

> An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service

That's not how that works. DoH resolvers need an IP address, not a domain name. Sure, Google could host DoH on www.google.com, www.youtube.com, etc. but most users are not going to be savvy enough to find those IPs and use them.

Then again, perhaps users savvy enough to try to use DoH to bypass these blocks would also be fine with this.

1 more reply

stingraycharles1y ago

These are being redirected by the Malaysian government as well.

Joel_Mckay1y ago

You do know what happens when people try to MiM SSL traffic correct?

Even the UK/China firewall can be tunneled over, but the ramifications for those that do so can be dire. =3

1 more reply

j / k navigate · click thread line to collapse

0 comments

Joel_Mckay1y ago

DoH APIs at these endpoints:

https://dns.google/dns-query – RFC 8484 (GET and POST)

https://dns.google/resolve? – JSON API (GET)

And tunneling obfuscated traffic is easy... =3

kijin1y ago

Joel_Mckay1y ago

Iodine will obfuscate the traffic using the redirected DNS hijack servers themselves.

Perhaps someone will put a configured wifi router image together over Christmas holidays for demonstration purposes... because it is fun to ignore tcp drop DoS too.

Tunneling well-obfuscated traffic is easier than most imagine... and IDS technology will fail to detect such things without an OS OSI layer snitch. =3

kelnos1y ago

> An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service

Then again, perhaps users savvy enough to try to use DoH to bypass these blocks would also be fine with this.

1 more reply

stingraycharles1y ago

These are being redirected by the Malaysian government as well.

Joel_Mckay1y ago

You do know what happens when people try to MiM SSL traffic correct?

Even the UK/China firewall can be tunneled over, but the ramifications for those that do so can be dire. =3

1 more reply

j / k navigate · click thread line to collapse