
Dynamic blocking of DNS over HTTPS in China? #68

Open
wkrp opened this issue Mar 29, 2021 · 3 comments
@wkrp
Member

wkrp commented Mar 29, 2021

I found a forum post that says that for at least one person in China, DNS over TLS (using stubby) stopped working on 2021-03-04. The symptoms are:

  • Plaintext DNS on UDP/53 is poisoned.
  • DNS over TLS is blocked instantly.
  • DNS over HTTPS servers are blocked for 5 minutes after being queried.
  • The IP addresses of the DoT and DoH servers are not blocked, as they still respond to pings.

DoT is of course easy to block just by forbidding port TCP/853, and DoH is probably easy to active-probe. My guess is that DoH servers are being dynamically detected using active probing, which is something that could be tested.

The user who made the forum post appears to be @twifty on GitHub, who has filed getdnsapi/stubby#279 and m13253/dns-over-https#100. I'll mention them here in case they have anything to add.

https://forum.manjaro.org/t/dns-over-tls-has-stopped-working/56422 (archive)

Yesterday afternoon, stubby which I’ve been using for about 2 years, all of a sudden stopped working. It reports “Conn closed: TLS - Failure” for every upstream. Thinking it was a system problem, I restored to a point from last week, but the issue remains.

I have a sneaky feeling my ISP is blocking these requests.

Right now, I’m not sure of what exactly is being blocked. I’ve read that TLS1.3 in combination with ESNI are causing the problems, but at the same time I think the IP/port of the DoH servers are blocked (I can still ping). There’s some deep packet sniffing going on for sure.

I’ve actually found that DoT is completely blocked, DNS53 returns wrong results and DoH servers get blocked for 5 minutes after each query.

@wkrp wkrp added the China label Mar 29, 2021
@twifty

twifty commented Mar 31, 2021

I'd like to confirm that I was having serious problems with DNS. Local DNS53 results are poisoned. Western DNS53 servers (google, quad9...) become blocked for approx 2 minutes when querying banned domains. DoT is outright blocked. DoH servers become blocked for about 5 minutes after any query (tested both public and private servers).

I have since installed dnscrypt-proxy and use its built in list of public servers. I initially had problems but soon discovered that I could proxy, using a local SOCKS5 and v2ray setup, the queries.

A friend, also in China, is using SmartDNS built into his router. He hasn't yet experienced any problems.

While I may be experiencing these problems, it's important to note that the GFW is not a single entity. Each province/city/ISP implements its own rules.

@Mr-Sheep

Mr-Sheep commented Apr 2, 2021

I've encountered numerous errors when trying to set up DoH services provided by big tech companies (Cloudflare, Google, Quad9, OpenDNS and Adguard) last month.

Detailed stats can be found at https://en.greatfire.org/https/cloudflare-dns.com

@DuckSoft

DoH servers using the well-known /dns-query path can be probed and blocked. Making your own path can help - or just set it up along with nginx and do a simple path rewrite.

One thing is sure: if they are probing, there have to be logs. Since I am not passionate about DoH and have my own network infrastructure to route DNS traffic, it would be great if someone could spin up a test server and see what happens before getting blocked.

For some other users maybe strict IP whitelisting can help a little. Also, I wonder if mTLS (Mutual TLS) can be used together with DoH to solve the sender authentication problem (just wild guessing).
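The dynamic blocking that wkrp suggests testing, and the well-known /dns-query path DuckSoft mentions, as an added example that is not code from this thread or from any of its posters: a Python script that sends one RFC 8484 GET-style DoH query and then polls the server's TCP/443 to time the blocking window the posters report. The server URL, hostname and query name are placeholders chosen for illustration.

```python
import base64
import socket
import struct
import time
import urllib.request

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format query (RFC 1035); ID is 0 as RFC 8484 recommends for GET."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(base_url: str, name: str) -> str:
    """GET-form DoH URL: base64url of the wire query with '=' padding removed (RFC 8484 4.1)."""
    b64 = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"

def tcp_reachable(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """The thread says ICMP still works during a block, so TCP/443 is what to watch."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def measure_block_window(base_url, host, name, poll=15, limit=600):
    """Send one DoH query, then poll TCP/443 every `poll` s for up to `limit` s.
    Returns (seconds until first failure, seconds until recovery); None if not seen."""
    req = urllib.request.Request(doh_get_url(base_url, name), headers={"Accept": "application/dns-message"})
    try:
        urllib.request.urlopen(req, timeout=5).read()
    except OSError as exc:
        print("query error:", exc)  # an immediate reset is itself a data point
    t0 = time.time()
    first_down = recovered = None
    while time.time() - t0 < limit:
        up, elapsed = tcp_reachable(host), round(time.time() - t0)
        if not up and first_down is None:
            first_down = elapsed
        elif up and first_down is not None:
            recovered = elapsed
            break
        time.sleep(poll)
    return first_down, recovered

if __name__ == "__main__":
    # Placeholder server and name (assumptions); replace with the resolver under test.
    print(measure_block_window("https://doh.example/dns-query", "doh.example", "example.com"))
```

Run it from inside the affected network; a recovery time near 300 s would match the 5-minute window described above, and a query error with an immediate TCP failure would suggest the block is triggered by the query itself rather than by a later probe.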
