Unifi Official TM UniFi High Speed Broadband Thread V42, READ 1ST PAGE FOR RELEVANT WIFI INFO!

Oltromen Ripot
post Sep 6 2024, 11:05 PM

👍 999999 person Likes this member
*******
Senior Member
4,034 posts

Joined: Dec 2019
QUOTE(go626201 @ Sep 6 2024, 10:40 PM)
I think this unblock is temporary only.
Next week will redirect again...
*
🎼I no longer believe what Minister Fahmi promises, 🎶
- silap-on-se7en

still going to proceed with my own DNS resolver
Oltromen Ripot
post Sep 7 2024, 12:29 AM

QUOTE(Khan92 @ Sep 6 2024, 11:10 PM)
This is paid, right?
*
Paid as in I still need a VPS somewhere.
Version A1 of the completed solution requires root access to install software and related config.

Gonna spend some coding time tonight to come up with version B1, to eliminate the need for root access.

I'm avoiding the need for VPN and Bind9-or-similar, as I want it to be a universal solution that can run without configuring inside the router, and on mobile.
Oltromen Ripot
post Sep 7 2024, 02:34 PM

QUOTE(Rhetoric @ Sep 7 2024, 12:13 PM)
Seeing some people on twitter defending this dumbass decision irks me. Even more on the replies.

*
he admits he is not an IT expert, yet he is busy commenting on matters he has no qualification in.

he thinks unfiltered DNS is only needed if you want to commit crimes.
Oltromen Ripot
post Sep 8 2024, 03:21 AM

QUOTE(BladeRider88 @ Sep 7 2024, 09:46 PM)
Maybe some people don't understand this, let me rephrase it

Your lover sends a love letter to your house, but your parents see it and hide it from you. Is that even fair to you, especially your privacy? They are invading your privacy and they do not let you see your lover's love letter; heck, you might think your lover no longer loves you because they stopped writing to you

🤣🤣🤣
*
hey, your parents might blacklist your lover, and your parents might intercept your love letters and hide them from even reaching you altogether.

.... but your parents will not write love letters and later claim it to be from your lover.
Oltromen Ripot
post Sep 8 2024, 03:24 AM

QUOTE(countingcrows @ Sep 7 2024, 09:53 PM)
Don't slander us. Our actions are pure...
*
pffffttt.

dey MCMC, if you are really true to your self-declared pure-hearted intent, start with blocking Facebook.

That alone should take care of a very very very large percentage of scam advertisements.
Oltromen Ripot
post Sep 8 2024, 10:09 AM

Either TM doesn't know what "transparent proxy" means, OR MCMC does not know what "hijacking" means.

Potato. Potahto.

Regardless, this heartbreaking state of goings-on is only evidence of a serious lack of understanding of the concepts of networking and security, which both entities are supposed to grasp.
Oltromen Ripot
post Sep 8 2024, 11:51 AM

QUOTE(kwss @ Sep 8 2024, 10:39 AM)
I refuse to believe they don't know. Every telco got the memo right. When I first tested Celcom, they did everything to the dot. UDP 53, all addresses, nothing else.

TM network is huge, if people there are this incompetent, I think it would have fallen apart by now. For whatever shit they pulled, this is all the work of madmen...
*
transparent proxy means you do it without people noticing.
this is straight up hijacking.

so it means TM went beyond when MCMC say it wants "transparent proxy",
or MCMC is stupid and doesn't know the difference between "transparent" and straight-up hijacking.

both stupid.
Oltromen Ripot
post Sep 8 2024, 08:02 PM

QUOTE(dev/numb @ Sep 8 2024, 06:15 PM)
People saying “we won”. Topkek.
Battle just started.
*
win a battle.

lose the war.
Oltromen Ripot
post Sep 9 2024, 01:21 PM

and here i am, signed up VPC for heart bypass.

luckily it's just <$1/mth
Oltromen Ripot
post Sep 9 2024, 01:45 PM

QUOTE(kingkingyyk @ Sep 9 2024, 01:23 PM)
Which provider do you use?
*
hmmmm are you TM staff?

unifi, perhaps? 😂

This post has been edited by Oltromen Ripot: Sep 9 2024, 02:00 PM
Oltromen Ripot
post Sep 9 2024, 02:51 PM

urrrghhh.... just realised that Android is using DoT, so it will be vulnerable to TM's hijacking.

iOS is using DoH GET, so it's working.
Oltromen Ripot
post Sep 9 2024, 03:00 PM

QUOTE(PRSXFENG @ Sep 9 2024, 02:54 PM)
Actually, Android Private DNS does support DoH

Problem: it only supports well known servers

those well known servers? Cloudflare and Google only
Never heard any more updates after that

https://security.googleblog.com/2022/07/dns...in-android.html

I personally just use a client like Nebulo or RethinkDNS
*
read that earlier. i would imagine it has already grown since 2022.
Oltromen Ripot
post Sep 10 2024, 08:19 PM

QUOTE(hazairi @ Sep 10 2024, 08:12 PM)
Anybody here who is on 1Gbps package can get 999Mbps download speed on speedtest?
*
each Ethernet frame has a protocol header.
each IP frame has a protocol header.
each application packet has a protocol header.
those will take some space in addition to your actual user data payload.

unless your router AND LAN card are both capable of 2.5Gbps, the most you can get is 940Mbps.
if using Wifi, you still have to check whether both sides are capable of communicating at higher capacity.
Oltromen Ripot
post Sep 10 2024, 08:21 PM

does anyone know if Unifi Plus Box can be repurposed with mainstream linux distros? don't want those restrictive distros with limited OS packages.

eager to use it for mapping unsecured DNS from dhcp LAN to secure DNS, through IPsec tunnel.

i don't think Play store has an app capable of performing the above intent upon every reboot (after power restore).
Oltromen Ripot
post Sep 10 2024, 09:07 PM

QUOTE(BenYeeHua @ Sep 10 2024, 08:25 PM)
Normally those devices have the JTAG or dev port left in for connecting ADB; check YouTube or check it yourself la.
But I think it needs bl unlock, which breaks DRM L1.
*
QUOTE(PRSXFENG @ Sep 10 2024, 08:25 PM)
All I know is the 1st gen Unifi Plus Box is a rebranded Skyworth LEAP S1 with the MicroSD Card Port deleted
powered by an Amlogic S905X2, with 2GB RAM and 8GB of Flash
also rebranded as the MECOOL KM2 and STRONG LEAP S1

There is little info out there beyond like
https://xdaforums.com/t/flashing-strong-leap-s1.4615195/
*
baaah, i don't have the capacity or patience if i have to pry it open and pin here and there.
no time and no conducive working@home environment that can support such an enthusiastic endeavour.

but it is such a waste that i have 2 more V1 and V2 lying idle in store room.
would have been good if there's app that can do the pony tricks i want, but it will be tricky if needing to relaunch apps again and again, especially when i am away.

(i have a 2nd V2 being used for Android gaming purpose in kids' bedroom.)
Oltromen Ripot
post Sep 10 2024, 09:39 PM

is BiliBili tv app working?

No change at all to my router config. But this is 1st time i launched since TM fooled around with DNS.
Oltromen Ripot
post Sep 11 2024, 12:37 PM

QUOTE(Moogle Stiltzkin @ Sep 11 2024, 05:19 AM)
is dot or doh better?

i did dot at router, because my users are not savvy enough to go enable doh in the browser (go figure).

You can test here if it's working or not
https://one.one.one.one/help/
*
got too involved as i am working/worked on DNS proxying the past few nights.
an endeavour which itself involved research purposes, with the achieved outcome obviously meant to facilitate future research purposes.

so far i have DoH working in iphone, ipad, windows, and linux.
android unfortunately requires DoT, which i am avoiding because its default port tcp/853 can be detected and thus subject to blocking - and worse, hijacking.

--

i'm ignoring cost of creating and cost of deciphering DNS wire payload, which is applicable to each below.

DNS
no udp/53 protocol penalty

DNS-over-TLS
tcp/853; cost of establishing TCP session, cost of negotiating secure TLS session, cost of tearing down TCP session

DNS-over-HTTP/1, DNS-over-HTTP/1.1, DNS-over-HTTP/2
tcp/443; cost of establishing TCP session, cost of negotiating secure TLS session, cost of parsing HTTP request and response, cost of tearing down TCP session

DNS-over-HTTP/3, which runs over QUIC
udp/443; cost of negotiating QUIC session, cost of parsing HTTP request and response

https://www.f5.com/glossary/quic-http3

--

instead of using DoH-proxy reinvented by people out there, i decided to use nginx as my DNS-over-HTTPS forwarder. no need to reinvent the wheel.
immediately can support all HTTP/1 to HTTP/3, tcp and quic protocols.
and specifically choosing nginx; because i can hide my DNS-over-HTTPS entry point behind normal web hosting.
Unless one knows the exact https://what-is-my-exact-name/, you shouldn't be able to identify it nor use it. Hiding in plain sight.

--

(oh, yes. i'm bragging.)

This post has been edited by Oltromen Ripot: Sep 11 2024, 12:48 PM
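
The DoH GET exchange discussed in the post above (RFC 8484), as an added example that is not part of the original post and is written in Python rather than as the poster's nginx setup: it builds the wire-format query a DoH client sends, and applies the exact-path and payload checks a forwarder behind a hidden URL would make. `DOH_PATH` reuses the post's placeholder and `host.example` is a constructed host name.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

DOH_PATH = "/what-is-my-exact-name"  # placeholder path from the post, not a real endpoint

def build_query(name, qtype=1):
    """Encode a one-question DNS query in wire format (RFC 1035)."""
    # ID 0 as RFC 8484 recommends for HTTP caching, RD flag set, QDCOUNT 1.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(base, wire):
    """RFC 8484 GET form: ?dns=<base64url of the wire query, padding stripped>."""
    return base + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def parse_doh_get(url):
    """Return (qname, qtype) for a valid DoH GET on DOH_PATH, else None."""
    parts = urlsplit(url)
    if parts.path != DOH_PATH:
        return None  # every other path stays ordinary web hosting
    values = parse_qs(parts.query).get("dns")
    if not values:
        return None
    b64 = values[0]
    try:
        wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return None
    if len(wire) < 17 or struct.unpack("!H", wire[4:6])[0] != 1:
        return None  # shorter than header + minimal question, or QDCOUNT != 1
    pos, labels = 12, []
    while pos < len(wire) and wire[pos] != 0:
        n = wire[pos]
        if n > 63 or pos + 1 + n > len(wire):
            return None  # compression pointer or truncated label
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 5 > len(wire):
        return None  # missing root label, QTYPE or QCLASS
    return ".".join(labels), struct.unpack("!H", wire[pos + 1:pos + 3])[0]

if __name__ == "__main__":
    url = doh_get_url("https://host.example" + DOH_PATH, build_query("www.example.com"))
    print(url)
    print(parse_doh_get(url))
```
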
Oltromen Ripot
post Sep 11 2024, 03:00 PM

QUOTE(BladeRider88 @ Sep 11 2024, 02:18 PM)
For Android i know that you can use AdGuard or NextDNS app to get DoH
This 1Gbps package last for 24 months only or permanent?
*
i don't want to use app lah.
just want built-in support.
that's why i am going the extra mile to set up my own.

if use app or vpn, battery will drain faster...

QUOTE(zellleonhart @ Sep 11 2024, 02:48 PM)
I am using nginx to forward DoH queries to my AGH so that I can use https://my-doh-address/somethingelse instead of /dns-query too. But I am still stuck with DoT on android (when it's on mobile data) if I don't want to use third party apps for DNS right?
*
Official document:
only Google and Cloudflare can DoH as secure DNS in Android - for the past 2 years still no progress!(?)
Oltromen Ripot
post Sep 11 2024, 03:11 PM

QUOTE(BladeRider88 @ Sep 11 2024, 03:05 PM)
True also but app can give you protection when you are out from your home network, your 4G/5G network also can be hijacked remember?

So if you are using VPN to connect back to your own server, it will still drain battery too
*
i have not found solution to this dilemma of wanting to use own DoH in Android.
so still using official adguard-dns.com in my Android.
iOS can already use DoH system-wide; happy.

i selfishly refuse to accept app-based or vpn-based solution whether in Android or iOS.
not that desperate yet since MCMC is paused at the moment.
Oltromen Ripot
post Sep 11 2024, 03:41 PM

QUOTE(BladeRider88 @ Sep 11 2024, 03:21 PM)
EDIT:

I did some research and i come across this

https://www.androidpolice.com/android-dns-o...https-mainline/

Maybe you can give it a try? Since it does not involve any apps and it is baked into the system

EDIT:

I tried on CF and it works~

*
1. i already read of those 2 as early as yesterday morning

2. ... and somebody pointed it out to me again yesterday afternoon

3. ... which i mentioned again in today afternoon

4. ... which you again invariably mentioned again through another article.

so let's laugh at google for such mediocre effort.

--

those cloudflare and google addresses are capable of both DoT and DoH.
so when we use them as Android's Secure DNS target; how can we be sure whether it's really using DoH? and not DoT?
i know that my own DoH didn't even log any https request.
