Unifi Official TM UniFi High Speed Broadband Thread V42, READ 1ST PAGE FOR RELEVANT WIFI INFO!

blackbox14
post Sep 4 2024, 10:15 PM

Casual
***
Junior Member
349 posts

Joined: Jul 2012
QUOTE(PRSXFENG @ Sep 4 2024, 10:07 PM)
It's on the business site but it probably covers everyone

Considering
> The DNS redirection action affects all internet service providers offering Mobile Services, Fixed Services (FTTH/FTTP), and Fixed Services of internet services.
*
Strange to think that TM going this far with the inclusion of DoT and DoH blocking is their own doing. But at the same time I can see a situation where TM is more subjected to Gov mandate than the other ISPs with their large market share.

If so, might be time to switch over.
blackbox14
post Sep 4 2024, 10:32 PM

QUOTE(PRSXFENG @ Sep 4 2024, 10:20 PM)
TM has always been the one to "go a step further"

Back in the past,
Most ISPs here block prawn sites by just blocking them in DNS, change DNS and you're good to go

TM blocks by IP as well, which did have the unintended side effect of them blocking Cloudflare once... Good job.

I hope other ISPs also take a laid back approach like Maxis
Just doing the bare minimum of redirecting plain old DNS, and not touching DoH/DoT
*
Thanks for enlightening me. Did not know that.

However from what I've heard Maxis got more restrictions with torrenting and issues with some other stuff like stability. So no ISP is perfect, I guess.

This post has been edited by blackbox14: Sep 4 2024, 10:33 PM
blackbox14
post Sep 5 2024, 12:24 AM

I saw on the /k topic that TM even blocked Cloudflare WARP, which is a VPN. Now that's serious.

They are going way further than Maxis and TIME on this.

QUOTE(kwss @ Sep 4 2024, 11:29 PM)
Everyone needing a no hassle setup can use this:
https://sky.rethinkdns.com/dns-query

It runs on Cloudflare Workers on all edge location and cannot be IP blocked.
If it's DNS bootstrap blocked, just put lowyat.net IP in your HOST file and it should work again
*
Is this better or equivalent to your already posted AWS method?

I had a relative of mine try that AWS method (it still needs CC/debit info and I did not dare to try myself yet) but apparently he was still seeing a KL server + one Woodynet KL server on dnscheck tools when setting Quad9 as origin. If using Quad9 directly, it would show a bunch of Woodynet servers in other countries. Not sure what went wrong.

If this other method is easier then maybe I can just tell him to cancel that AWS account and use this instead?

This post has been edited by blackbox14: Sep 5 2024, 12:26 AM
blackbox14
post Sep 5 2024, 12:48 AM

QUOTE(kwss @ Sep 5 2024, 12:36 AM)
The AWS method is superior.
Do you mind posting a screenshot of the dns check?
I help you take a look.
*
Is it fine to show the resolver IP addresses? Or should I censor those?

EDIT: In the meantime, looking at the screenshot sent to me, the first resolver is Global Transit Communications in KL while the second one is WoodyNet located in KL as well.

This post has been edited by blackbox14: Sep 5 2024, 12:49 AM
blackbox14
post Sep 5 2024, 01:25 AM

QUOTE(kwss @ Sep 5 2024, 12:53 AM)
The IP can be shown. Those are the DoH provider IP.
Based on your description alone it sounds correct.
Post anyway to get opinion from others
*
After some consideration I will take your word for it.

The events today with TM blocking Q9 and Cloudflare WARP make me think they are actively monitoring LYF as one of their sources for things to block, so I'm wary of putting up anything they can use to block more methods.

Also the person did say that the DNS functioned as intended, which is the most important part. It's just that the resolvers are different when going through AWS.
blackbox14
post Sep 5 2024, 02:26 AM

QUOTE(soonwai @ Sep 5 2024, 02:08 AM)
I thought I read the same about Warp. Just gave it a try. OK working.
*
Makes me think it's also a regional thing as some people already affected are reporting certain DNS providers working, DoH/DoT still working, while others are saying none of those work. The other thing is that it is hard to tell what is really functioning and what isn't because there are so many different configs that people use.

Interestingly, if the Maxis business page is true (and not just meant to reassure businesses), then the DoH and DoT blocking may not actually be part of MCMC guidelines, or just a special thing for TM Unifi as they are the biggest guy around.

This post has been edited by blackbox14: Sep 5 2024, 02:26 AM
blackbox14
post Sep 5 2024, 07:37 AM

QUOTE(soonwai @ Sep 5 2024, 03:19 AM)
It was raynman who posted about Warp and who's practically my neighbour. So geographically, if he gets hit, me too, I guess.

https://forum.lowyat.net/index.php?showtopi...ost&p=110389824
*
Hope he can confirm if it's working or not for him today, then. If it still doesn't work for him but it works for you then I dunno what is going on already.

QUOTE(soonwai @ Sep 5 2024, 03:19 AM)
Yeah, TM seems to have jumped into all this quite haphazardly. Not sure if that's by design or just being incompetently efficient. Have to say they did meet their goals of pushing 8888, 9999, 1111, etc... back to the Internet Stone Age.
https://forum.lowyat.net/index.php?showtopi...ost&p=110389824
*
Actually I've read that even Maxis Home users got DoH blocked, so maybe they only give exception for businesses to use DoH and DoT since it might be important for them.

Companies tend to firewall illegal websites anyway to prevent employees from browsing that stuff at work, so MCMC might trust them not to abuse it.
blackbox14
post Sep 5 2024, 03:27 PM

QUOTE(BladeRider88 @ Sep 5 2024, 02:56 PM)
Maxis eat most of the share and left some bones and meats for their customer, whereas TM Nut eat everything and leave nothing to their customers
*
If you do change, try to verify whether Maxis does actually leave DoT and DoH alone or not for Home users. I don't think they will answer you, but I've read around socmed that Maxis Home customers are also DoT and DoH blocked.

This article and the Maxis page really might be addressing business entities only.

This post has been edited by blackbox14: Sep 5 2024, 03:28 PM
blackbox14
post Sep 5 2024, 03:37 PM

QUOTE(soonwai @ Sep 5 2024, 03:24 PM)
I think TM will release all the hijacked IPs once they figure out how to do DNS redirection like Maxis. Still have 25 days for them to google. They just need some time.
*
Wish I could have that kind of optimism, lol. Realistically though situations like this always get worse before getting better...if it actually does get better.

QUOTE(BladeRider88 @ Sep 5 2024, 03:30 PM)
Yes, business only
But I spoke to my ex-manager, my ex-company uses Unifi Business with dedicated IP, and yes their DNS is also being affected despite the DoH setup
*
TM being more strict is probably because they have a bigger user base.

Still, right now the only confirmed way you can get a service that doesn't tamper with DoH and DoT is to get Maxis Business. Maxis Home also not safe.
blackbox14
post Sep 5 2024, 06:35 PM

QUOTE(PRSXFENG @ Sep 5 2024, 06:22 PM)
Wonder how long until added to blocklist

Anyways, Quad9/PCH noticed
https://x.com/woodyatpch/status/1821685879020323156
*
Yeah it might be time to start gatekeeping workarounds and alternate DNS unfortunately. This is not MCMC or ISPs from last decade, so they know which places to look at to find new addresses to block.

Also wonder what Quad9 can do about it. Probably not much since we are a small country just acting like a big one.
blackbox14
post Sep 5 2024, 08:56 PM

QUOTE(Oltromen Ripot @ Sep 5 2024, 08:41 PM)
3. Unverified claim that DoH tcp/443 is also blocked. This is probably hit-and-miss and precision-targeted since HTTPS tcp/443 will also be broken if done without care.
*
According to some who have experienced it, it's being done by hijacking the DNS IP addresses directly or just blocking them outright, which is something even DoH can't get through.
blackbox14
post Sep 5 2024, 09:29 PM

QUOTE(Oltromen Ripot @ Sep 5 2024, 08:56 PM)
But so far Unifi is almost-proven to be the most *.@!§>~' going beyond by even blocking DoH and DoT. Basically about to send all its users back to DNS' stone age.

The technology experts wore themselves out for nothing figuring out how to protect users from DNS poisoning.... whoever is pushing this inside TM is really stupid. really really shortsighted. They should be fired, and gazetted so that no technology company hires them for the rest of their lives.
*
Maybe someday we will get insider info on this and what metric MCMC instructed them to use to measure how effective the blocking is.

Right now my best guess is that they will have to achieve some number of blocked/redirected queries per month for the sites on the MCMC's banlist. If it's too low, they start blocking more DNS providers until the number is met. This may explain why TM is going as far as to block DoT and DoH for all account types since they have a much larger number to meet.

The worst thing right now is the feeling of uncertainty surrounding this. When BN blocked those first few websites back in the late 00s, they just blocked and left it. But for this they are doing it in phases and we don't know when it's going to end, if at all.
blackbox14
post Sep 5 2024, 10:50 PM

QUOTE(countingcrows @ Sep 5 2024, 10:21 PM)
Indeed TM already killed some provider's DoH service but hopefully they leave some alone.

I understand they have to follow MCMC directive, but be smart about it.
*
Their readiness level is probably on the level of Indonesia judging by the DoT and DoH block stuff so they can keep adding thousands of DNS addresses to ban as long as they can find them online.

I wouldn't count on them letting up on enforcement at least for the next year or so. With the upcoming social media licensing, kill switch and potentially needing to ban big socmed platforms that don't comply. They can't have people trivializing that by just using different DNS providers.

This whole thing with doing it region by region is also probably to catch alternatives and close the hole as much as possible.

'Turn a blind eye' style Malaysian internet is basically dead unless September 30th and beyond proves otherwise.
blackbox14
post Sep 5 2024, 11:33 PM

QUOTE(Oltromen Ripot @ Sep 5 2024, 11:05 PM)
of course it's that bloody fool of a took...

but TM is currently like a half-bright student trying to score extra points by going the extra mile, closing down DoH and DoT which otherwise should be encouraged instead.
*
Given everything we know so far and the Maxis Business FAQ - it's probably a numbers game set by MCMC. Something like:

"You as ISP have this number of users. You must successfully redirect/block at least this percentage of users from being able to access the sites on our blocked list."

TM crunched the numbers and realized that if they left DoH and DoT alone, then they can't meet those numbers that MCMC wants them to. Many TM users probably already know about DoH and DoT and already using those. This might be why they are implementing the block by region. They want to make sure of it.

Maxis, on the other hand, has fewer subscribers and maybe they are confident they can meet the MCMC's numbers without having to affect their Business clients.

The obvious dangerous point here if this guess of mine is true (and if that particular minister is THAT persistent), is that the ISPs have to do this each month. So as more people learn which bypasses work, the ISPs also have to find ways to block those new bypass methods.

-

VPN however, is a different story. I'm not sure how they would find out what websites people are even visiting once connected to a VPN. Based on this there is a chance no action will be taken on VPNs since it already is a huge inconvenience to have to pay for another service and they can't prove that you visited any 'bad' websites unless you expose yourself.

Or, they could just mow down as many popular VPN providers' sites as possible to try to reduce the number even if they can't prove anything.

All of this is just speculation, so do take with a spoonful of salt.

This post has been edited by blackbox14: Sep 5 2024, 11:34 PM
blackbox14
post Sep 6 2024, 12:02 AM

QUOTE(dev/numb @ Sep 5 2024, 11:29 PM)
This thread has been entertaining. The ending will likely be tragic and all of us will probably end up slitting our wrists, but at least we managed to get a few laughs in.
*
It's been enlightening to learn more basic networking stuff since the early implementation of this last month with Maxis and TIME.
Not going to lie though: I miss not having to worry about my internet access when checking on socmed and this forum. Now I'm always anxious to see if TM expanded their blocklist for DNS providers and/or if they increased the affected regions.

Truly feels like the end of an era.

This post has been edited by blackbox14: Sep 6 2024, 12:03 AM
blackbox14
post Sep 6 2024, 12:37 AM

QUOTE(soonwai @ Sep 6 2024, 12:21 AM)
We all just been trolled by TM. While we discussing advanced methods, DoH, DoT, VPN, self-hosted; the simplest method from 10 years ago still works.

Just change your DNS server.

You know like how we used to change TM's DNS to 8.8.8.8. Of course, we cannot use 8.8.8.8 anymore. But a simple DNS change is all that it takes.

Note that this is only for Unifi. This method won't work on Maxis cos Maxis is smart.

And not because TM is dumb but because they need a simple way for their staff to access the ahem sites. "Go home, use this as your DNS, done" thereby saving the life of that one particular TM network engineer.
*
Funny as this is, we won't know which method will stick and how many public DNS servers they are willing to block until at least several months have passed.

Worst scenario is if we end up like adblocker addons vs Youtube where it is just a never-ending back and forth of being blocked and unblocking.

Best scenario is if this whole 'internet security' thing the comm ministry is trying to do dies down due to some other pressing matter, or there's enough backlash that MCMC U-turns on DNS redirect. But I doubt this.
blackbox14
post Sep 6 2024, 01:46 AM

Which VPNs got hit besides Nord?
blackbox14
post Sep 6 2024, 01:51 AM

QUOTE(NimalKumar @ Sep 6 2024, 01:36 AM)
I'm kinda lost on this. Actually why are they doing this? Are they trying to control our internet or something?
*
Simple answer is yes.

Socmed issue snowballed into this because they realized how powerful the internet is these days.
blackbox14
post Sep 6 2024, 01:59 AM

So safe to say TM was monitoring here to see all the proposed alternative DNS? So far it seems all got hit?
blackbox14
post Sep 6 2024, 02:09 AM

QUOTE(blackbox14 @ Sep 6 2024, 01:46 AM)
Which VPNs got hit besides Nord?
*
What about this? Anything else got hit?
