Using the method I described, all endpoint will be dead, including root server. It is the same method China used.

443 is harder to whack but since all open resolver has port 53, 443 and 853 on the same IP, they just need to whack 53 and 853. 443 will be whacked indirectly because the whole IP is in the DNS blocklist.

Of course you can bypass this by putting a CDN in front of your favorite DoH. Since CDN do not have 53 and 853 open, and they are on shared IP, it is not possible to block them. Using CDN also means you have a unique domain name and they cannot whack you solely based on SNI filtering.

If you use HTTP3 (QUIC), the SNI is "encrypted" with a key sent together in the Hello packet too. The censor will then have to do the extra work of extracting the key to decrypt the SNI. At least to my knowledge China and India all drop QUIC packet as a workaround.

The only trouble is you need a working resolver to bootstrap your domain-fronted DoH. You can ride on the ISP resolver for this one.

This post has been edited by kwss: Aug 7 2024, 12:36 AM

asus router can do that support DNS over TLS. This will apply to all devices

Cool, just installed and switched over to dns-crypt proxy

Btw is 1.1.1.1/help the only way to verify DOH?

True, but if they want to, DoT can be very easily blocked with just one click, blocking port 853

For those who uses AsusWRT-Merlin supported routers, there are probably 3rd party.packages that can help

Otherwise, a raspberry pi with like Adguard Home can do it, or stuff like Cloudflared, DNSCrypt-proxy

I don't think there's much ways to check, since it's basically requesting DNS like it is a webpage

Nextdns does have their one at http://test.nextdns.io/

But both of these only check for themselves

This will bypass the sinar project block?
Can we reuse Google/Cloudflare DNS afterwards?

Yes DoT will prevent the DNS interception by the ISP/regulators. ASUS router for example will let you to use any DNS server that support DoT.

I believe most if not all major public DNS providers support DoT these days.

However, there's a minor performance hit on DNS resolving performance once DoT is enabled. It's mostly unnoticeable on a high-end ASUS router (BCM4908 and above).

More info about this on ASUS router: https://www.asus.com/my/support/faq/1051428/

Thanks for the explanation. Just to clarify further, I have my self-hosted Adguard Home DoH server with my own domain e.g. https://xyz.mydomain.com/dns-query, and in the backend I use Unbound DNS which queries root servers instead of cloudflare/google DNS or any public resolvers.

If I understand correctly, my DoH server might not be banned since only myself is using it and it's not an open resolver. But will Unbound still continue to work?

Your setup is robust and it will continue to work especially if you use Cloudflare Proxied DNS, Cloudflare Tunnel, AWS CloudFront or Akamai. Try not to use DNS.mydomain.com because it seems obvious during bootstrap.

Just make sure you perform certificate validation so the censor cannot MITM you to discover /dns-query.

EDIT:
You can further protect against active probe from the censor by using signed URL.
At least on AWS CloudFront it can be done:
https://docs.aws.amazon.com/AmazonCloudFron...igned-urls.html

This post has been edited by kwss: Aug 7 2024, 12:44 PM

actually no, i remember sometime in may and june TM did a testing
basically they just block port 853 and dot was not working anymore

dot over port 443 is still working but only only a few test server

Thanks for your guide, I've lodged the complaint to MCMC just now.
Just wait for the response from both MCMC and TM about this issue.

Please ensure that your ticket remains open until you have received the promised speed upgrade. If they (Telekom Malaysia) attempt to mark your case as resolved prematurely, utilize the appeal function to keep the ticket active.

Keeping the ticket open for an extended period will eventually attract the attention of personnel from the MCMC. At this stage, TM will make every effort to resolve the issue appropriately.

You may refer to the example below, where an MCMC personnel responded directly to my ticket.
https://forum.lowyat.net/topic/5424552/+4179

This post has been edited by sHawTY: Aug 9 2024, 03:11 PM

They can implement a blanket block on both DoT and DoH for public DNS if they want. But for now, DoT works.

If they enforce a strict block, just get a cloud instance in SG for $5 a month and VPN everything there.

Finally received modify order free upgrade to 1Gbps

Once the upgrade is completed, you might consider submitting a request for termination to potentially secure the RM159 SWU price.

However, it's advisable to wait at least one to two months before doing so.

If request to port out will have this offer as well ?

A lot of people seem to have managed that.

I made the mistake of adding a smart device to my account before trying it, so I missed out on the lower price.

Luckily this upgrade no renew contract and maxis currently have better offer. Will try see after 1 - 2 month time

wah, lucky you, mine already getting called on 16 july for FSU service aggrement, but getting ghosted until now, no order number and no appointment,

meaning will be subject to 24mth contract?