Doesn't really matter, both also can.

If dig @8.8.8.8, it's going to query the legit 8.8.8.8 or TM's 8.8.8.8 if you're affected by TM's shenanigans.

If just dig, it will use whatever you have already setup, DoH or not, whether it's on your PC, router or your DNS server like Adguard Home or Pihole.

Kuching w/ CF DoH
Active AC name: ibse01.kch

Here's a porn site: www.porno hammer.com (remove space, don't click, for research purposes only)

• that is blocked by the legit Cleanbrowsing-Adult (185.228.168.11)
• but enabled by TM's hijacked Cleanbrowsing-Adult (185.228.168.10).

So if you're using Cleanbrowsing-adult, TM just gave your kids a free porn site.

*Now to explain to my wife why I'm browsing porn sites in the middle of the night.

dig doesn't care what or how you configure your DNS

To use DoT with dig, just "+tls"
eg:
dig @9.9.9.9 +tls pornhub.com

To use DoH with dig, just "+https=xxx"
eg 1:
dig @9.9.9.9 +https="/dns-query" pornhub.com

eg 2:
dig @freedns.controld.com +https="/p2" pornhub.com

Note that dig don't verify certificate.

The day this method stop working is when AWS pack up and leave Malaysia. It cannot be blocked.

Or, they learn from AWS China where you must show Amazon your ICP license before you can use CloudFront. Not gonna happen here. If it does happen, just move your account elsewhere. My AWS account is not under Malaysia so won't affect me either way.

Just to add, for my usage, it is USD $0.01 per month. Your mileage may vary but I don't see how anyone should ever exceed USD $0.60 per month

This post has been edited by kwss: Sep 4 2024, 12:53 AM

So that method works with any public DNS provider including quad9, right? Are there any limitations besides the 1TB data transfer and 10mil requests that I should know about?

I'm guessing I shouldn't be using it on OS level since I watch a lot of streams and Steam games need to patch sometimes.

Kuching looks OK

There is no limitation. AWS is not like Cloudflare where there is different tier. Every account is full featured account.

I use it for the whole house (in Mikrotik) and my mobile phone with the Intra app.
I also use it on my laptop in browser and with dnscrypt-proxy system wide.

Still USD $0.01 per month.

You don't have to worry about stream and patching. They just query DNS once and load data. Your OS also has its own DNS cache.

10 million request per month is a lot!

Yes it works with any DoH provider

This post has been edited by kwss: Sep 4 2024, 01:00 AM

What would be the best way to verify that it is working properly after I've set it up? Other than trying to load blocked sites, of course.

loads for now

pj klang valley

You can view your telemetry in the CloudFront dashboard. It should show your URL and how many requests are made.
You can also use DNS checker to see if your configured DoH provider is used.

Am on SWU 3.0, using Fiberhome modem (not combo).
Public IP. Checked DNS leak test and working as expected. Went to https://one.one.one.one/help/ and tested to see DoT and DNS working
DoT on ASUS router via Cloudflare and Google DNS working fine, checked those restricted websites and also seems to be working fine so far.

Seremban, Negeri Sembilan

This post has been edited by HayateAyakasi8: Sep 4 2024, 01:12 AM

Thanks for answering. It's very helpful. I'll consider trying it out if they start targeting other DNS providers as well.

PJ ok, Seremban OK.

So far only me & raynman in Kajang kena. Maybe because TM need to demo to Anwar at his house in Sg Long.

Kajang ❌❌
Kuching ✅
Penang ✅
PJ ✅✅✅
Seremban ✅

I have checked DNS Tunnel (iodine) to 1.9.1.9 seem get filtered.

Any random subdomain (playload) didn't reached to iodined for TXT base64 results.

before with Parallel DNS Tunnel can give around 5mbps of speed, I guess TM also filtering it...

I just thought to make silly DNS query via DNS Tunnel 🤣

cannot access https://dns.google but nslookup seems to be showing the correct ip for ml.iherb.com. How do I know whether my DNS queries are not hijacked?

Penang user reporting. So far i am using Time & Unifi with DoH and i am not affected

I thought those settings were enabled by default? But i did enabled it anyway, thanks

This post has been edited by BladeRider88: Sep 4 2024, 03:50 AM

You can check the querying DNS server using any of the tools:
https://www.dnscheck.tools/
https://browserleaks.com/dns

Thanks! Configured dnscrypt-proxy to use dnscrypt and doh servers. TM's server doesn't appear in the list

With Cloudflare WARP deactivated, cannot access torrent site https://eztv.tf









With Cloudflare WARP activated

Correct. DNS-over-HTTPS (DoH) on Chrome and Edge doesn't work anymore.

I am using Cloudflare's WARP to circumvent Unifi's transparent DNS proxy.

But other VPNs (like ProtonVPN) works too