Just want to ask. Isn't this illegal or against the ToS of these cloud service providers? I've heard of domain fronting before and I thought it was mostly restricted. Or is that a different thing altogether?

I still think the risk that you can get banned for domain fronting should be highlighted in the guide since you need to input credit card info, real name/address, etc. to register for AWS.

Thanks for clarifying. Wanted to be sure since it sounded very similar to that, but I didn't know the technical differences.

For those more knowledgeable about these things: is there a way they can block DoH without just IP blocking the DNS provider (Google, Cloudflare, quad9, etc.)?

I understand DoT can be blocked by blocking port 853.

The posters above answered that the only way to block DoH is by blocking the Domain and IP of the public DNS provider so no one can make queries. I understand if they blocked DoT by blocking the associated port, but how is it possible that they are blocking DoH AND DoT but only for specific users?

Transparent Proxy should only apply if you are using neither DoT nor DoH, to my understanding.

That's what I'm trying to make sense of. Maybe this is done through a setting in the ONU/modem that they remote accessed into and changed, assuming your idea of SWU users being affected. Or maybe it only affects certain TM IP ranges.

One of the people you quoted also has some DNS providers blocked according to nmap, but can still access blocked sites. It is very unusual.

Yeah the ONU given to new SWU contractees is definitely suspect as some have said. Other factors could be the region (which state) and the IP address range.

Hopefully more people experiencing this come forward and we can start seeing what they have in common.

This post has been edited by blackbox14: Sep 3 2024, 06:51 PM

Are you also under Stay With Unifi and got upgraded recently? Did you recently get a new ONU/modem and router with the upgrade?

Several users here have reported this but trying to confirm what there is in common.

Interesting. So far some of those affected have been SWU upgraded also but you don't have any new equipment. So that rules out the ONU as how they implement the block.

If your DNS is set on router level and if the rest of the internet is working besides the blocked sites, try setting DoH on your browser and see if that works.

This post has been edited by blackbox14: Sep 3 2024, 07:34 PM

DoH or DNS over HTTPS setting on browser depends on which browser you use. For example on Firefox it's under Settings -> Privacy and Security -> scroll all the way down. Set it to Max Protection and use Cloudflare or nextDNS.

If your internet is still working besides those sites you tried to visit then the block that they applied to you is a bit different. The others here couldn't use their internet connections at all unless they set the DNS setting on router back to the default.

I may be wrong but they can't block the port for DoH, so they must be blocking the IP/domain/hostname or whatever you call it. DoT has a dedicated port so yeah, that can be blocked.

Are you seeing posts about this on socmed or are you now affected as well?

The way the block is implemented doesnt seem to be consistent either. The others from earlier said DoH quad9 doesnt work for them, and wai57 above said some of the sites you can go to just fine are blocked for him.

Probably rolling out these blocks in stages as soonwai said. Keep an eye on it if you suddenly lose access.

So given what they are doing blocks even DoH, will that Amazon AWS wall climbing method still work even when using cloudflare-dns.com or dns.google as the origin?

So that method works with any public DNS provider including quad9, right? Are there any limitations besides the 1TB data transfer and 10mil requests that I should know about?

I'm guessing I shouldn't be using it on OS level since I watch a lot of streams and Steam games need to patch sometimes.

What would be the best way to verify that it is working properly after I've set it up? Other than trying to load blocked sites, of course.

Thanks for answering. It's very helpful. I'll consider trying it out if they start targeting other DNS providers as well.

Yeah for Unifi it is looking more and more like they are testing in stages before rolling out to everyone. Last time they did short tests late at night and right now they are doing random regions as samples.

Because they didn't just target the naked DNS like Maxis and TIME, but also want to block DoT and DoH, there is slightly more upkeep for them. So they are probably checking to see how effective it is and maybe expose how people choose to bypass it.

I would actually avoid using any subscription-based, paid DNS solution as an alternative for the time being.

Since this isn't the final version of the DNS block wall that will be rolled out to everyone, they may decide to block those paid DNS services as well. TM may be checking based on how many connections to haram websites are blocked by their poisoning, how many are bypassed and the methods used to bypass. My guess is that they must have some kind of number that they have to meet for the new restrictions to be deemed 'sufficient' by MCMC/Fahmi/whoever is in charge, otherwise this would have been released nationwide already.

IMO better to wait and see just how many DNS services will be blocked when everyone gets blocked, then start to find alternatives. For all you know, by then only VPNs will work.

To be fair Quad9 was being intercepted for some people even before that, and it is one of the more popular DNS available.

But yes, this is no longer 2008 or 2010s. They might be checking places like this so they can get as many blocks as possible. I think it might be best to limit discussion of workarounds to DMs or private forums.

That's for business customers right? Not Maxis home users.