I've set Prevent Client auto DoH to NO. Thanks.

Did you miss anything and caused the dns leak? maybe check the firewall rules.
https://youtu.be/w4erB0VzyIE

Nope, it is how Mikrotik works.
You can read about the solution here:
https://forum.mikrotik.com/viewtopic.php?f=...=160243#p787643

I continue to have problem where I cannot import Amazon Root CA for my DoH. I have since turned off Mikrotik DNS resolver and stick to tried and true systemd-resolved for my laptop and stubby for my home server.

I use DoH exclusively for browser due to it being a requirement for ECH to work.

My point being, I don't know if any of those router aka IoT device do security properly. To the user they are doing DoT / DoH but behind the scene they might fall apart from actual attack.

UPDATE:
I give it another go but this time I download the certificates from
https://www.amazontrust.com/repository/

It works!
Not sure why the download from browser view certificate didn't works.

This post has been edited by kwss: Aug 10 2024, 12:47 AM

I play a bit with Celcom's implementation. Basically they catch all UDP port 53 on IPv4 and IPv6

Test with fc00:: which is a non-routable local address


Test with 10.10.10.10 which is also non-routable:


Using non-routable IPv6 address but with TCP:



Using non-routable IPv4 address but with TCP:


This means that using TCP should work, even if it is plain text. Yes it does!


However, I found that they block by IP address too for pornhub.com and xvideos.com. murrayhunter.substack.com didn't have their IP blocked so it is not quite consistent.
Reason is murrayhunter.substack.com uses Cloudflare CDN. They cannot block the CDN without blocking everyone else.

This post has been edited by kwss: Aug 10 2024, 02:44 AM

so few people discuss about this...am i being paranoid over this matter or they just don't care?

Btw, i already onboard with DoT/DoH, now all my devices are protected

Most Malaysians don’t care about privacy or security. With the Google Pixel 9 being announced for Malaysia, I visited all the Pixel related threads in the Mobile Phone and Kopitiam sections on this forum and entered “GrapheneOS” in the search box. Not a single hit.

celcom axiata mobile long time already block xxx website
canot bypass with dns
Dont visit xxx so not a problem

duh...

Guess, we are the "paranoid" one.

Cloudflare WARP work?

It should. Cloudflare warp is doh. Cloudflare warp+ is vpn+doh.

thx. how about Cloudflare WARP Windows Software 1.1.1.1 DNS Protocol HTTPS and TLS, 1.1.1.1 with WARP DNS Protocol HTTPS and TLS and WARP, all of these work? unifi fibre keep getting website facebook reddit etc loading or half loading issues since around weeks ago. and strange that Google Chrome incognito Mode doesnt have website loading or half loading issues.

UPDATE: Such issues doesnt happen again since 14 August 2024

This post has been edited by Alpha_Tay: Aug 14 2024, 10:50 PM

do we need to install extra program for windows or android in order to use encrypted dns? or just simply change 1.1.1.1 to those with encrypted dns will be enough, or how do we check the dns we are using is encrypted?


sorry I am rookie.... TQ

This post has been edited by alpha: Aug 13 2024, 08:37 AM

There are several ways to do it.

1. Firefox & Chrome web browsers
https://imap.sinarproject.org/news/internet...lic-dns-servers

2. Windows 11
https://www.howtogeek.com/765940/how-to-ena...-on-windows-11/

3. Android
https://blog.cloudflare.com/enable-private-...-android-9-pie/

To test if you're using Cloudflare secure dns (DoH or DoT):
https://one.one.one.one/help/
https://www.cloudflare.com/ssl/encrypted-sni/

Calling help for collecting data to test for Transparent DNS Proxies.
https://imap.sinarproject.org/news/guide-on...ent-dns-proxies

If you're not using Linux, you can create a Linux bootable USB drive and run the commands. You can use USB tethering or wifi hotspot from mobile phone to connect to internet and test your mobile network.

Interesting that Celcom(Digi) is now hijacking all DNS53. What about things like Quad9dns? If Quad9dns blocks a malicious domain, and Celcom(Digi) is now hijacking all DNS53 packets to them, will Celcom(Digi) resolve the domain blocked by Quad9dns?

What should i worry about, as a normal user, if i don't use DoT/DoH?

For normal users, you will more likely be concerned with censorship from the government. e.g. if one day government decides to block a certain news portal, all ISPs will be instructed to hijack DNS requests for that site making user unable to access it.

For those using Quad9, Quad9 has provided a few ways to check what protocol you're using and check for hijacks

https://docs.quad9.net/FAQs/

From my testing with Celcom (AS10030), all DNS is hijacked, including microsoft.com, lowyat.net, etc. They all resolved via some non-routable IP address.

Maybe like one day when Ergodan is unhappy Meta removed his post, he went and block Instagram nationwide.