


Time and Maxis started to hijack DNS query

     
SUSeds2
post Aug 14 2024, 11:52 PM

Getting Started
**
Junior Member
101 posts

Joined: Jul 2022
From: Kelantan

Used to use Cisco OpenDNS and tried a bit of Quad9.

Now I run my own custom DoH/DoT by hosting AdGuard on my VPS, but still use Quad9 as the upstream DNS.

This post has been edited by eds2: Aug 14 2024, 11:53 PM
haya
post Aug 15 2024, 08:24 AM

Sarawakian first!
*******
Senior Member
2,067 posts

Joined: Jan 2003

Firstly, thanks to kwss and ChenKaiWen for their input.

QUOTE(kwss @ Aug 13 2024, 11:42 PM)

*
This is what I was afraid of. People who are using alternative DNS providers like Quad9 for protection are having their DNS53 queries hijacked. Stuff that Quad9 is DNS blackholing will be resolved by the MCMC DNS server hijacking DNS53 packets.

Sure, one can say that people should move to DoT/DoH, but for those who use Quad9 DNS as a first layer of protection on their family members' home router, this is terrible.


QUOTE(ChenKaiWen @ Aug 14 2024, 06:41 AM)

*
Interesting that TIME (AS9930) is not hijacking all DNS53 packets at least?

Given that it is an AUTHORITY: 0 reply, this suggests that it is blocked by Quad9, instead of a non-existent domain, with the NXDOMAIN response: https://docs.quad9.net/FAQs/

Thus it looks like DNS53 packets to Quad9 DNS are still not being tampered with (for now?)
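As an added example (not code from the thread), the following applies haya's reasoning to raw DNS replies: it labels a reply as a resolver-side block (NXDOMAIN with AUTHORITY: 0, as the quoted post infers from the Quad9 FAQ), a genuine NXDOMAIN (SOA present in AUTHORITY) or a resolved answer, and flags a mismatch between the port-53 and DoH/DoT outcome for the same name from the same provider, which is the simplest check for an on-path hijack. The reply bytes are constructed for offline testing; the classifier is a heuristic that assumes the Quad9 behaviour described above.

```python
import struct
from ipaddress import IPv4Address

def _skip_name(msg: bytes, pos: int) -> int:
    # Advance past a DNS name; a compression pointer (top two bits set) ends it.
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)

def parse_reply(msg: bytes) -> dict:
    # Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    pos, addrs = 12, []
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4              # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:               # A record
            addrs.append(str(IPv4Address(msg[pos:pos + 4])))
        pos += rdlen
    return {"rcode": flags & 0xF, "authority": ns, "a": addrs}

def classify(msg: bytes) -> str:
    r = parse_reply(msg)
    if r["rcode"] == 3:
        # A genuine NXDOMAIN carries the zone's SOA in AUTHORITY; the thread reads
        # NXDOMAIN with AUTHORITY: 0 as Quad9's own blocklist answer.
        return "blocked-by-resolver" if r["authority"] == 0 else "nxdomain"
    return "resolved" if r["rcode"] == 0 and r["a"] else "other"

def hijack_suspected(udp_reply: bytes, encrypted_reply: bytes) -> bool:
    # Same provider, same name: if port 53 "resolves" what DoT/DoH says is
    # blocked, something on the path answered in the resolver's place.
    return classify(udp_reply) != classify(encrypted_reply)

def build_reply(qname: str, rcode: int, addrs=(), with_soa=False) -> bytes:
    # Constructed sample reply for offline testing, not captured traffic.
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), int(with_soa), 0)
    body = name + struct.pack("!HH", 1, 1)          # question: type A, class IN
    for a in addrs:                                 # answer RRs; name is a pointer to offset 12
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(a).packed
    if with_soa:                                    # minimal SOA: ".", ".", five 32-bit fields
        soa = b"\x00\x00" + struct.pack("!IIIII", 1, 3600, 900, 604800, 86400)
        body += b"\xC0\x0C" + struct.pack("!HHIH", 6, 1, 300, len(soa)) + soa
    return hdr + body
```

On a live link you would feed `parse_reply` the bytes returned by a UDP query to port 53 and the body of the same query sent over DoT/DoH, then compare with `hijack_suspected`.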
haya
post Aug 15 2024, 08:29 AM

Sarawakian first!
*******
Senior Member
2,067 posts

Joined: Jan 2003

QUOTE(PRSXFENG @ Aug 13 2024, 08:14 PM)
I noticed that TM and TIME don't send to Quad9 KUL, and route to SIN which has a slightly higher latency

Now, TM refuses to peer with them
But TIME is supposed to when I asked Quad9
Quad9 said they'll check with TIME
so, seems like TIME fixed that, and you get lower latency
*
https://forum.lowyat.net/index.php?showtopi...ost&p=110240779

It has always bugged me that AS4788 would rather send AS42-bound packets to Singapore/international transit rather than use MyIX. At least now I have an explanation, but man, it goes back to the "good old days" when packets between ISPs/ASNs would go around the world because AS4788 refused to peer with, well, anyone.
PRSXFENG
post Aug 15 2024, 08:37 AM

Look at all my stars!!
*******
Senior Member
2,608 posts

Joined: Nov 2020


QUOTE(haya @ Aug 15 2024, 08:29 AM)
https://forum.lowyat.net/index.php?showtopi...ost&p=110240779

It has always bugged me that AS4788 would rather send AS42-bound packets to Singapore/international transit rather than use MyIX. At least now I have an explanation, but man, it goes back to the "good old days" when packets between ISPs/ASNs would go around the world because AS4788 refused to peer with, well, anyone.
*
For your reference, the answer was shared by them here
https://www.reddit.com/r/Quad9/comments/13e...comment/jjpx60w
haya
post Aug 15 2024, 08:43 AM

Sarawakian first!
*******
Senior Member
2,067 posts

Joined: Jan 2003

QUOTE(PRSXFENG @ Aug 15 2024, 08:37 AM)
For your reference, the answer was shared by them here
https://www.reddit.com/r/Quad9/comments/13e...comment/jjpx60w
*
Yes, I linked to the Reddit thread response in the other thread :)
PRSXFENG
post Aug 15 2024, 08:45 AM

Look at all my stars!!
*******
Senior Member
2,608 posts

Joined: Nov 2020


QUOTE(haya @ Aug 15 2024, 08:24 AM)
Interesting that TIME (AS9930) is not hijacking all DNS53 packets at least?

Given that it is an AUTHORITY: 0 reply, this suggests that it is blocked by Quad9, instead of a non-existent domain, with the NXDOMAIN response: https://docs.quad9.net/FAQs/

Thus it looks like DNS53 packets to Quad9 DNS are still not being tampered with (for now?)
*
From what I have observed over the years, TIME's DNS hijacking appears to be on the router side.

The old WiFi 5 combo ONT, the HG8145V5, has DNS settings greyed out in the router and hijacks port 53.
I've heard you can get TIME CS to remotely change it to a DNS provider of your choosing, but don't quote me on that.

The rest of their devices don't seem to hijack, in my experience.


sadlyfalways
post Aug 15 2024, 08:47 AM

Regular
******
Senior Member
1,185 posts

Joined: Nov 2020
QUOTE(PRSXFENG @ Aug 15 2024, 08:45 AM)
From what I have observed over the years, TIME's DNS hijacking appears to be on the router side.

The old WiFi 5 combo ONT, the HG8145V5, has DNS settings greyed out in the router and hijacks port 53.
I've heard you can get TIME CS to remotely change it to a DNS provider of your choosing, but don't quote me on that.

The rest of their devices don't seem to hijack, in my experience.
*
Maxis router also same thing.

it is why it is in the dustbin
haya
post Aug 15 2024, 08:52 AM

Sarawakian first!
*******
Senior Member
2,067 posts

Joined: Jan 2003

QUOTE(PRSXFENG @ Aug 15 2024, 08:45 AM)
From what I have observed over the years, TIME's DNS hijacking appears to be on the router side.

The old WiFi 5 combo ONT, the HG8145V5, has DNS settings greyed out in the router and hijacks port 53.
I've heard you can get TIME CS to remotely change it to a DNS provider of your choosing, but don't quote me on that.

The rest of their devices don't seem to hijack, in my experience.
*
QUOTE(sadlyfalways @ Aug 15 2024, 08:47 AM)
Maxis router also same thing.

it is why it is in the dustbin
*
That's why people have the option to use/buy their own router. ISPs locking down routers is not limited to Malaysian ISPs: plenty of cases in other countries, if Reddit posts are any indication.

What is problematic is hijacking DNS53 at the network level, i.e. what Celcom (Digi) seems to be doing (and what Indonesia is doing). Using your own router (notwithstanding DoT/DoH) for alternate DNS providers will fail when the ISP hijacks DNS53 at their network level/side.

The MSC Bill of Guarantees died with the Najib administration.
mystvearn
post Aug 15 2024, 08:58 AM

...
*******
Senior Member
6,639 posts

Joined: Jan 2003
From: "New Castle"



Got a YouTube guide for each method?


PRSXFENG
post Aug 15 2024, 08:59 AM

Look at all my stars!!
*******
Senior Member
2,608 posts

Joined: Nov 2020


QUOTE(haya @ Aug 15 2024, 08:52 AM)
That's why people have the option to use/buy their own router. ISPs locking down routers is not limited to Malaysian ISPs: plenty of cases in other countries, if Reddit posts are any indication.

What is problematic is hijacking DNS53 at the network level, i.e. what Celcom (Digi) seems to be doing (and what Indonesia is doing). Using your own router (notwithstanding DoT/DoH) for alternate DNS providers will fail when the ISP hijacks DNS53 at their network level/side.

The MSC Bill of Guarantees died with the Najib administration.
*
But you see, the ISPs are moving to "all in one" ONT routers

TM with their (not great) D-Link or Skyworth or FiberHome all in ones
Maxis with their Huawei all in ones (a bit rare, I think maybe on their own infra only, the usual TP-Link/Kaon is more common)
TIME has fully committed to Huawei all in ones for a long time

All it takes is for them to pull an Indonesia and say "no bridging" and then we're in trouble
QuantumEdge
post Aug 15 2024, 11:08 AM

Regular
******
Senior Member
1,594 posts

Joined: Jan 2016


QUOTE(PRSXFENG @ Aug 15 2024, 08:59 AM)
But you see, the ISPs are moving to "all in one" ONT routers

TM with their (not great) D-Link or Skyworth or FiberHome all in ones
Maxis with their Huawei all in ones (a bit rare, I think maybe on their own infra only, the usual TP-Link/Kaon is more common)
TIME has fully committed to Huawei all in ones for a long time

All it takes is for them to pull an Indonesia and say "no bridging" and then we're in trouble
*
Still manageable. I wasn't able to find the PPPoE username and password in my Huawei HG8145X6.
Can't contact CS to switch it into bridge mode because my landlord is pathetic and stingy (he wants us to pay RM700 for a pair of Deco M4, go figure).
Ended up downloading the backup config file from it and toss into a Unifi ONU
Managed to grab the username and pwd that way, using TIME with Unifi's ONU+Asus AX58u


sadlyfalways
post Aug 15 2024, 01:51 PM

Regular
******
Senior Member
1,185 posts

Joined: Nov 2020
QUOTE(haya @ Aug 15 2024, 08:52 AM)
That's why people have the option to use/buy their own router. ISPs locking down routers is not limited to Malaysian ISPs: plenty of cases in other countries, if Reddit posts are any indication.

What is problematic is hijacking DNS53 at the network level, i.e. what Celcom (Digi) seems to be doing (and what Indonesia is doing). Using your own router (notwithstanding DoT/DoH) for alternate DNS providers will fail when the ISP hijacks DNS53 at their network level/side.

The MSC Bill of Guarantees died with the Najib administration.
*
I understand, but we didn't vote Najib in on reformation

Right now I am planning on getting a Firewalla and just using my Surfshark account to WireGuard the whole connection
BladeRider88
post Aug 15 2024, 04:53 PM

On my way
****
Junior Member
554 posts

Joined: Nov 2006


QUOTE(petpenyubobo @ Aug 14 2024, 08:08 PM)
You should understand why a DNS server that is now catching up as the popular choice for blocking ad trackers suddenly experiences higher downtimes.

Same goes to DuckDuckGo search engine, after people started making the switch from Uncle G, it started to go out of service very often.

I'm not blaming others, but their competitors don't really like them stealing away their revenues/monopoly.
*
Yup.. I agree..
So for my DoT setup I am still using CF for stability

dev/numb
post Aug 15 2024, 06:03 PM

On my way
****
Junior Member
691 posts

Joined: Nov 2021
Question: visiting https://www.ssllabs.com/ssltest/index.html and inputting dns.adguard-dns.com as an example, which one of the two SHA256 lines I've pointed at with the red arrow in this screenshot would be the equivalent of the SPKI fingerprint needed in order to do certificate pinning?

This post has been edited by dev/numb: Aug 15 2024, 06:05 PM
kwss
post Aug 15 2024, 06:17 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(dev/numb @ Aug 15 2024, 06:03 PM)
Question: visiting https://www.ssllabs.com/ssltest/index.html and inputting dns.adguard-dns.com as an example, which one of the two SHA256 lines I've pointed at with the red arrow in this screenshot would be the equivalent of the SPKI fingerprint needed in order to do certificate pinning?
*
BF+fS5RPhZQggn38wZ6lqii8lxPNWQPzU2VVVqbLhqM=
It is actually public key pinning. The certificate can renew as long as the public key is the same.
I checked and it is same for both DoH and DoT.

This post has been edited by kwss: Aug 15 2024, 06:18 PM
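As an added illustration of kwss's answer (example code, not from the thread or from SSL Labs), the following computes a pin of that form: base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo, which is why it survives a certificate renewal that keeps the same key. The certificate bytes here are a constructed skeleton, labelled as such; on a real endpoint you would feed the DER leaf certificate taken from the TLS handshake to `extract_spki`.

```python
import base64
import hashlib

def _tlv(tag: int, body: bytes) -> bytes:
    # DER-encode one tag/length/value, using long-form length above 127 bytes.
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, pos: int):
    # Decode the TLV at buf[pos]; return (tag, value_start, value_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }; TBSCertificate
    # ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, spki ... }
    _, pos, _ = _read_tlv(cert_der, 0)
    _, pos, tbs_end = _read_tlv(cert_der, pos)
    fields = []
    while pos < tbs_end and len(fields) < 7:
        tag, _, end = _read_tlv(cert_der, pos)
        fields.append((tag, pos, end))              # keep the whole TLV, tag included
        pos = end
    if fields[0][0] != 0xA0:                        # v1 cert: no explicit version field
        fields.insert(0, None)
    _, start, end = fields[6]                       # subjectPublicKeyInfo is the 7th slot
    return cert_der[start:end]

def pin_from_spki(spki_der: bytes) -> str:
    # Pin = base64(SHA-256(DER SubjectPublicKeyInfo)): the "Pin SHA256" value on
    # SSL Labs, and what a DoH/DoT client compares against after the handshake.
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def build_sample_cert(spki: bytes, v3: bool = True) -> bytes:
    # Constructed certificate skeleton (not a real or valid certificate): only
    # enough DER structure to exercise the field walk in extract_spki.
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) if v3 else b"") + _tlv(0x02, b"\x01")
    tbs += _tlv(0x30, b"") * 4 + spki               # signature, issuer, validity, subject
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

# Constructed sample SPKI: rsaEncryption OID + NULL, then a dummy 270-byte BIT STRING (long-form length).
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
                   + _tlv(0x03, b"\x00" + b"\x11" * 270))
```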
heLL_bOy
post Aug 15 2024, 10:32 PM

Regular
******
Senior Member
1,350 posts

Joined: Nov 2004
From: HEAVEN & HELL


All this is just a temporary bypass; if the government wanted to enforce their rules, even if you are using DoH or DoT, access will also be blocked.


TSaxxer
post Aug 16 2024, 05:37 AM

Banned
******
Validating
1,822 posts

Joined: Jul 2010
From: Yesterday, 01:25 AM
QUOTE(heLL_bOy @ Aug 15 2024, 10:32 PM)
All this is just a temporary bypass; if the government wanted to enforce their rules, even if you are using DoH or DoT, access will also be blocked.
*
No lol. While DoT is trivial to block since it uses port 853, which literally only it uses, DoH uses port 443. Might as well block the entire net by blocking port 443. They can still block the endpoint, blocking the popular DoH server endpoints from resolving, but then people will just spawn their own private endpoint with their own custom domain. I've been self-hosting my own private endpoint via AdGuard Home for a few years already.

This post has been edited by axxer: Aug 16 2024, 05:37 AM
haya
post Aug 16 2024, 07:17 AM

Sarawakian first!
*******
Senior Member
2,067 posts

Joined: Jan 2003

QUOTE(axxer @ Aug 16 2024, 05:37 AM)
No lol. While DoT is trivial to block since it uses port 853, which literally only it uses, DoH uses port 443. Might as well block the entire net by blocking port 443. They can still block the endpoint, blocking the popular DoH server endpoints from resolving, but then people will just spawn their own private endpoint with their own custom domain. I've been self-hosting my own private endpoint via AdGuard Home for a few years already.
*
Until they decide to (BGP) blackhole entire swaths of platforms.

That's what (some ISPs in) Indonesia do. E.g. Reddit is blocked in Indonesia. Even if you can resolve the correct IP address for Reddit, they will block all connection attempts to Reddit's IP addresses.

Sure, you can say VPN. But it isn't too long before the next step is China, where they will block most commercial VPN providers and detect OpenVPN/WireGuard/IKEv2/IPsec/L2TP/IPsec/PPTP protocols to hunt down who is using VPNs.

No need to compare Malaysia with the China GFW: if Indonesia can do it, what is to say Malaysia can't?
kwss
post Aug 16 2024, 08:15 AM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
Cross-posting from the Unifi thread for those who didn't go there. Running cost should be less than USD $0.60 per month

DNS wall climbing for beginners
This quick guide will teach you how to use a CDN to front a DoH server using Amazon CloudFront.
The benefit this provides over other methods is the difficulty a censor has in blocking this kind of setup without blocking the whole CDN provider.

Requirements:
AWS Account
Browser / OS / resolver supporting DoH

Login to your AWS account and search for CloudFront. Create a new distribution.
Refer to the setting below and put in your desired DoH server:
[screenshot]

After you are done creating the distribution, wait for it to finish deploying:
[screenshot]

Put the address and the full path into your browser / OS / resolver:
[screenshot]

Finally test your resolver:
[screenshot]

DNS wall climbing stealth setup
This is a setup for people who are already using CloudFront for their business and wish to hide DoH inside it.
I am using ControlD here instead of Cloudflare DNS. The "/dns-query" in cloudflare is "/p0" in controld.

First add an Origin like below:
[screenshot]

Then add a Behavior:
[screenshot]

Wait for it to finish deploying. You will access it via https://mydomain.com/bkaj41f

For people wondering what my "DoH-fronting" policy is, here it is:
[screenshot]

This post has been edited by kwss: Aug 16 2024, 08:16 AM
TSaxxer
post Aug 16 2024, 11:30 AM

Banned
******
Validating
1,822 posts

Joined: Jul 2010
From: Yesterday, 01:25 AM
QUOTE(haya @ Aug 16 2024, 07:17 AM)
Until they decide to (BGP) blackhole entire swaths of platforms.

That's what (some ISPs in) Indonesia do. E.g. Reddit is blocked in Indonesia. Even if you can resolve the correct IP address for Reddit, they will block all connection attempts to Reddit's IP addresses.

Sure, you can say VPN. But it isn't too long before the next step is China, where they will block most commercial VPN providers and detect OpenVPN/WireGuard/IKEv2/IPsec/L2TP/IPsec/PPTP protocols to hunt down who is using VPNs.

No need to compare Malaysia with the China GFW: if Indonesia can do it, what is to say Malaysia can't?
*
No other country will deploy China's GFW if that's your concern. That thing gobbles up $$ to maintain which my doesn't have. Even the Indo block is still kids' play to evade. Hell, there's dedicated people still playing a cat and mouse game with China's GFW till this day with V2Ray, Xray etc.
