 Time and Maxis started to hijack dns query

haya
post Aug 16 2024, 11:42 AM

Sarawakian first!
*******
Senior Member
2,067 posts

Joined: Jan 2003

QUOTE(axxer @ Aug 16 2024, 11:30 AM)
No other country will deploy china gwf if thats your concern. That thing gobbled up $$ to maintain which my doesn't have. Even indo block is still kids play to evade. Hell theres a dedicated ppl still playing cat and mouse game with china gwf till this day with vray, xray etc.
*
It doesn't have to be China level GFW, but there is a lot that can happen between DNS53 hijacking and GFW for internet censorship.

It's a slippery slope. And most people don't know the technical details. Once MCMC blocked The Malaysia Insider their traffic dried up and it died from lack of ad revenue (amongst other reasons). Similar thing happened with MalaysiaNow.

Despite the fact it is easily circumvented by changing the DNS server query IP address.

Don't expect people to understand DoH/DoT, much less roll their own DNS server for USD $0.60 per month.


TSaxxer
post Aug 16 2024, 11:55 AM

Banned
******
Validating
1,822 posts

Joined: Jul 2010
From: Yesterday, 01:25 AM
QUOTE(haya @ Aug 16 2024, 11:42 AM)
It doesn't have to be China level GFW, but there is a lot that can happen between DNS53 hijacking and GFW for internet censorship.

It's a slippery slope. And most people don't know the technical details. Once MCMC blocked The Malaysia Insider their traffic dried up and it died from lack of ad revenue (amongst other reasons). Similar thing happened with MalaysiaNow.

Despite the fact it is easily circumvented by changing the DNS server query IP address.

Don't expect people to understand DoH/DoT, much less roll their own DNS server for USD $0.60 per month.
*
For the site operator themselves, of course they'll get the end of the stick. We're talking about end user perspective here. If the time comes ppl will learn. Maybe not all makcik and pakcik but some would. Vpn, tor is still the easiest solution if its not gwf, which is close to impossible to happen. Doesn't even need to learn linux cli and stuff. Install client, pay if its a paid service, connect.
kwss
post Aug 16 2024, 12:48 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
One thing I want to mention is never underestimate the censor. Look at countries that are poor yet they can throw a lot of money into building nuclear bomb and rocket. All it takes is one guy to come into power.

As for plaintext DNS traffic, my personal opinion is that we should all just kill it. Not just for the sake of anti-censorship, but for the sake of your personal security.

It is the same as killing plaintext HTTP and anything less than TLS v1.2. Merely moving to HTTPS/3 aka QUIC will increase the difficulty of the censor to snoop your SNI, even without Encrypted Client Hello.

Increasing your network security should be the ultimate goal.
TSaxxer
post Aug 16 2024, 01:04 PM

Banned
******
Validating
1,822 posts

Joined: Jul 2010
From: Yesterday, 01:25 AM
QUOTE(kwss @ Aug 16 2024, 12:48 PM)
One thing I want to mention is never underestimate the censor. Look at countries that are poor yet they can throw a lot of money into building nuclear bomb and rocket. All it takes is one guy to come into power.

As for plaintext DNS traffic, my personal opinion is that we should all just kill it. Not just for the sake of anti-censorship, but for the sake of your personal security.

It is the same as killing plaintext HTTP and anything less than TLS v1.2. Merely moving to HTTPS/3 aka QUIC will increase the difficulty of the censor to snoop your SNI, even without Encrypted Client Hello.

Increasing your network security should be the ultimate goal.
*
In a perfect world yes we all should stop using unencrypted protocol. But http, plaintext dns is still alive and kicking for backward compatibility. Many router still only support legacy plaintext dns.

But at least on modern android, Private DNS should activate by default though after 1st time boot and after reset, using google dns.
SUSpetpenyubobo
post Aug 16 2024, 01:05 PM

Regular
******
Senior Member
1,030 posts

Joined: Jan 2022

QUOTE(axxer @ Aug 16 2024, 11:30 AM)
No other country will deploy china gwf if thats your concern. That thing gobbled up $$ to maintain which my doesn't have. Even indo block is still kids play to evade. Hell theres a dedicated ppl still playing cat and mouse game with china gwf till this day with vray, xray etc.
*
If it ever comes to such tightly regulated situation in the country, it's best that consumers start to wake up and do what it's due.

Start DOWNGRADING your internet plans to more affordable ones out there and cut spending on it. Head out of your house and experience the real world more yourself and not being a hermit behind the screen.

Soon all those ISPs will see a sharp decline in revenues and traffic. The datacenter industry will soon COLLAPSE and many of them will go out of business.

The internet will return to what it once meant to be SOLELY for BUSINESS transactions/promotion and information seeking.

There is actually a real life out there that humans should cherish more than to be over reliant on dumb electronics.

Over the years socmed has turned so toxic that it became the source of political propaganda, hate, lies, family breakups, rumors and woke nonsensical brainwashing.

What you suggested does not really work well with the general population of internet users out there that makes up mostly of mobile phone users.
Probably <1% of them would resort to drastic measures to circumvent the filtering with non popular VPN protocols like v2ray, vmess/vless, XTLS, TrojanGFW etc. It's just too much a hassle to set up on your phone.

Also most of the socmed content sites such as TikTok, Meta and Google can detect traffic originating from suspected VPN and restrict access to their contents.
SUSpetpenyubobo
post Aug 16 2024, 01:19 PM

Regular
******
Senior Member
1,030 posts

Joined: Jan 2022

QUOTE(haya @ Aug 16 2024, 11:42 AM)
It doesn't have to be China level GFW, but there is a lot that can happen between DNS53 hijacking and GFW for internet censorship.

It's a slippery slope. And most people don't know the technical details. Once MCMC blocked The Malaysia Insider their traffic dried up and it died from lack of ad revenue (amongst other reasons). Similar thing happened with MalaysiaNow.

Despite the fact it is easily circumvented by changing the DNS server query IP address.

Don't expect people to understand DoH/DoT, much less roll their own DNS server for USD $0.60 per month.
*
This is EXACTLY the BEST strategy for consumers to stand up against unwanted content/rumor mills which are funded by political elitists.

DO NOT FEED the MONSTER and it'll soon starve itself.
Deprive them on click ad-revenues and stop subscribing to their overpriced plans.

Malaysian internet consumers can do their part by downgrading the internet plans and stop paying for plans which they don't use it fully.
Why pay hundreds every month on useless fixed internet subscriptions when you are rarely at home, most of your internet usage is on your mobile device outside and subscribe to pay TV contents when you only to have time to bath then go to sleep before returning to work the following day?


Anime4000
post Aug 16 2024, 01:28 PM

Look at all my stars!!
*******
Senior Member
2,399 posts

Joined: Jul 2009
From: /dev/null


it will happen if ISP started to Blackhole 1.1.1.1/32 or any dns/32 address route?

like this need create own DNS server?
kwss
post Aug 16 2024, 01:36 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(Anime4000 @ Aug 16 2024, 01:28 PM)
it will happen if ISP started to Blackhole 1.1.1.1/32 or any dns/32 address route?

like this need create own DNS server?
*
The most censorship resistant method is to CDN whatever DNS or proxy you use.
The censor can block individual VPS, but they cannot afford to block CDN.
Anime4000
post Aug 16 2024, 02:04 PM

Look at all my stars!!
*******
Senior Member
2,399 posts

Joined: Jul 2009
From: /dev/null


QUOTE(kwss @ Aug 16 2024, 01:36 PM)
The most censorship resistant method is to CDN whatever DNS or proxy you use.
The censor can block individual VPS, but they cannot afford to block CDN.
*
If hosting own BIND9 and connecting to Root Server, this method also being poisoned?

I wondering Malaysia blocking Root Server to prevent hosting own BIND9 at home
kwss
post Aug 16 2024, 02:13 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(Anime4000 @ Aug 16 2024, 02:04 PM)
If hosting own BIND9 and connecting to Root Server, this method also being poisoned?

I wondering Malaysia blocking Root Server to prevent hosting own BIND9 at home
*
Your method won't work if they redirect port 53. Reason is root server / authoritative server lookup only works on plaintext DNS.
Celcom is using this exact method of blocking. However you can still bypass it by telling your recursive resolver to use TCP.

It is not authenticated / encrypted and I no longer recommend this. I see no benefit of running a recursive resolver other than for lab purpose. You can find many third party resolver with QNAME Minimization.
Resolver logging you is a question but ISP snooping and tampering with your DNS query is now happening.
Anime4000
post Aug 16 2024, 02:34 PM

Look at all my stars!!
*******
Senior Member
2,399 posts

Joined: Jul 2009
From: /dev/null


QUOTE(kwss @ Aug 16 2024, 02:13 PM)
Your method won't work if they redirect port 53. Reason is root server / authoritative server lookup only works on plaintext DNS.
Celcom is using this exact method of blocking. However you can still bypass it by telling your recursive resolver to use TCP.

It is not authenticated / encrypted and I no longer recommend this. I see no benefit of running a recursive resolver other than for lab purpose. You can find many third party resolver with QNAME Minimization.
Resolver logging you is a question but ISP snooping and tampering with your DNS query is now happening.
*
welp Root Server also not safe.
I just DoH via WG to my friend server then,

this way no one know that DoH being tunnel
TSaxxer
post Aug 16 2024, 02:37 PM

Banned
******
Validating
1,822 posts

Joined: Jul 2010
From: Yesterday, 01:25 AM
QUOTE(Anime4000 @ Aug 16 2024, 02:04 PM)
If hosting own BIND9 and connecting to Root Server, this method also being poisoned?

I wondering Malaysia blocking Root Server to prevent hosting own BIND9 at home
*
Hosting the bind9 in malaysia network and xafr icann root servers will be a problem since the icann root server only support plaintext port 53. They can theoretically poison the query to the root servers itself.
SUSpetpenyubobo
post Aug 16 2024, 02:41 PM

Regular
******
Senior Member
1,030 posts

Joined: Jan 2022

QUOTE(Anime4000 @ Aug 16 2024, 01:28 PM)
it will happen if ISP started to Blackhole 1.1.1.1/32 or any dns/32 address route?

like this need create own DNS server?
*
99% of the internet users out there mostly mobile users won't bother or they'll just adapt by losing interests in the internet after this or downgrading their internet plans when they're not utilizing as much as before.

Including myself, if you're occupied fully by day job to do you won't bother going to the extent of setting up your own private DNS or VPS.

It'll be a blow to the datacenter industry and ISPs since many will start losing interests in abusing the internet after this.

Those who still access the internet on their desktops are declining in market share today.

Indonesia heavy internet filtering is probably the reason why datacenters found them less viable because of data access restrictions does not go well with their policies.


SUSpetpenyubobo
post Aug 16 2024, 02:49 PM

Regular
******
Senior Member
1,030 posts

Joined: Jan 2022

Do you know that even Singapore has more relaxed and open policy compared to Malaysia when it comes to torrenting?

Unless you are the top heavy user in torrenting and pirating, regular users are overlooked in Singapore unlike Malaysia.

Here's the table of torrent and information friendly countries 2024:

Countries Where Torrenting is Legal — Updated Guide in 2024
https://www.vpnmentor.com/blog/torrents-ill...update-country/

4 Levels of intensity for torrent allowance Malaysia is ranked highest when it comes to torrent treatment on the same oppressive levels as Australia, China, Russia and USA where zero tolerance and shutdown of torrent sites on discovery.







heLL_bOy
post Aug 16 2024, 05:07 PM

Regular
******
Senior Member
1,350 posts

Joined: Nov 2004
From: HEAVEN & HELL


QUOTE(axxer @ Aug 16 2024, 05:37 AM)
No lol. While dot is trivial to block since it uses the port 853 that literally only it use, doh use port 443. Might aswell block the entire net by blocking port 443. They can still block the endpoint, blocking the popular doh server endpoint from resolving but then ppl will just spawn their own private endpoint with own custom domain. I've been selfhosting my own private endpoint via adguardhome for a few years already.
*
If Google or Cloudflare doesn't comply government rules they can block 853 or 443 directly or blackhole from the DNS server directly. Even you are using private hosting that using malaysia ISP or Cloud Service Provider also will be targeted.

But i dont think this will happen because both company have business with organization in malaysia.

i dont think is big fuss they not targeting on social media block.

This post has been edited by heLL_bOy: Aug 16 2024, 05:08 PM
heLL_bOy
post Aug 16 2024, 05:09 PM

Regular
******
Senior Member
1,350 posts

Joined: Nov 2004
From: HEAVEN & HELL


QUOTE(Anime4000 @ Aug 16 2024, 01:28 PM)
it will happen if ISP started to Blackhole 1.1.1.1/32 or any dns/32 address route?

like this need create own DNS server?
*
Chance being blackhole is nil

This post has been edited by heLL_bOy: Aug 16 2024, 05:11 PM
TSaxxer
post Aug 16 2024, 07:57 PM

Banned
******
Validating
1,822 posts

Joined: Jul 2010
From: Yesterday, 01:25 AM
QUOTE(heLL_bOy @ Aug 16 2024, 05:07 PM)
If Google or Cloudflare doesn't comply government rules they can block 853 or 443 directly or blackhole from the DNS server directly. Even you are using private hosting that using malaysia ISP or Cloud Service Provider also will be targeted.

But i dont think this will happen because both company have business with organization in malaysia.

i dont think is big fuss they not targeting on social media block.
*
Google and cloudflare are too big for gov to outright block them. At most both will comply with gov order. If I'm not mistaken cf already complied with france order to poison query to eurocup pirate sites earlier https://torrentfreak.com/google-cloudflare-...vention-240613/

I stopped using cf, google and other big dns provider for upstream knowing they'll comply with gov and entertainment industry request. I want my query to be vanilla as site owner intended for. For malware, virus etc i managed my own blocklist on adguardhome no need dns provider to decide for me.
The.Lucas.DaY
post Aug 17 2024, 02:56 PM

On my way
****
Junior Member
670 posts

Joined: May 2019

Actually can i use openwrt in my unused router, let say a Dlink dir842 stock router, to configure DoH in it?
PRSXFENG
post Aug 17 2024, 04:55 PM

Look at all my stars!!
*******
Senior Member
2,608 posts

Joined: Nov 2020


QUOTE(The.Lucas.DaY @ Aug 17 2024, 02:56 PM)
Actually can i use openwrt in my unused router, let say a Dlink dir842 stock router, to configure DoH in it?
*
seems like only one variant of that dlink is supported
if it was, then yeah, there are packages you can install for that
Singh93
post Aug 17 2024, 04:56 PM

Getting Started
**
Junior Member
224 posts

Joined: Sep 2019


QUOTE(PRSXFENG @ Aug 17 2024, 05:55 PM)
seems like only one variant of that dlink is supported
if it was, then yeah, there are packages you can install for that
*
are they even hijacking ? don't see the ip being routed
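
One way to check the question raised above (is port 53 really being intercepted?), as an added example that is not from any poster in this thread: parse the A records out of a plaintext UDP/53 reply and out of a reply for the same name fetched over DoH/DoT, then compare them. The function names and the sample replies are constructed for illustration; the addresses are documentation-range values, not observed ones.

```python
import ipaddress
import struct

def build_query(name, qid=0x1234):
    """RFC 1035 wire-format A query: same bytes go out on UDP/53 or in a DoH POST body."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def _skip_name(msg, off):
    """Advance past a possibly compressed domain name; return the next offset."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n

def a_records(msg):
    """Set of IPv4 addresses found in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!2H", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    found = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            found.add(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return found

def answers_diverge(plain53_reply, encrypted_reply):
    """True when both replies carry A records but share none of them."""
    plain, enc = a_records(plain53_reply), a_records(encrypted_reply)
    return bool(plain) and bool(enc) and plain.isdisjoint(enc)

def sample_reply(name, ip):
    """Constructed response (not captured traffic): one A record for `name`."""
    q = build_query(name)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return q[:2] + struct.pack("!5H", 0x8180, 1, 1, 0, 0) + q[12:] + rr

# Constructed samples using RFC 5737 documentation addresses.
DOH_REPLY = sample_reply("blocked.example", "192.0.2.10")
UDP53_REPLY = sample_reply("blocked.example", "203.0.113.7")
```

Disjoint answers are a signal, not proof: CDN-hosted names legitimately return different addresses per resolver, so repeat the comparison on several names before concluding the port-53 path is being tampered with.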
