openvpn also kena.
if someone found a loophole, keep it for yourself. i dont think TM will stop at here.

i am currently plan to have dns server that are not using standard port 53, will like masquerade as port 443
good thing openwrt accept non standard port dns service as upstream

This post has been edited by zerorating: Sep 4 2024, 02:10 PM

lol nice one. but IP not fixed meh?
TM can always hijack these IPs.

you can always do /32 static route what. small inconvenience are acceptable

shhhhhhhhh, dont challenge them.
i take dns block than IP block anyday

cant comment further, the company i work have dedicated IP per CDN site which we can access most of our endpoint. the only differentiating factor is them SNI.

honestly our company VPN is better than paid vpn hosted in malaysia in term of performance lel.

actually they did IP block before during covid, it just to conserve bandwidth as most people stay at home. once bukkake they release it lel.

yup, the A record provide by CDN provider point to the same IP address (depend on which site, current client geolocation), with custom cert installed too issued by CDN provider, but cant pass HSTS la, to pass HSTS we need to use our own server cert.
still we can use other IP if we feels like, but leceh la need change hosts file bagai

i believe the fixed IP is for convenience, our client just only need to whitelist few of the IP in their firewall rule without the need to whitelist whole subnet.

This post has been edited by zerorating: Sep 5 2024, 12:49 AM

makes me wonder wheres the idea of transparent proxy came from, thats like the most expensive method as the appliances (regardless it is virtual or physical) need to check every packet datagram.

there are some service will senyap2 use different DNS settings than the one we set on our device. takeover someone else IP memang dick move.

whats shopee doing here?

you sure that was the first round test?
i dont think it is possible for you to get that kind of response time if include TLS handshake. how long the connection can last? can we keep sending keep-alive packet?

doesnt tell much, you could have connection open already. to create a connection, you need client hello, server hello, clientkeychange and change cipherspec first before you could send application data.

also as per this support thread, connection is close after 10sec of inactivity.
https://community.cloudflare.com/t/dot-conn...n-timeout/54201

This post has been edited by zerorating: Sep 6 2024, 12:24 AM

dont have wireshark ready

anyway my plaintext test already higher than yours.

around 11ms to freedns.controld.com. still its better than nothing
i used DoT via router on cloudflare previosly, im pretty sure im experience a bit of lag to open a webpage. but nothing to kill someone for.

anyway there are still many plaintext dns still around, so i stick with them for some time.

i think there is possibility that dig only starts its timer when it sends application data, not counting tls handshake period.

This post has been edited by zerorating: Sep 6 2024, 12:54 AM

consumer product wont get special treatment la brader.

yes we are very smart, koff koff fake shopee product, facebook marketplace scam, call scam here and there, download this apk to get discount.

I only indirectly speaking there are tons of gullible people out there. when sms URL message got removed, scammer opting to use whatsapp instead. responsible citizen might report the link given by scammer to polis or hotline 997, so the domain can quickly be blocked by skmm or other other gomen organization like KPDN or polis themselves.
but when it come to public dns, google and other party wont layan, so the dns records remain and gullible users may further kena scam. yes google have the dangerous domain database, but how long it will take them to add suspicious domain into the list?

yes dns redirect wont totally eliminate scam activity, but it will somewhat reduce it. gomen is trying to reduce the possibility of scam activity keep happening, but too bad they resorted to the most extreme method instead. people keep questioned gomen what their action when it come to scam activity, this is one of their action.

you can say this is just alasan, but the issues is real. there are tons of unreported case when it came to scam and story that will not be picked up by media (the amount of losses are not news worthy). i have family member who kena-ed,but good think he didnt keep much money on the account, so he didnt face large losses. ability to be able to censor sites that are not friendly with gomen are just an extra bonusses.

anyway i should say fake shopee listing instead, there are listing ask the buyer to deal tepi, ecommerce site are not responsible to return the money if the purchase on not made thru their platform.

simply saying, we are susah because gomen want to protek the weak. but since netizen dont want it, then lets go to the less radical action or go back to last state.

if people are againsting this DNS redirect, then gomen have option to do IP blocking more seriously instead, thats is something that i rather dont want to happen for popular sites, if i got a choice between public dns server ban and IP block, i choose DNS public server ban anytime.

This post has been edited by zerorating: Sep 8 2024, 02:17 AM

policy change will never satisfy anyone whether we like or not.

are we implying that total freedom is very good thing to have now, we didnt learn from other countries issit, especially abang besar amerika?