Thursday, December 6, 2018

Bypassing website blocking/censorship with Secure DNS and Encrypted SNI (cloudflare only)

I haven't posted in a while, but today I have something interesting to share. Recently, multiple service providers that I use have started blocking some websites using deep packet inspection firewalls. Earlier, these firewalls would only block traffic by examining hostname in GET requests (which is easy to bypass by just using the https version of the target website), but now they employ some more techniques. Specifically, they block based on the SNI field of the TLS client hello, and sometimes also block on the basis of DNS queries. I was looking for ways to bypass these using custom extensions on my browser, but found out that it'll be a very non-trivial problem. Then I looked around and found that-

  1. Latest firefox Nightly builds (and maybe even mainline firefox) have support for DNS over HTTPS (so no DNS based blocking)
  2. Firefox has implemented the ESNI feature discussed in the drafts of TLS 1.3 (again, only available in Nightly build so far)
  3. Cloudflare has enabled ESNI.
I won't retell the whole tale, here are quick links-

The first link also has detailed steps on how to enable these features (plus explanation of what's actually happening). I'll surmise them quickly-

0. Get firefox nightly
1. Type about:config on the url bar.
2. Search for network.trr, change network.trr.mode to 2
3. Search for and set it to true

In all likelihood, your ISP/institution/etc will now not be able to block any website on cloudflare (a LOT of websites use cloudflare), as long as you use firefox nightly. With increased adoption of ESNI, more websites will be able to evade blocking.

(These steps won't work if you are in a workplace and the employer has installed his own certificate on the machines and uses a ssl proxy in conjunction with the firewall)

No comments:

Post a Comment

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC