Encrypted DNS (DoH/DoT) + SNI block in Indonesia

From https://www.reddit.com/r/indonesia/comments/tzj5h4/comment/i4f7z94

Summary of accessibility of Reddit with Indonesian mobile operators and fixed ISPs (as of 12 April 2022):

  • Mobile operators: Most operators are already blocking alternative Domain Name System (DNS) resolvers, with DNS hijacking, DNS redirection, Transmission Control Protocol (TCP) reset attack, Server Name Indication (SNI) filtering, and Deep Packet Inspection (DPI). Solution is to use a DPI bypass software (dpitunnel, GoodbyeDPI, GreenTunnel, PowerTunnel), Virtual Private Network (VPN), or Tor
  • Certain mobile operators aren’t implementing the new blocking mechanism yet, meaning that encrypted DNS systems like DNS over TLS may still usable
  • Fixed ISPs (fibre or hybrid fibre coaxial): Encrypted DNS systems like DNS over HTTPS, DNS over TLS, DNS over QUIC, and DNSCrypt still work with most fixed ISPs. Modified host file (like bebasid) also still work. Some fixed ISPs are already implementing DNS hijacking, DNS redirection, SNI filtering, and DPI and if that happened with your connection, you can use a DPI bypass software (dpitunnel, GoodbyeDPI, GreenTunnel, PowerTunnel), VPN, or Tor
  • Certain fixed ISPs are only partially redirecting alternative DNS resolvers (those hosted outside Indonesia), for example MyRepublic. You can use an alternative DNS resolver based in Indonesia to bypass the block (Cloudflare 1.1.1.1 and Quad9 have Indonesian-based resolvers)

— OG Post—

From https://twitter.com/fransallen/status/1515486447922524165

You will no longer be able to use Cloudflare 1.1.1.1 or any other popular DNS resolver service in Indonesia.

ISPs have started blocking DNS services that can bypass censorship.

Based of replies, seems like XL Axiata, Tri (3, can confirm that I’m now having trouble getting Private DNS nor Edge/Firefox’s encrypted DNS to bypass domain blocking on ASN45727, but since the DNS servers themselves are still accessible via HTTPS, I’m not sure how to properly test), and Telkom (Telkomsel, Indihome) have started rolling out the block.

Mozilla’s default DNS is mozilla.cloudflare-dns.com. Does it open?

Yes, along with chrome.cloudflare-dns.com and dns.google


Now I’m pretty doubtful on whether I’m actually experiencing the block or not, since it could just as easily be a browser misconfig at my end

(post updated with the more comprehensive reddit summary)

Can confirm that I was experiencing SNI blocking, not DoH/DoT blocking

>curl -v --connect-to ::172.67.159.231: https://nhentai.net
* Connecting to hostname: 172.67.159.231
*   Trying 172.67.159.231:443...
* Connected to 172.67.159.231 (172.67.159.231) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

>curl -v --connect-to ::172.67.159.231: --header "Host: nhentai.net" https://cloudflare.com
* Connecting to hostname: 172.67.159.231
*   Trying 172.67.159.231:443...
* Connected to 172.67.159.231 (172.67.159.231) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: nhentai.net
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< ...

Along with the usual DNS poisoning and HTTP sniffing:

>curl -v http://nhentai.net
*   Trying 116.206.10.31:80...
* Connected to nhentai.net (116.206.10.31) port 80 (#0)
> GET / HTTP/1.1
> Host: nhentai.net
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html
< Location: http://restricted.tri.co.id/index.html
< Accept-Ranges: bytes
< Connection: Keep-Alive
< Date: Mon, 25 Apr 2022 07:25:44 GMT
< Age:      12
< Content-Length:        184
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.1</center>
</body>
</html>
* Connection #0 to host nhentai.net left intact

>curl -v --header "Host: nhentai.net" http://example.com
*   Trying 93.184.216.34:80...
* Connected to example.com (93.184.216.34) port 80 (#0)
> GET / HTTP/1.1
> Host: nhentai.net
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Moved
< Content-Length: 0
< Location: http://lamanlabuh.aduankonten.id/
< Pragma: no-cache
< Cache-Control: no-cache
<
* Closing connection 0


MyRepublic (ASN63859) seemingly tried to sniff HTTPS traffic too for a brief period (around ~02:55 2022/05/03 GMT+7, lasted about 3 minutes) as I got an SSL_PROTOCOL_ERROR on browser, and curl showed a blockpage with the insecure flag (I was too stupid to atleast screencap any of these though, sorry :pensive:)

EDIT: They tried randomly (some connections get through) intercepting and redirecting HTTPS again, but properly (CERT_COMMON_NAME_INVALID with a *.myrepublic.co.id domain subject) and it seemed to only last for an hour (started around ~05:00 GMT+7)

MyRepublic user here…

It seems like since 2022-05-17 evening it has been doing DNS poisoning with all DNS resolvers, including the ones based in Indonesia (like Cloudflare’s 1.1.1.1).

Do you experience it with your connection as well? (which I assume is also MyRepublic)