Try something like
goodbyedpi.exe -6 -e 130
It will work only for Firefox though.
Your ISP started to search for the ServerNameIndication pattern in the TCP packets, apparently due to Chrome’s usage of Kyber, which causes TLS packet to be larger than a single TCP packet. However, it looks for the pattern beginning only in the first 256 bytes of TCP packet payload (even when there’s no TCP session started by 3-way handshake), while Chrome with Kyber enabled could put it anywhere, so my assumption is that Chrome would sometimes connect to the blocked website without any circumvention methods.
The workaround for GoodbyeDPI is to split the packet exactly at the ServerNameIndication (domain name) boundary.
I’ll make a proper fix somewhere next month.
ksa_ntcparty.pcapng (33.5 KB)