How to block DoH without blocking other Cloudflare services: ngrep -K 100 cloudflare-dns.com 'dst 1.1.1.1 and tcp port 443'. Because SNI.
dnscrypt-proxy actually uses 1.0.0.1 and dns[.]cloudflare[.]com; I don't know what other clients do. But the point is that SNI leaks the fact that you are trying to use DoH, so the connection can be reset.
Lots of services don't use SNI. I remember some Android library makes most of Android traffic without SNI (so it's not something special).
Without SNI, there can be only one service on that IP, so the whole IP can be blocked.
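The thread's point is that the SNI extension in the TLS ClientHello is sent in the clear, so a middlebox can spot a DoH resolver hostname before any encrypted byte flows and reset the connection (that is what ngrep's -K does with RST segments), while a ClientHello with no SNI at all gives the middlebox nothing to match on and leaves blocking the whole IP as the only option. The following is an added example, not code from anyone in the thread, showing that decision logic: it builds a constructed ClientHello with or without SNI, parses the SNI out of raw bytes with bounds checks, and classifies the segment the way the ngrep one-liner would. The destination-IP prefilter mirrors the 'dst 1.1.1.1' BPF expression from the thread; 1.0.0.1 and dns.cloudflare.com come from the second reply. The function names, the DOH_HOSTNAMES set and the handshake contents are assumptions made for illustration.

```python
import struct
from typing import Optional

# Resolver hostnames treated as "DoH attempt" when seen in SNI.
# cloudflare-dns.com and dns.cloudflare.com are the names mentioned in the
# thread; the set itself is an assumption for this example.
DOH_HOSTNAMES = {"cloudflare-dns.com", "dns.cloudflare.com"}
# Destination prefilter, equivalent to the thread's 'dst 1.1.1.1' (plus 1.0.0.1).
RESOLVER_IPS = {"1.1.1.1", "1.0.0.1"}


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: type(2) + length(2) + body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed TLS record carrying a minimal ClientHello, with or without SNI."""
    body = b"\x03\x03" + b"\x11" * 32              # client_version + fixed (constructed) random
    body += b"\x00"                                  # empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                              # one compression method: null
    exts = _ext(0x000A, b"\x00\x02\x00\x1d")         # supported_groups: x25519
    if sni is not None:
        name = sni.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        exts = _ext(0x0000, struct.pack("!H", len(sni_list)) + sni_list) + exts
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(segment: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed."""
    try:
        if segment[0] != 0x16 or segment[5] != 0x01:              # record type handshake, msg ClientHello
            return None
        rec_len = struct.unpack("!H", segment[3:5])[0]
        hs_len = int.from_bytes(segment[6:9], "big")
        if rec_len != hs_len + 4 or len(segment) < 5 + rec_len:   # truncated capture: don't guess
            return None
        pos = 9 + 2 + 32                                           # skip client_version + random
        pos += 1 + segment[pos]                                    # session id
        pos += 2 + struct.unpack("!H", segment[pos:pos + 2])[0]    # cipher suites
        pos += 1 + segment[pos]                                    # compression methods
        end = pos + 2 + struct.unpack("!H", segment[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", segment[pos:pos + 4])
            edata = segment[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000 or len(edata) != elen:
                continue
            list_len = struct.unpack("!H", edata[0:2])[0]
            i = 2
            while i + 3 <= 2 + list_len:
                ntype = edata[i]
                nlen = struct.unpack("!H", edata[i + 1:i + 3])[0]
                name = edata[i + 3:i + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")
                i += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def classify(segment: bytes, dst_ip: str, blocked=DOH_HOSTNAMES) -> str:
    """Decide what a middlebox applying the thread's rule would do with this segment.

    'reset'  : SNI names a DoH resolver -> kill the connection (ngrep -K behaviour)
    'pass'   : not a resolver IP, or SNI names some other service on that IP
    'no-sni' : ClientHello carries no SNI; nothing to match, only whole-IP blocking remains
    """
    if dst_ip not in RESOLVER_IPS:
        return "pass"
    sni = extract_sni(segment)
    if sni is None:
        return "no-sni"
    return "reset" if sni.lower() in blocked else "pass"


if __name__ == "__main__":
    for host, ip in [("cloudflare-dns.com", "1.1.1.1"), ("www.cloudflare.com", "1.1.1.1"), (None, "1.1.1.1")]:
        print(host, ip, "->", classify(build_client_hello(host), ip))
```

Feeding the three constructed hellos through classify shows the asymmetry the thread describes: the DoH hostname gets a reset, another Cloudflare hostname on the same IP passes untouched, and the SNI-less hello yields no match at all, so the only remaining lever is the coarse IP block. A real deployment would hand the "reset" decision to something that can inject RST segments; this example stops at the decision.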