2026-lange-towards
findings extracted from this paper
-
Both Firefox and Chromium leak cleartext DNS before establishing encrypted DNS connections: they first send an unencrypted UDP DNS query to resolve the DoH server's domain (e.g., doh.opendns.com). An in-path censor can intercept and poison this initial query, making encrypted DNS in browsers completely ineffective without additional circumvention of the resolver-lookup step. Additionally, Chromium always includes the SNI extension in the encrypted DNS TLS handshake (e.g., "doh.opendns.com"), leaking the resolver identity even after the initial lookup. No resolver requires SNI to be present for certificate validation when the resolver's IP certificate is configured.
-
DNS censorship of encrypted protocols is inconsistent in both China and Iran. In China, Yandex resolvers are censored only when the SNI extension is present; omitting SNI bypasses censorship for these resolvers. In Iran, DoH requires SNI omission for Quad9, Google, Adguard, CleanBrowsing, and NextDNS resolvers, but works with SNI for Yandex and Cisco resolvers. These inconsistencies suggest resolvers have been accidentally missed by censors, highlighting the value of automated tools that trial all resolver-mode combinations rather than hard-coding a single strategy. The support evaluation found 47 resolvers supporting DoH, 16 supporting DoH3, and only 8 supporting DoQ out of ~65 tested.
-
DPYProxy-DNS tested 8 circumvention modes against DNS censorship from vantage points in Iran (AS201295, Mashhad) and China (AS4837, China Unicom). In Iran, DoQ was entirely uncensored even with the SNI extension present; DoH3 worked for all Cloudflare and NextDNS resolvers. Iran's censor operates in-path (not on-path like the GFW), making the "Last Response" mode (wait 3s for the last UDP reply) ineffective in Iran but highly effective in China. Auto-mode averaged 12.32s (median 8.28s) in Iran and 13.78s (median 12.90s) in China to discover a working combination.
-
TCP segmentation (splitting a DNS message into 20-byte TCP fragments) successfully circumvented DNS censorship in China for nearly all resolvers that support TCP. In Iran, TCP segmentation was only partially effective due to the censor's ability to reassemble TCP fragments when system load permits—some runs succeeded completely, others failed entirely across all resolvers. The "Last Response" mode (wait 3 seconds for the final UDP reply) was highly effective against China's on-path GFW injector for all resolvers except the fully IP-blocked Cloudflare 1.1.1.1 resolver.