ISP blocks DNS over TLS and poisons any unencrypted DNS resolution

chris13

The ISPs are blocking port 835 and poisoning any unencrypted DNS resolution that is not going to the ISP DNS server.
Is there a way to circumvent this using the Asus Merlin firmware, without resorting to DoH?

Edit: they blocked DoT on port 443 too and reroute DNS queries to their own DNS server.

But it only lasted for about 3 hours; now everything is back to normal. Now I have to consider alternatives.
 
If your ISP is intercepting port 53 and blocking port 853 you may have to use DoH or DoQ.

Both are available options in AdGuard Home add-on for Asuswrt-Merlin firmware. Runs well on 1GB RAM routers.
 
Too bad, I thought maybe there's something that can be done to keep DoT.
Guess they are still testing it; now I have to consider alternatives if they implemented that.
 
Is this practice of intercepting DNS something common in your country?
 
Nope, but the regulator is well known for requiring ISPs to block certain internet sites, like porn, pirated, and sites that are criticizing the gov.
What the ISP did in the past was just pure DNS filtering on their own DNS.

It's new to me, what they did just now. Guess they were just testing, but it was 3am. Maybe there were similar tests being carried out in the past without me realising, when I was asleep.
 
Encrypted DNS may not help you at all in this case. Your ISP may just block the IPs of whatever is restricted.
 
I don't know what your situation is. Some countries are running firewalls on a national level and blocking not only IPs but VPNs as well plus making them illegal for private use with no licence. No matter what solution you come up with - stay away from trouble.
 
One option would be to use a VPN (either to a VPS, or to a commercial VPN provider), and only redirect DNS traffic through that DNS.
 
Well - this is a sound use-case for DNS over HTTPS - as much as I don't like it...

That said - it's easy to block hosts over HTTPS...

Some suggest VPNs, but considering state interference, look towards things like shadowsocks and similar items...
 
Actually if going down the VPS route, might as well just host your own DoT resolver on that VPS, and set it to a different port than 853. Would be simpler and more efficient than a VPN.
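
A way to confirm the two symptoms discussed in this thread (port 53 answered on-path, port 853 blocked) from a machine behind the router. This is an added example, not code from any poster; the function names are hypothetical, and the DoT endpoint in the `__main__` block is an arbitrary public resolver chosen as an assumption.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234):
    """Encode a DNS A/IN query with the RD flag set."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!2H", 1, 1)

def is_reply_to(query, reply):
    """True if `reply` is a DNS response (QR bit set) carrying our query ID."""
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def udp53_answered(server, name, timeout=3):
    """Send a plain DNS query to server:53; True if a matching response arrives."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return is_reply_to(query, s.recv(4096))
        except OSError:  # timeout or unreachable: nothing answered
            return False

def dot_handshake_ok(server, tls_name, timeout=3):
    """True if a certificate-verified TLS session to port 853 completes."""
    try:
        with socket.create_connection((server, 853), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=tls_name):
                return True
    except OSError:  # refused, timed out, reset, or certificate mismatch
        return False

def verdict(sinkhole_answered, dot_ok):
    """Summarise the two probes."""
    port53 = "intercepted" if sinkhole_answered else "no interception seen"
    return f"port 53: {port53}; port 853: {'reachable' if dot_ok else 'blocked or tampered'}"

if __name__ == "__main__":
    # 192.0.2.1 is in TEST-NET-1 (RFC 5737): nothing legitimate answers DNS there,
    # so a response means something on the path is answering port 53 itself.
    # 1.1.1.1 / one.one.one.one is an assumed public DoT resolver; use your own.
    print(verdict(udp53_answered("192.0.2.1", "example.com"),
                  dot_handshake_ok("1.1.1.1", "one.one.one.one")))
```

A response from the TEST-NET address is conclusive; silence is not, since a network may drop traffic to reserved ranges before any redirect applies.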
 
