How to get around Reliance Jio GigaFiber blocking of websites?

Changing network.trr.mode to 2 will enable DoH, and updated Firefox uses Cloudflare DNS by default, so no further DNS changes are required.

This tech is still in the beta stage, so there are some inconsistencies, but enabling it doesn't do any harm and helps a bit with privacy.
 
@webie
Try changing DNS to 1.1.1.1 in your GW device (router) admin console.

All that ESNI does is encrypt the name of the website (which is using HTTPS), so the ISP cannot trace the name.
More info - Cloudflare Improves Privacy by Encrypting the SNI During TLS Negotiation

You should be getting 3 green ticks for nos. 1, 3 & 4 on this page after you run the test at the page below:

Cloudflare ESNI Checker | Cloudflare
 
I am getting 4 ticks. I haven't changed the DNS manually though. It seems Firefox is catching the DNS automatically.
 
The success of DoH, SNI, etc. depends on how the websites are blocked. I'll try to detail them in this post from easiest to toughest.

1. DNS Block - Easiest to circumvent
For some ISPs (BSNL), just changing the DNS server (8.8.8.8, 1.1.1.1, etc.) works. This is because they just do DNS blocking, and that too only on their own nameserver. So a DNS query for blocked.com won't work on BSNL's nameserver but will on any other public server.

2. HTTP Block

This is content-based blocking and mainly works on unencrypted HTTP sites. So although you've bypassed the DNS block (1), HTTP traffic being plaintext, the ISP can clearly identify (e.g. from the Host header) that you are trying to connect to blocked.com and consequently block that request. This can be bypassed by browsing the HTTPS version of the website.

3. DNS Inspection

Here, your nosy ISP inspects your DNS traffic as well. DNS is a plaintext protocol, so it doesn't matter which DNS server you are using: the DNS traffic has to go through the ISP before it reaches the DNS server. So if your ISP sees a DNS request for blocked.com, it will block that outright. Without the IP address you are no good.

This can be bypassed using encrypted DNS, commonly known as DoH, DoT, etc. All it does is encrypt the DNS request in an SSL wrapper. Being encrypted, the ISP has no way to know which site the DNS query is for.

4. SNI blocking
SNI (Server Name Identification) is a way to host multiple SSL websites on a single IP, similar to virtual hosting in HTTP. If you had two SSL websites running on the same IP, the web server would use the SNI info to connect to the correct SSL site. Traditionally, SNI was always plaintext. Using the SNI info, the ISP can selectively block SSL traffic from connecting to the said IP. For example, if both good.com and bad.com resolve to 100.101.102.103, using the SNI info the ISP can selectively block traffic to bad.com without affecting the other.

As usual, the bypass technique is Encrypted SNI (ESNI). Using ESNI, the ISP cannot know which specific site on that IP you are connecting to. All it knows is that you are connecting to 100.101.102.103. So either it has to allow both or block both (5).

5. IP based blocking - Hardest to circumvent

This is the strongest form of blocking. It is equivalent to a blanket ban on an IP. Considering the previous example, this means you will be blocked from connecting to both good.com and bad.com, since they both resolve to the same address.

Bypassing IP-based blocking is possible using proxies, VPN, Tor, I2P, Psiphon, etc., unless the circumvention service is also blocked.
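As an added example (not code from any post in this thread), the following Python script shows concretely what an on-path observer can read at blocking layers 1 to 4 above: the QNAME of a plaintext DNS query, the Host header of a plaintext HTTP request, and the SNI extension of a TLS ClientHello. It constructs one sample packet of each kind (all bytes are constructed sample data; the hostnames blocked.com and bad.com are the ones used in the post) and then parses the name back out, which is exactly the field that DoH/DoT (for DNS) and ESNI (for TLS) remove from the ISP's view. The packet builders and parsers are minimal and handle only the single-question / single-SNI case they construct.

```python
import struct
from typing import Optional

# --- Layer 1/3: plaintext DNS. The resolver, or any middlebox on the path, reads the QNAME. ---

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed plaintext DNS query for an A record (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)             # QTYPE=A, QCLASS=IN

def dns_qname(packet: bytes) -> str:
    """Name an observer recovers from the first question of a plaintext DNS query."""
    pos, labels = 12, []                                         # skip the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    return ".".join(labels)

# --- Layer 2: plaintext HTTP. The Host header names the site even after a DNS bypass. ---

def build_http_request(host: str, path: str = "/") -> bytes:
    """Constructed HTTP/1.1 GET request."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: sample\r\n\r\n".encode()

def http_host(request: bytes) -> Optional[str]:
    """Host header value an observer recovers from a plaintext HTTP request."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:                         # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode()
    return None

# --- Layer 4: TLS ClientHello. The server_name extension is sent in the clear (without ESNI). ---

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying a single SNI entry."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name    # name_type host_name(0)
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32                            # version TLS 1.2, random (zeros)
            + b"\x00"                                             # session id length 0
            + struct.pack(">H", 2) + b"\x13\x01"                  # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                         # compression methods: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record type handshake

def tls_sni(record: bytes) -> Optional[str]:
    """SNI hostname an observer recovers from a plaintext ClientHello, else None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                               # not a handshake / ClientHello
    pos = 5 + 4 + 2 + 32                                          # record hdr, hs hdr, version, random
    pos += 1 + record[pos]                                        # session id
    suites_len = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2 + suites_len
    pos += 1 + record[pos]                                        # compression methods
    ext_total = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, 1-byte name_type, 2-byte name length, name
            name_len = struct.unpack(">H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return None

def visible_names() -> dict:
    """What the ISP learns from each plaintext protocol, for the post's sample hostnames."""
    return {
        "dns_qname": dns_qname(build_dns_query("blocked.com")),
        "http_host": http_host(build_http_request("blocked.com")),
        "tls_sni": tls_sni(build_client_hello("bad.com")),
    }

if __name__ == "__main__":
    for layer, name in visible_names().items():
        print(f"{layer}: {name}")
```

With DoH/DoT the DNS query bytes travel inside a TLS session to the resolver, and with ESNI the server_name extension is encrypted, so the same parsers applied to the captured stream return nothing; all that remains visible is the destination IP, which is why step 5 (IP blocking) is the only layer left for the ISP.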
 


1. Most ISPs are using a transparent DNS proxy to redirect open DNS requests to their servers.

2. A VPN would make your connection slower; free VPNs would not work well with video content, streaming sites, etc.
 