Does DNS filtering still work?
By Vince
DNS, or the Domain Name System, is how a human-friendly name like google.com gets translated into an IP address so your client can find the server that has your content.
For this article we are going to focus on website filtering (or content filtering), where the goal is to block access to websites that someone deems inappropriate. That someone may be a parent, an employer, an ISP, or a government acting through regulation or policy.
Employers typically have an enterprise policy pushed out to the managed device and its web browser, and they often run a proxy at the edge of the network that does HTTPS inspection using a certificate the managed devices are configured to trust. That makes every technique we are going to discuss irrelevant, since the employer controls the endpoint as well as the network. This article mainly focuses on non-enterprise users.
The typical solution for content filtering is to intercept the DNS request and block it in some manner: returning a bad IP address instead of the real one (such as localhost or 0.0.0.0, a sinkhole), returning the IP of a web server that explains why the site was blocked (a redirect to a block page), answering NXDOMAIN as if the name did not exist, or not responding at all (a timeout). The block-page approach only works cleanly for plain HTTP; for an HTTPS site the block page's certificate will not match the requested name, so the user sees a certificate error rather than the explanation.
Outside of straight DNS, there are a few other ways filtering can happen. The main one is inspecting the TLS handshake (SSL, if you know it by the older name of the protocol), specifically the Server Name Indication (SNI) extension. This is where your browser sends, in cleartext, the domain name it is trying to reach as part of its ClientHello. The intended purpose of SNI is to let a server that hosts many sites on one IP address present the correct certificate; without it you would get a certificate for the wrong name and an invalid-certificate error.
SNI inspection works like this: when the device watching the traffic sees a blocked domain name in the ClientHello, it sends a TCP RST packet to the sender (and often to the server as well), which tells your browser/client to tear down the connection.
The main limitation of SNI from a blocking perspective is that it carries only the host name, never the full URL. The filter sees google.com, not google.com/the/specific/thing/i/want/to/block, because the path travels inside the HTTP request, which is encrypted. That restricts SNI-based blocking to entire domain names (here, all of google.com) rather than specific pages. Sometimes that is what you want, but often the goal is to block only the sections of a site that are inappropriate.
There is a newer standard called Encrypted SNI (ESNI), since superseded by Encrypted Client Hello (ECH), which encrypts the portion of the handshake that includes the domain name and so renders it useless to a blocking device. It works by the website publishing a public key beforehand in DNS. The browser fetches that key, then uses it to encrypt the sensitive part of the ClientHello (just the SNI extension under ESNI; the entire inner ClientHello under ECH, leaving only a generic public name visible). Cloudflare has a great write-up on how this works, so I won't go into more detail: How does encrypted SNI work?. This makes SNI inspection obsolete unless your browser is managed and has the option disabled. One caveat: because the key is fetched over DNS, an operator who controls your plain DNS can strip it and force a cleartext SNI, which is why Firefox only uses ECH when it is also using DoH.
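To make the SNI discussion concrete, here is an added example (my own code, not from the original article) that builds a minimal TLS ClientHello, pulls the server name out of the SNI extension the way an inline filter would, and decides whether to reset the connection. The blocklist and host names are constructed. Note that the verdict can only ever be per domain, because the URL path is not in the handshake, and that a ClientHello without an SNI (or with ECH, where the outer SNI carries only a public name) gives the filter nothing to match.

```python
import struct

SNI_EXT = 0x0000                  # TLS extension type for server_name
BLOCKLIST = {"blocked.example"}   # constructed: domains the filter resets


def build_client_hello(server_name=None):
    """Construct a minimal TLS ClientHello record (test data, not a full handshake)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type = host_name
        sni = struct.pack("!H", len(entry)) + entry                 # server_name_list
        exts += struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32            # legacy_version, random (fixed here)
            + b"\x00"                              # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record):
    """Return the host name from the SNI extension of a ClientHello record, or None.
    None also covers anything that is not a well-formed ClientHello: a filter must not
    crash on garbage, and must treat 'no SNI' as 'nothing to match'."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:        # handshake record, ClientHello
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) != hs_len:
            return None                                    # truncated record
        pos = 2 + 32                                       # skip legacy_version and random
        pos += 1 + body[pos]                               # legacy_session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos == len(body):
            return None                                    # no extensions at all
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != SNI_EXT:
                continue
            lpos = 2                                       # skip server_name_list length
            while lpos + 3 <= len(data):
                ntype, nlen = data[lpos], struct.unpack_from("!H", data, lpos + 1)[0]
                if ntype == 0:                             # host_name entry
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                lpos += 3 + nlen
    except (IndexError, struct.error):
        return None
    return None


def sni_verdict(record):
    """What an inline SNI filter decides: 'RST' to tear the connection down, else 'PASS'.
    Matching is on the host and its parent domains only; the URL path is inside the
    encrypted application data and is invisible here."""
    host = extract_sni(record)
    if host is None:
        return "PASS"          # no SNI (or an ECH outer hello with only a public name): blind
    labels = host.lower().rstrip(".").split(".")
    blocked = any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))
    return "RST" if blocked else "PASS"
```

A real filter would feed `extract_sni` the first record of each new TCP stream on port 443 and inject the RST when it returns a listed name; everything after that first record is encrypted and never consulted.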
We have identified the two main ways to block or filter websites (there are more, but they are complex and expensive). Now, what are the ways around them? There are plenty.
A modern web browser ships with defaults that sidestep both of the techniques we talked about.
Let's say we want to get around the first technique, blocking the DNS request. There is a protocol called DNS over HTTPS (DoH, RFC 8484) in which the client sends the ordinary wire-format DNS query inside a standard HTTPS (HTTP/2) request to a resolver such as Cloudflare's, in the US. The lookup then looks like ordinary browsing traffic on port 443, so an operator would have to block the resolver's HTTPS endpoint entirely to make DNS filtering effective.
Firefox has had DoH enabled by default for US users since 2020; you can read more about that here: DNS-over-HTTPS
In response to DoH, Firefox lets network administrators signal that it should be disabled through a canary domain, use-application-dns.net. Before turning DoH on, the browser resolves that name through the system resolver; if the answer is NXDOMAIN, or contains no A or AAAA records, Firefox disables DoH. Details linked here. The check only applies when DoH is on by default; a user who has explicitly enabled it in settings is not affected. In practice this is used by enterprises and by ISPs in countries that mandate blocking.
So there is a way for a network to switch DoH off, but it assumes you are still using the network's DNS servers. If you pick a resolver yourself, whether by manually enabling DoH in the browser (which skips the canary check) or by setting the operating system's DNS server to Cloudflare's 1.1.1.1, the operator's resolver is never consulted and those protections are moot. There are many public DNS servers to choose from.
The operator's response is to block DNS requests to any server they do not control: at the network edge, redirect all UDP and TCP port 53 traffic to their own resolver, block DNS over TLS on port 853, and block the IP addresses of known DoH endpoints. This is doable, but it gets complicated if they have to specify which users must be blocked and which may pass through.
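The following Python block is an added example (not the author's code) covering the DNS side of the last few paragraphs and the filtering tactics described earlier: it builds a wire-format query, plays the role of a filtering resolver that answers listed names with a sinkhole address, a block-page address or NXDOMAIN (the policy table, sinkhole and block-page IPs are constructed), sends the same query bytes as an RFC 8484 DoH POST to Cloudflare's real endpoint (that one call needs network access), and applies Firefox's canary rule to a response for use-application-dns.net.

```python
import ipaddress
import struct
import urllib.request

# Constructed filtering policy: name -> how the resolver should lie about it.
SINKHOLE_IP = "0.0.0.0"          # "bad" address: the connection goes nowhere
BLOCK_PAGE_IP = "203.0.113.10"   # TEST-NET-3 address standing in for a block-page server
POLICY = {
    "blocked.example": "sinkhole",
    "redirect.example": "blockpage",
    "nx.example": "nxdomain",
    "use-application-dns.net": "nxdomain",   # Firefox's canary: NXDOMAIN asks it to disable DoH
}


def encode_name(name):
    """Wire-format DNS name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("idna") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, pos):
    """Decode a possibly compressed name at msg[pos]; return (name, position after it)."""
    labels, end = [], None
    for _ in range(128):                       # hard bound against pointer loops
        length = msg[pos]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            end = end if end is not None else pos + 2
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (pos if end is None else end)


def build_query(name, txid=0x1234, qtype=1):
    """A standard recursive query (RD=1). The same bytes go over UDP/53 or inside a DoH POST."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_response(msg):
    """Return (rcode, [A/AAAA addresses]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    pos, addrs = 12, []
    for _ in range(qd):
        _, pos = decode_name(msg, pos)
        pos += 4                                # qtype, qclass
    for _ in range(an):
        _, pos = decode_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[pos:pos + 4])))
        elif rtype == 28 and rdlen == 16:
            addrs.append(str(ipaddress.IPv6Address(msg[pos:pos + 16])))
        pos += rdlen
    return flags & 0x000F, addrs


def filtering_resolver(query):
    """Play the operator's resolver: answer names in POLICY with a lie, or return None
    to mean 'forward upstream and answer honestly'. The fourth tactic, not replying at
    all, is simply the caller dropping the packet."""
    txid = struct.unpack_from("!H", query, 0)[0]
    name, pos = decode_name(query, 12)
    question = query[12:pos + 4]
    action = POLICY.get(name.lower())
    if action is None:
        return None
    if action == "nxdomain":                    # flags: QR=1 RD=1 RA=1, rcode=3
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    ip = SINKHOLE_IP if action == "sinkhole" else BLOCK_PAGE_IP
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


def doh_lookup(name, url="https://cloudflare-dns.com/dns-query"):
    """RFC 8484 DoH: POST the wire-format query over HTTPS and parse the wire-format reply.
    Needs network access, so it is not exercised offline; to the network it is one more
    HTTPS request to a Cloudflare address."""
    req = urllib.request.Request(url, data=build_query(name), method="POST",
                                 headers={"content-type": "application/dns-message",
                                          "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


def canary_disables_doh(response):
    """Firefox's rule for use-application-dns.net: NXDOMAIN, or an answer with no A/AAAA
    records, means the network is asking the browser to leave DoH off."""
    rcode, addrs = parse_response(response)
    return rcode == 3 or not addrs
```

Run `doh_lookup("blocked.example")` from a network that filters only port 53 and the filtering resolver above is never asked: the operator would have to block the HTTPS endpoint itself. Conversely, a user who points the OS at 1.1.1.1 over plain port 53 is still caught if the edge redirects port 53 to the filtering resolver, which is why `filtering_resolver` does not care where the query came from.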
The last technique, which gets around all of this, is to just use a VPN. A Virtual Private Network sends all your traffic as encrypted packets directly to another device on the internet, which in turn sends them out, so all your traffic appears to come from that external device. To a network operator or government it looks like a stream of encrypted packets to a single host. Two things have to hold for this to defeat DNS filtering: the DNS queries must go through the tunnel too (a VPN client that leaves the operating system pointed at the local resolver leaks them, and the filtering keeps working), and the operator must not be able to block the VPN endpoint itself.
Network operators can block VPN traffic, but that can get quite difficult, since the traffic can be masked as HTTPS and there are many VPN providers and protocols. Some use UDP, some use TCP, so blocking may require deep traffic inspection, which gets very expensive at scale.
Another option is Tor. Tor is not a VPN but onion routing: your connection is relayed through several volunteer nodes, each of which knows only the previous and next hop, and the exit node does the DNS resolution, so your local resolver is never asked. You can read more about Tor here and download the Tor Browser, which takes care of all the heavy lifting of getting on the network. Tor's relays are publicly listed, so an operator can block them by address; the project's bridges exist for exactly that case.
As you can see, this is often a cat-and-mouse game between two sides: one that respects privacy, and one that wants to restrict access. There are some things I agree should be blocked (CSAM), but outside of that I want a private, open internet, and I hope you do too.