Just an FYI, dnscrypt-proxy allows you to run a local DoH server you can use with Firefox, so you don't have to trust some public server.
That local server still has to get the data from somewhere.
Another poster said there’s lots of ways to get past DoH/DoT and they’re right. The goal is to run your ECH packet safely to your DNS server. To that end, make your VPN server connection first, then ask for ECH from your trusted DoH/DoT server.
If you’re dealing with DPI you gotta fuck up your packets a bunch to get them through. It makes things slow.
A good way to avoid DPI is to just not deal with it. Often DPI systems are at border crossing points, so if you connect to your trusted VPN endpoint inside the borders of the place you’re trying to obfuscate from, you can make it out to a DoT or DoH.
Both xray and amneziawg self-hosted solutions are great enough to provide the needed layer against new censorship mechanisms. I think you're from Russia; I have a VPN for friends in this region, someone lives under white lists every day for 2 years, so we found a method to even resist "white lists". The trun proxy is great but still vulnerable to privacy, but works really great. Let's kill their network together)
idk the technical details much but DoH/DoT doesn't bypass DPI for most websites for me in South Korea. zapret/GoodbyeDPI works.
To your last question there’s a technology called encrypted client hello intended to solve that problem.
I'm using NextDNS, I enabled all of the security filters, and I also block piracy and NSFW sites so I don't accidentally access them without a VPN.
I'm not quite satisfied with NextDNS, but it's the only option on which I can block the xyz, click, and top TLDs.
Yes, everyone should set up DoH (DNS-over-HTTPS) or DoT (DNS-over-TLS). You can do this at the browser level, like you just did in Firefox, or at the OS level.
You can also block ads this way, by cutting off connections to known ad domains before they even start. Mullvad runs a free ad-blocking DoH server anyone can use. See https://mullvad.net/en/help/dns-over-https-and-dns-over-tls for instructions on how to set that up on your OS.
Firefox has also just announced a built-in VPN, which could help get around other types of ISP-level censorship. That's probably the only free VPN I'd trust, personally. Mullvad and Proton are well-regarded paid VPNs if you want to go that route.
DoH (DNS-over-HTTPS)
the acronyms in this context are the biggest barrier for people to understand wtf is going on. lol
Ad blocking with DNS only works some of the time.
Right. It only works for dedicated ad domains. In practice, that's a LOT of ads.
On Android, it'll block most ads, including full-screen ads, within apps.
It will NOT, however, work with sites like Netflix or YouTube, because those use the same domains for ads as for the actual videos.
Proton also has a free tier on their VPN
is it available to all proton email users?
You have a weak DPI system in your country then. The GFW and DPI ain't just playing with IP blocks no more—they straight up dropping any ECH packets on sight and nuking QUIC UDP 443 to force that TCP fallback so they can sniff your SNI, while using active probing and JA3 fingerprinting to instant-kill any encrypted stream that don't look like a regular Chrome handshake 1:1, and now they even doin ALPN hijacking and timing analysis.
I guess they could theoretically block the DoH server(s) by IP. The problem is overblocking. They cannot tell if you're accessing a webpage or a DoH server. They are basically the same thing.
Of course in terms of privacy the DoH provider can tell what domains you requested. But that is true with every DNS service.
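To make the "basically the same thing" point concrete, here is an added example (not from any poster in this thread) that builds an RFC 8484 DoH query exactly as a client would, as a plain DNS wire-format message inside an HTTPS POST, and parses a constructed response offline; the resolver URL is a placeholder.

```python
# Added example (not from any poster in the thread): an RFC 8484 DoH query is an
# ordinary DNS wire-format message carried as the body of an HTTPS request.
import struct
from urllib.request import Request

def build_query(name, qtype=1, txid=0):
    """Encode a DNS wire-format query (RFC 1035): header, QNAME, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_post(name, url="https://dns.example/dns-query"):  # placeholder resolver URL
    """RFC 8484 POST form: the raw DNS message is the HTTPS body, typed dns-message."""
    return Request(url, data=build_query(name), method="POST",
                   headers={"Content-Type": "application/dns-message",
                            "Accept": "application/dns-message"})

def parse_a_records(msg):
    """Return IPv4 strings from the answer section of a wire-format response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])

    def skip_name(p):  # walk labels; a compression pointer (0b11......) ends the name
        while True:
            ln = msg[p]
            if ln == 0:
                return p + 1
            if ln & 0xC0 == 0xC0:
                return p + 2
            p += 1 + ln

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed sample response: question echoed, then one A record whose name is a
# pointer to offset 12, TTL 300, answer 192.0.2.1 (a documentation-only address).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([192, 0, 2, 1]))
```

On the wire, the request is TLS to port 443 with normal HTTP headers, which is why a filter that only sees the outside of the connection cannot separate it from a page load.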