Some online services not working when using DNSCrypt?

Hi, so recently my country (which I won’t name) has started trying to implement some strong censorship laws. I have already been using a VPN full time on my mobile and PC, and use either Quad9 or MullvadDNS (Base configuration). Recently I considered moving to DNSCrypt since it is more resistant to MITM attacks and what-not (if I am correct, that is). However, on both my devices, services like Office365 (Outlook) and Uber are not working properly solely when DNSCrypt is enabled. I have been able to use both on my mobile with Quad9 DoH and RethinkDNS local filter lists without any issues whatsoever.

Is there any known solution to this? I am dependent on these services to a great extent (partly for work, and partly for convenience for both me and my family). If DoH is the best option, how good is it in a censorship scenario?

Also, as a side query, is ProtonVPN (free tier) good to bypass censorship? In my situation, it’s mainly preventing the distribution of content, or posting social media comments/posts, which are deemed as “fake/creating public disorder”. I can’t use TOR for all my apps (like Office365). I’m considering looking into PGP, but unfortunately it’s barely used by anyone I know, so there’s no point anyway, because most of them unfortunately feel that any free, or famous, VPN service (including ExpressVPN) is more than sufficient for anything.

rdns dev and dnscrypt contributor here

Some online services not working when using DNSCrypt?

Check Rethink’s DNS Logs UI to see if you spot any failing queries (tapping on those queries would reveal some more information about it: like send fail / client error / invalid query etc) when you open those apps that don’t work.


You’re right in that, if a nation state MiTMs Web PKI (hard to do undetected given CLs + CRLs/OCSP stapling + Pinning), DoH / DoT are pretty much done for. It is however very unlikely they have the capability to do so in stealth.

Yes, until they start blocking popular DoH servers. In which case, you can opt to deploy your own DoH resolver for $0 on Cloudflare’s network (and there are no servers to maintain); see: GitHub - serverless-dns/zero: No gimmick DoH stub resolver

Since you use Rethink (the app), I must point out that we are adding support for Oblivious DoH in the next version (v055b), a new DNS protocol, with guarantees similar to that of DNSCrypt v3. There aren’t many public-facing resolvers that support Oblivious DoH today, but Rethink (the resolver) will in the coming months.

Maybe if you use their official app. WireGuard or OpenVPN on their own aren’t censorship resistant. Censorship resistance itself is a complex topic, and there are teams that work on it and specialize in it. Unsure if Proton has the expertise or invests in it. However, projects like Lantern, Psiphon, Tor, I2P, XRay, V2Ray, Shadowsocks exist that are plenty capable of breaking down even China’s GFW. But it remains a constant game of cat & mouse.

You need anonymity. This isn’t easy. Don’t use your smartphone for dissident activities. Rethink (or any VPN / network monitor for that matter) is not enough of a protection (Reddit - Dive into anything). Read this (part 1 of 8): https://archive.is/0ZgjZ

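The reply above suggests reading Rethink’s DNS log to see how the failing queries fail. The same triage can be done by hand from a terminal: send a plain DNS query to the local resolver and look at what comes back. The script below is an added example written for this thread, not code from Rethink or dnscrypt-proxy. It encodes a query in wire format, classifies the reply into the buckets that matter when an app stops working (a real answer, NOERROR with zero records, NXDOMAIN, SERVFAIL/REFUSED, a truncated reply, or a timeout, which is what a "send fail" usually looks like), and includes constructed replies so the classifier can be exercised offline. The resolver address 127.0.0.1:53 is an assumption (a local dnscrypt-proxy listener); change it to whatever you run.

```python
"""Triage DNS replies the way you would when reading Rethink's DNS log.

Added example for this forum thread (not Rethink or dnscrypt-proxy code).
Queries are built by hand so the classification does not depend on a
resolver library hiding the response code from you.
"""
import socket
import struct
import sys
from typing import Optional

RESOLVER = ("127.0.0.1", 53)  # assumption: local dnscrypt-proxy listener
TYPE_A = 1
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def classify_response(query: bytes, reply: Optional[bytes]) -> str:
    """Map a raw reply (None for a timeout) to a short triage label."""
    if reply is None:
        return "TIMEOUT"            # nothing came back: transport blocked or resolver dead
    if len(reply) < 12:
        return "MALFORMED"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "ID_MISMATCH"        # reply for a different query; ignore it
    if not flags & 0x8000:
        return "NOT_A_RESPONSE"     # QR bit clear: this is a query, not an answer
    if flags & 0x0200:
        return "TRUNCATED"          # TC bit: retry the same query over TCP
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    if an == 0:
        return "NODATA"             # NOERROR but no records: the "No Answer" case
    return "ANSWER"


def resolve(name: str, resolver=RESOLVER, timeout: float = 2.0) -> str:
    """Send one UDP query and classify whatever comes back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, resolver)
            reply, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            reply = None
    return classify_response(query, reply)


def constructed_reply(query: bytes, rcode: int, answers: int) -> bytes:
    """Build a reply to `query` for offline testing (constructed, not captured).

    Each answer is an A record pointing at 192.0.2.1 (documentation range).
    """
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode          # QR=1, RD=1, RA=1, TC=0
    header = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)
    question = query[12:]           # echo the question section unchanged
    rr = (b"\xc0\x0c"               # compression pointer back to the question name
          + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
          + bytes([192, 0, 2, 1]))
    return header + question + rr * answers


if __name__ == "__main__":
    # Usage: python dns_triage.py example.com another.example
    for host in sys.argv[1:] or ["example.com"]:
        print(host, resolve(host))
```

Run it with the hostnames an app fails on while the app is open; a run of NODATA or TIMEOUT results that disappears when you switch the resolver back is the pattern worth reporting, with the resolver name, as the reply above asks.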

Thank you so much. This is such a wonderful insight. There has been a bunch of errors stating that there was No Answer from the domain. Only happens with DNSCrypt unfortunately.

On a separate note, can we use the RethinkDNS with something like Psiphon (I know it has Orbot support but I’m looking for other options that aren’t TOR)?

Can you email me (mz at celzero dot com) those domains that fail and the dnscrypt resolver you’re using? I want to see if it’s a bug in Rethink.

Doesn’t look like the official Psiphon app for Android supports chaining via SOCKS5 like Orbot does. So, I guess not.


Now THAT is mindblowing! Free self-hosted serverless DoH, jeez, what an amazing concept! I have just tried to set it up on Cloudflare, figured out all API Keys and permissions and all that. It accepted all steps that were required, then proceeded to initialize deployment and an error occurred and nothing deployed anywhere, no idea if it’s CF or GitHub or what.

P.S. Btw, I have set up a WireGuard proxy in Rethink since our last talk in that topic here on the forum and never had any app-induced issues, works like a charm!

EDIT: Tried this in Vivaldi and it worked, bruh. Mullvad browser was the problem apparently :joy:


The Rethink app is just purely wonderful. The only issue I have comes from using DNSCrypt. Might switch to using DoH with local blocklists and Orbot given my current situation.

Remember it has a 100k queries a day limit, and it also gave me an error on first try.

Hello everyone. Small update here. I believe the issue may have been that I was using a ProtonVPN profile. I set up DNSCrypt on my laptop today (works like a charm…using Anonymized DNS and random load balancing which is such a beauty). When I connected the ProtonVPN app, my system was forced through the ProtonVPN DNS. I have a feeling that in the Rethink app, there may have been some sort of clash with the servers trying to override each other, which may have caused the issue? Not sure if this is correct so will be testing more. Hoping that I can find a good alternative VPN to change my IP address for selected apps only. I use TOR Browser, but there are other apps I need to route too.

Special thanks to @ignoramous for all your support. Will keep you posted with any updates from my end. :slight_smile:

Hey guys, I have another update. Any help would be much appreciated.

So, I tried using the ProtonVPN app on Windows with the custom DNS option (provided in the app itself) set to 127.0.0.1 (for dnscrypt-proxy) but it actually ended up blocking internet access. However, the WireGuard client TunnlTo (I used this because it’s easier to split tunnel for apps, so that I can exclude TOR Browser etc.) worked perfectly. I just added a ProtonVPN config, set it to include some apps only, and changed the DNS from 10.2.0.1 to 127.0.0.1, and everything was perfect.

On Android, switched to InviziblePro and it works like a charm (not using TOR for Outlook and Gmail in K-9 Mail). I’m guessing the real problem was some sort of issue that arose from ProtonVPN trying to override DNSCrypt.
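The working setup in the post above comes down to one edit in the WireGuard profile: the DNS= line in [Interface] is changed from the provider’s in-tunnel resolver (10.2.0.1) to the local dnscrypt-proxy listener (127.0.0.1), so apps inside the tunnel resolve names through DNSCrypt instead of the VPN’s DNS. The script below is an added example for this thread, not code from TunnlTo, Proton or the WireGuard project. It parses a WireGuard .conf, rewrites the DNS entry, and checks that every resolver listed is a loopback address. The sample profile is constructed; the keys, addresses and endpoint are placeholders, and a single [Peer] section is assumed (configparser rejects a file with two sections of the same name).

```python
"""Repoint a WireGuard profile's DNS at a local dnscrypt-proxy listener.

Added example for this forum thread; not TunnlTo, Proton or WireGuard code.
The profile below is constructed: keys, addresses and endpoint are dummies.
"""
import configparser
import io
import ipaddress
import sys

SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
"""


def _load(conf_text: str) -> configparser.ConfigParser:
    """Parse a WireGuard profile, keeping CamelCase keys and literal '%' values."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str            # do not lower-case PrivateKey, AllowedIPs, ...
    cp.read_string(conf_text)
    return cp


def interface_dns(conf_text: str):
    """Return the DNS entries of the [Interface] section as a list of strings."""
    raw = _load(conf_text)["Interface"].get("DNS", "")
    return [item.strip() for item in raw.split(",") if item.strip()]


def rewrite_dns(conf_text: str, new_dns: str = "127.0.0.1") -> str:
    """Return the profile text with [Interface] DNS replaced by `new_dns`."""
    cp = _load(conf_text)
    cp["Interface"]["DNS"] = new_dns
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def uses_local_resolver(conf_text: str) -> bool:
    """True when every IP in DNS= is a loopback address (search domains are ignored)."""
    addrs = []
    for item in interface_dns(conf_text):
        try:
            addrs.append(ipaddress.ip_address(item))
        except ValueError:
            continue                # a search domain such as example.net, not an IP
    return bool(addrs) and all(a.is_loopback for a in addrs)


if __name__ == "__main__":
    # Usage: python wg_local_dns.py profile.conf > profile-localdns.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    sys.stdout.write(rewrite_dns(text))
```

One consequence of doing this with a per-app split tunnel is worth keeping in mind: only the selected apps go through the tunnel, so the dnscrypt-proxy service itself, and therefore its encrypted DNSCrypt traffic to the upstream resolvers, leaves over the normal ISP connection unless that process is included in the tunnel as well. The DNS content stays encrypted either way; what changes is which network the resolver traffic is visible on.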

Hello everyone. I need some advice.

If I am using DNSCrypt full time on my PC, do I need a VPN? If so, why? The TunnlTo client does have some issues with WireSock at times, making it useless most of the time (especially when I hibernate my device or change the network). I am currently looking for free options (if any), preferably with app-based split-tunneling so that I can bypass TOR Browser etc., since I am currently a student and will move to paid options once I start making my own income.

Would a proxy (like Privoxy) be sufficient instead? My threat model would be avoiding ISP and Big Tech surveillance, and reducing cross-site tracking. I use Firefox for most of my work, and TOR Browser whenever I need/would like something to be kept private from my identity. Was using Mullvad Browser too, but not right now since I feel using it without a VPN would make it redundant.

Please share this with anyone you think may be able to help me. It would be much appreciated.

Your threat model requires full encryption of your traffic while hiding it under a blanket of one IP destination address, which a VPN satisfies completely.
If you’re considering a proxy then make sure to use one that encrypts your traffic in transit from you to the exit point, like a traditional VPN (using the WireGuard, OpenVPN, IPsec, etc. protocols). I couldn’t find any evidence about Privoxy that explicitly states that it encrypts traffic in transit.

As for split tunneling, I don’t know any WireGuard client on Windows that supports split tunneling except for TunnlTo. No idea about OpenVPN custom clients with split tunneling, if your VPN supports that.
I know that TunnlTo is not the sharpest tool in the shed, I’m using it myself on a daily basis, but it’s the best I’ve got. Gotta endure :confused: Honestly, I’m just thankful that it exists.

If you’re really frustrated with TunnlTo, I can only recommend using a virtual machine with a full VPN inside it, so you could tunnel programs within a VM and bypass other programs on your host.

By the way, why do you want to bypass Tor Browser? You’re not losing any privacy by tunneling it and you’re also hiding from your ISP the fact that you’re using Tor Browser in the first place. Does your VPN provider block Tor?


I agree. TunnlTo is a wonderful client. Proton does not block TOR but I do remember reading in several places that the TOR Browser should ideally not be tunneled through a VPN. Apart from that I have no other issues. I guess I’ll just move to using WireGuard or TunnlTo with a Proton configuration so that I can continue to use DNSCrypt (I personally prefer it to DoH/DoT and I’ve also set up random load balancing and AnonymizedDNS which is a further step in privacy). If my government goes ahead with the proposed bill, they will not be discreet about any attempts to restrict access to sites or use MitM attacks for censorship so I feel that DNSCrypt will be more useful in this scenario. I’m not exactly an open activist but I do stay alert and access news resources etc. which may end up being blocked in the future.

I personally believe this is recommended for antifingerprinting and crowding purposes, like the more people use Tor Browser directly from their residential IP, the less suspicious each one of them looks in particular. There’s also a question of trust in your VPN provider in comparison to your ISP, which you’ll figure out yourself.

If you have an equal choice, better to use it directly, but if it’s inconvenient or impossible (e.g. it’s just blocked) don’t stress over bypassing it, there’s no real harm in tunneling it.

Great, thank you. Suppose my ISP (and all national ISPs by extension) were to block VPNs, what would be the next best step to take after that? I can’t use TOR system wide, and I need to use Windows (sigh) so need some advice here.

Here you step on the territory of censorship circumvention and that’s a huge topic in itself. I could tell you quite some but you should make another post with this request to keep the forum organized.

There are enough materials in my native language but I never researched it in English, so I’d have to do the same amount of research as you’d need to find answers to all your questions.

If you need just a quick rundown, check here, seems fine for a start. There are also links to some legit tools.

If you need just the tools without explanations, download Nekoray and find a bunch of keys to self-hosted proxy servers that you could import there when you need to access something blocked and your VPN doesn’t work.
Better find some keys or a reliable source of them in advance. If the need arises when suddenly all VPNs get properly and completely blocked (which is very unlikely, you’ll get the bells ringing about that very much in advance), you won’t have the means to get out of the cage, so to speak. The tools from the first link will help with that. Just download them, update them occasionally once every several months and keep them, they don’t even need configuring and maintaining.


Hi everyone, small issue. So it turns out that the reason TunnlTo allowed DNSCrypt was due to DNS cache. Today all the servers ended up being from Netherlands when I tried to connect.

Do I go for a VPN (Proton free) or DNSCrypt? Which is better in terms of circumventing censorship? I could use YogaDNS but I prefer not to since it is closed source, and the official dnscrypt-proxy setup allows the use of “random” lb, better AnonymizedDNS support and blocklist support. Psiphon works well with DNSCrypt on Windows, but Lantern overrides the DNS.
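The post above leans on three dnscrypt-proxy settings: the 'random' load-balancing strategy, Anonymized DNS routes, and a local blocklist. Those are easy to get half-right (a server in server_names with no route, a listener bound to every interface) and the proxy will still start. The checker below is an added example for this thread, not part of dnscrypt-proxy; it parses a dnscrypt-proxy.toml and reports the gaps. The two embedded configs are constructed: the resolver and relay names (resolver-a, anon-relay-1, ...) are placeholders, not entries from the public resolver lists, and the key names used (server_names, lb_strategy, listen_addresses, [blocked_names] blocked_names_file, [anonymized_dns] routes/via/skip_incompatible) are dnscrypt-proxy's own. It needs Python 3.11 for tomllib; on older interpreters it assumes the tomli package is installed.

```python
"""Lint a dnscrypt-proxy.toml for the settings discussed in this thread.

Added example for this forum thread; not dnscrypt-proxy code. Both configs
below are constructed and use placeholder server and relay names.
"""
import sys

try:
    import tomllib                  # Python 3.11+
except ImportError:                 # assumption: tomli is installed on older Pythons
    import tomli as tomllib

# The intended setup: loopback listener, random balancing, every server relayed, blocklist on.
GOOD_TOML = """
listen_addresses = ['127.0.0.1:53', '[::1]:53']
server_names = ['resolver-a', 'resolver-b']
lb_strategy = 'random'

[blocked_names]
blocked_names_file = 'blocked-names.txt'

[anonymized_dns]
skip_incompatible = true
routes = [
  { server_name = 'resolver-a', via = ['anon-relay-1', 'anon-relay-2'] },
  { server_name = 'resolver-b', via = ['anon-relay-1'] },
]
"""

# The same config with the weak choices a first attempt tends to leave in.
WEAK_TOML = """
listen_addresses = ['0.0.0.0:53']
server_names = ['resolver-a', 'resolver-b']
lb_strategy = 'p2'

[anonymized_dns]
routes = [
  { server_name = 'resolver-a', via = ['anon-relay-1'] },
]
"""

LOOPBACK_HOSTS = {"127.0.0.1", "[::1]"}


def check_config(text: str):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    cfg = tomllib.loads(text)
    problems = []

    # 1. Load balancing: 'random' spreads queries over all servers instead of the fastest few.
    if cfg.get("lb_strategy") != "random":
        problems.append("lb_strategy is %r, not 'random'" % cfg.get("lb_strategy"))

    # 2. Anonymized DNS: every selected server needs a route, unless a '*' wildcard route exists.
    servers = set(cfg.get("server_names", []))
    routes = cfg.get("anonymized_dns", {}).get("routes", [])
    routed = {r["server_name"] for r in routes if r.get("via")}
    unrouted = sorted(servers - routed)
    if "*" not in routed and unrouted:
        problems.append("servers without an Anonymized DNS route: " + ", ".join(unrouted))

    # 3. Blocklist: the post relies on local name blocking, so a file must be configured.
    if not cfg.get("blocked_names", {}).get("blocked_names_file"):
        problems.append("no blocked_names_file configured")

    # 4. Listener: anything but loopback turns the box into an open resolver for its network.
    for addr in cfg.get("listen_addresses", []):
        host = addr.rsplit(":", 1)[0]
        if host not in LOOPBACK_HOSTS:
            problems.append("listener %s is not loopback-only" % addr)

    return problems


if __name__ == "__main__":
    # Usage: python check_dnscrypt_toml.py /path/to/dnscrypt-proxy.toml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_TOML
    for p in check_config(text) or ["no problems found"]:
        print("-", p)
```

Note that the route check mirrors how dnscrypt-proxy itself treats routes: a server listed in server_names but absent from routes is queried directly, without a relay, so a single forgotten entry quietly undoes the anonymization for that server.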

A VPN definitely does no less in terms of censorship circumvention since it encrypts everything from your ISP and it can’t see anything except that you’re using a VPN. It also helps with IP blocks. Can’t say the same for DNSCrypt.

Censorship circumvention tools are not inherently built with privacy in mind. I too wish to have the best of both worlds, but alas.


Regarding DNSCrypt with Proton VPN, I received a reply from Proton stating that custom DNS server support is not available so naturally such requests would be blocked. The Windows app does have options to state any preferred DNS servers (IPv4) but nothing for blocklists or local resolution. Fortunately, they are working on a feature to implement this.