We investigated the types of filtering techniques that can be employed for DoH downgrades and how downgraders are currently utilizing them. To accomplish this, we first enumerated the possible filtering techniques for DoH downgrades.
In the process of a DoH query, there are four major steps involved:
Initially, a traditional, unencrypted DNS resolution is conducted by a DoH client to acquire the IP address of a DoH resolver.
Subsequently, a TCP connection between the DoH client and the DoH resolver is established.
A TLS handshake is then initiated.
Finally, the DoH client sends a DoH query, and the DoH resolver responds to the request.
Based on these four steps, four types of filtering techniques can be utilized for DoH downgrades, which we enumerate and mark with circled numbers:
DNS filtering ①: DoH downgraders can eavesdrop on the plaintext DNS messages and prevent the client from obtaining the correct IP address of the DoH resolver.
IP filtering ②: DoH downgraders can block any packets destined for the DoH resolver's IP address.
Hostname filtering ③: DoH downgraders can inspect the Server Name Indication (SNI) field in the TLS hello message and prevent the establishment of the TLS session.
DoH message filtering ④: DoH downgraders can identify encrypted DoH messages among other encrypted web traffic and block them.
While the first three techniques only require simple match-and-drop operations, the last filtering technique necessitates deep packet inspection (DPI) of the encrypted HTTPS traffic.
[Figure: Four major steps are involved in DoH resolution.]
To determine which filtering techniques are employed in each country, we devise a stateful and proactive probing method to test the existence of one or more filtering techniques. First, we test which types of filtering techniques are used for the current DoH downgrades by attempting to bypass each filtering technique proactively (proactiveness). However, if we fail to bypass the existing DoH downgrades, we employ a combination of multiple bypass techniques (statefulness). In this way, we can test the presence of layered filtering techniques.
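The inference behind this probing method can be sketched as follows. This is an added example, not the authors' measurement code: `probe` is a hypothetical callable that performs one DoH resolution with the given techniques bypassed, and `simulated_path` is a constructed stand-in for a filtered network. It assumes each bypass neutralizes exactly one of the four techniques.

```python
from itertools import combinations

# The four filtering techniques enumerated above, in DoH resolution order.
TECHNIQUES = ("dns", "ip", "hostname", "doh_message")


def infer_filters(probe):
    """Return the set of filtering techniques in use on a path.

    probe(bypassed) is a hypothetical callable: it attempts one DoH
    resolution while bypassing the techniques in `bypassed` and returns
    True when the resolution succeeds.
    Returns None when even bypassing all four techniques fails.
    """
    if probe(frozenset()):
        return frozenset()  # plain DoH works: no downgrade on this path

    # Proactive: try to bypass one technique at a time.
    # Stateful: only after every smaller set has failed, escalate to
    # combinations of bypasses, which exposes layered filtering.
    for size in range(1, len(TECHNIQUES) + 1):
        for combo in combinations(TECHNIQUES, size):
            if probe(frozenset(combo)):
                # Every smaller set failed, so each member of this set
                # is needed: it equals the set of active filters.
                return frozenset(combo)
    return None  # blocked by something outside the four techniques


def simulated_path(active_filters):
    """Constructed stand-in for a network path (no traffic is sent).

    A resolution succeeds only when every active filter is bypassed.
    Returns the probe callable and a log of the probes it received.
    """
    active = frozenset(active_filters)
    log = []

    def probe(bypassed):
        log.append(bypassed)
        return active <= bypassed

    return probe, log


if __name__ == "__main__":
    for filters in ([], ["ip"], ["dns", "hostname"]):
        probe, log = simulated_path(filters)
        found = infer_filters(probe)
        print(sorted(filters), "->", sorted(found), f"({len(log)} probes)")
```

The probe count grows with the number of layered filters, which is why combinations are only tried after the single-technique bypasses fail.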
Below, you can find the ratios of filtering techniques employed in each country. We conducted measurements for 19 countries that exhibited more than a 5% downgrade rate on average. Countries are sorted alphabetically by their country codes.