
I'm looking for a method to check whether DNS over TLS is blocked in my network by my ISP or not. A method that isn't just trial and error of a bunch of popular DoT providers to see which one connects, because I need to know for a fact whether my ISP is using a block list of well-known DoT providers or whether they are using a technique (if any?) to block all DoT connections entirely.

I've tried lots of DoT servers but none of them work on my Internet connection. DoH works though, most likely because it uses the same port 443 as the rest of the HTTPS web traffic.

Is there a fundamental method to use to find out which protocols, such as DoT, VPN protocols etc. are being blocked in a network by the ISP, administrator etc.?

  • Did you try asking them? – schroeder Jul 01 '22 at 12:21
  • Unfortunately that's not an option. –  Jul 01 '22 at 12:22
  • 2
    Setup your own listener with `openssl s_server ...` on port 853 on an external system in your control - which is not a well known as DoT endpoint. Try to connect to it with `openssl s_client ...`. If TLS handshake works then it is not blocked based on well-known DoT endpoints. – Steffen Ullrich Jul 01 '22 at 12:39
  • FWIW: DoH is HTTPS on port 443. Also you can use a few other tools to 'ping' ports per the guidance here: https://devconnected.com/how-to-ping-specific-port-number/ – Ed Daniel Jul 01 '22 at 12:57
  • Does this website work? https://tenta.com/test/ . This website https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/ says "It shows if your ISP's DNS is TLS enabled or not." –  Jul 01 '22 at 13:12
  • @SteffenUllrich is there a way to do this without setting up a remote server outside of the network? I'm thinking of setting up DoT and using Wireshark, tracert or similar tools to view the traffic and catch any problem in the path of it going from my network to the destination, and possibly find out where/if it is blocked? –  Jul 01 '22 at 13:18
  • 2
    Depends on what you see on the network. If you always see a TCP RST when trying to connect to arbitrary IP port 853 then this port is blocked. If the connection attempt just times out you don't know if the packets are blocked by the ISP or if there simply is no server to respond at this IP. – Steffen Ullrich Jul 01 '22 at 13:33
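The distinction Steffen Ullrich draws in the comments (a handshake that completes, a TCP RST, or a silent timeout) can be made from the client side with a small probe. The following is an added example, not code from the question or the comments: it opens a TCP connection to a host you control on port 853, attempts a TLS handshake without certificate verification (your test listener would be a self-signed `openssl s_server`), and labels the outcome. The `host`/`port` arguments, the outcome labels and the two local helper listeners used to exercise the code offline are all constructed for this example.

```python
import socket
import ssl
import sys


def probe_tls_port(host: str, port: int = 853, timeout: float = 5.0) -> str:
    """TCP-connect to host:port, attempt a TLS handshake, return one outcome label.

    Certificate verification is deliberately off: the intended target is a test
    listener you control (e.g. a self-signed `openssl s_server`), and the only
    question is whether a TLS handshake on this port can complete on this path.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"            # RST came back in reply to the SYN
    except (socket.timeout, TimeoutError):
        return "tcp_timeout"            # SYN was never answered
    except OSError as exc:
        return f"tcp_error:{exc.errno}"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"tls_ok:{tls.version()}"
    except (socket.timeout, TimeoutError):
        return "tls_handshake_timeout"  # TCP opened, ClientHello sent, no ServerHello
    except ConnectionResetError:
        return "tls_handshake_reset"    # RST arrived only after the ClientHello went out
    except ssl.SSLError as exc:
        return f"tls_error:{exc.reason}"
    finally:
        raw.close()  # no-op if the fd was handed to the SSL socket, otherwise releases it


def interpret(outcome: str, listener_known_up: bool) -> str:
    """Read an outcome label the way the comments above describe."""
    if outcome.startswith("tls_ok"):
        return "TLS handshake completed: port 853 is not blocked on this path"
    if outcome == "tcp_refused":
        return ("RST on connect: nothing listens there or the port is rejected; "
                "seeing this for every arbitrary IP on 853 means the port is blocked")
    if outcome == "tcp_timeout":
        if listener_known_up:
            return "connect timed out on a host known to listen: SYNs to 853 are being dropped"
        return "connect timed out: could be a block or simply no server at this IP"
    if outcome == "tls_handshake_timeout":
        return "TCP connected but no ServerHello: the listener is silent or the ClientHello was dropped"
    if outcome == "tls_handshake_reset":
        return "RST only after the ClientHello: the connection was cut once TLS traffic appeared"
    return f"inconclusive: {outcome}"


# Helpers constructed for an offline demonstration of two outcomes.
def start_silent_listener():
    """Accept TCP (kernel backlog) but never speak TLS; mimics a path that eats the ClientHello."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Reserve a free loopback port and release it, so a connect to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # usage: python probe.py <host-you-control> [port] [listener_known_up:0|1]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 853
    known_up = len(sys.argv) > 3 and sys.argv[3] == "1"
    result = probe_tls_port(target, port)
    print(result, "->", interpret(result, known_up))
```

Run it against the external host where your own listener sits; a `tls_ok` means the port and protocol are not filtered on the path, `tcp_refused` for every unrelated IP on 853 points at a port block, and a timeout on a host you know is listening means packets are being dropped rather than rejected. Wireshark on the same client, as suggested in the question, will show the same events (RST on the SYN versus no reply versus RST after the ClientHello) as packets.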

1 Answer


Fundamentally you just try to connect using a particular protocol, run queries and check the results, but all of that will be protocol-specific. There's no single utility which will do it automatically for you.

Deep packet inspection devices and firewalls work differently and may exhibit different behavior.

Artem S. Tashkinov