Hello friends,
Today OONI published a new research report, titled: "DNS over TLS blocked in Iran".
You can access this report here: https://ooni.org/post/2020-iran-dot/
DNS over TLS (DoT) is a network protocol that secures DNS queries (https://ooni.org/support/glossary/#dns-query).
DoT improves the privacy and security of DNS queries, and makes DNS-based blocking harder.
We investigated whether DoT works in Iran by gathering a list of 31 well-known DoT endpoints and running experiments from four distinct Iranian mobile and fixed-line Internet Service Providers (ISPs): MCI, TCI, Irancell, and Shatel.
We discovered that:
* 57% of the endpoints are blocked on at least one ISP;
* the blocking is not implemented uniformly across ISPs;
* most blocking happens by interfering with the TLS handshake;
* in some cases TLS handshake blocking seems to depend on the SNI, while in other cases it seems to depend strictly on the TCP endpoint being used;
* forcing TLSv1.3 does not change the rate of successful TLS handshakes compared to letting the server choose a TLS version between v1.0 and v1.3.
In our report, we share details from our experiments and findings.
Please share our research: https://twitter.com/OpenObservatory/status/1275842846520741888
Thanks,
~ OONI team.