[anti-censorship-team] Azure domain fronting, DNS rendezvous

David Fifield david at bamsoftware.com
Mon Mar 29 19:39:18 UTC 2021


On Sat, Mar 27, 2021 at 10:33:46AM -0400, Cecylia Bocovich wrote:
> It looks like Azure is going to shut down domain fronting:
> https://www.microsoft.com/security/blog/2021/03/26/securing-our-approach-to-domain-fronting-within-azure/
> 
> There isn't a time frame listed in the article, and I haven't gotten any
> notifications through my Azure account yet.

Another option is to implement this existing idea for rendezvous using
DNS (DNS over HTTPS or DNS over TLS).
https://bugs.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/25874

It's not reflected in the ticket, but since then there is
https://www.bamsoftware.com/software/dnstt/ which implements an
encrypted, reliable channel over DNS queries and responses.
Unfortunately some sort of reliability channel is necessary, as
Snowflake client messages are longer than the ~100 bytes you can fit
into a single DNS query. But it's not really any different than the
Turbo Tunnel / KCP / smux that Snowflake is already using.

A downside is that encrypted DNS servers do not have as much blocking
resistance as we had with domain fronting.
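
An added illustration, not part of the original message and not dnstt's wire format: the RFC 1035 name limits bound what one query name can carry before any protocol overhead, so a longer message has to be fragmented and reassembled, and a lost query has to be detected. The domain `t.example.com`, the 2-byte `[seq, total]` header and the function names are assumptions made for the example.

```python
import base64

MAX_NAME, MAX_LABEL = 255, 63  # RFC 1035 limits, in octets

def capacity(domain):
    """Raw bytes that fit in one query name under `domain`."""
    room = MAX_NAME - (len(domain) + 2)       # suffix on the wire: length octets + root
    full, rem = divmod(room, MAX_LABEL + 1)   # every label costs one length octet
    chars = full * MAX_LABEL + max(rem - 1, 0)
    return chars * 5 // 8                     # base32 carries 5 bytes per 8 characters

def fragment(msg, domain):
    """Split msg into query names, each with a hypothetical [seq, total] header."""
    size = capacity(domain) - 2
    total = -(-len(msg) // size)              # ceiling division
    if total > 255:
        raise ValueError("message needs more than 255 fragments")
    names = []
    for seq in range(total):
        chunk = bytes([seq, total]) + msg[seq * size:(seq + 1) * size]
        text = base64.b32encode(chunk).decode().rstrip("=").lower()
        labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
        names.append(".".join(labels + [domain]))
    return names

def reassemble(names, domain):
    """Rebuild the message from names in any order; fail if a fragment is lost."""
    parts, total = {}, 0
    for name in names:
        if not name.endswith("." + domain):
            raise ValueError("unexpected suffix: " + name)
        text = name[:-len(domain) - 1].replace(".", "")
        raw = base64.b32decode(text + "=" * (-len(text) % 8), casefold=True)
        parts[raw[0]], total = raw[2:], raw[1]
    missing = [i for i in range(total) if i not in parts]
    if missing:
        raise ValueError("missing fragments: %r" % missing)
    return b"".join(parts[i] for i in range(total))

if __name__ == "__main__":
    message = bytes(range(256)) + bytes(144)  # constructed 400-byte sample message
    queries = fragment(message, "t.example.com")
    print(capacity("t.example.com"), "bytes per query,", len(queries), "queries")
    assert reassemble(queries[::-1], "t.example.com") == message
```
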


