Distributing the Keys for Private Access to the Web - Center for Democracy and Technology
Every lock needs a key, but that key only works if it’s in the hands of the person who needs to use it. That’s the fundamental challenge facing encrypted DNS and Encrypted Client Hello (ECH). These protocols can protect your browsing from prying eyes, but only if you can first obtain the cryptographic configurations that make them work. In places like China, censors have figured out that you don’t need to break the encryption. You just need to block the key deliver
This is the third post in a series on ECH. The first post examined what ECH is and why it matters [1]. The second explored the challenges of rolling out ECH without drawing attention from censors [2]. This post focuses on a different vulnerability: the DNS-based censorship that can prevent ECH from ever getting started, using China’s Great Firewall as the primary example.
Something Strange in the DNS
DNS is the Internet’s phonebook: It translates text-based domain names into numerical IP addresses so your computer can reach the right website. Corrupt that phonebook and you control what people can access. Long before encrypted DNS was on the scene, censors recognized this vulnerability. China’s Great Firewall became notorious for DNS injection, swiftly returning fake IPs for blocked domains [4]. But encrypting DNS was supposed to fix that.
In early 2021, users on a GitHub thread began comparing notes [3]. Something strange was happening to their encrypted DNS connections inside China. The servers weren’t permanently blocked; they still responded to pings. But after making a DNS-over-HTTPS query, the connection would fail for a few minutes, then come back up. It took the community a while to piece together what was happening: the Great Firewall had found a new way to strangle encrypted DNS without outright blocking it.
The pattern that emerged was methodical. Plain, unencrypted DNS was still being poisoned as always (fake replies were injected faster than real ones, and wrong IPs were cached across the network). DNS-over-TLS (DoT) on port 853 (the port conventionally used for DoT) was simply blocked outright, with connections never completing. But DNS-over-HTTPS (DoH) required something more clever. Because DoH hides DNS queries inside regular HTTPS traffic on port 443 (the default port for HTTPS), mixed in with all other web browsing, the firewall couldn’t just block the port without blocking everything. Instead, it appeared to identify DoH traffic through deep packet inspection or active probing, then temporarily blacklist the resolver’s IP after each query [3]. The result wasn’t a clean block; it was death by unreliability, because people often give up trying to access a website after a few seconds [10].
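The injection behaviour described above (a forged reply racing the genuine one, both carrying the same transaction ID) is observable from the client side: if two responses to one query disagree, something on the path is answering on the resolver's behalf. The following script, added here as an illustration and not code from the original post or from CDT, builds a few constructed DNS response packets, parses them with a minimal A-record parser, and flags any query that received conflicting answer sets. The transaction IDs, hostnames and IP addresses are made-up test values, and a real deployment would feed it packets captured on the wire rather than packets it built itself.

```python
import struct
from collections import defaultdict


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Build a minimal DNS response with one A record (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(packet: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:           # compression pointer: follow it
            if end is None:
                end = offset + 2            # the name occupies two bytes here
            offset = ((length & 0x3F) << 8) | packet[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_response(packet: bytes):
    """Return (txid, qname, sorted tuple of A-record IPs) for a DNS response."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    qname, offset = decode_name(packet, 12)
    offset += 4                              # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            ips.append(".".join(str(b) for b in rdata))
    return txid, qname.lower(), tuple(sorted(ips))


def detect_injection(packets):
    """Group responses by (txid, qname); report groups whose answers disagree.

    Two replies that simply repeat the same answer are not suspicious; two
    replies that name different IPs for the same transaction ID are the
    signature of an injected response racing the genuine one.
    """
    seen = defaultdict(list)
    for pkt in packets:
        txid, qname, ips = parse_a_response(pkt)
        if ips not in seen[(txid, qname)]:
            seen[(txid, qname)].append(ips)
    return {key: answers for key, answers in seen.items() if len(answers) > 1}


# Constructed sample traffic (hypothetical IDs, names and addresses).
SAMPLE_PACKETS = [
    build_a_response(0x1A2B, "example.com", "198.51.100.7", ttl=60),  # forged, arrives first
    build_a_response(0x1A2B, "example.com", "203.0.113.10"),          # genuine reply
    build_a_response(0x3C4D, "example.net", "203.0.113.20"),
    build_a_response(0x3C4D, "example.net", "203.0.113.20"),          # harmless duplicate
]


def run_demo():
    return detect_injection(SAMPLE_PACKETS)


if __name__ == "__main__":
    for (txid, name), answers in run_demo().items():
        print(f"txid={txid:#06x} {name}: conflicting answers {answers}")
```

The check keys on transaction ID plus question name rather than on arrival order, so it also catches the case where the genuine reply happens to arrive first and the forged one lands in the resolver's cache anyway.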
How did the firewall know it was looking at a DNS query inside HTTPS? Possibly via patterns like the DNS provider’s hostname in the Server Name Indication (SNI) we discussed in the previous post, or by actively probing suspected servers to see if they responded to DoH requests [3]. The exact method remains unclear, but the outcome was unmistakable: encrypted DNS protocols were being systematically degraded. A DoT connection couldn’t be established, and DoH connections became too flaky to use.
This degradation wasn’t subtle. Studies show that dozens of backbone networks in China inject forged DNS replies, and that even DNS traffic passing through China (not just originating there) can get intercepted, causing collateral damage internationally [4]. China also showed a willingness to blackhole entire IP ranges of popular DNS resolvers, such as Cloudflare’s 1.1.1.1 [5] (a public DNS resolver that makes DNS queries faster and more secure).
The result: in heavily censored regions, the average user has no choice but to use the DNS provided by their ISP, which the government tightly controls. The Great Firewall has effectively forced users back to resolvers it can surveil and tamper with [3]. Merely encrypting a protocol doesn’t help if the regime simply blocks the protocol wholesale.
ECH’s Catch-22
This brings us to ECH. Encrypted Client Hello is the latest tool in the privacy arsenal, encrypting the TLS handshake’s SNI (and related extensions) to close one of the few remaining privacy leaks in HTTPS: the plaintext hostname. With ECH, a network observer shouldn’t be able to tell which website is being visited by inspecting the TLS...