I am helping run a website that has been blocked for political reasons by the same Russian agency that has previously tried blocking Telegram (RosKomNadzor). This is not the first time it happens, and previously we would just change the domain, but this has its own implications and loss in readership.
They are blocking only the domain name, not the IP (we're using Cloudflare anyways). We're using HTTPS, but ISPs are still somehow able to get the DNS information about a request coming our way from their clients. Technically, we can suggest our readers to configure their /etc/hosts, but that is not a viable option.
Is there something that could be done on our server's side to encrypt/obfuscate the DNS information without users making any changes/installing software? Or is waiting for DNS over HTTPS to become mainstream our only option?
From Russia with love.
Unfortunately, circumventing censorship is better addressed on the client side, so there aren't many server side settings that could help with that. You could advise your users to use a VPN, Tor, and/or public DNS with DNS-over-HTTPS (RFC 8484) or DNS-over-TLS (RFC 7858).
You make the assumption that the censorship method has something to do with DNS, but have you actually tested this? Did you know that the server name indication (SNI, RFC 6066, 3) in the ClientHello is unencrypted and may also be used to block the TLS connection? Luckily, TLS Encrypted Client Hello (draft-ietf-tls-esni-09) is on its way and can help with that. More reading on the subject:
(We don't usually add any greetings to our Q/A posts, but your 007 reference is golden!)
Most Russian providers implement Inquisition requests by intercepting DNS traffic and changing it on the fly (and it's pretty easy since it's unencrypted), effectively using the man-in-the-middle scheme; for instance, all of the Ertelecom-affiliated ISPs are using this method. In this case (which can be easily determined by just comparing the client-side resolved IP vs the real IP) nothing can be done from the server side: even if you implement DNSSEC and signed answers start to flow, all this technique will do is break the client-side name resolving stack entirely when it comes to your domain (this is purely a theory, though; you can easily prove me wrong, if I am).
Unfortunately, all of the available solutions to bypass DNS MitM need to be applied on the client side, not the server one.
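The check this answer suggests, comparing what the ISP's resolver returns against the addresses the site really uses, can be scripted. The following is an added example, not part of the original answer: it builds a constructed DNS response in wire format, parses the A records out of it with a small parser that also handles name compression, and flags any answer outside a trusted CDN range. The domain, the block-page address and the CDN range are placeholders from the documentation address space; a real check would feed in bytes captured from the resolver or fetched over DoH instead of constructed ones.

```python
"""Detect DNS spoofing by comparing resolver answers to a trusted address set."""
import ipaddress
import struct


def build_dns_response(name: str, ips, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one question and one A record per address.
    Stand-in for the bytes a client would receive from the ISP resolver."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD=1, RA=1
    question = qname + struct.pack("!HH", 1, 1)                        # type A, class IN
    answers = b""
    for ip in ips:
        # owner name as a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


def _read_name(msg: bytes, pos: int):
    """Read a possibly compressed domain name; return (name, position after it)."""
    labels = []
    while True:
        length = msg[pos]
        if length == 0:
            return ".".join(labels), pos + 1
        if length & 0xC0 == 0xC0:                         # compression pointer
            ptr = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), pos + 2
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def a_records(msg: bytes):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        _, pos = _read_name(msg, pos)
        pos += 4                                          # qtype + qclass
    ips = set()
    for _ in range(an):
        _, pos = _read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            ips.add(str(ipaddress.IPv4Address(rdata)))
    return ips


def spoofed_answers(answers, trusted_networks):
    """Return the answers that fall outside the networks the site really uses.
    A non-empty result means the resolver path is rewriting responses."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    return {ip for ip in answers if not any(ipaddress.ip_address(ip) in n for n in trusted)}


if __name__ == "__main__":
    TRUSTED = ["203.0.113.0/24"]                                        # constructed CDN range
    isp_reply = build_dns_response("example.org", ["192.0.2.7"])        # constructed block-page IP
    honest_reply = build_dns_response("example.org", ["203.0.113.10", "203.0.113.11"])
    print("ISP resolver spoofed:", spoofed_answers(a_records(isp_reply), TRUSTED))
    print("reference resolver spoofed:", spoofed_answers(a_records(honest_reply), TRUSTED))
```

The comparison is deliberately done against address ranges rather than single IPs, because a CDN-fronted site legitimately answers with different addresses over time; only an answer outside every published range is evidence of rewriting.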
Russian government-mandated censorship is known to use DNS spoofing (that's how select porn sites are blocked).
They also use packet filters based on IP address/range (that's how they tried and failed to block Telegram).
An idea: time-based domain name!
RosComNadzor are a government agency, so they should be somewhat slow to respond.
DOS them! Example:
etc...
You'll need a new domain name every week ($10) and your lovely RosKomNadzor bureaucrats are not really that responsive.
Your users should remember to add the last Sunday date to the domain name. If things get worse, you can as well go faster and just a bit more expensive (you can as well negotiate a better price for that many domains).
At some point, they can as well adapt their procedures to your scheme. You have to change it only a little bit.
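As an added illustration of the "last Sunday" scheme (not code from the original answer), the script below derives the domain a reader should type on a given date and lists the domains that would need to be registered ahead of time for a rotation window. The base label, TLD and dates are constructed placeholders; the weekly cadence and the Sunday anchor are the ones the answer describes.

```python
"""Date-derived domain names: compute the current name and the registration schedule."""
import datetime as dt


def last_sunday(on: dt.date) -> dt.date:
    """Most recent Sunday on or before the given date (weekday(): Monday=0 .. Sunday=6)."""
    return on - dt.timedelta(days=(on.weekday() + 1) % 7)


def domain_for(on: dt.date, base: str = "example", tld: str = "org") -> str:
    """Domain a reader should use on a given date; base/tld are constructed placeholders."""
    return f"{base}-{last_sunday(on):%Y%m%d}.{tld}"


def registration_schedule(start: dt.date, weeks: int, base: str = "example", tld: str = "org"):
    """Domains to register in advance, one per Sunday, starting from the Sunday of `start`."""
    first = last_sunday(start)
    return [domain_for(first + dt.timedelta(weeks=i), base, tld) for i in range(weeks)]


if __name__ == "__main__":
    today = dt.date(2020, 11, 4)                     # constructed date (a Wednesday)
    print("use today:", domain_for(today))
    print("register ahead:", registration_schedule(today, 4))
```

Because the name is a pure function of the calendar, readers need nothing but the rule to find the site, and the operator can buy the next few weeks of names before any single one is blocked.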
Make your content available through IPFS! https://ipfs.io/ It's a decentralized version of the internet, where each client who visits your site stores copies of your content on their machine.
No, because DNS requests are processed by dedicated name servers and as such they are not routed through your web server.
Pretty much; DNS-over-HTTPS was designed to enhance privacy, thwart censorship, and prevent attacks such as those you described. It is supported by recent versions of Google Chrome and Firefox (on the desktop at least) so in theory most of your users should already be able to use it.
You could do what Telegram did. It requires making a mobile app out of the website. Then you can change your IP address whenever blocked and send the new one to the app by a push notification, which is a channel that can’t be inspected and censored, only disabled completely which RKN is unwilling to do.
Bypassing DNS Censorship
Acquire several dozen domain names from different registrars, or more if you can afford it. Set up HTTPS and CDN on all of these domains. Ensure your site accepts all of these domains in your virtual host settings. Give different batches of users different places to learn the alternate domain names on shared sites like github and gitlab in different accounts. This means if one of the users is a mole, only a percentage of your users will be blocked.
This method is not perfect, no single solution will be. Maybe the censorship is slower than your userbase picking up the new domain names.
As others mentioned, you can also encourage your users to utilize Tor if it is not blocked in their country. This means you would have to allow Tor in your CDN settings.