Comment by shitloadofbooks 6 days ago

It likely overrides DNS resolution to CDN/POPs in countries which don't require age checking, or routes the traffic through TCP proxies so your traffic appears to come from a different country without these laws.

This will increase the latency of all traffic to that site though.

lelanthran 6 days ago

> It likely overrides DNS resolution to CDN/POPs in countries which don't require age checking,

I don't understand what this means:

1. It resolves DNS requests - got it.

2. The resolution sends back an address to a CDN - okay, not sure that I got it

3. The resolved address is in a country which doesn't require age checking - Totally don't get it: how will this help?

selcuka 6 days ago

A DNS provider cannot route your traffic through TCP proxies, so it must be the former.

  • cluckindan 6 days ago

    Sure they can. When your browser resolves a host, they replace the actual IP with the IP of a proxy that is configured to forward traffic according to the Host HTTP header.

    • okasaki 5 days ago

      You would have to install a certificate for that to work.

      • aaronmdjones 5 days ago

        No you wouldn't.

        The current situation:

        - You ask Foo DNS Provider for the IP address of pornhub.com

        - Foo DNS Provider responds with the real IP address

        - You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"

        What could happen:

        - You ask Foo DNS Provider for the IP address of pornhub.com

        - Foo DNS Provider responds with one of their own IP addresses

        - You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"

        - Foo DNS Provider now knows that you intend to connect there, so it connects there for you and relays your ClientHello to it

        - Foo DNS Provider then just acts as a dumb relay, passing everything back and forth with no modifications

        - The certificate verifies fine because the traffic was not modified and it was presented by the party who controls the corresponding private key

        - The website thinks you are connecting from Foo DNS Provider, not your real address

        The only thing that would break this is ECH (Encrypted ClientHello), currently supported only by CloudFlare and Google Chrome (and its derivatives) as far as I know. This security feature is provisioned with ... DNS records! So Foo DNS Provider can simply indicate that the records required for ECH do not exist, and your web browser wouldn't encrypt the ClientHello. It's already tampering with the responses to address lookups anyway, so DNSSEC wouldn't be an issue -- you simply would not expect to be able to validate anything.

    • selcuka 5 days ago

      Good point. I was thinking of an HTTP proxy, but surely a TCP proxy would work.

rany_ 5 days ago

I tried out NextDNS and this feature doesn't seem to work anyway. Enabling "Bypass Age Verification" has no effect. I tested it out on PornHub and XVideos.

I also can't find anything different in the returned A/AAAA records compared to my standard resolver.