Government censors HTTPS traffic to our website. Workarounds?

I am helping run a website that has been blocked for political reasons by the same Russian agency that previously tried to block Telegram (RosKomNadzor). This is not the first time this has happened; previously we would just change the domain, but that has its own implications and a loss in readership.

They are blocking only the domain name, not the IP (we’re using Cloudflare anyway). We’re using HTTPS, but ISPs are still somehow able to get the DNS information about a request coming our way from their clients. Technically, we could suggest that our readers configure their /etc/hosts, but that is not a viable option.

Is there something that could be done on our server’s side to encrypt/obfuscate the DNS information without users making any changes/installing software? Or is waiting for DNS over HTTPS to become mainstream our only option?

From Russia with love.

Unfortunately, circumventing censorship is better addressed on the client side, so there aren’t many server-side settings that could help with that. You could advise your users to use a VPN, Tor, and/or a public DNS resolver with DNS-over-HTTPS (RFC 8484) or DNS-over-TLS (RFC 7858).

You make the assumption that the censorship method has something to do with DNS, but have you actually tested this? Did you know that the Server Name Indication (SNI, RFC 6066, Section 3) in the ClientHello is unencrypted and may also be used to block the TLS connection? Luckily, TLS Encrypted Client Hello (draft-ietf-tls-esni-24) is on its way and can help with that. More reading on the subject:

(We don’t usually add any greetings to our Q/A posts, but your 007 reference is golden!)
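To make the answer's point about SNI concrete, here is an added example (not part of the original question or answer) showing what a middlebox sees in the very first packet of an HTTPS connection. It builds a constructed TLS ClientHello record (zeroed random, two cipher suites, an SNI extension plus one unrelated extension) and then parses it the way a censor's DPI box would, without any key material: the hostname is read straight out of the plaintext `server_name` extension. The hostnames and the blocklist use the reserved `.example` TLD and are made up for the demonstration.

```python
import struct
from typing import Optional


def build_client_hello(hostname: str) -> bytes:
    """Return a minimal TLS ClientHello record carrying an SNI extension.

    Constructed sample for illustration only; not captured from a real client.
    Layout follows RFC 5246 (ClientHello) and RFC 6066, Section 3 (server_name).
    """
    name = hostname.encode("ascii")
    # ServerName entry: name_type(1) = 0 (host_name), length(2), name
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    # ServerNameList: length(2) followed by the entries
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension: type(2) = 0x0000 (server_name), length(2), data
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    # An unrelated extension (supported_versions = 0x002b, advertising TLS 1.3)
    # so the parser has to skip over something before/after the SNI.
    sv_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = sni_ext + sv_ext

    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + bytes(32)                                    # random (zeroed in this sample)
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"   # cipher_suites: AES-128-GCM, AES-256-GCM
        + b"\x01\x00"                                  # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake header: msg_type(1) = 1 (client_hello), length(3)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type(1) = 22 (handshake), legacy version, length(2)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    Works on the raw bytes of the first TLS record a client sends; no keys needed,
    which is exactly why SNI is usable for blocking.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                # not a TLS handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                # truncated message
        pos = 2 + 32                                   # skip client_version + random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue                               # not server_name; skip it
            list_len = struct.unpack("!H", edata[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                host = edata[p:p + nlen]
                p += nlen
                if ntype == 0:                         # host_name
                    return host.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                    # malformed input, treat as no SNI


def censor_would_block(record: bytes, blocked_domains) -> bool:
    """Emulate a domain-based SNI filter: block the name and all of its subdomains."""
    host = extract_sni(record)
    if host is None:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in blocked_domains))


if __name__ == "__main__":
    BLOCKLIST = {"blocked.example"}                    # constructed for the demo
    for h in ("blocked.example", "www.blocked.example", "blocked.example.org"):
        hello = build_client_hello(h)
        print(f"SNI={extract_sni(hello)!r:28} blocked={censor_would_block(hello, BLOCKLIST)}")
```

Run it against a real capture by feeding `extract_sni` the payload of the first client-to-server TCP segment on port 443; if the hostname comes out, a domain-level block can be applied at that point regardless of any DNS hardening, which is why the answer suggests testing before assuming DNS is the vector. With Encrypted Client Hello the outer ClientHello carries only the client-facing server's public name in this field, so a parser like this would no longer reveal the real site.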