TL;DR
Deep Packet Inspection (DPI) can still block websites when Encrypted Server Name Indication (ESNI) is in use, although it has to work harder. ESNI (and its successor, Encrypted Client Hello, ECH) encrypts the server name in the TLS ClientHello so that an on-path observer no longer sees which site a connection is for. It does not hide the DNS lookup for that site, which stays in plaintext unless the client also uses encrypted DNS (DoH or DoT), and DPI can fall back on other signals: the destination IP address, TLS fingerprints, packet sizes and timing, or simply dropping any ClientHello that carries the ESNI extension. Blocking on these signals is coarser, causes more collateral damage and needs constantly updated signatures, so it is not foolproof.
How DPI Works
- Packet Inspection: DPI looks past the IP and TCP/UDP headers into the payload of each packet as it crosses the network, instead of deciding on addresses and ports alone.
- Signature Matching: It compares what it sees against a database of known patterns (signatures) for applications, sites and content types. For HTTPS the most useful signature is the plaintext server name (SNI) in the TLS ClientHello, which is exactly the field ESNI removes.
- Metadata Analysis: When the payload is encrypted, DPI still sees the IP addresses, ports, packet sizes, directions and timing of a flow, plus any handshake fields that TLS leaves in the clear.
- Behavioral Analysis: More advanced systems feed those flow features to classifiers (often machine learning) that label traffic by application or destination without reading any payload at all.
What is ESNI?
Encrypted Server Name Indication (ESNI) encrypts the server_name extension of the TLS ClientHello, the one handshake field that otherwise tells every on-path observer which site the client wants, using a public key the client fetches from DNS. It was a draft extension for TLS 1.3 and has since been replaced by Encrypted Client Hello (ECH), which encrypts the whole ClientHello rather than the name alone; everything below applies to both. ESNI does not encrypt DNS: the lookup of the site name, and the lookup of the ESNI key record, are still plaintext unless the client also uses DNS over HTTPS (DoH) or DNS over TLS (DoT).
Can DPI Bypass ESNI?
- Plaintext DNS: The easiest bypass. If the client's DNS queries are unencrypted, the filter reads the site name from the query and never needs the SNI; blocking at the resolver with empty or bogus answers works just as well. ESNI only helps when paired with DoH or DoT.
- Blocking the Extension Itself: The ESNI extension is visible in the ClientHello even though its contents are not, so a filter can drop or reset any connection that carries it. While adoption is low this causes little collateral damage, and some national filters have done exactly that.
- TLS Fingerprinting: The unencrypted parts of the ClientHello (offered cipher suites, extensions and their order, supported groups, point formats) identify the client software, which is what JA3/JA4 fingerprints hash, and the ServerHello identifies the server stack in the same way. This does not reveal the site directly, but it lets a filter target specific browsers, VPN clients or circumvention tools regardless of destination.
- IP Address Blocking: If a site lives on a small, stable set of IP addresses, the filter can block those addresses outright. This is blunt and takes down everything else hosted on the same IPs, which is the main cost of the approach.
- HTTP/3 Analysis: QUIC encrypts its packets, but the keys for the Initial packets are derived from values in the packet header, so anyone on path can decrypt the ClientHello they carry and read the SNI. ESNI/ECH is needed in QUIC just as in TLS over TCP, and the QUIC version and connection IDs are visible in any case.
- Traffic Analysis and Machine Learning: Packet sizes, directions and inter-arrival times of a flow form a signature of the site being loaded. Classifiers trained on these features (website fingerprinting) can recover the destination with useful accuracy without knowing the name; they need retraining as sites change, which is part of why such blocking is never static.
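To make concrete what the DPI box in the two sections above actually parses, here is an added example (written for this page, not code from any DPI product or from the ESNI drafts) that builds two constructed TLS ClientHello records, one with a plaintext server_name extension and one where the name sits in an ESNI extension instead, and then extracts from each what an on-path observer can read: the SNI if present, whether the ESNI (draft code point 0xffce) or ECH (0xfe0d) extension is present, and the JA3 fingerprint string built from the unencrypted handshake fields. The random field is zeroed, the ESNI payload is dummy bytes and the hostname blocked.example is made up.

```python
"""What an on-path observer reads from a TLS ClientHello: plaintext SNI (if any),
ESNI/ECH extension presence, and the JA3 fingerprint string.
Added example; the ClientHellos are constructed here, not real captures."""
import hashlib
import struct

EXT_SNI = 0x0000
EXT_SUPPORTED_GROUPS = 0x000a
EXT_EC_POINT_FORMATS = 0x000b
EXT_ESNI = 0xffce   # draft ESNI extension code point
EXT_ECH = 0xfe0d    # Encrypted Client Hello extension code point


def is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are skipped by JA3."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)


def build_client_hello(ciphers, extensions, version=0x0303):
    """TLS record carrying a ClientHello; `extensions` is a list of (type, data)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version) + b"\x00" * 32        # client_version, zeroed random (constructed)
            + b"\x00"                                        # empty session_id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                    # compression_methods: null only
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_ext(hostname):
    """server_name extension: list length, name_type=0 (host_name), name length, name."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (EXT_SNI, struct.pack("!H", len(entry)) + entry)


def parse_client_hello(record):
    """Return the fields an observer can extract from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                    # handshake type + 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    p += 32                                                  # random
    p += 1 + hs[p]                                           # session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + hs[p]                                           # compression_methods
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    info = {"version": version, "sni": None, "esni": False, "ech": False,
            "ciphers": ciphers, "ext_types": [], "groups": [], "point_formats": []}
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        data = hs[p:p + elen]; p += elen
        info["ext_types"].append(etype)
        if etype == EXT_SNI:                                 # the field ESNI/ECH removes
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == EXT_EC_POINT_FORMATS:
            info["point_formats"] = list(data[1:1 + data[0]])
        elif etype == EXT_ESNI:                              # presence is visible, contents are not
            info["esni"] = True
        elif etype == EXT_ECH:
            info["ech"] = True
    return info


def ja3_string(info):
    """JA3 input string: version,ciphers,extensions,groups,point_formats (GREASE removed)."""
    def fmt(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(info["version"]), fmt(info["ciphers"]), fmt(info["ext_types"]),
                     fmt(info["groups"]), fmt(info["point_formats"])])


def ja3_hash(info):
    return hashlib.md5(ja3_string(info).encode()).hexdigest()


# Constructed samples: the same imaginary client, once with plaintext SNI and once with ESNI.
CIPHERS = [0x1a1a, 0x1301, 0x1302, 0xc02b]                   # 0x1a1a is a GREASE value
COMMON_EXTS = [(EXT_SUPPORTED_GROUPS, b"\x00\x04\x00\x1d\x00\x17"),   # x25519, secp256r1
               (EXT_EC_POINT_FORMATS, b"\x01\x00")]
PLAIN_HELLO = build_client_hello(CIPHERS, [sni_ext("blocked.example")] + COMMON_EXTS)
ESNI_HELLO = build_client_hello(CIPHERS, [(EXT_ESNI, b"\x00" * 16)] + COMMON_EXTS)

if __name__ == "__main__":
    for label, rec in (("plain SNI", PLAIN_HELLO), ("ESNI", ESNI_HELLO)):
        i = parse_client_hello(rec)
        print(f"{label}: sni={i['sni']} esni={i['esni']} ja3={ja3_string(i)} md5={ja3_hash(i)}")
```

The two hellos come from the same imaginary client, so the cipher suite and group lists match, yet the JA3 string still differs because the extension list differs (type 0 versus 65486): the ESNI extension is itself visible to the filter, which is what makes extension-based blocking possible. GREASE values (0x1a1a here) are excluded before hashing, as JA3 specifies.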
Steps to Check if a Website is Being Blocked
- Test with Different DNS Servers: Compare the answer from your usual resolver with one from a public resolver such as Cloudflare (1.1.1.1) or Google Public DNS (8.8.8.8, 8.8.4.4). An empty or obviously bogus answer (127.0.0.1, 0.0.0.0, a private address) from your resolver alone points at DNS-level blocking. Plaintext queries to a public resolver can be transparently redirected or answered by the filter itself, so do the comparison over DoH or DoT to be sure you are talking to the resolver you think you are.
- Use a VPN: A VPN tunnels all your traffic to a remote endpoint, so DPI on your local path sees only the tunnel. If the site loads over the VPN but not without it, the block is on your path rather than at the site; by itself this does not tell you whether the block works on DNS, IP or SNI.
- Check Browser Developer Tools: Open the developer tools (usually F12) and watch the Network tab. A request that fails with no response at all, one that is reset mid-handshake, and one that ends in a certificate or TLS error each point to a different blocking mechanism, and the timing column shows whether the failure is immediate (an injected reset) or a hang (dropped packets).
- Use Online Website Testing Tools: Several sites will fetch a URL from multiple countries and report what they get. If they succeed where you fail, the block is local to your network or region.
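The checklist above can be run as a small set of probes whose results point at one blocking mechanism or another. The following is an added example for this page, not a tool from the original text: it resolves the name, opens TCP to the first address, then performs two TLS handshakes to that address, one with the real server name and one with a decoy name (decoy.invalid, an assumed placeholder). If only the real name makes the handshake die, the block keys on the SNI. The probe functions need network access; classify() is pure and is exercised here on constructed probe results, so the file runs offline.

```python
"""Run the blocking checklist as probes and classify what they show.
Added example, not from the original page. Probes need network access;
classify() is pure and is demonstrated on constructed results below."""
import ipaddress
import socket
import ssl
import sys

# Address ranges a filtering resolver commonly hands back instead of the real address.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128")]
DEAD = ("reset", "timeout", "eof")       # handshake outcomes that mean the path killed it


def looks_bogus(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGUS_NETS)


def resolve(host):
    """Addresses the system resolver returns for host (empty list on failure)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)})
    except socket.gaierror:
        return []


def tcp_connect(ip, port=443, timeout=5):
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "error"


def tls_handshake(ip, sni, timeout=5):
    """Handshake with ip, sending sni as server_name. Certificate checks are off on
    purpose: the question is whether the handshake is allowed to finish, not whether
    the certificate matches sni. A TLS alert from the server still proves the path is open."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return "ok:" + tls.version()
    except ConnectionResetError:
        return "reset"                   # injected RST: the classic DPI symptom
    except (socket.timeout, TimeoutError):
        return "timeout"                 # packets silently dropped
    except ssl.SSLEOFError:
        return "eof"                     # connection closed without a TLS alert
    except ssl.SSLError:
        return "alert"                   # server answered, even if only to reject the name
    except OSError:
        return "error"


def probe(host, decoy_sni="decoy.invalid"):
    """Resolve, connect, then handshake twice: once with the real name, once with a decoy."""
    r = {"host": host, "ips": resolve(host), "tcp": None, "tls_real_sni": None, "tls_decoy_sni": None}
    if r["ips"]:
        ip = r["ips"][0]
        r["tcp"] = tcp_connect(ip)
        if r["tcp"] == "ok":
            r["tls_real_sni"] = tls_handshake(ip, host)
            r["tls_decoy_sni"] = tls_handshake(ip, decoy_sni)
    return r


def classify(r):
    """Map one probe result onto the cases the checklist distinguishes."""
    if not r["ips"]:
        return "dns-failure"             # nothing resolved: repeat over DoH or another resolver
    if any(looks_bogus(ip) for ip in r["ips"]):
        return "dns-tampered"            # resolver answered with a loopback, private or unspecified address
    if r["tcp"] != "ok":
        return "ip-blocked"              # no TCP at all: IP-level block (or the host is down)
    real, decoy = r["tls_real_sni"], r["tls_decoy_sni"]
    if real.startswith("ok"):
        return "reachable"
    if real in DEAD and decoy in DEAD:
        return "tls-blocked"             # every handshake to this address dies, whatever the name
    if real in DEAD:
        return "sni-blocked"             # only the real name kills the handshake: SNI-based DPI
    return "unknown"


# Constructed probe results (not real measurements), one per case the checklist describes.
SAMPLES = {
    "dns-failure": {"host": "a.example", "ips": [], "tcp": None, "tls_real_sni": None, "tls_decoy_sni": None},
    "dns-tampered": {"host": "b.example", "ips": ["127.0.0.1"], "tcp": "refused", "tls_real_sni": None, "tls_decoy_sni": None},
    "ip-blocked": {"host": "c.example", "ips": ["203.0.113.10"], "tcp": "timeout", "tls_real_sni": None, "tls_decoy_sni": None},
    "sni-blocked": {"host": "d.example", "ips": ["203.0.113.11"], "tcp": "ok", "tls_real_sni": "reset", "tls_decoy_sni": "alert"},
    "tls-blocked": {"host": "e.example", "ips": ["203.0.113.12"], "tcp": "ok", "tls_real_sni": "reset", "tls_decoy_sni": "reset"},
    "reachable": {"host": "f.example", "ips": ["203.0.113.13"], "tcp": "ok", "tls_real_sni": "ok:TLSv1.3", "tls_decoy_sni": "alert"},
}

if __name__ == "__main__":
    for r in SAMPLES.values():
        print(f"{r['host']}: {classify(r)}")
    if len(sys.argv) > 1:                # live probe: python3 probe.py some.host.example
        live = probe(sys.argv[1])
        print(live, "->", classify(live))
```

The decoy handshake is what separates an SNI filter from an address block: a server that has never heard of decoy.invalid will usually answer with an alert or a default certificate, and either outcome shows the path to that address is open, so a reset only on the real name is the filter reacting to the name. The heuristic is not proof; a filter that resets every TLS handshake to the address shows up as tls-blocked, and a resolver that has been redirected will not be caught here unless it returns a bogus address.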
Mitigation Strategies (for website owners)
- Content Delivery Network (CDN): Serving the site through a CDN puts it on addresses shared with many other customers, so an IP-level block takes unrelated sites down with it; that collateral cost is what makes IP blocking expensive for the censor. Some CDNs also offer ECH, which is what actually hides the name.
- TLS 1.3: ESNI and ECH require TLS 1.3, and TLS 1.3 also encrypts the server certificate, so the name no longer leaks from the certificate as it did in TLS 1.2. It does not by itself prevent fingerprinting, which keys on the unencrypted parts of the ClientHello.
- Obfuscation Techniques: Padding and traffic shaping can blur the size and timing signatures that traffic analysis relies on. This is complex, costs bandwidth and needs continual adjustment as the filter's classifiers are retrained.
- IP Address Diversity: Spreading the site over many, frequently changing addresses raises the cost of maintaining an IP block list.
Example Command (ping)
ping tests only whether ICMP echo reaches the address your resolver returned for the name; it says nothing about TCP port 443 or TLS, and many hosts and filters drop ICMP, so a failed ping is weak evidence and a successful one does not rule out SNI-based blocking. It is still a quick first check that the name resolves and that the address answers, and the address it prints can be compared with what a trusted resolver returns:
ping example.com