Government censors HTTPS traffic to our website. Workarounds?
Solution 1:
Unfortunately, circumventing censorship is better addressed on the client side, so there aren't many server side settings that could help with that. You could advise your users to use a VPN, Tor, and/or public DNS with DNS-over-HTTPS (RFC 8484) or DNS-over-TLS (RFC 7858).
You make the assumption that the censorship method has something to do with DNS, but have you actually tested this? Did you know that the server name indication (SNI, RFC 6066, section 3) in the ClientHello is unencrypted and may also be used to block the TLS connection? Luckily, TLS Encrypted Client Hello (draft-ietf-tls-esni-09) is on its way and can help with that. More reading on the subject:
- Seth Schoen: ESNI: A Privacy-Protecting Upgrade to HTTPS (EFF)
- Matthew Prince: Encrypting SNI: Fixing One of the Core Internet Bugs (Cloudflare)
(We don't usually add any greetings to our Q/A posts, but your 007 reference is golden!)
Solution 2:
Most Russian providers implement Inquisition requests by intercepting DNS traffic and changing it on the fly (and it's pretty easy since it's unencrypted), effectively using the man-in-the-middle scheme; for instance, all of the Ertelecom-affiliated ISPs are using this method. In this case (which can be easily determined by just comparing the client-side resolved IP vs the real IP) nothing can be done from the server side: even if you implement DNSSEC and signed answers start to flow, all this technique will do is break the client-side name resolving stack entirely when it comes to your domain (however, this is purely a theory, and you can easily prove me wrong, if I am).
Unfortunately, all of the available solutions to bypass DNS MitM need to be applied on the client side, not the server one.
Solution 3:
Russian government-mandated censorship is known to use DNS spoofing (that's how select porn sites are blocked).
They also use packet filters based on IP address/range (that's how they tried and failed to block Telegram).
An idea: time-based domain name!
Roskomnadzor are a government agency, so they should be somewhat slow to respond.
DOS them! Example:
- www.against-putin-24-jan.org (registered Friday, Jan 23)
- www.against-putin-31-jan.org (registered Friday, Jan 29)
- www.against-putin-07-feb.org (and so on)
etc...
You'll need a new domain name every week ($10) and your lovely Roskomnadzor bureaucrats are not really that operative.
Your users should remember to add the last Sunday's date to the domain name. If things get worse, you can as well go faster and just a bit more expensive (you can as well negotiate a better price for that many domains).
At some point, they can as well adapt their procedures to your scheme. You have to change it only a little bit.
Solution 4:
Make your content available through IPFS! https://ipfs.io/ It's a decentralized version of the internet, where each client who visits your site stores copies of your content on their machine.
Solution 5:
Is there something that could be done on our server's side to encrypt/obfuscate the DNS information without users making any changes/installing software?
No, because DNS requests are processed by dedicated name servers and as such they are not routed through your web server.
Or is waiting for DNS over HTTPS to become mainstream our only option?
Pretty much; DNS-over-HTTPS was designed to enhance privacy, thwart censorship, and prevent attacks such as those you described. It is supported by recent versions of Google Chrome and Firefox (on the desktop at least) so in theory most of your users should already be able to use it.