ISP can still hijack #1790
Replies: 2 comments 1 reply
-
Encrypted DNS only prevents your ISP from seeing and tampering with your DNS traffic. It doesn't prevent them from intercepting or tampering with the data you exchange with the server after having used DNS to resolve a name to a number. To stop this kind of snooping, you need a VPN, Tor or some other means of tunneling your traffic from your computer/phone to the remote network. From my location, Mediafire appears to use Cloudflare and it resolves to 104.16.203.237 and 104.16.202.237. If you're getting those addresses back from DNS resolution, then your DNS responses are good and haven't been changed. It looks like your ISP is using gear from Palo Alto Networks to intercept your SSL traffic based on the common name in the SSL certificate.
-
The main URL still leaks via SNI in the Client Hello. Someone noted this here: https://madaidans-insecurities.github.io/encrypted-dns.html#sni
-
Summary: When visiting, for example, https://mediafire.com, the ISP's "government warning" is still showing up. For some reason, the ISP can still hijack the connection (they even use a fake SSL certificate).
resolv.conf - setup correctly, pointing to dnscrypt-proxy
WiFi settings - set to custom DNS and points to dnscrypt-proxy as well for good measure
DNS leak test - negative
When pkill-ing dnscrypt-proxy no browsing works
Firefox's DoH set to point to my local dnscrypt-proxy DoH as well
Internet connection: Hotspot/tether from mobile phone (no other connection available)
Also tested with Edge version 93.0.957.0. It's not possible to set a custom DoH with localhost in Chromium-based browsers but the results are the same as above (DNS leak test, pkill-ing, and ISP hijack)
As an additional test, I also switched to an OpenNIC server and visited grep.geek and it works in both Firefox (with local DNScrypt-proxy DoH) and Edge (without local DNScrypt-proxy DoH)
Browser: Firefox 91.0b6
OS: Ubuntu 20.04
dnscrypt-proxy version: 2.0.45
Also attached is my config file for dnscrypt-proxy.
Also attached is what the ISP hijack looks like.
dnscrypt-proxy.toml.fake.zip
Anything I did incorrectly? Or have our ISPs found a way around DNScrypt?