# wtf cf-hls-media.sndcdn.com
cf-hls-media.sndcdn.com is an alias for d1ws1c3tu8ejje.cloudfront.net.
d1ws1c3tu8ejje.cloudfront.net has address 13.33.240.123
β 13.33.240.123
The day began when I finished the DNS-over-HTTPS server to relieve the phantom pains from the work of Roskomnadzor began with the once again silenced radio .
These pains are well described by @ValdikSS in the article "In Russia, there are still problems with the availability of sites, but no one notices them . "
You don't have to think too much, the essence of the problems is simple and the solution is also not very difficult : just throw out the blocked IP addresses from the DNS responses, and if there are no addresses left, replace them with suitable addresses from the same CDN. At least Cloudflare and Amazon Cloudfront allow this mockery of DNS.
For example, if addresses 23.1.14.0
and came from AKAMAI in the conditional DNS response 23.1.20.2
, and the first one is blocked by RKN, then the DNS server can give the client only one address out of two, and the browser will not "blunt" in an attempt to establish a connection with the blocked IP. This is not bypassing locks, rather the opposite. But it reduces pain measurably. I would be glad to see such a design in Yandex.DNS in "Safe" mode, but I still don't think that Yandex is ready to implement such a moderately "gray" feature.
Get out of the country in a panic? Wrap all traffic in a VPN? What for! The Internet in Russia is not yet so broken as to add 50-100ms to all its Zoom-calls in times of widespread self-isolation. You can still try to fix something, but laugh at what is left.
, DNS- kabysdoh.gulag.link
-, DNS-. XML- , GitHub Unbound . Knot Resolver @ValdikSS - .
Android mobile devices support DNS-over-TLS, which is available at kabysdoh.gulag.link
(but it seems that we found a bug in Unbound and there are problems with DNS-over-TLS ), and Mozilla Firefox supports DNS-over-HTTPS at https://kabysdoh.gulag.link/dns-query
. Screenshots of an example configuration can be seen below (you can read about all possible DoH options in Firefox on the wiki ):
I have everything for today! I hope this construction will be useful to someone. And remember, once you step into the waters of modifying in-flight DNS messages it seems like crocodiles all the way down .