ForkMaster/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2025-01-04 07:20:35 +05:00
Code Issues Actions Packages Projects Releases Wiki Activity

move back When it will not work chapter

Browse Source
This commit is contained in:
awslawsl233 2021-12-14 19:50:56 +08:00 committed by GitHub
parent 4bb54bdeca
commit 7eebc7d3b1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
docs/readme.eng.md
View File

@ -38,14 +38,6 @@ or adding a dot at the end of the host name: `Host: kinozal.tv.`
There is also more advanced magic for bypassing DPI at the packet level.
## When it will not work
* If DNS server returns false responses. ISP can return false IP addresses or not return anything
when blocked domains are queried. If this is the case change DNS to public ones, such as 8.8.8.8 or 1.1.1.1.Sometimes ISP hijacks queries to any DNS server. Dnscrypt or dns-over-tls help.
* If blocking is done by IP.
* If a connection passes through a filter capable of reconstructing a TCP connection, and which
follows all standards. For example, we are routed to squid. Connection goes through the full OS tcpip stack, fragmentation disappears immediately as a means of circumvention. Squid is correct, it will find everything as it should, it is useless to deceive him. BUT. Only small providers can afford using squid, since it is very resource intensive. Large companies usually use DPI, which is designed for much greater bandwidth.
## How to put this into practice in the linux system
In short, the options can be classified according to the following scheme:
@ -118,6 +110,14 @@ In the PREROUTING DNAT chain, it is possible to any global address or to the lin
the packet came from.
NFQUEUE works without changes.
## When it will not work
* If DNS server returns false responses. ISP can return false IP addresses or not return anything
when blocked domains are queried. If this is the case change DNS to public ones, such as 8.8.8.8 or 1.1.1.1.Sometimes ISP hijacks queries to any DNS server. Dnscrypt or dns-over-tls help.
* If blocking is done by IP.
* If a connection passes through a filter capable of reconstructing a TCP connection, and which
follows all standards. For example, we are routed to squid. Connection goes through the full OS tcpip stack, fragmentation disappears immediately as a means of circumvention. Squid is correct, it will find everything as it should, it is useless to deceive him. BUT. Only small providers can afford using squid, since it is very resource intensive. Large companies usually use DPI, which is designed for much greater bandwidth.
## nfqws
This program is a packet modifier and a NFQUEUE queue handler.