Subject: Request to support DoT on port 443 and add alternative Anycast nodes due to country-wide DPI blocks in Azerbaijan

Hi NextDNS Team,

I am writing to report a major connectivity issue affecting users in Azerbaijan (Baku). The major state-owned and private ISPs here (such as Delta Telecom, AzerTelecom, CityNet, Baktelecom) have deployed strict Deep Packet Inspection (DPI) systems that perform heavy censorship on encrypted DNS protocols.

Currently, all major public Anycast IP addresses and default domains for NextDNS, Google, Cloudflare, Quad9, and AdGuard are being actively dropped at the firewall level.

Specifically, the DPI triggers on two things:

  1. Port 853 blocking: The default port for DoT (853) and DoQ (784/853) is completely blacklisted or heavily throttled for well-known providers.
  2. SNI filtering: The standard *.nextdns.io SNI is being caught and dropped during the TLS handshake.

My temporary workaround:
I managed to bypass this block by completely avoiding the default Anycast IPs and forcing my setup to connect via DoH2 directly to a specific regional node's hostname (e.g., anexia-sof-1.edge.nextdns.io). Since this specific host is not in the ISP's blacklist and it runs over standard HTTPS port 443, the DPI treats it as regular web traffic and lets it through. However, this breaks the core benefit of Anycast routing and lacks failover redundancy.

The Feature Request:
Some other alternative DNS providers (like Control D) officially allow users to connect to DoT over port 443 (e.g., ://controld.com). Since port 443 cannot be blocked without breaking the entire web, this is the most resilient way to keep DoT working in censored regions.

Could you please consider:

  1. Enabling DoT (DNS-over-TLS) and DoQ on port 443 for NextDNS profiles?
  2. Providing alternative, clean Anycast IP/domain options or dedicated fallback endpoints for regions facing heavy DPI interference?

This change would immensely help users in Azerbaijan and other strictly censored countries to maintain their privacy without relying on fragile custom workarounds.

Thank you for your amazing service and looking forward to your response!

1 reply

    • NextDNS
    • 5 hrs ago

    If they SNI block, moving to 443 would not make a difference. Since we require SNI on DoT to get the profile id, you could not even strip SNI. How would that help here?
