
Subject: Request to support DoT on port 443 and add alternative Anycast nodes due to country-wide DPI blocks in Azerbaijan

Hi NextDNS Team,

I am writing to report a major connectivity issue affecting users in Azerbaijan (Baku). The major state-owned and private ISPs here (such as Delta Telecom, AzerTelecom, CityNet, Baktelecom) have deployed strict Deep Packet Inspection (DPI) systems that perform heavy censorship on encrypted DNS protocols.

Currently, all major public Anycast IP addresses and default domains for NextDNS, Google, Cloudflare, Quad9, and AdGuard are being actively dropped at the firewall level.

Specifically, the DPI triggers on two things:

  1. Port 853 blocking: The default port for DoT (853) and DoQ (784/853) is completely blacklisted or heavily throttled for well-known providers.
  2. SNI filtering: The standard *.nextdns.io SNI is being caught and dropped during the TLS handshake.

My temporary workaround:
I managed to bypass this block by completely avoiding the default Anycast IPs and forcing my setup to connect via DoH2 directly to a specific regional node's hostname (e.g., anexia-sof-1.edge.nextdns.io). Since this specific host is not in the ISP's blacklist and it runs over standard HTTPS port 443, the DPI treats it as regular web traffic and lets it through. However, this breaks the core benefit of Anycast routing and lacks failover redundancy.

The Feature Request:
Some other alternative DNS providers (like Control D) officially allow users to connect to DoT over port 443 (e.g., ://controld.com). Since port 443 cannot be blocked without breaking the entire web, this is the most resilient way to keep DoT working in censored regions.

Could you please consider:

  1. Enabling DoT (DNS-over-TLS) and DoQ on port 443 for NextDNS profiles?
  2. Providing alternative, clean Anycast IP/domain options or dedicated fallback endpoints for regions facing heavy DPI interference?

This change would immensely help users in Azerbaijan and other strictly censored countries to maintain their privacy without relying on fragile custom workarounds.

Thank you for your amazing service; I look forward to your response!

4 replies

    • NextDNs
    • 2 days ago

    If they SNI block, moving to 443 would not make a difference. Since we require SNI on DoT to get the profile id, you could not even strip SNI. How would that help here?

      • Home_user1
      • 4 hrs ago

      Thank you for the explanation. However, there is a critical second part to this issue regarding how clients connect.
      Because port 853 is completely blocked nationwide, it is impossible to use the native "Private DNS" feature in operating systems. To use NextDNS at all, we are forced to use third-party DNS clients or specialized software where we can custom-configure the port and protocols.
      Moving DoT/DoQ to port 443 is necessary because it allows these advanced custom clients to establish the connection in the first place.
      Regarding the SNI problem: many modern custom DNS clients now support ECH (Encrypted Client Hello). If NextDNS enables DoT/DoQ on port 443 alongside ECH support on your infrastructure, the SNI *.nextdns.io will be completely encrypted and hidden from the ISP's DPI. This makes port 443 + ECH the ultimate solution for censored regions.
      Could you please consider supporting DoT/DoQ on port 443, so that users with ECH-capable custom setups can bypass these port-level and keyword-level blocks?

      • NextDNs
      • 3 hrs ago

       DoT is already supported on port 443, but DoH remains your best bet in this situation.

      • Home_user1
      • 3 hrs ago

       How? I have tried several times to connect via tls:// and quic://, appending :443 at the end, but NO.

      For example, see the screenshot.
