Opened 3 years ago

Closed 21 months ago

#22949 closed enhancement (wontfix)

Add some IP-HOST pair for meek use

Reported by: cypherpunks Owned by: n8fr8
Priority: Medium Milestone:
Component: Applications/Orbot Version:
Severity: Normal Keywords: meek
Cc: arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


  1. I want to use meek.
  2. My network is blocking DNS request.

Please consider adding some IP:PORT pair to Orbot itself.

Current behavior:
Orbot: "Hey DNS, resolve domain fronting)"
DNS: "Reject!"
Orbot: "Hey user, you can't connect!!"

Expected behavior:
Orbot: "Hey DNS, resolve domain fronting)"
DNS: "Reject!"
Orbot: "Then I'll try's IP addr.)"
Orbot: Trying to connect: with "Host:".
Orbot: Success. Fuck DNS :)

I'm not joking. By adding valid IP address into Orbot core, user
can access to Tor network even DNS is blocked.

Child Tickets

Change History (6)

comment:1 Changed 3 years ago by cypherpunks

Good idea, meek-amazon and meek-azure front-ends are probably only blocked in some corporate firewalls, so maybe countering DNS poisoning may be useful in those cases.

comment:2 Changed 3 years ago by yawning

Cc: yawning removed

Attempting in vain to remove myself from the cc list.

comment:3 Changed 3 years ago by dcf

Keywords: meek added
Priority: Very HighMedium
Severity: CriticalNormal
Type: defectenhancement

I think that a local IP address database is unlikely to be implemented, for maintainability reasons. Also I'm not sure this is actually a common problem. Have you actually encountered it in practice, or are you just suggesting it as a possibility?

meek-google hasn't worked for a year now—were you only using as an example, or are you actually using it for fronting somehow? Is there really a work network that blocks by DNS? How would anyone get any work done?

If you are on a network that actually is DNS-blocking the default front domain, you can try changing the front domain. You can also try configuring a DNS server other than the default. If that doesn't work, you can also maintain your own local DNS database in /etc/hosts or similar. Or just use obfs4 in that case?

comment:4 Changed 3 years ago by cypherpunks

Have you actually encountered it in practice

  1. Connect to AppsVPN (e.g. M88B's "NetGuard" - open source app)
  2. This VPN was configured to block DNS request to prevent DNSLeak.


  1. I can Connect to Tor using Orbot without bridge, IF the network is NOT CENSORED
  2. I can NOT connect to Tor using Orbot without bridge because the network is clearly monitored.

maintain your own local DNS database in /etc/hosts or similar

And how can I do such thing if my phone is unrootable?
Is there any way to solve this?

Can I solve this by adding "MapAddress" or what? --header 'Host:'

Orbot --- Advanced Torrc

Will above 1 line will make meek work WITHOUT DNS request?

comment:5 Changed 3 years ago by cypherpunks

and above google is just a example. I just want you to know that some network are blocking DNS requests. So, IP-Host pair is necessary. And for advanced user like me, please provide a way to solve this. I guess "MapAddress" do the trick, but I'm not sure meek.exe(?) obey torrc's MapAddress.

comment:6 Changed 21 months ago by dcf

Resolution: wontfix
Status: newclosed

If a network is blocking all DNS requests, that's outside of meek's purview.

Note: See TracTickets for help on using tickets.