Hi. is it possible to change mtu size (ipv4) in cloudflare ?
MTU should be 1500 within the Cloudflare network. Which is almost standard. Even if they changed it, it wouldn’t have any effect on your connection.
What’s the reason for your question?
Thanks for answer.
We have some troubles with some internet providers. They block some of our sites, and as we know, they use some DPI(deep packet inspection) hardware,
We want decrease MTU to force fragmentate our response headers,
if MTU will enough small, all headers will be fragmented.
which can be help us bypass blocking.(i hope )
What would they inspect, considering you hopefully have a proper TLS connection in place?
as i know they(providers) inspect SNI header for matching hostname , which need to block
SNI is something sent by the browser, so you’d need to control the visitor’s MTU.
Furthermore, even with a lower MTU there is no guarantee the packet containing the SNI would be fragmented (unless you set it two 2 or 3 :)), so in most cases the ISP would still be able to scan individual packets for your host name.
Last but not least, there is no real mainstream support for it but Cloudflare already supports ESNI, so once browsers have adopted it, that attack vector should disappear.
Last last :), the most common filtering technique is DNS poisoning.
Thanks for reply Sandro,
i think i understand
Is there any way to bypass blocking, when providers block my domain?
The first step should be to determine which approach is used to block your site.
I will research again and write here, thank you
Just to note -
eTLS eSNI should protect against blocking specific websites. It’s already a thing in Firefox and Chrome is working on it. At that point, ISPs and Governments will have to either take entire CDNs offline (like Cloudflare or Cloudfront) or go through due process of taking down a domain via the hosting provider.
Sorry, but ETLS is broken by design.
Oh my - I completely botched that! I meant eSNI (encrypted SNI).
It’s not. And depending on the reason/nature of the block of your website/service attempting to circumvent the block may be viewed as a violation of our terms of service by our Trust & Safety team.