Post #1618

About a month ago, when Iran experienced serious disruptions in Internet access, the XTLS team closely monitored the situation and collected data on methods that were actually effective in bypassing the restrictions. The analysis showed that in aggressive network environments, the solutions we normally rely on are sometimes insufficient for maintaining stable connectivity. In a number of cases, additional obfuscation mechanisms were required, for example mimicking DNS traffic, ICMP, or other protocols permitted within the country. At that time, implementing new obfuscation methods directly in the core was an extremely labor-intensive process. For instance, disguising traffic as DNS or ICMP would have effectively required implementing a full-fledged transport protocol from scratch. As a result, the idea was proposed to completely decouple data delivery from packet obfuscation, and a new concept called finalmask was introduced into the core. The final masking layer represents the lowest, unreliable layer. For UDP, it only performs per-packet obfuscation and does not provide reliable delivery. Reliability is handled by the upper layer. The responsibility model can now be structured as follows: Protocol: encryption and authentication. Transport: fragmentation, retransmission, and congestion control. Finalmask: a stack of stateless masks that sequentially wrap the packet before transmission. For clarity, we need to distinguish between several key concepts: header-: simply attaches a fake header to a packet. x: actually encapsulates and transmits data through the structure of the target protocol. xDNS: allows traffic to be tunneled inside legitimate DNS queries. Since it is an X* protocol, xDNS generates fully standards-compliant packets. Its implementation is straightforward. Client side: The data stream is split into small chunks and encoded. These chunks are then divided into 63-byte labels and assembled into an FQDN of the form: [N].[N+1].[domain] The result is encoded in DNS wire format. Server side: The server extracts the data and packs the response into a TXT answer record.