DPI Evasion — TLS Fragmentation

Added in v4.0.0, TLS fragmentation bypasses Iran’s Deep Packet Inspection (DPI) systems that block encrypted DNS based on the SNI field in TLS handshakes.

How DPI Blocking Works

Iran’s DPI inspects the first TCP segment of TLS connections to read the Server Name Indication (SNI) — the hostname the client is connecting to. If the SNI matches a blocked domain (or a known DNS provider), the connection is reset.

How Fragmentation Defeats DPI

By splitting the TLS ClientHello across multiple TCP segments, the SNI is no longer visible in any single packet. Most DPI systems only inspect the first packet or cannot reassemble fragmented TLS handshakes.

Fragmentation Modes

Mode    | Strategy                                            | Best For
--------|-----------------------------------------------------|---------------------------------------------------
sni     | Split at the SNI extension boundary                 | Recommended — most targeted and effective
random  | Random split point with random delay (NoDPI-style)  | Evades pattern-based DPI that learns split points
half    | Split the ClientHello in the middle                 | Good fallback if SNI mode doesn’t work
chunked | Split into 40-byte fragments                        | Most aggressive — works against sophisticated DPI

Usage

Fragmentation is enabled via the --fragment flag on the proxy command:
# Recommended: fragment at SNI boundary
dns-mns proxy --fragment sni

# Random split point (NoDPI-style, varies each connection)
dns-mns proxy --fragment random

# Split in half
dns-mns proxy --fragment half

# Maximum fragmentation (40-byte chunks)
dns-mns proxy --fragment chunked

# Combine with protocol preference
dns-mns proxy --protocol doh --fragment sni

Interactive Mode

When starting the DoH/DoT proxy from the interactive menu (Encrypted DNS → DoH/DoT Proxy), you’ll be prompted to choose a DPI evasion mode:
  1. SNI-targeted — Split at the SNI extension boundary
  2. Random (NoDPI-style) — Randomized split point and delay
  3. None — No fragmentation

How It Works Internally

  1. The proxy intercepts the first Write on each new TLS connection
  2. It checks whether the data is a TLS ClientHello (record type byte 0x16 followed by handshake type 0x01)
  3. For sni mode: it parses the ClientHello to find the SNI extension offset
  4. It splits the data at the chosen point and sends each piece as a separate TCP segment
  5. A configurable delay (default 10ms) is added between fragments
  6. Subsequent writes pass through unchanged
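The steps above as an added Python example (not dns-mns’s own code): a ClientHello is constructed inline, the parser locates the SNI extension the way step 3 describes, and the split points of the sni, half, chunked and random modes are computed; the inter-fragment delay, TCP_NODELAY and the socket writes themselves are left out. The same header walk is what a first-segment DPI check performs to read the hostname, which is why the first fragment in sni mode carries none; a truncated or non-ClientHello first write is passed through unchanged.

```python
import struct
CHUNK_SIZE = 40  # chunked-mode fragment size from "Technical Details"

def build_client_hello(server_name: str) -> bytes:
    """Constructed test input: a minimal TLS ClientHello record carrying one SNI extension."""
    name = server_name.encode()
    name_list = b"\x00" + struct.pack("!H", len(name)) + name                 # host_name entry
    sni_ext = struct.pack("!HHH", 0x0000, len(name_list) + 2, len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"             # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)    # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def is_client_hello(data: bytes) -> bool:
    # Step 2: record type 0x16 (handshake) and handshake type 0x01 at byte 5
    return len(data) > 5 and data[0] == 0x16 and data[5] == 0x01

def find_sni_offset(data: bytes):
    """Step 3: offset of the SNI extension within the record, or None if absent or truncated."""
    if not is_client_hello(data):
        return None
    try:
        pos = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher_suites
        pos += 1 + data[pos]                                # compression_methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            if ext_type == 0x0000:                          # server_name
                return pos
            pos += 4 + ext_len
    except (IndexError, struct.error):
        pass                                                # malformed or short: treat as no SNI
    return None

def fragment(data: bytes, mode: str, cut: int = 0) -> list:
    """Step 4: the pieces the proxy would write as separate TCP segments (random mode's cut is passed in)."""
    if mode == "chunked":
        return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]
    if mode == "sni":
        cut = find_sni_offset(data) or 0
    elif mode == "half":
        cut = len(data) // 2
    if not 0 < cut < len(data):
        return [data]                                       # nothing to split: send unchanged
    return [data[:cut], data[cut:]]
```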

Technical Details

  • Delay between fragments: 10ms fixed for SNI/half/chunked modes; 1–50ms random for random mode
  • Chunk size (chunked mode): 40 bytes
  • TCP_NODELAY: Enabled on all fragment connections to prevent the OS from coalescing the small TCP segments into one
  • TLS version spoofing: Outer record layer advertises TLS 1.3 (0x0304) to confuse DPI
  • Applies to: DoH and DoT connections through the smart proxy and DoH/DoT proxy
  • Does not affect: DNSCrypt (already encrypted from first packet)
  • Performance impact: Minimal — only the first packet of each TLS handshake is fragmented

Troubleshooting

Fragmentation not working?
  • Try chunked mode — it’s the most aggressive
  • Increase the delay between fragments if your DPI is timing-aware
  • Some ISPs use stateful DPI that can reassemble fragments; in that case, try a different protocol (DNSCrypt)
Connection timeouts?
  • Some servers reject connections from overly fragmented clients
  • Try half mode, which only creates 2 fragments