Friday, January 23, 2026

Is Pakistan Restricting Encrypted DNS After VPN Crackdown?

TechJuice
January 19, 2026
After VPN, Is Pakistan Tightening Its Claws Against Encrypted DNS Too?

AI-Generated Summary

Pakistani mobile networks are reportedly blocking or heavily throttling Encrypted DNS services like Cloudflare's 1.1.1.1. Users report a sudden inability to access websites via these services, with functionality restored when switching to unencrypted DNS. This follows alleged VPN restrictions, raising concerns about government efforts to limit online privacy and control internet access by making user activity more visible.

As if covertly banning VPNs wasn't enough, a fresh wave of anxiety is rippling through the Pakistani Reddit-sphere regarding DNS. If the posts are to be believed, the government is apparently taking another step toward restricting online privacy tools.

A widely circulated Reddit post in r/PakistaniTech titled “Restricting VPN now & Encrypted DNS?” triggered heated discussion and alarm when multiple users reported that popular Encrypted DNS providers, especially Cloudflare’s widely used 1.1.1.1 service, suddenly stopped working on many Pakistani mobile networks. Despite being a few months old, the post has become a real-time troubleshooting and speculation hub, with users across Jazz, Zong, Telenor, and Ufone reporting the problems they are facing with DNS over HTTPS (DoH) and DNS over TLS (DoT).

What Users Are Experiencing

According to TechJuice research, these are the most common complaints found on the thread:

- Apps and browsers using DoH/DoT (Encrypted DNS) suddenly fail to resolve domains or load extremely slowly.
- Switching back to plain DNS (unencrypted, usually ISP-provided) makes everything work again.
- The issue is network-specific, i.e., Wi-Fi (especially non-cellular) often continues to work normally, while mobile data is heavily affected.
- The most commonly affected provider is Cloudflare 1.1.1.1, though some users also reported problems with Quad9 (9.9.9.9) and AdGuard DNS.

One of the comments summed up the prevailing mood:

Comment by u/mdammad007 from discussion in PakistaniTech

Timeline & Possible Motives

The restrictions reportedly began rolling out gradually in mid-to-late October 2025, with the majority of complaints surfacing between October 20–25.

Possible official motivations (none officially confirmed):

- Blocking circumvention of content filters: Encrypted DNS makes it harder for ISPs to apply DNS-based blocking of websites (pornography, social media during protests, political content, etc.).
- Increasing visibility of DNS traffic: Plain DNS allows ISPs (and therefore authorities) to see every domain a user visits. Encrypted DNS hides that list.
- Preparation for broader internet controls: Many users in the thread believe this is a soft prelude to more aggressive VPN blocking, similar to what India, Bangladesh, and Iran have done in recent years.
- Ad revenue protection: Some speculate that mobile operators want to force users back to plain DNS so they can continue injecting ads or trackers at the DNS level (a practice already documented in several South Asian countries).

Technical Breakdown: How Encrypted DNS Is Being Blocked

The most common technique being reported (and partially confirmed by user packet captures) is SNI-based blocking or throttling of DoH traffic. When a device tries to connect to https://1.1.1.1/dns-query (Cloudflare DoH endpoint), the TLS ClientHello contains the domain name in plaintext via SNI (Server Name Indication). ISPs can inspect SNI and either drop the connection, reset it, or throttle it heavily when the destination is a known DoH server. This is a relatively cheap and effective way to block Encrypted DNS without needing full TLS decryption.

A few users reported that even Encrypted Client Hello (ECH, i.e., the newer privacy extension meant to hide SNI) is not helping, suggesting that either ECH is not widely enabled yet or the ISPs are using IP-based blocking of known DoH servers.

Community Reactions & Workarounds Being Tested

The Reddit thread has since become a live workaround laboratory. Here are some of the comments that explain workarounds:

Comment by u/mdammad007 from discussion in PakistaniTech

Comment by u/mdammad007 from discussion in PakistaniTech

Comment by u/mdammad007 from discussion in PakistaniTech

Many commenters expressed resignation:

"It was only a matter of time. First they block p*rn sites, then social media during protests, now they’re coming for the last layer of privacy — DNS. RIP open internet in Pakistan."

Another wrote:

"I used to set up WireGuard on a cheap VPS and implement obfuscation like WSTunnel. It worked flawlessly."

Another offered this advice:

"Step 1: Get a $5 VPS. Step 2: Set up a VPN. Step 3: Connect to it. It’s that simple."

Broader Implications for Digital Rights in Pakistan

The apparent restriction of Encrypted DNS arrives at a time when Pakistan is already facing criticism for:

- Systematic blocking of websites during political unrest
- Increasing pressure on VPN providers
- Delayed passage of the Personal Data Protection Bill
- Widespread telecom-level surveillance capabilities

If Encrypted DNS is indeed being throttled or blocked at the carrier level, it represents a significant escalation in the state’s ability to monitor and control what citizens can access and how privately they can do so. As one Redditor put it bluntly:

"They don’t even need DPI anymore. Just kill DoH/DoT and force everyone back to plain DNS. Game over."

The blocking (or heavy throttling) of Encrypted DNS on mobile networks in Pakistan is not yet officially acknowledged by authorities, but the pattern reported by dozens of users across multiple carriers is difficult to dismiss as coincidence. For now, the open, privacy-respecting internet in Pakistan is under increasing pressure, and Encrypted DNS appears to be one of the latest targets.
