| skipped 197 lines |
198 | 198 | | tunnel server is acting as a proxy, for example), unless that data has |
199 | 199 | | been separately encrypted before being sent through the tunnel. |
200 | 200 | | |
| 201 | + | The dnstt client does not do anything special to disguise its TLS |
| 202 | + | fingerprint. It uses the crypto/tls package from Go, and its TLS |
| 203 | + | fingerprint will depend on what version of Go it was compiled with. You |
| 204 | + | should assume that the DNS tunnel client is identifiable by TLS |
| 205 | + | fingerprint. A path to hiding the TLS fingerprint would be to integrate |
| 206 | + | uTLS (https://github.com/refraction-networking/utls). |
| 207 | + | |
201 | 208 | | |
202 | 209 | | ## Encryption and authentication |
203 | 210 | | |
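Review bot: the added paragraph (new lines 201-206) names the same program two ways, "dnstt client" on line 201 and "DNS tunnel client" on line 204, which can leave a reader wondering whether two different components are meant; use one name throughout. The closing sentence also offers uTLS only as "a path to hiding the TLS fingerprint". Since the paragraph opens by saying the client does nothing special to disguise its fingerprint, it would help to say outright that uTLS is not integrated, so nobody reads the link as a supported option. If the warning applies only when the client makes a TLS connection, say so in the first sentence so readers know when it matters.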
| skipped 75 lines |