As if covertly banning VPNs wasn't enough, a fresh wave of anxiety about DNS is rippling through the Pakistani Reddit-sphere. If the posts are to be believed, the government is apparently taking another step toward restricting online privacy tools.
A widely circulated Reddit post in r/PakistaniTech titled “Restricting VPN now & Encrypted DNS?” triggered heated discussion and alarm when multiple users reported that popular Encrypted DNS providers, especially Cloudflare’s widely used 1.1.1.1 service, suddenly stopped working on many Pakistani mobile networks.
Despite being a few months old, the post has become a real-time troubleshooting and speculation hub, with users across Jazz, Zong, Telenor, and Ufone reporting problems they are facing with DNS over HTTPS (DoH) and DNS over TLS (DoT).
According to TechJuice research, here are some of the most common complaints found on the thread:
One of the comments summed up the prevailing mood:
[Reddit embed: Comment by u/mdammad007 from discussion in PakistaniTech]
The restrictions reportedly began rolling out gradually in mid-to-late October 2025, with the majority of complaints surfacing between October 20–25.
Possible official motivations (none officially confirmed):
The most common technique being reported (and partially confirmed by user packet captures) is SNI-based blocking or throttling of DoH traffic.
When a device tries to connect to https://1.1.1.1/dns-query (Cloudflare DoH endpoint), the TLS ClientHello contains the domain name in plaintext via SNI (Server Name Indication). ISPs can inspect SNI and either drop the connection, reset it, or throttle it heavily when the destination is a known DoH server. This is a relatively cheap and effective way to block Encrypted DNS without needing full TLS decryption.
A few users reported that even Encrypted Client Hello (ECH, i.e., the newer privacy extension meant to hide SNI) is not helping, suggesting that either ECH is not widely enabled yet or the ISPs are using IP-based blocking of known DoH servers.
Community Reactions & Workarounds Being Tested
The Reddit thread has since become a live workaround laboratory. Here are some of the comments which explain workarounds:
Many commenters expressed resignation:
It was only a matter of time. First they block p*rn sites, then social media during protests, now they’re coming for the last layer of privacy — DNS. RIP open internet in Pakistan.
Another wrote:
I used to set up WireGuard on a cheap VPS and implement obfuscation like WSTunnel. It worked flawlessly.
Another offered this advice:
Step 1: Get a $5 VPS
Step 2: Set up a VPN
Step 3: Connect to it.
It’s that simple.
The apparent restriction of Encrypted DNS arrives at a time when Pakistan is already facing criticism for:
If Encrypted DNS is indeed being throttled or blocked at the carrier level, it represents a significant escalation in the state’s ability to monitor and control what citizens can access and how privately they can do so.
As one Redditor put it bluntly:
They don’t even need DPI anymore. Just kill DoH/DoT and force everyone back to plain DNS. Game over.
The blocking (or heavy throttling) of Encrypted DNS on mobile networks in Pakistan is not yet officially acknowledged by authorities, but the pattern reported by dozens of users across multiple carriers is difficult to dismiss as coincidence.
For now, the open, privacy-respecting internet in Pakistan is under increasing pressure, and Encrypted DNS appears to be one of the latest targets.