Document what the current method is expected to handle, what passes through directly, what may behave inconsistently, and what is not supported. Use this matrix to turn vague "site broken" reports into protocol-specific diagnostics.
| Protocol / technology | Current expected state | Main edge cases | Test requirement |
|---|---|---|---|
| TCP/443 HTTPS | Core supported path for targeted browser flows | Certificate trust, ALPN, SNI/ECH, provider drift | Browser test plus route-tag check |
| HTTP/1.1 over TLS | Supported through h11 local tunnel | WebSocket upgrades, keepalive, redirects | Test normal page + WebSocket endpoint |
| HTTP/2 over TLS | Supported through h2/h1 local tunnel | gRPC, stream resets, multiplexing | Test HTTP/2 page + gRPC-like h2 endpoint |
| HTTP/3 / QUIC / UDP/443 | Profile-defined UDP/443 policy | Strict/debug block QUIC; balanced/compatibility direct-route with warning | Test UDP/443 behavior explicitly |
| DNS UDP/TCP/53 | Routed through DNS handling | Resolver timeout, hijack, private domains | Resolver tests |
| DoH | Depends on configured resolver route | Resolver reachability, TLS behavior | DNS check script |
| DoT | Not explicitly modeled unless user adds it | Port 853 behavior | Document unsupported unless tested |
| DoQ | Not explicitly modeled | UDP/QUIC-based DNS | Document unsupported unless tested |
| WebSocket | May work when HTTP/1.1 path works | Upgrade headers and proxy behavior | Run WebSocket smoke probe |
| gRPC | May work when HTTP/2 path works | h2 stream handling | Run h2/gRPC ALPN smoke probe |
| WebRTC/STUN/TURN | App/browser-dependent, UDP-heavy | UDP route, IP leak risk, app pinning | Mark as degraded/experimental |
| IPv6 | Catch-all may direct-route IPv6 | IPv6-only/NAT64 differences | IPv6 route test |
| NAT64/DNS64 | Not guaranteed | IPv4-only assumptions | IPv6-only lab test |
| Captive portal HTTP | Environment-specific | DNS/HTTP hijack | Captive portal procedure |
| Private LAN | Should remain direct | Printers, router UI, local domains | LAN direct-route test |
| Enterprise TLS inspection | Competing MITM | CA conflicts | Document conflict behavior |
| Antivirus HTTPS scanning | Competing local TLS interception | Broken trust chain | Detection note |
Use these labels in issues and compatibility files:
supported Expected to work in current config.
degraded May require browser/app settings or behave inconsistently.
pass_through Not handled by method; direct behavior expected.
unsupported Known not to work reliably.
unknown Not tested yet.
- TCP/443 HTTPS targeted domain loads.
- HTTP/1.1-only endpoint loads.
- HTTP/2 endpoint loads.
- WebSocket endpoint connects or failure is documented.
- gRPC/h2 endpoint connects or failure is documented.
- UDP/443 behavior is known.
- DNS UDP/TCP works.
- DoH resolver path works.
- IPv6 behavior is known.
- Private LAN destination remains reachable.
- Captive portal behavior is documented.
- Android browser behavior is documented separately from Android app behavior.
| User symptom | Likely protocol issue | What to ask for |
|---|---|---|
| Page loads but video fails | QUIC, media domain, provider route, or DNS | Browser, domain category, route tag, DNS result |
| Login page loops | cookies, third-party domains, ad-block false positive, pinned endpoint | route tag, ad-block rule, browser console category only |
| Works in Chrome but not Firefox | browser trust store or HTTP/2 behavior | CA install scope and browser version |
| Works on desktop but not Android app | Android user CA / pinning / app trust | app name, browser vs app, Android version |
| Works on Wi-Fi but not mobile | DNS64/NAT64, IPv6, provider region | network type, IPv6 status, resolver status |
| Fails after disabling tool | FakeDNS stale cache | run FakeDNS recovery steps |
Use scripts/protocol_smoke.py for local, redacted protocol evidence:
python scripts/protocol_smoke.py --scenario udp443-policy
python scripts/protocol_smoke.py --scenario websocket-handshake --host example.com --path /
python scripts/protocol_smoke.py --scenario http2-alpn --host example.com
python scripts/protocol_smoke.py --scenario grpc-alpn --host example.com
python scripts/protocol_smoke.py --scenario ipv6-connect --host ipv6.google.com --port 443| Document | Topic |
|---|---|
transport-profiles.md |
Transport handling summary |
operating-profiles.md |
UDP/443 policy by profile |
android-trust-model.md |
App vs browser protocol scope |
routing-correctness.md |
Route tags for protocol paths |