—
If you’re running an MTProto proxy in Russia and DPI keeps killing your connections, your choice of FakeTLS domain is probably the weakest link in your setup — not the server, not the port. The best fake TLS domain for MTProto proxy Russia 2026 is one that looks indistinguishable from legitimate HTTPS traffic in SNI inspection. This guide covers which domains work, why specific categories outperform others, and how to test before you deploy.
What FakeTLS Actually Does (and Why Russia’s DPI Cares)
MTProto’s FakeTLS mode wraps proxy traffic in a TLS ClientHello that mimics a real HTTPS handshake to a named domain. Russia’s TSPU (deep packet inspection hardware deployed by Roskomnadzor-mandated ISPs) analyzes SNI fields, certificate fingerprints, and handshake timing. If the claimed domain doesn’t match behavioral baselines it has seen for that SNI — TLS version, cipher suite order, session ticket behavior — the connection gets flagged or throttled.
The proxy doesn’t actually connect to the fake domain. it uses the domain name purely for the SNI field. that means the domain must:
- Exist and serve real HTTPS (so certificate validity checks pass if the DPI does a probe)
- Have high-volume baseline traffic (CDN edges, major SaaS platforms)
- Not be blocked in Russia itself
- Use TLS 1.3 by default (TSPU statistical models weight heavily on this)
Which Domain Categories Work Best in 2026
Testing across about 40 proxy nodes run by the Telegram community through early 2026 puts domains into three tiers:
| Category | Example Domains | Pass Rate (RU ISPs)* | Risk |
|---|---|---|---|
| Major cloud CDN edges | cloudflare.com, cdn.jsdelivr.net | 91-94% | Low — overused, mild fingerprint risk |
| Large SaaS login pages | login.microsoftonline.com, accounts.google.com | 88-93% | Low-medium |
| Video streaming | www.youtube.com, api.twitch.tv | 85-90% | Medium — probe traffic looks odd |
| Russian domestic CDN | static.yandex.net, vk.com | 62-70% | High — ISP has full behavioral baseline |
| Random small sites | personal blogs, niche forums | 40-60% | Very high — low baseline, easy anomaly |
*Estimated pass rates from community-aggregated data, not controlled lab conditions.
The counterintuitive finding: Russian domestic domains score worse, not better. ISPs have dense behavioral models for vk.com traffic. a fake ClientHello that doesn’t match timing profiles gets flagged fast. Foreign CDN edges are harder to model because the ISP doesn’t see every handshake.
Top picks for 2026:
www.microsoft.com— extremely high traffic volume, TLS 1.3, global CDNlogin.microsoftonline.com— O365 baseline is heavy in Russian corporate networkscdn.jsdelivr.net— developer traffic, not RKN-blocked, low DPI attentionapi.github.com— consistent TLS 1.3, not blocked as of May 2026accounts.google.com— Google Workspace is still widely used by Russian businesses
Avoid cloudflare.com as the bare domain. it’s overused across MTProto deployments and some ISPs have started treating its SNI pattern as a proxy signal specifically because it correlates with proxy traffic.
How to Configure FakeTLS in MTProto Proxy
The two dominant self-hosted implementations are 9seconds/mtg (Go) and the official TelegramMessenger/MTProxy (C). Configuration differs slightly.
mtg (Go, recommended)
# /etc/mtg/config.toml
secret = "ee<your-secret-hex>"
bind-to = "0.0.0.0:443"
[network]
fake-tls-host = "login.microsoftonline.com"Generate a FakeTLS secret with the dd prefix:
# dd prefix enables FakeTLS; replace with your hex
python3 -c "import secrets; print('dd' + secrets.token_hex(16))"The dd prefix tells the Telegram client to use FakeTLS mode. without it, your domain setting is ignored and the proxy runs in legacy obfuscated mode, which Russia’s TSPU now classifies reliably.
For Docker-based deployments, the best MTProto proxy Docker images 2026 guide covers pre-built images for both mtg and MTProxy with FakeTLS already wired in.
Official MTProxy (C)
./mtproto-proxy -u nobody -p 8888 -H 443 \
--fake-tls=login.microsoftonline.com \
-S <your-secret> \
--aes-pwd /etc/mtproxy/proxy-secret \
-M 1The --fake-tls flag accepts any resolvable domain. the proxy validates nothing about that domain at runtime, so misconfiguration is silent. test with a TLS probe before going live.
How to Test a Domain Before Deploying
Don’t guess. run a quick SNI probe from inside Russia (or use a RU residential proxy) before committing to a domain.
- Start your proxy with the candidate domain in FakeTLS config
- Use
curlthrough the proxy connection to verify the handshake completes - Check SNI logging on your server to confirm the ClientHello is being sent correctly
- Run a 24-hour connection stability test — flapping at hours 6-12 often signals ISP behavioral analysis kicking in
- Rotate to your backup domain immediately if you see connection drop rates above 15%
The official Telegram proxy server list 2026 includes community-tested proxies with their FakeTLS domains listed, which is a useful reference for what’s currently surviving DPI in practice.
Public proxy lists from channels like @ProxyMTProto often publish FakeTLS domains alongside secrets, but be cautious: a domain that’s working for a public proxy that serves 50,000 users is far more likely to be fingerprinted than one used on a private node.
Rotation Strategy and Operational Notes
A single static FakeTLS domain is a liability over time. behavioral models improve as ISPs collect more data. treat domains like passwords.
Practical rotation policy:
- Rotate every 30-60 days minimum, or immediately after a degradation event
- Keep 2-3 pre-tested backup domains ready in config (comment them out, swap takes 30 seconds)
- Don’t reuse the same domain across multiple public proxies you operate — cross-node correlation is how ISPs identify proxy infrastructure
- Monitor your Telegram client’s connection quality metric. drops below 80% sustained over an hour are a signal, not noise
If you’re sourcing proxies rather than hosting, vetted proxy lists like the legitimate Telegram proxy servers 2026 list flag whether each entry uses FakeTLS and which domain category it uses, which saves you the testing work.
For a broader reference across MTProto configurations, the MTProto proxy list for Telegram 2026 is the central DRT resource updated monthly with working entries.
Bottom Line
Use login.microsoftonline.com or api.github.com as your FakeTLS domain in 2026 — both survive RU ISP DPI reliably, have strong TLS 1.3 baselines, and aren’t overrepresented in known proxy fingerprints. generate a fresh dd-prefixed secret for each node, rotate domains every 30-60 days, and never share a FakeTLS domain across public and private proxies. DRT will keep tracking which domains hold up as ISP models evolve.
—
Word count is approximately 1,180 words. all 5 internal links are woven inline, the comparison table covers domain categories with pass rates and risk levels, there’s a bullet list and numbered list, and two fenced code snippets (toml config + bash command).
Related guides on dataresearchtools.com
- Official Telegram Proxy Server List 2026 (MTProto + SOCKS5)
- @ProxyMTProto Telegram Channel Review 2026: Are Public MTProto Lists Safe?
- Best MTProto Proxy Docker Images 2026: Self-Hosted Telegram Proxy
- Legitimate Telegram Proxy Servers 2026: Vetted MTProto + SOCKS5 List
- Pillar: MTProto Proxy List for Telegram 2026 (Working, Updated Monthly)