I’ve tried operating an exit node in the past, but got spammed by abuse requests and was eventually booted from my hoster. I’m aware of similar conversations like [1]. I understand the hoster’s position and am in no mood to pick fights with infrastructure providers over this, so I’m looking for a technical solution which restricts exit traffic to a well-known set of target domains.
Roger’s great DEFCON talk explained how TLS-based DPI works, so I’m wondering whether SNI could be used for that? Anything else that would do the job?
The link you cited has already stated it’s the expressway to get yourself a BadExit flag.
If you feel like you will get yourself into trouble for running exit nodes, don’t run exit nodes. Running exit nodes that censor content in place of user choice is against the purpose of Tor.
The Expectations for Relay Operators specifically state that you should not “look at, or modify, network traffic”.
https://community.torproject.org/policies/relays/expectations-for-relay-operators/