DNS Censorship

How governments use DNS to control the internet — from resolver filtering to BGP hijacking, and the circumvention tools that push back

The cheapest firewall is a DNS resolver

DNS censorship exploits the same property that makes DNS filtering effective for security: before your device can connect to anything, it must first ask DNS where to find it. If the resolver lies — or a middlebox intercepts the query — the connection never happens.

For governments, this makes DNS the lowest-cost censorship layer. No expensive deep packet inspection, no need to inspect encrypted traffic. Just configure every ISP’s resolver to return false results for blacklisted domains.

Censorship techniques

Governments and ISPs employ a range of DNS-based techniques, varying in sophistication:

DNS filtering (resolver-level)

The simplest approach: ISP resolvers return false results for blacklisted domains. The resolver might return NXDOMAIN (pretending the domain does not exist), redirect to a government block page, or return no answer at all. Russia’s Roskomnadzor maintains a centralized blacklist that all ISPs must enforce. Iran redirects blocked domains to 10.10.34.34, which serves a government block page.

DNS poisoning (injection)

A middlebox at the ISP or national gateway inspects DNS queries in transit. When a query for a censored domain is detected, the device races to inject a forged response before the legitimate answer arrives. China’s Great Firewall operates primarily as an on-path injector — it inspects copies of packets and injects spoofed responses. Research has documented that queries merely transiting through Chinese networks can receive poisoned responses, affecting users in other countries.

Transparent DNS proxying

Network equipment captures all outbound DNS traffic on port 53 and reroutes it through the ISP’s resolver — regardless of which DNS server the user configured. The user believes they are querying 8.8.8.8 or 1.1.1.1, but their queries are silently intercepted. In August 2024, Malaysian ISPs implemented transparent proxies intercepting traffic to Google DNS and Cloudflare DNS. Following public backlash, the government suspended the implementation in September 2024.

BGP hijacking of DNS

The most aggressive technique: using BGP routing manipulation to intercept DNS traffic at the network level. In March 2014, Turkey’s Turk Telekom hijacked BGP routes for Google Public DNS (8.8.8.8) after citizens bypassed a Twitter ban by switching to Google’s resolver. The ISP set up impersonation servers at the hijacked IP addresses.

Comparison

| Technique | Sophistication | Circumvention difficulty |
|---|---|---|
| DNS filtering | Low | Easy (change DNS server) |
| DNS poisoning/injection | High | Moderate (encrypted DNS helps) |
| Transparent DNS proxy | Medium | Moderate (use DoH/DoT) |
| BGP hijacking of DNS | High | Hard (requires VPN/tunnel) |

Country profiles

China — the Great Firewall

The most extensive DNS censorship system in the world. A study testing 411 million domains per day over nine months detected 311,000 domains censored by the Great Firewall’s DNS filter. The system blocks Google, Facebook, Twitter/X, YouTube, Wikipedia (Chinese language), WhatsApp, Instagram, and thousands of other domains. China also blocks access to foreign public DNS resolvers from within the country.

Freedom House score (2024): 9/100

Russia — TSPU and the sovereign internet

Russia’s “Sovereign Internet Law” (2019) requires all ISPs to install DPI equipment. Russia created a National Domain Name System (NSDI) — all network operators were required to use it beginning January 2021. In 2024, Roskomnadzor shut down 197 VPN services and declared advertising of VPN services a criminal offense. In December 2024, regional internet outages occurred as Russia tested sovereign internet disconnection capabilities.

Freedom House score (2024): 21/100

Iran — centralized in-path filtering

DNS tampering is the primary censorship technique. The system operates in-path (directly intercepting traffic, not just injecting competing responses), affecting over 6.5 million IPs daily. In February 2024, Supreme Leader Khamenei ordered the Supreme Council of Cyberspace to ban VPN circumvention technology. In late May 2024, Iran began blocking IPv6 traffic entirely.

Freedom House score (2024): 11/100

Turkey — the 8.8.8.8 graffiti protests

When Turkey blocked Twitter in March 2014, citizens discovered they could bypass the DNS-based block by switching to Google Public DNS. The numbers 8.8.8.8 and 8.8.4.4 were spray-painted as graffiti on walls across Istanbul — becoming an iconic symbol of anti-censorship resistance. The government escalated to BGP hijacking of Google DNS routes within days.

Freedom House score (2024): 32/100

Democratic countries

DNS censorship is not limited to authoritarian regimes. The United Kingdom uses court-ordered DNS blocks for copyright enforcement — ISPs blocked over 7,000 piracy domains in the first half of 2024 alone. Italy’s Piracy Shield system requires ISPs to block domains within 30 minutes; in October 2024, it accidentally blocked Google Drive and YouTube for hours. In France, court orders led to OpenDNS withdrawing from the country entirely rather than comply.

Circumvention

Changing DNS resolvers

The simplest bypass: switch to a public resolver like Cloudflare (1.1.1.1) or Google (8.8.8.8). This defeats basic resolver-level filtering but not transparent proxying or BGP hijacking.

Encrypted DNS (DoH/DoT)

DNS-over-HTTPS sends DNS queries as regular HTTPS traffic on port 443, making them indistinguishable from web browsing. This defeats transparent proxies and DNS injection. Major browsers support DoH natively. However, sophisticated censors (China, Iran, Russia) counter by blocking IP addresses of known DoH resolvers, using DPI to detect DoT on port 853, or blocking resolver hostnames at the DNS level.

VPNs

VPNs tunnel all traffic (including DNS) through an encrypted connection to a server in another country. Approximately 1.7–1.8 billion people worldwide use VPNs. In Russia, about 41% of internet users rely on VPNs. VPN demand in Iran surges 1,840% above normal during crackdowns. Governments counter by blocking VPN protocols via DPI and shutting down VPN services — Russia closed 197 VPN services in 2024 alone.

The effectiveness paradox

DNS censorship exists in a paradox:

  1. It is trivially easy to circumvent for technically literate users
  2. It is highly effective against the general population who use default settings
  3. It drives adoption of privacy tools (VPNs, encrypted DNS), which undermine the surveillance capabilities DNS logging provides
  4. It creates collateral damage — Italy’s Piracy Shield blocking Google Drive, China’s DNS poisoning leaking globally, OpenDNS withdrawing from France
  5. It incentivizes escalation to more aggressive techniques (DPI, IP blocking, internet shutdowns) with even greater costs

ICANN’s Security and Stability Advisory Committee concluded in 2025 that DNS resolvers are “not a censorship tool” and that DNS blocking measures are “often implemented without legal or technical precision, transparency, or accountability.”

Global internet freedom has declined for 15 consecutive years according to Freedom House. DNS censorship is both a symptom of that decline and, through the privacy tools it drives adoption of, a catalyst for the encryption that will eventually make it obsolete.