DNS queries for blocked domains were intercepted on-path and never reached the authoritative server; instead, the DNS server received 5 TCP RST packets spoofed from the client's address — despite the original queries being UDP, a likely misconfiguration. Three RST packets carried an identical random sequence number while two had a relative offset of 30 from the first three, the same distinctive 3+2 RST pattern observed in the HTTP blocking mechanism.

Measurement of Alexa top-500 websites across 18 categories found that over 50% of the internet's most-visited sites were blocked in Iran, with adult content blocked at over 95% and the Art category the third-most censored. DNS hijacking was applied selectively to only three domains (facebook.com, youtube.com, plus.google.com), while HTTP Host filtering accounted for the vast majority of blocks.

§4.1, Table 1 evaluation

Traceroutes from one major Iranian ISP to 3,160 destination IPs across 13 countries consistently showed a single private-address node (10.10._._) as the first observable external hop, preceded by one of only two TCI-owned transit nodes. TTL-based probing confirmed that both HTTP and DNS blocking originated at this same centralized node, suggesting that the processing capacity of this national chokepoint is a key bottleneck in Iran's censorship infrastructure.

§4.5, §6, Figure 5 evaluation

Iran's HTTP censorship allows the TCP three-way handshake to complete normally before acting on the HTTP GET request: the censor responds with a '403 Forbidden' and simultaneously sends 5 spoofed RST packets to the destination server (3 with in-sequence numbers, 2 with seemingly random offsets). No modifications to TCP/IP or HTTP headers were observed at either endpoint, ruling out a transparent proxy and pointing to inline DPI.

§4.2, Figure 3 detection

SSH transfers utilized only 15% of available bandwidth versus 85–89% for HTTP/HTTPS. When SSH was obfuscated by XORing payloads with a constant key (hiding the plaintext handshake), throughput dropped to near-zero during all trials. Applying the same obfuscation to HTTP transfers produced the same near-zero result, supporting the hypothesis that Iran whitelists known-approved protocols rather than blacklisting specific ones, which would preemptively block any unrecognized or randomized transport including Tor's obfsproxy.

§4.4 detection

Empirical evaluation against nine major commercial VPN providers found all five tested connection tracking frameworks (Linux Netfilter, FreeBSD PF, IPFW, IPFilter, natd) and eight of nine providers vulnerable to at least one session manipulation attack, resulting in 19 assigned CVEs/CNVDs.

2026-yang-invisible-adversaries-systematic §I, §IV rst-injectiondns-poisoning

A co-tenant attacker sharing the same VPN server can launch a port-exhaustion DoS in an average of 4 seconds with over 90% success rate, inject forged HTTP responses in 64.11 seconds at a 66.7% success rate, and hijack DNS responses at success rates of 20% to 70%.

2026-yang-invisible-adversaries-systematic §I, §IV-B, §IV-C, §IV-D rst-injectiondns-poisoningport-blocking

TTL-based path analysis showed that all censorship actions (DNS poisoning, HTTP injection, TLS resets) in the June 2025 shutdown occurred at the same network hop across all tested ISPs, indicating a single centralized national border gateway—likely TCI AS gateways—rather than per-ISP enforcement. Global BGP announcements were kept intact throughout, making the shutdown invisible to routing monitors while domestic connectivity collapsed.

2025-aryapour-stealth-blackout §4.5 dpidns-poisoningrst-injection

Iran's DNS censor now injects two distinct block-page IPs: 10.10.34.36 (≈87% of 47,633 censored domains) and 10.10.34.34 (≈13%). Both originate from the same network node at Iran's border. Prior research (Aryan et al. 2013) described only 10.10.34.34. The IP injected correlates strongly with the HTTP censorship method applied: domains with 10.10.34.34 in DNS receive TCP RST via HTTP (86.8% of RST cases), while domains with 10.10.34.36 in DNS receive HTTP block pages (84.6% of block-page cases).

2025-lange-i-ra-nconsistencies §3.1, Table 2 dns-poisoningrst-injectionpacket-injection

Neither China nor Iran directly block ECH ClientHello messages; instead both effectively prevent ECH by censoring encrypted DNS resolvers. China blocks Cloudflare's DoH/DoT resolver (mozilla.cloudflare-dns.com) via SNI-based blocking in TLS and QUIC, causing residual censorship of up to 360 and 180 seconds respectively. Iran blocks both Cloudflare and NextDNS DoH hostnames via DNS block-page injection, TLS TCP RST, and HTTP block pages. Iran cannot analyze QUIC, so DoQ is uncensored and enables ECH in Iran. China's NextDNS IP blackholing affected only one of two resolved IPs, leaving an uncensored path.

2025-niere-encrypted §5, Table 1, Figure 5 dns-poisoningsni-blockingrst-injectionhttp3-quic-block

Six injected IPv4 addresses (8.7.198.46, 39.109.122.128, 46.82.174.69, 59.24.3.174, 93.46.8.90, 103.97.3.19) accept TCP SYN→SYN+ACK from within China but immediately reply RST when the client sends application data (PSH flag). These hosts mirror IPID values from probe packets, show no response from outside China, and appear to operate statelessly — suggesting GFW-controlled surveillance infrastructure that collects connection metadata without revealing itself.

2025-sheffey-extended §2.2.2 dns-poisoningrst-injection