Across all four studied countries (China, Iran, India, Kazakhstan), HTTP/3 over QUIC had consistently lower failure rates than HTTPS over TCP: 27.1% vs 37.3% in China, 16.2% vs 34.4% in Iran, and 12.0% vs 15.0% in India (AS55836). The only QUIC-specific interference method observed was black-holing during the QUIC handshake (QUIC-hs-to); no RST injection or SNI-based QUIC filtering was detected.

In China (AS45090), HTTP/3 over QUIC has a lower overall failure rate (27.1%) than HTTPS over TCP (37.3%), but hosts that time out during the TCP handshake (TCP-hs-to, indicating IP blocking) always also fail over QUIC — while hosts blocked via TLS-hs-to or conn-reset (SNI-based methods) nearly always succeed over QUIC.

§5.1, Table 1, Figure 3a evaluation

In India (AS55836), TCP and QUIC failure rates closely track each other (15.0% vs 12.0%), with every TCP-hs-to and route-err failure matched by a corresponding QUIC failure, confirming IP-based blocking affects both protocols equally. In contrast, India AS14061 (VPS) shows 16.3% TCP failure entirely from route-err but only 0.1% QUIC failure, suggesting the VPS vantage point sits outside the censored path.

§5.1, Table 1, Figure 3b detection

In Iran (AS62442), HTTPS connections fail at 34.4% (mostly TLS-hs-to, consistent with SNI filtering), while HTTP/3 over QUIC fails at only 16.2%. SNI spoofing reduces TCP failure from 60.1% to 10.2% but has zero effect on QUIC (20.1% both with real and spoofed SNI), indicating Iranian censors apply separate UDP endpoint blocking to QUIC rather than SNI-based identification.

§5.2, Table 3 detection

Only approximately 5% of domains from the combined Citizen Lab and Tranco Top-4000 test lists supported QUIC in early 2021, heavily skewing the measurable set toward large global .com domains (e.g., Google properties). This bias means the study predominantly captures censorship of internationally targeted sites rather than country-specific domains.

§4.3 evaluation

Censorship enforcement varies dramatically across Iranian ASes. AS58224 (TCI, 3.6M IPs) blocks 89-98% of IPs across DNS injectors and 87.6% for UDP. AS197207 (MCCI, 2.3M IPs) and AS44244 (IranCell, 1.3M IPs) show near-zero censorship (0.15-0.76% across injectors). AS31549 (RASANA, 577k IPs) blocks 97-99% for DNS/HTTP but 64% for UDP. Some IPs— including those belonging to the Iranian President's website and Ministry of Foreign Affairs—are deliberately exempted from bidirectional censorship. Two exempted MFA IPs (109.201.19.184 and 109.201.27.67) appear linked to APT15 (Playful Taurus) C&C infrastructure.

2025-tai-irblock §5.1, §5.2, Table 1 dns-poisoninghttp3-quic-blockip-blocking

Russia's TSPU ("Средства противодействия угрозам") system is deployed inline at individual ISP edges rather than at centralized internet exchange points, producing substantial per-ISP heterogeneity: some providers apply layer-7 SNI/Host filtering while others rely primarily on IP-prefix blocklists, and QUIC/HTTP3 is blocked at several major providers. Rollout timing and enforcement depth vary measurably across autonomous systems, meaning a single "Russia passes/fails" test fixture systematically underestimates blocking coverage.

2024-xue-tspu-russia §4–§5 sni-blockingdpihttp3-quic-blockip-blocking

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

Chinese users treat full proxy/VPN (Shadowsocks, V2Ray/Clash, commercial VPNs) as the '终极大杀器' (ultimate solution) for bypassing GitHub DNS poisoning, implying that lighter-weight DNS-only fixes fail in some network environments where the censor adds firewall-layer blocking beyond DNS.

2026-anon-6-github-dns §3 使用代理或 VPN dns-poisoningip-blocking

Rule-based proxy tools (Clash, Shadowsocks, V2Ray) are documented as the most reliable solution for accessing GitHub from China, with split-tunneling rules routing only GitHub traffic through the proxy while keeping domestic traffic on the direct path. Git command-line tools require explicit proxy configuration (git config --global http.proxy http://127.0.0.1:7890) to route clone/push operations, as they do not inherit system proxy settings automatically.

2026-anon-github-2026-6-dns §方法二 dns-poisoningip-blocking

The GFW blocks GitHub via DNS poisoning across at least four domains — github.com, assets-cdn.github.com, github.global.ssl.fastly.net, and raw.githubusercontent.com — causing connection timeouts and page-load failures for mainland China users. The block is persistent as of February 2026, affecting both browser access and command-line git operations.

2026-anon-github-2026-6-dns Introduction / §方法一 dns-poisoningip-blocking