In a 75-domain, 492-destination experiment, domains that showed small-scale routing-induced censorship changes — where some (source IP, source port) combinations bypassed censorship while others did not — were exclusively domains first censored within the last 2 years, indicating inconsistent GFW censorship-node configuration during rollout.

Chinese DNS censorship operates symmetrically — injecting forged responses for both inbound and outbound DNS packets regardless of whether any real service exists at the destination IP. This means any DNS response received for a probe sent to a closed-port IP inside China is unambiguously a censorship injection, not a legitimate resolver reply.

§3.1 detection

Routing-induced censorship variation is persistent across time: packet retries do not resolve observed differences, and manual re-measurement days later yielded identical censorship outcomes for the same (source IP, source port, destination IP) tuples across 12 iterative experiment rounds, ruling out transient packet loss or short-term routing fluctuations.

§4.5, §5.2 evaluation

The lowest 3 bits of the source IP nearly double the number of destinations experiencing censorship measurement changes, consistent with routers XOR-ing low-order bits of source and destination IPs for load-balancing decisions. Varying source IPs produced a mean of 89 routing nodes and 134 distinct paths, versus 55 nodes and 110 paths when varying only source ports.

§5.3 evaluation

Across 10,000 destination IPs in China, 37% showed some change in censorship behavior depending on source IP and source port, spanning 56% of measured ASes. The dominant form of variation (95% of cases) was all-or-nothing: a given (source IP, source port) pair either experienced no censorship or 'expected' censorship, with no intermediate states.

§5.2 evaluation

Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.

2026-sheffey-geedge §4.1, Table 2 dpisni-blockingdns-poisoningmeasurement-platform

Majority-vote ML inference (OCSVM + IF) over OONI data uncovered at least 5 previously undocumented DNS injection IPs active in Russia (e.g., 195.19.90.226, 95.167.13.51, 61.95.167.13.50, 188.19.132.154, 144.85.142.29.248) absent from OONI's existing blocking-fingerprints database, along with novel fingerprints in Italy, Czech Republic, and the UK. Records with fewer than 50 instances were excluded as a conservative false-positive filter.

2024-calle-toward §4.3, Table 5 dns-poisoningml-classifiermeasurement-platform

XGBoost trained on a single month of OONI data achieves near-optimal performance; expanding the training window to 24 months produces deviations of only 0–5 percentage points for FNR, 0.07 PP for FPR, and 0.10 PP for accuracy — suggesting that larger windows introduce noise and overfitting rather than improving detection. Isolation Forest performance degrades more sharply, with accuracy dropping ~5 PP as training data grows beyond 6 months.

2024-calle-toward §4.2, Figure 3 dns-poisoningml-classifiermeasurement-platform

For the Isolation Forest model, resolver ASN (SHAP importance 0.237) and probe ASN (0.220) are the two most predictive features for DNS tampering, reflecting that censorship is topologically concentrated at specific network vantage points. For XGBoost, headers_match dominates (0.317), followed by asn_control_match (0.177), indicating that supervised models rely more on cross-layer consistency signals. DNS tampering represents only 0.5–0.8% of all OONI measurements across 2022–2023 (Figure 2), creating severe class imbalance in any training set.

2024-calle-toward §4.1, Table 4, Figure 2 dns-poisoningml-classifiermeasurement-platform

XGBoost achieves a False Positive Rate of 0.0005, True Positive Rate of 0.9403, and overall accuracy of 0.9991 on OONI global DNS measurement data (2.5% stratified sample), vastly outperforming unsupervised alternatives: Isolation Forest achieves FPR 0.1321 / ACC 0.8699, and One-Class SVM degrades to FPR 0.9711 / ACC 0.0598, making OCSVM effectively unusable for this task.

2024-calle-toward §4.1, Table 3 dns-poisoningml-classifiermeasurement-platform

Brown et al. (2023) combined supervised ML models trained on expert-labeled data with unsupervised models establishing a baseline of 'normal' behavior to detect DNS-based censorship from Satellite and OONI datasets, achieving high true-positive rates for both known and new DNS censorship instances. The hybrid supervised/unsupervised approach is proposed as a template for the LLM-based system.

2024-gao-extended §2 Related Works dns-poisoningmeasurement-platformml-classifier