Alternative DNS resolvers trivially circumvent EU sanctions enforcement: third-party providers such as Google Public DNS and Cloudflare DNS implement no sanctions filtering regardless of user location, meaning any user who can switch their resolver can bypass most enforced blocks. The paper concludes that 'as long as a user can utilize an alternative DNS resolver, they would be able to bypass most sanctions enforcement.'

DNS-based blocking was the dominant EU sanctions enforcement mechanism: 87% of the 125 OONI vantage points implementing blocks chose DNS, and RIPE Atlas measurements found 50% of blocking ISPs return DNS error responses. Coverage dropped with each new sanctions package—45% of vantage points blocked first-round domains versus only 17% for fourth-round additions.

§4.1, §4.2 evaluation

EU sanctions enforcement was deeply non-uniform across member states and over time: 77% of blocking autonomous systems enacted enforcement within 3 months of the initial sanctions, but adoption timelines, block-list coverage, and over/under-compliance patterns varied substantially by country and ISP. Austria blocked certain domains months after Germany despite advance specification; domains removed from the German list were eventually de-blocked with significant lag; the newly registered sputnikglobe.com was not widely blocked as of the study's writing.

§4.2, Figure 1 deployment

IP-level access control was the most complete and effective sanctions enforcement mechanism—applied at or near the content destination—but was also the least commonly deployed approach. The paper attributes its rarity to the over-blocking risk when multiple services share a single IP address; one observed instance involved DDoS-mitigation providers performing IP-based enforcement that did not appear in DNS measurements.

§5.4 evaluation

Mirror domains registered by sanctioned Russian outlets (e.g., rtde.site, rtde.xyz, rtde.live, rtde.tech) remained almost universally accessible across EU member states; Table 2 shows near-100% uncensored DNS responses for mirror domains in the vast majority of countries. The EU had no effective mechanism to police domain mirroring in real time, leaving it an unmitigated circumvention strategy throughout the study period.

§5.2, Table 2 evaluation

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

Encrypted DNS protocols (DNS-over-HTTPS and DNS-over-TLS via Cloudflare 1.1.1.1, Google 8.8.8.8, AdGuard, or NextDNS) prevent DNS injection by encrypting the resolver query, making it opaque to in-path GFW middleboxes. The blog recommends these as a lightweight defense that avoids the maintenance overhead of static hosts entries.

2026-anon-6-github-dns §2 使用加密 DNS 服务 dns-poisoning

The GFW blocks GitHub by hijacking DNS resolution to incorrect IP addresses, causing browser timeouts ('github.com 响应时间太长'). The poisoning can be confirmed by comparing nslookup results against a clean resolver (8.8.8.8) versus the local ISP resolver — divergent results confirm injection.

2026-anon-6-github-dns §5 验证 DNS 污染 dns-poisoning

Static /etc/hosts bindings that hardcode correct IPs (e.g. 140.82.113.3 for github.com, 185.199.108.153 for assets-cdn.github.com) bypass DNS-injection blocking entirely, but the blog warns that GitHub IP addresses change and the file must be updated periodically to remain effective.

2026-anon-6-github-dns §1 手动修改 Hosts 文件 dns-poisoning

Chinese users treat full proxy/VPN (Shadowsocks, V2Ray/Clash, commercial VPNs) as the '终极大杀器' (ultimate solution) for bypassing GitHub DNS poisoning, implying that lighter-weight DNS-only fixes fail in some network environments where the censor adds firewall-layer blocking beyond DNS.

2026-anon-6-github-dns §3 使用代理或 VPN dns-poisoningip-blocking

Rule-based proxy tools (Clash, Shadowsocks, V2Ray) are documented as the most reliable solution for accessing GitHub from China, with split-tunneling rules routing only GitHub traffic through the proxy while keeping domestic traffic on the direct path. Git command-line tools require explicit proxy configuration (git config --global http.proxy http://127.0.0.1:7890) to route clone/push operations, as they do not inherit system proxy settings automatically.

2026-anon-github-2026-6-dns §方法二 dns-poisoningip-blocking