GFW verification tests confirmed over 90% of OONI-detected DNS anomalies as true blocks: 429/457 domains in Beijing and 422/461 in Shanghai. In total, 527 unique domains were confirmed censored via DNS, HTTP, and HTTPS filters; an additional 718 domains suspected blocked due to IP-address-level blocking of their hosting servers rather than domain-level entries.

The automated probe list generation system discovered 45.79 potentially blocked domains per 1,000 domains crawled, compared to 4.11 for FilteredWeb — over 10× higher efficacy. It uncovered 1,490 potentially blocked domains in crawls of just 71,960 URLs, versus 1,255 blocked domains found by Hounsel et al. in crawls of 1,000,000 URLs, with 1,473 of the 1,490 domains not overlapping with prior work.

§5.5 evaluation

Only 36.66% of the 139,957 source list URLs (51,313) survived sanitization as live, meaningful pages, with 18,911 URLs removed for lack of content and many more for dead links — underscoring how rapidly manually curated probe lists decay. In Beijing and Shanghai, over 20% of known domains were consistently inaccessible, versus fewer than 4.5% at all other vantage points, and over 68% of known domains remained blocked, suggesting censored topics stay sensitive even as URLs go stale.

§3.1, §5.2 evaluation

Among inaccessible URLs that also triggered OONI anomalies, approximately 58% were generated by the Top2Vec-Trends pipeline (combining Top2Vec topic modeling with Google Trends keyword expansion), while LDA-TFIDF and Top2Vec alone each accounted for only 13–14%. BERTopic-generated pages were least effective at producing censored candidates.

§5.4 evaluation

VPS-based vantage points in Singapore and India detected censorship patterns similar to 'free' locations, failing to observe blocking known to be enforced by local ISPs following government directives. This occurred because ISP-level censorship is implemented per-carrier rather than centrally, and the VPS provider's ISP did not enforce those blocks — confirmed by re-testing from a residential IP that did observe the expected blocks.

§6.2 detection

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling

GFWeb tested 1.02 billion domains against the GFW over 20 months and discovered 943,000 pay-level domains blocked by HTTP filters and 55,000 by HTTPS filters — the largest GFW blocklist dataset ever published. The HTTP-to-HTTPS ratio (17:1) confirms that the GFW's HTTPS keyword-based and SNI-based blocking covers far fewer domains than its HTTP host-header blocking, likely because HTTPS blocks carry higher collateral-damage risk.

2024-hoang-gfweb Abstract, §5.1 dpidns-poisoningip-blockingkeyword-filteringsni-blocking

The largest measurement study of Turkmenistan censorship to date tested 15.5 million domains and found more than 122,000 domains censored using separate blocklists for DNS, HTTP, and HTTPS. Reverse-engineering the blocking rules revealed approximately 6,000 over-blocking rules that cause incidental filtering of more than 5.4 million additional domains — a 44x collateral damage ratio relative to intentionally blocked domains.

2023-nourin-measuring §Results dns-poisoningdpikeyword-filteringip-blocking

OONI data shows anomaly rates in Russia's top five ASes (including Rostelecom AS12389, Vimpelcom AS8402) rose from roughly 7–11% in January and early February 2022 to 12–21% in mid-March 2022, with social-media and news domains such as Facebook, Twitter, Instagram, and BBC going from available to near-completely blocked after the invasion.

2023-ramesh-network §4.1 dpirst-injectionip-blockingdns-poisoning

Spain's blocking infrastructure, initially mandated for copyright and gambling enforcement, was repurposed to block 24 unique Catalan referendum URLs during October 2017, including the IPFS gateway and two GitHub Pages domains. GitHub Pages was blocked only via DNS manipulation (pointing to 127.0.0.1) rather than HTTP blocking specifically to avoid collateral blocking of all of GitHub.

2021-ververis-understanding §3.1.1, §3.3, §4 dns-poisoningdpiip-blocking