During Iran's near-complete February 2026 shutdown, DNS-based tunneling (dnstt over UDP port 53) was identified by the community as the only functioning circumvention method, with participants successfully sharing public dnstt server configurations to maintain connectivity.

Iran experienced a near-complete internet shutdown on February 28, 2026 beginning at approximately 07:00 UTC, with Cloudflare Radar measuring ~98% connectivity loss relative to the previous week, affecting Tehran, Fars, Isfahan, Alborz Province, and Razavi Khorasan simultaneously.

Issue body evaluation

IODA data confirmed the February 28, 2026 Iran shutdown was implemented via BGP route withdrawals and collapse of IP-space announcements, not merely application-layer blocking — the underlying routing infrastructure itself was withdrawn.

Issue body (IODA reference) deployment

Community experimentation during the February 2026 Iran shutdown revealed heterogeneity across ISPs in what survived: participants tested different DNS resolvers and ISPs to find working dnstt paths, indicating the BGP withdrawal was not perfectly uniform across all Iranian autonomous systems.

Issue comments evaluation

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling

Iran executed a full-stack internet shutdown beginning at 18:45 UTC on January 8, 2026, withdrawing BGP prefix announcements nationwide and causing routing failures that prevented clients from completing TCP handshakes. Traffic dropped to effectively zero within hours of the shutdown's onset.

2026-free-the-internet-iran-internet-shutdown §Issue body / Abstract bgp-hijackip-blocking

On Feb. 5, 2021, Campana Mythic (AS136168) announced Twitter's 104.244.42.0/24 prefix—apparently intending to blackhole Twitter traffic locally as part of the national Twitter block—but the route leaked to operators in Singapore and Vietnam, causing collateral disruption for Twitter users outside Myanmar. This accidental BGP leak corroborates evidence that Myanmar ISPs were independently implementing IP-level censorship without a centralized national kill switch.

2021-padmanabhan-multi-perspective §3.4 bgp-hijackip-blocking

If India deployed centralized filtering at its key ASes, approximately 121,931 foreign-origin paths (1.15% of all Internet paths to censored sites worldwide) that transit Indian ASes would experience collateral blocking, affecting non-Indian users in Finland, Hong Kong, Singapore, Malaysia, the US, and elsewhere who have no connection to Indian censorship law.

2017-gosain-mending §4.1, §4.4 ip-blockingbgp-hijack

Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.

2015-aceto-internet Table 1 bgp-hijackdns-poisoningport-blockingip-blockingrst-injectiontls-fingerprintkeyword-filteringdpi

When Turkish users shifted to foreign DNS providers as a circumvention mechanism, Türk Telekom escalated by rerouting traffic destined for Google Public DNS (8.8.8.8 and 8.8.4.4) to a local DNS server serving false answers (Event E, March 28), causing a rapid drop in Tor and YouTube availability across all Atlas probes regardless of DNS configuration. At least 6 distinct shifts in filtering strategy were documented within a two-week period.

2014-anderson-global §4.1 dns-poisoningip-blockingbgp-hijack