Testing approximately 130 million domain names uncovered 35,332 censored domains from which 14,495 keywords were extracted across 7 distinct matching patterns. The blocklist grew by approximately 10% over eight months (August 2013–April 2014), and more than two-thirds of censored domains had expired registrations, suggesting the GFW rarely removes entries.

The GFW does not distinguish DNS query traffic directionality, injecting forged replies for both inbound and outbound queries on monitored links. This causes collateral censorship of DNS resolvers outside China when they contact authoritative nameservers located in or whose paths transit China, even for non-Chinese clients.

§2 detection

The GFW deploys DNS injection nodes only at China's border, within 2–3 hops of international transit points, across 16 border ASes. Internal probing found only 0.04% of 42,849 domestic routing paths exhibited DNS pollution, versus ~80% of externally-facing /24 subnets.

§5 detection

Probing ~150,000 open DNS resolvers inside China over two weeks found that more than 99.85% provided polluted answers for blocked domains. The small fraction of clean resolvers achieved this by forwarding queries to Google Public DNS or OpenDNS via uncensored tunnels, or by locally dropping responses containing known GFW 'Bad IP' addresses (174 identified IPs).

§4 evaluation

A single GFW node employs approximately 360 distinct processes, load-balanced by source and destination IP address, which collectively inject censored DNS responses at an average rate of ~2,800 packets per second, ranging from 1,100 to 4,000 pps over a day.

§7 detection

IRBlock discovered that 1.7M of 3.3M blocked apex domains (52%) were attributed to blanket suffix-level blocking rules rather than individual domain listings. Examples include regex patterns targeting all Israeli domains (.il TLD), adult content (.porn), and country-coded suffixes (.com.mx, .my.id). Of 87K Tranco-ranked apex domains analyzed, 37% fell into adult content, with entertainment and gambling following. Approximately 1.27M apex domains were jointly censored by both DNS and HTTP filters, while the two filters maintained operationally independent blocklists for a significant fraction of domains.

2025-tai-irblock §5.3 dns-poisoningip-blockingkeyword-filtering

GFWeb tested 1.02 billion domains against the GFW over 20 months and discovered 943,000 pay-level domains blocked by HTTP filters and 55,000 by HTTPS filters — the largest GFW blocklist dataset ever published. The HTTP-to-HTTPS ratio (17:1) confirms that the GFW's HTTPS keyword-based and SNI-based blocking covers far fewer domains than its HTTP host-header blocking, likely because HTTPS blocks carry higher collateral-damage risk.

2024-hoang-gfweb Abstract, §5.1 dpidns-poisoningip-blockingkeyword-filteringsni-blocking

The largest measurement study of Turkmenistan censorship to date tested 15.5 million domains and found more than 122,000 domains censored using separate blocklists for DNS, HTTP, and HTTPS. Reverse-engineering the blocking rules revealed approximately 6,000 over-blocking rules that cause incidental filtering of more than 5.4 million additional domains — a 44x collateral damage ratio relative to intentionally blocked domains.

2023-nourin-measuring §Results dns-poisoningdpikeyword-filteringip-blocking

The COVID-19 Wuhan lockdown caused geolocating Twitter users in China to increase 1.4-fold immediately, remaining 10% above pre-crisis baseline long-term; approximately 320,000 new Chinese users joined Twitter due to the crisis, and the available VPN application's ranking on the Chinese iPhone App Store jumped significantly around 23 January 2020 and maintained that elevated rank.

2022-chang-covid-19 Crisis Increased Censorship Circumvention ip-blockingdns-poisoningkeyword-filtering

In countries with no Great Firewall-equivalent censorship (Germany, Italy) and in less-censored authoritarian states (Iran — Persian Wikipedia; Russia — Russian Wikipedia) that experienced comparable COVID-19 outbreaks, no analogous spillover to politically sensitive content was observed; Wikipedia engagement in those countries increased generally but did not show disproportionate access to historically censored topics, confirming the gateway effect is specific to high-censorship environments.

2022-chang-covid-19 Comparison with Other Countries Affected by the Crisis / Table 1 ip-blockingdns-poisoningkeyword-filtering

Extending Geneva's genetic algorithm to the application layer automatically discovered 77 unique HTTP evasion strategies and 9 DNS evasion strategies against censors in China, India, and Kazakhstan — all requiring only unprivileged usermode modifications with no TCP/IP header access. Against India's Airtel censor, 56 of the 77 strategies succeeded; 29 worked against Kazakhstan; 22 evaded China's keyword-based HTTP censorship and 27 evaded its Host-header censorship.

2022-harrity-get §5.1, §6 dpikeyword-filteringrst-injectiondns-poisoning