At least two ISPs (Cyta and Wind) returned fake HTTP 404 errors instead of mandated block pages for a portion of censored entries, and some ISPs served connection timeouts (port 443 blocked) with no explanation — in both cases obscuring deliberate censorship as an apparent network or server failure. Additionally, Cyta embedded Google Analytics on its block landing page to track users who attempted to access censored content.

DNS hijacking of blocked gambling domains in Greece also destroyed MX records for those domains in seven of eight ISPs, making it impossible for users to send email to the censored companies. Only OTE preserved MX records for some (not all) blacklisted domains, and even those were not consistently updated. The Greek Gaming Commission's own public guidance directed affected users to consult prior bank statements for contact information.

§4.3 policy

After the EEEP blacklist was updated in July 2014 to remove pokerstarsblog.com, multiple ISPs continued blocking it — overblocking was observed at Cosmote (7 entries), Wind (7 entries), Vodafone (7 entries), Cyta (3 entries), Forthnet (3 entries), HOL (3 entries), and OTE (3 entries). The blacklist itself contained 28 duplicate domains (6.39%), 17 malformed entries (3.88%), and 3 entries (0.68%) with no gambling content (expired or parked domains).

§5.2, Table 4 evaluation

Across eight Greek ISPs measured in June–August 2014, DNS hijacking was the dominant blocking method: seven of eight ISPs used it exclusively, while only Vodafone deployed DPI (Bluecoat WebProxy/6.0) for URL-level filtering. Compliance with the EEEP blacklist of 438 entries ranged from 21.91% (Forthnet) to 100% (Cosmote, HOL, OTE), with no ISP exactly matching the regulator's list.

§4.2, Table 1 evaluation

Vodafone Greece's DPI system (Bluecoat WebProxy/6.0) performed exact-URL matching against the EEEP blacklist: requests to rivernilecasino.net and www.rivernilecasino.net passed through unblocked, while the exact blacklisted URL www.rivernilecasino.net/index.asp was intercepted and redirected to http://1.2.3.50/ups/no_access_gambling.htm. Subdomains of DNS-hijacked domains returned NXDOMAIN with no A record, making them silently unreachable rather than redirected.

§4.2, Appendix A.1 detection

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling

TCP segmentation (splitting a DNS message into 20-byte TCP fragments) successfully circumvented DNS censorship in China for nearly all resolvers that support TCP. In Iran, TCP segmentation was only partially effective due to the censor's ability to reassemble TCP fragments when system load permits—some runs succeeded completely, others failed entirely across all resolvers. The "Last Response" mode (wait 3 seconds for the final UDP reply) was highly effective against China's on-path GFW injector for all resolvers except the fully IP-blocked Cloudflare 1.1.1.1 resolver.

2026-lange-towards §4.1, §6.2.1, §6.2.2 dns-poisoningdpi

TCP segmentation — splitting DNS-over-TCP messages into 20-byte fragments — successfully circumvented DNS censorship for 40 of 41 tested resolvers in China. In Iran, TCP segmentation is inconsistently effective: it succeeds in some scan runs and fails entirely in others, suggesting the Iranian censor can reassemble TCP fragments when processing capacity permits.

2026-niere-dpyproxy-dns §6.2.1, §6.2.2 dpidns-poisoning

Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.

2026-sheffey-geedge §4.1, Table 2 dpisni-blockingdns-poisoningmeasurement-platform

TTL-based path analysis showed that all censorship actions (DNS poisoning, HTTP injection, TLS resets) in the June 2025 shutdown occurred at the same network hop across all tested ISPs, indicating a single centralized national border gateway—likely TCI AS gateways—rather than per-ISP enforcement. Global BGP announcements were kept intact throughout, making the shutdown invisible to routing monitors while domestic connectivity collapsed.

2025-aryapour-stealth-blackout §4.5 dpidns-poisoningrst-injection