Among Iris's DNS manipulation detection metrics, AS-level consistency was most effective, classifying 90% of DNS responses as unmanipulated. IP-address identity matching flagged approximately 80% of correct responses, while HTTPS certificate validation improved from 38% to 55% accuracy when SNI was included in follow-up TLS probes.

Iris detected 41,778 manipulated DNS responses (0.31% of 13.5 million queries) across 58 countries and 1,408 domains in a two-day measurement window in January 2017. Iranian resolvers exhibited the highest median manipulation rate at 6.02% per resolver; China followed at 5.22%. Iran and China together accounted for roughly 55% of all manipulated responses despite contributing only approximately 6% of total query volume.

§5.2, Table 6 evaluation

Iranian DNS censorship returns special-purpose/private IPv4 addresses in 99.99% of manipulated responses (only 0.01% public), whereas Chinese manipulation returns public IPs 99.46% of the time—often addresses that host no services at all. The 10 most frequent Chinese censor-injected IPs constituted approximately 75% of all Chinese manipulated DNS responses.

§5.2, Table 8 detection

Iris filtered 4.2 million open DNS resolvers down to 6,564 infrastructure resolvers by retaining only those with PTR records matching ns[0-9]+ or nameserver[0-9]*, achieving coverage across 157 countries with a median of 6 resolvers per country. The ethical constraint of excluding end-user home routers reduced usable resolvers by 99.8% but preserved global geographic breadth sufficient to detect country-level DNS manipulation at scale.

§3.3, §4.1, Table 1 evaluation

DNS manipulation is heterogeneous within countries, not uniform across ISPs. In Iran, one cluster of domains is manipulated by approximately 80% of in-country resolvers while a second group is manipulated by fewer than 10%, consistent with differential blackholing by separate DNS manipulation infrastructure tiers. China shows a similar bimodal split (~80% vs ~50%), while Greece and Kuwait exhibit more homogeneous cross-resolver manipulation.

§5.3, Figure 7 evaluation

Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.

2026-sheffey-geedge §4.1, Table 2 dpisni-blockingdns-poisoningmeasurement-platform

Majority-vote ML inference (OCSVM + IF) over OONI data uncovered at least 5 previously undocumented DNS injection IPs active in Russia (e.g., 195.19.90.226, 95.167.13.51, 61.95.167.13.50, 188.19.132.154, 144.85.142.29.248) absent from OONI's existing blocking-fingerprints database, along with novel fingerprints in Italy, Czech Republic, and the UK. Records with fewer than 50 instances were excluded as a conservative false-positive filter.

2024-calle-toward §4.3, Table 5 dns-poisoningml-classifiermeasurement-platform

XGBoost trained on a single month of OONI data achieves near-optimal performance; expanding the training window to 24 months produces deviations of only 0–5 percentage points for FNR, 0.07 PP for FPR, and 0.10 PP for accuracy — suggesting that larger windows introduce noise and overfitting rather than improving detection. Isolation Forest performance degrades more sharply, with accuracy dropping ~5 PP as training data grows beyond 6 months.

2024-calle-toward §4.2, Figure 3 dns-poisoningml-classifiermeasurement-platform

For the Isolation Forest model, resolver ASN (SHAP importance 0.237) and probe ASN (0.220) are the two most predictive features for DNS tampering, reflecting that censorship is topologically concentrated at specific network vantage points. For XGBoost, headers_match dominates (0.317), followed by asn_control_match (0.177), indicating that supervised models rely more on cross-layer consistency signals. DNS tampering represents only 0.5–0.8% of all OONI measurements across 2022–2023 (Figure 2), creating severe class imbalance in any training set.

2024-calle-toward §4.1, Table 4, Figure 2 dns-poisoningml-classifiermeasurement-platform

XGBoost achieves a False Positive Rate of 0.0005, True Positive Rate of 0.9403, and overall accuracy of 0.9991 on OONI global DNS measurement data (2.5% stratified sample), vastly outperforming unsupervised alternatives: Isolation Forest achieves FPR 0.1321 / ACC 0.8699, and One-Class SVM degrades to FPR 0.9711 / ACC 0.0598, making OCSVM effectively unusable for this task.

2024-calle-toward §4.1, Table 3 dns-poisoningml-classifiermeasurement-platform

Brown et al. (2023) combined supervised ML models trained on expert-labeled data with unsupervised models establishing a baseline of 'normal' behavior to detect DNS-based censorship from Satellite and OONI datasets, achieving high true-positive rates for both known and new DNS censorship instances. The hybrid supervised/unsupervised approach is proposed as a template for the LLM-based system.

2024-gao-extended §2 Related Works dns-poisoningmeasurement-platformml-classifier