29 of 80 VPN providers — including paid services — configure clients to resolve DNS through third-party public resolvers (Google Public DNS, Cloudflare, OpenDNS, Quad9) rather than provider-operated infrastructure. Three self-hosted solutions (Algo, Streisand, Outline) hardcode public DNS with no easy override, causing connection failures in regions where those services are blocked.

VPNalyzer is the first study to measure DNS leaks during tunnel failure, discovering that 8 VPN providers — including TunnelBear and Private Internet Access — allow DNS queries to bypass their kill switch or firewall rules, exposing users' ISP IP addresses and queried domain names to their ISP and DNS resolvers outside the tunnel.

§VI-B evaluation

Only 11 of 80 tested VPN providers supported IPv6 connectivity; 5 providers — Astrill VPN, Norton Secure VPN, Turbo VPN, SurfEasy VPN, and a university VPN — failed to block IPv6 traffic when the VPN tunnel did not support it, silently leaking all IPv6 data directly to the user's ISP even when IPv4 was fully tunneled.

§VI-A evaluation

Among 80 tested VPN providers, 26 leaked user traffic during tunnel failure: 18 exhibited a missing or broken kill switch leaking all traffic types, and 8 additional providers leaked only DNS traffic. In a case study of 39 top providers with all security settings explicitly enabled ('custom secure mode'), 10 still leaked traffic, with 6 leaking even with the 'kill switch' feature activated.

§VI-B, §VI-H evaluation

27 of 80 tested VPN providers had servers within a single AS (AS 9009, M247 Ltd), and VPNalyzer identified 14 providers sharing 4 specific IP blocks within that AS; 2 additional providers shared an IP block in AS 60068 (Datacamp). Such infrastructure concentration enables censors to block multiple VPN products simultaneously with a single IP-range or AS-level rule.

§VI-D evaluation

The automated probe list generation system discovered 45.79 potentially blocked domains per 1,000 domains crawled, compared to 4.11 for FilteredWeb — over 10× higher efficacy. It uncovered 1,490 potentially blocked domains in crawls of just 71,960 URLs, versus 1,255 blocked domains found by Hounsel et al. in crawls of 1,000,000 URLs, with 1,473 of the 1,490 domains not overlapping with prior work.

2024-tang-automatic §5.5 measurement-platformdns-poisoningip-blocking

VPS-based vantage points in Singapore and India detected censorship patterns similar to 'free' locations, failing to observe blocking known to be enforced by local ISPs following government directives. This occurred because ISP-level censorship is implemented per-carrier rather than centrally, and the VPS provider's ISP did not enforce those blocks — confirmed by re-testing from a residential IP that did observe the expected blocks.

2024-tang-automatic §6.2 measurement-platformip-blocking

The authors' blockpage-based methodology cannot detect transit censorship implemented via TCP RST injection or packet drops, because distinguishing these from transient network errors requires identifying their location on the routing path. As a result, the 8-country, 6-AS finding is explicitly characterized as a lower bound on the true extent of Russian transit censorship.

2023-ortwein-towards §4.1 Gathering Blockpages / §6 Conclusion rst-injectionip-blockingmeasurement-platform

ICLab's commercial VPN vantage points reside in data-center ('content') ASes for 41% of monitored networks, which may experience less aggressive censorship than residential ISPs, making VPN-based measurements a systematic lower bound on blocking rates faced by ordinary users. In countries where both VPN and volunteer-operated device (VOD) vantages coexist, identical block pages were observed from both AS types, indicating similar overt blocking policies, but covert IP-based or RST-injection blocking may still differ by AS class.

2020-niaki-iclab §III-B measurement-platformip-blocking

Four OR ports (443, 8443, 444, 9001) account for 82% of all active public bridge fingerprints as of April 2016, down from 95% in March 2013 but still concentrated. Scanning just three of these ports (443, 8443, 9001) is sufficient to deanonymize 71% of all active public bridges. Additionally, CollecTor's published per-bridge usage statistics allow a censor to rank bridges by client count per country and identify the highest-impact OR ports to scan next.

2017-matic-dissecting §V-D, Figure 6, Table IV ip-blockingmeasurement-platform

Aggregate measurements across nearly 180 countries over 17 days found that 60% of reflectors experienced some degree of connectivity disruption; the bias of detected blocks toward Citizen Lab Block List sites held for both inbound and outbound filtering, and temporal variability corroborated documented censorship events around political timelines.

2017-pearce-augur §VI-B measurement-platformip-blocking