TCP segmentation (splitting a DNS message into 20-byte TCP fragments) successfully circumvented DNS censorship in China for nearly all resolvers that support TCP. In Iran, TCP segmentation was only partially effective due to the censor's ability to reassemble TCP fragments when system load permits—some runs succeeded completely, others failed entirely across all resolvers. The "Last Response" mode (wait 3 seconds for the final UDP reply) was highly effective against China's on-path GFW injector for all resolvers except the fully IP-blocked Cloudflare 1.1.1.1 resolver.

Both Firefox and Chromium leak cleartext DNS before establishing encrypted DNS connections: they first send an unencrypted UDP DNS query to resolve the DoH server's domain (e.g., doh.opendns.com). An in-path censor can intercept and poison this initial query, making encrypted DNS in browsers completely ineffective without additional circumvention of the resolver-lookup step. Additionally, Chromium always includes the SNI extension in the encrypted DNS TLS handshake (e.g., "doh.opendns.com"), leaking the resolver identity even after the initial lookup. No resolver requires SNI to be present for certificate validation when the resolver's IP certificate is configured.

§2.4, §7, §10 detection

DNS censorship of encrypted protocols is inconsistent in both China and Iran. In China, Yandex resolvers are censored only when the SNI extension is present; omitting SNI bypasses censorship for these resolvers. In Iran, DoH requires SNI omission for Quad9, Google, Adguard, CleanBrowsing, and NextDNS resolvers, but works with SNI for Yandex and Cisco resolvers. These inconsistencies suggest resolvers have been accidentally missed by censors, highlighting the value of automated tools that trial all resolver-mode combinations rather than hard-coding a single strategy. The support evaluation found 47 resolvers supporting DoH, 16 supporting DoH3, and only 8 supporting DoQ out of ~65 tested.

§6.2, Table 2 evaluation

DPYProxy-DNS tested 8 circumvention modes against DNS censorship from vantage points in Iran (AS201295, Mashhad) and China (AS4837, China Unicom). In Iran, DoQ was entirely uncensored even with the SNI extension present; DoH3 worked for all Cloudflare and NextDNS resolvers. Iran's censor operates in-path (not on-path like the GFW), making the "Last Response" mode (wait 3s for the last UDP reply) ineffective in Iran but highly effective in China. Auto-mode averaged 12.32s (median 8.28s) in Iran and 13.78s (median 12.90s) in China to discover a working combination.

§6.2, §6.3 evaluation

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling

TCP segmentation — splitting DNS-over-TCP messages into 20-byte fragments — successfully circumvented DNS censorship for 40 of 41 tested resolvers in China. In Iran, TCP segmentation is inconsistently effective: it succeeds in some scan runs and fails entirely in others, suggesting the Iranian censor can reassemble TCP fragments when processing capacity permits.

2026-niere-dpyproxy-dns §6.2.1, §6.2.2 dpidns-poisoning

Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.

2026-sheffey-geedge §4.1, Table 2 dpisni-blockingdns-poisoningmeasurement-platform

TTL-based path analysis showed that all censorship actions (DNS poisoning, HTTP injection, TLS resets) in the June 2025 shutdown occurred at the same network hop across all tested ISPs, indicating a single centralized national border gateway—likely TCI AS gateways—rather than per-ISP enforcement. Global BGP announcements were kept intact throughout, making the shutdown invisible to routing monitors while domestic connectivity collapsed.

2025-aryapour-stealth-blackout §4.5 dpidns-poisoningrst-injection

Over 90% of tested censored domains returned private IP addresses in the 10.10.34.0/24 range (chiefly 10.10.34.34) via injected DNS replies during the June 2025 shutdown, with poisoned response TTLs often very low—consistent with inline DPI injection rather than a recursive DNS lookup. A small set of domains including Google and state-approved services were whitelisted and resolved correctly.

2025-aryapour-stealth-blackout §4.1 dns-poisoningdpi