How blocking works

How does internet blocking work?

Internet blocking relies on several technologies to prevent internet users from accessing specific websites and services. The most common techniques are IP blocking, DNS blocking, Deep Packet Inspection (DPI), and HTTPS-based blocking.

How does IP blocking work?

IP-based blocking relies on blocking specific IP (Internet Protocol) addresses. On the internet, an IP is like a street address - you have one, your favorite website has one, everyone has one. However, IPs are expressed in numbers (e.g., 8.8. 8.8. 8.8), which are hard for people to remember. That’s why websites have URL addresses (e.g., tied to their IPs.

When you enter a URL, the device uses a service called DNS to translate the URL into an IP address. However, an internet service provider can set up a firewall that blocks connections to specific IP addresses.

IP blocking is a more thorough system than DNS blocking (which blocks the URL to IP translation) as it can’t be bypassed by switching the DNS service. Both methods rely on having access to someone in the loop of communication between the user and website to work. States accomplish this by making ISPs or whoever controls the local internet backbone infrastructure do the blocking.

How does DNS blocking work?

DNS-based blocking blocks DNS (Domain Name System) requests tied to specific websites. Your mobile phones don’t use URLs (e.g., to actually reach the websites. Instead, they take the URL you entered and ask the local DNS service about it.

DNS is like a phonebook that translates URLs (e.g., into IP addresses (e.g., 8.8. 8.8. 8.8). IP addresses are what devices actually use to communicate on the internet - even you have one. But since random numbers are hard to remember, we have a DNS service handle the translating from one into the other. But with a DNS block in place, the DNS service doesn’t give out an IP address when asked about a blocked URL. In some cases, it may even give an IP that will route users to a website set up by the authorities to warn them of their wrongdoing.

DNS-blocking relies on having access to someone in the chain of communication between the user and website to work. For states, this means demanding that local ISPs modify their DNS databases. However, DNS blocking is one of the easiest methods to overcome, as users with the barest minimum of technical knowledge can change the DNS address on their device.

How does deep packet inspection (DPI) work?

Deep packet inspection (DPI) is the most comprehensive and resource-intensive method of blocking online communications. It relies on carefully inspecting all the data an internet user is sending and receiving in real-time. So, for example, if a user types a banned keyword such as “Tiananmen Square,” the search might fail as the data associated with the search is blocked.

This content blocking measure is very costly, as the firewall has to check all of the data the user is sending or receiving. State actors employ them by forcing ISPs to implement firewalls that can carry out DPI tasks or by enforcing these controls at the local internet backbone infrastructure.

How does HTTP-based blocking work?

This method targets the URL address based on the web addresses of the data the user’s device is sending and receiving. If a user tries to connect to a specific URL address that contains sensitive keywords or matches banned addresses, the firewall can block it. So if Facebook is a banned website, an HTTP-based block would block access to any website address that includes the word “facebook.”

This is one of the cheapest and most ubiquitous methods to implement. It is also one of the easiest censorship methods to circumvent.