How blocking works

How does internet filtering work?

Several techniques are used to prevent internet users from accessing specific websites and services. The most common techniques are IP blocking, DNS poisoning, and Deep Packet Inspection (DPI) HTTPS-based filtering.

How does IP blocking work?

IP blocking relies on blocking specific IP (Internet Protocol) addresses. On the internet, an IP is like a street address - you have one, your favorite website has one, everyone has one. However, IPs are expressed in numbers (e.g., 8.8. 8.8. 8.8), which are hard for people to remember. That’s why websites have URL addresses (e.g., tied to their IPs.

When you enter a URL, the device uses a service called DNS to translate the URL into an IP address. However, an internet service provider can set up a firewall that blocks connections to specific IP addresses.

IP blocking is a more thorough system than DNS blocking (which interferes with the URL to IP translation) as it can’t be bypassed by switching the DNS service. Both methods rely on having access to someone in the loop of communication between the user and website to work. States accomplish this by making ISPs or whoever controls the local internet backbone infrastructure do the blocking.

How does DNS poisoning work?

DNS-based filtering targets DNS (Domain Name System) requests tied to specific websites. Your mobile phones don’t use URLs (e.g., to actually reach the websites. Instead, they take the URL you entered and ask the local DNS service about it.

DNS is like a phonebook that translates URLs (e.g., into IP addresses (e.g., 8.8. 8.8. 8.8). IP addresses are what devices actually use to communicate on the internet - even you have one. But since random numbers are hard to remember, we have a DNS service handle the translation from one to the other. But with DNS filtering in place, the DNS service doesn’t give out an IP address when asked about a blocked URL. In some cases, it may even give an IP that will route users to a website set up by the authorities to warn them of their wrongdoing.

DNS filtering relies on having access to someone in the chain of communication between the user and website. For states, this means instructing local ISPs to modify their DNS databases. However, DNS filtering and poisoning is one of the easiest methods to overcome, as users with the barest minimum of technical knowledge can change the DNS address on their device.

How does deep packet inspection (DPI) work?

Deep packet inspection (DPI) is the most comprehensive and resource-intensive method of blocking online communications. It relies on carefully inspecting all the data an internet user is sending and receiving in real-time.

This content blocking measure is costly, as the firewall has to check all of the data the user is sending or receiving although the technology is becoming more readily available to operators. State actors employ DPI filtering by forcing ISPs to implement firewalls that can carry out DPI tasks or by enforcing these controls at the local internet backbone infrastructure.

DPI filtering most frequently targets the HTTPS URL address based on the web addresses of the data the user’s device is sending and receiving. If a user tries to connect to a specific domain name that contains sensitive keywords or matches banned addresses, the firewall can drop the request. So if Facebook is a banned website, an HTTPS-based DPI filter would block access to any website address that includes the word “facebook” as it appears in the HTTPS request, also known as the TLS SNI header.