Triplet Censors: Demystifying Great Firewall’s DNS Censorship Behavior


Anonymous; Arian Akhavan Niaki, University of Massachusetts Amherst; Nguyen Phong Hoang, Stony Brook University; Phillipa Gill and Amir Houmansadr, University of Massachusetts Amherst


The Great Firewall of China (GFW) has long used DNS packet injection to censor Internet access. In this work, we analyze the DNS injection behavior of the GFW over a period of nine months using the Alexa top 1M domains as a test list. We first focus on understanding the publicly routable IPs used by the GFW and observe groups of IPs used to filter specific sets of domains. We also see a sharp decline in public IPs injected by the GFW in November 2019. We then fingerprint three different injectors that we observe in our measurements. Notably, one of these injectors mirrors the IP TTL value from probe packets in its injected packets which has implications for the use of TTL-limited probes for localizing censors. Finally, we confirm that our observations generally hold across IP prefixes registered in China.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {257178,
author = {Anonymous and Arian Akhavan Niaki and Nguyen Phong Hoang and Phillipa Gill and Amir Houmansadr},
title = {Triplet Censors: Demystifying Great {Firewall{\textquoteright}s} {DNS} Censorship Behavior},
booktitle = {10th USENIX Workshop on Free and Open Communications on the Internet (FOCI 20)},
year = {2020},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video