Censorship · 2026-05-01 · 23 min read

Internet censorship in 2026 — how the modern firewall really works

A no-jargon breakdown of how internet censorship works in 2026 — DNS, IP, DPI, throttling — and the realistic ways people bypass each layer.

Written by
Devon Park
Privacy researcher

Internet censorship is no longer a single switch a government can flip. It’s a stack — four overlapping technical layers, each with its own logic and its own counters. Understanding the stack is the difference between buying a tool that helps you and buying one that just feels reassuring.

The four layers of modern censorship

Every sophisticated censorship system works by combining at least two of the following four techniques. The reason they’re stacked is simple economics: each layer is cheap to operate and handles a different class of traffic. Together they cover most of what a government or network operator wants to suppress.

DNS blocking is the oldest and cheapest layer. When your device wants to reach a domain — say, a news site that’s been declared off-limits — it first sends a query to a DNS resolver asking for the IP address behind that domain name. Operators who control the resolver (your ISP almost always runs one by default) can simply return the wrong answer, or no answer at all. You type the domain; your resolver lies; your browser reports a connection error. From a user’s perspective it looks exactly like the site is down. From an operator’s perspective it costs almost nothing — a blocklist of a few thousand domains can be enforced with a few database lookups per query. The main tooling is whatever software runs the ISP’s resolvers (BIND, Unbound, proprietary appliances), augmented with a regularly updated blocklist issued by the regulatory authority. DNS blocking is the most common first layer because it requires no per-packet inspection, scales to millions of users on commodity hardware, and can be updated in minutes.
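What “your resolver lies” looks like on the wire, as an added example that is not from the article or from ORION/VPN: the script below builds a DNS query, parses the wire-format answer a resolver returns, and compares it against a trusted reference answer of the kind a DoH client would fetch (`doh_get_url` shows the RFC 8484 GET encoding of the same query). The `build_response` helper only fabricates sample answers so the check runs offline; the hostname and addresses are constructed, and the sinkhole heuristic (loopback, unspecified, link-local and RFC 1918 space) is an assumption about where block pages are typically served from.

```python
"""Added example (not from the article): spot a lying resolver by comparing
its wire-format DNS answer with a trusted reference answer, e.g. one fetched
over DoH. Standard library only; every name and address is constructed."""
import base64
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def encode_name(name):
    """Encode 'a.b.c' as length-prefixed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """Minimal A-record query: header with RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(query, endpoint="https://cloudflare-dns.com/dns-query"):
    """RFC 8484 GET form: the same wire-format query, base64url without padding."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(data):
    """Return txid, RCODE and the IPv4 addresses in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(data[off:off + 4])))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}

def build_response(query, addresses=(), rcode=0, ttl=300):
    """Fabricate a reply to `query`; used here only to construct sample answers."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + ipaddress.IPv4Address(a).packed for a in addresses)
    return header + query[12:] + rrs

def looks_like_sinkhole(addr):
    """Assumption: block pages are commonly served from loopback, unspecified or RFC 1918 space."""
    ip = ipaddress.IPv4Address(addr)
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or any(ip in n for n in RFC1918)

def classify(observed, trusted):
    """Compare the local resolver's parsed answer with the trusted one."""
    if observed["rcode"] == 3 and trusted["answers"]:
        return "nxdomain-injected"                      # resolver claims the name does not exist
    if observed["rcode"] != 0 and trusted["rcode"] == 0:
        return "error-injected"
    if any(looks_like_sinkhole(a) for a in observed["answers"]):
        return "sinkhole-address"                       # answer points at a block page
    if set(observed["answers"]) & set(trusted["answers"]):
        return "consistent"
    if observed["answers"]:
        return "mismatch"                               # may be CDN geo-steering; not proof alone
    return "empty-answer"
```

A name that the ISP resolver answers with NXDOMAIN while a trusted resolver answers with an address is the clearest signal; a plain address mismatch is weaker evidence, since CDNs legitimately hand different addresses to different vantage points.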

IP blocking operates one layer down. Instead of lying to the DNS resolver, the network drops any packet destined for a specific IP address or IP range. This catches traffic that doesn’t use DNS at all — hardcoded IPs, VoIP clients, apps that cache addresses — and provides a harder technical block for sites where DNS evasion is common. Operators use routing tables and firewall rules at border routers to enforce it. The bluntness of IP blocking is also its weakness: a single IP address may host thousands of unrelated sites (shared hosting, CDNs), so blocking one usually blocks many. This collateral damage sometimes causes political problems and forces censors to be selective about which IPs they actually null-route.

Deep packet inspection (DPI) is the surveillance layer. Rather than acting on addressing information, DPI examines the payload and shape of network traffic in real time, looking for patterns that identify what kind of traffic it is and, in some cases, what it contains. A DPI appliance sitting at an ISP’s border can classify connections by protocol, identify VPN handshakes by their characteristic byte sequences, read unencrypted DNS queries even when routing says they should pass, and detect keywords in unencrypted HTTP traffic. This is the layer that makes censorship difficult to bypass with simple tools — because the block isn’t based on where you’re going but on the signature of how you’re getting there. The deep packet inspection explained article covers how DPI hardware makes these classification decisions at line rate. Commercial DPI appliances from vendors like Sandvine, Huawei, and ZTE are widely deployed in restrictive networks and can process traffic at carrier speeds without introducing meaningful latency.

Throttling is the subtlest layer. Rather than blocking traffic outright, throttling degrades specific services to the point of unusability — reducing speeds to a few kilobytes per second for video streaming, forcing connection timeouts on encrypted tunnels, or selectively degrading international links during politically sensitive periods. Throttling is harder to attribute and harder to prove than a hard block. A user who can’t stream a news broadcast experiences it as “bad internet today,” not as censorship, which is precisely the point. It’s also reversible instantly and deniably. Mobile carriers are frequently the enforcement point for throttling because spectrum and infrastructure are heavily regulated and regulators have direct administrative leverage over operators.

Technique               | What it blocks                              | Who enforces it                        | User experience
DNS blocking            | Domain-name-based destinations              | ISP resolver, national DNS             | “Site not found” — looks like the site is down
IP blocking             | Specific server addresses or address ranges | Border routers, ISP firewalls          | Connection timeout or reset — looks like a network problem
Deep packet inspection  | Protocols, VPN handshakes, keywords         | DPI appliances at ISP/national border  | Selective failures — VPNs drop, specific apps stop working
Throttling              | Anything the operator can classify          | Mobile carriers, ISP QoS systems       | Extreme slowness, timeouts, unusable — looks like congestion

A short global tour — the shapes of censorship

Internet censorship doesn’t look the same everywhere, because the goal, the technical capacity, and the political constraints differ. Mapping those differences helps you understand why a tool that works in one environment fails completely in another.

The lightest censorship regimes rely almost entirely on DNS-level blocking, perhaps augmented by selective IP blocks for the highest-priority targets. This is common in countries with democratic institutions where regulatory authority over the internet is politically contested — courts can compel ISPs to block specific domains, but full DPI deployment would require legislation that doesn’t yet exist or would face constitutional challenges. The blocks are annoying but trivially bypassed with an alternative DNS resolver.

A more aggressive tier combines DNS and IP blocking with DPI-based VPN detection. These networks don’t just block destinations — they block the tools used to reach blocked destinations. A commercial VPN with a recognizable handshake will be detected and silently dropped. The user may find that certain ports are blocked, that VPN connections establish briefly and then die, or that only traffic that looks like ordinary web browsing flows reliably. This is the category where choosing the right transport matters more than choosing the right VPN provider.

The most sophisticated deployments add whitelisting: instead of maintaining a blocklist of forbidden destinations, they maintain an allowlist of permitted ones. Any destination not on the list is unreachable by default. Combined with mandatory registration of devices on the network, this creates an environment where the network topology itself enforces access control. You cannot bypass a whitelist with a VPN that reaches the open internet, because the VPN traffic itself goes to an IP address that isn’t on the whitelist. The only technical counters involve routing through an approved domestic server that then reaches the forbidden destination — which requires a cooperating entity inside the approved network.

Several factors determine how aggressive censorship gets in a given place. Technical capacity is one: building and maintaining DPI infrastructure at national scale is expensive and requires trained staff. Political will is another: censorship that angers a technically sophisticated urban middle class creates political costs. Legal frameworks matter too — countries where internet access is explicitly included in rights discourse face higher bars to overt blocking. And economics plays a role: heavy-handed blocking of international platforms can impede legitimate business activity, creating pressure from domestic commercial interests that don’t want their communications disrupted.

Finally, crisis periods change the picture sharply. Networks that apply light-touch DNS filtering during normal times may activate IP blocks and throttling within hours when protests begin, elections approach, or a major geopolitical event unfolds. The infrastructure for aggressive censorship is often built and kept on standby rather than applied continuously, because continuous application carries political costs that intermittent application avoids.


How each layer is bypassed — and the tradeoffs

Understanding each layer’s logic makes the bypasses obvious. Each bypass works by either moving the traffic to a path the censor doesn’t control, or making the traffic look like something the censor has decided not to block.

Bypassing DNS blocking is the easiest. The attack surface is narrow: if you control which DNS resolver your device uses, you can use one that answers honestly. DNS over HTTPS (DoH) and DNS over TLS (DoT) are protocols that hide your queries inside an encrypted connection to a trusted resolver — 1.1.1.1 (Cloudflare), 9.9.9.9 (Quad9), or 8.8.8.8 (Google). An ISP-level DNS interceptor cannot read or tamper with these queries because they’re encrypted before they leave your device. Major browsers now support DoH natively; enabling it is a settings change, not a software installation. The cost is minimal: a negligible latency increase (a few milliseconds to a resolver outside your country), and the residual risk that an adversary blocks the IP addresses of the popular public resolvers — which some do. For users facing only DNS-level blocks, DoH alone is often sufficient, requires no VPN, and introduces no meaningful slowdown.

Bypassing IP blocking requires moving your traffic to a server that isn’t on the blocklist. A VPN is the standard tool here — your packets go to the VPN server’s IP rather than the blocked destination, and the VPN server forwards them onward. This works reliably when the VPN server’s IP isn’t itself blocked. The arms race is around IP address freshness: censors add VPN exit IPs to blocklists; VPN providers cycle in new IPs. Residential proxies — which route through IP addresses assigned to domestic internet subscribers rather than data-center ranges — are harder to block at scale because blocking them also disrupts legitimate residential traffic. The tradeoffs for residential proxies are cost (they’re more expensive to operate), speed (individual residential connections are slower than data-center fiber), and trust (you’re routing through someone else’s home device, which creates its own risks). For more on what a VPN actually does at the network level, including how IP-layer bypass works, the what is a VPN article has the detailed mechanics.

Bypassing DPI is the hardest problem, and it’s where most VPN marketing is misleading. DPI doesn’t block destinations — it blocks traffic signatures. So the solution isn’t to find a destination the censor hasn’t blocked; it’s to make your connection look like something the censor won’t block. In practice, this means making VPN traffic look like ordinary encrypted web browsing — using ports and traffic patterns that are indistinguishable from a normal browser session. The deep packet inspection explained article covers the specific signals DPI uses: packet sizes, timing distributions, the shape of the opening handshake bytes, the domain name field in the connection header. A VPN transport that gets all of these right is very difficult to block without also disrupting a large fraction of ordinary web traffic, which most censors are reluctant to do. The cost of this approach is compute and latency overhead — dressing packets to match a traffic fingerprint takes processing time. On modern hardware it’s typically a few milliseconds per connection, which is imperceptible in practice, but it sets a throughput ceiling below the raw capacity of a fast link.
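One caveat worth making concrete, since encrypted DNS is the first step on the ladder: DoH hides the lookup, but the TLS ClientHello that follows still carries the destination hostname in plaintext in its server_name (SNI) extension, which is the “domain name field in the connection header” referred to above. The example below is added here and is not from the article; it builds a ClientHello for a constructed hostname and extracts the SNI from it the way a passive sensor at an ISP border (or a defender’s Zeek or Suricata sensor) would, which is why encrypted DNS on its own does not hide where you are going from DPI.

```python
"""Added example (not from the article): what a passive observer sees in the
first packet of an HTTPS connection even when DNS is encrypted. Builds a
TLS ClientHello for a constructed hostname and extracts the server_name
(SNI) extension from it. Standard library only."""
import struct

def _ext(etype, data):
    """Encode one TLS extension: type, length, body."""
    return struct.pack("!HH", etype, len(data)) + data

def build_client_hello(sni=None, client_random=bytes(32)):
    """Minimal TLS 1.3-style ClientHello; the SNI extension is included only when given."""
    exts = _ext(0x002B, b"\x02\x03\x04")                        # supported_versions: TLS 1.3
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        exts += _ext(0x0000, struct.pack("!H", len(entry)) + entry)
    body = (b"\x03\x03" + client_random
            + b"\x00"                                           # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
            + b"\x01\x00"                                       # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(packet):
    """Return the host_name from a ClientHello record, or None if absent or not TLS."""
    if len(packet) < 5 or packet[0] != 0x16:                   # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", packet[3:5])[0]
    hs = packet[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                           # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        off = 2 + 32                                           # client_version + random
        off += 1 + body[off]                                   # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
        off += 1 + body[off]                                   # compression_methods
        if off + 2 > len(body):
            return None                                        # no extensions block at all
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype != 0x0000:                                # only server_name interests us
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                            # truncated or malformed hello
    return None
```

Run `extract_sni` over the first client-to-server packet of a captured TLS session; a `None` result for an HTTPS connection means either that no SNI was sent or that the packet was not a plain ClientHello.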

Bypassing throttling is conceptually simple but technically dependent on the previous layer. Throttling is applied to traffic the network can classify — if the censor knows you’re streaming video or using a VPN, they can shape that traffic selectively. An encrypted tunnel that hides the nature of what’s inside prevents selective throttling, because the censor’s QoS system can’t tell a video stream from a document download from a VPN connection. The residual risk is that the censor throttles all encrypted traffic that they can’t classify — which some networks do, treating unclassifiable traffic as inherently suspicious. In this scenario, a transport that looks like ordinary web traffic gets better treatment than one that’s merely unclassifiable.


What VPNs actually do against censorship — and where they fail

A VPN is not a censorship bypass tool in general. It’s a censorship bypass tool for specific layers, and being honest about which layers helps you avoid overconfidence.

Against DNS blocking, a VPN works cleanly. Once you’re connected to the VPN server, all DNS queries go through the server’s resolver rather than your ISP’s. The lies your ISP’s resolver tells are irrelevant because you’re not using it. Even if you use a poorly configured VPN that leaks DNS queries, those queries go to the server’s resolver over the encrypted tunnel before the answer comes back — the ISP can’t intercept them.

Against IP blocking, a VPN works well — subject to the IP arms race described above. Your traffic goes to the VPN server’s IP; the blocked destination’s IP appears in the packet header only inside the VPN server, where the censor has no visibility. This breaks the moment the VPN server’s own IP is added to the blocklist. Providers that actively rotate server IPs stay ahead of this; providers that don’t will get blocked in heavily filtered networks.

Against DPI, the answer is: it depends on the VPN’s transport. A VPN that produces a recognizable handshake signature will be identified and blocked by a competent DPI deployment. A VPN that makes its traffic look like ordinary web traffic can evade DPI detection — but not all VPNs implement this. This is the distinction between stealth transports and conventional VPN transports, and it’s the axis most commercial VPN providers underexplain. Whether the VPN uses modern encryption is irrelevant to DPI evasion; what matters is what the traffic looks like on the wire, not what it contains.

Against whitelisting, a VPN is largely useless. If the network only allows traffic to a pre-approved list of destinations and the VPN server’s IP is not on that list, the VPN connection cannot be established in the first place. The only exception is a VPN server whose IP happens to be on the whitelist — which requires either a cooperating domestic provider or a VPN server disguised as an approved destination. This is technically possible but difficult to deploy at scale and requires active maintenance as whitelists are updated.

Against threats inside the device, a VPN provides nothing. If the device runs compelled software that logs activity and reports it to an authority, that software has access to traffic before it enters the VPN tunnel. Physical seizure of a device gives investigators access to anything stored locally, regardless of what VPN was in use. A VPN protects your network path; it cannot protect against an adversary who controls the endpoint.

The broader point is worth stating directly: a VPN moves the trust boundary from your ISP to your VPN provider. If the provider is located in a jurisdiction that cooperates with your adversary, or if the provider keeps logs that can be compelled, the VPN doesn’t provide much protection against a sophisticated state-level adversary. DPI evasion is a different axis from this — it helps you get traffic through, but it doesn’t make you anonymous to the VPN provider or to any downstream service you reach.


A hierarchy of tools — from convenient to drastic

Different threat models need different tools, and using a tool that’s more complex than your threat model requires costs you real convenience without buying real protection. The ladder runs from lightweight to heavy.

DoH/DoT — for casual DNS blocks. If your ISP blocks a handful of news sites at the DNS layer, encrypted DNS alone solves the problem. Enable DoH in Firefox or Chrome’s settings, or set your system resolver to 1.1.1.1 or 9.9.9.9. No VPN required, no app to install, no latency impact worth measuring. This handles the easiest tier of censorship instantly. What it doesn’t handle: IP blocks, DPI, or any situation where the censor blocks the encrypted DNS resolvers themselves (which some do).

VPN — for routine privacy and most regional blocks. A well-chosen VPN bypasses DNS and IP layers, and a VPN with a stealth transport also bypasses most DPI. For users living in countries that block social media, news sites, or specific services without aggressively prosecuting VPN use, a VPN is the right level of tool. The tradeoffs are small: a few milliseconds of added latency, a monthly cost, and a shift of trust from your ISP to the VPN provider. For more background on what a VPN actually does at the protocol level, what is a VPN covers the architecture in depth.

Bridges and pluggable transports — for networks that block VPN protocols. Tor Project’s bridge network is a set of volunteer-operated relay nodes whose addresses are not publicly listed. Pluggable transports like obfs4 make bridge traffic look like random bytes or ordinary web connections rather than recognizable Tor traffic. Snowflake is a pluggable transport that routes traffic through WebRTC data channels established by volunteers’ browsers — it’s hard to block because the IP addresses change constantly and blocking WebRTC would break many legitimate video conferencing applications. These tools are slower than a VPN — the overhead is meaningful — but they’re designed for networks that actively fingerprint and block VPN protocols. They require more setup than a VPN and the bridge addresses need to be obtained out-of-band (from bridges.torproject.org or by email to bridges@torproject.org).

Tor — for anonymity alongside bypass. Tor routes your traffic through at least three independently operated relays, so no single relay knows both who you are and what you’re accessing. This provides a qualitatively different property than a VPN: anonymity, not just privacy. But it’s genuinely slow — expect latency in the hundreds of milliseconds and throughput suitable for text-heavy sites, not streaming. Tor is the right tool when anonymity is the requirement, not just bypass. The comparison between VPN, Tor, and proxy — when each makes sense and what each actually provides — is covered in VPN vs Tor vs proxy. Tor can be combined with bridges and pluggable transports for networks that block Tor’s public relays.

Sneakernet — for the most extreme conditions. When all network paths are closed — during total internet shutdowns, in environments with no reachable external servers — people have historically used offline data exchange: USB drives, SD cards, Bluetooth transfers, and short-range mesh networks. Software like Briar routes encrypted messages over Bluetooth and WiFi directly between devices, without any internet connection. This is last-resort infrastructure: high friction, limited throughput, and geographic constraints. But it has worked during complete network blackouts when nothing else could.

The principle underlying this ladder is matching your tool to your actual threat model. Using Tor for casual content unblocking is like using a sledgehammer to hang a picture; using DoH in a network with active DPI is like using a paper shield. The sections below try to make those matches concrete.


Choosing for your threat model

Three reader personas, matched to the tools above.

Persona A: Casual privacy. You live in a country with a free internet. You’re not facing censorship. Your concern is that your ISP logs which sites you visit and sells that data, or that you’re tracked across sites by your IP address. What you need is a VPN — specifically one that handles DNS queries inside the tunnel, so your ISP sees only an opaque stream to the VPN server and nothing else. Stealth transport is unnecessary; the network isn’t trying to block you, so there’s nothing to evade. You want a VPN with clear no-log policies and a provider whose jurisdiction doesn’t require retention of connection metadata. Performance matters more than evasion capability. DoH alone handles the narrowest version of this concern — stopping your ISP from seeing your DNS queries — at essentially zero friction.

Persona B: Regional blocks. You live in a country where specific services are blocked — social media during elections, foreign news sites, messaging apps, VOIP — but VPN use is common, not aggressively prosecuted, and bypass tools are widely available. A VPN with a stealth transport is the right tool. You need bypass, not anonymity. DNS blocks and IP blocks are the primary techniques in use, possibly with some DPI for obvious VPN handshakes. A VPN that produces a conventional, fingerprintable handshake will sometimes be blocked; one using a stealth transport that makes traffic look like ordinary browsing will work more reliably. The tradeoff is a modest speed overhead. No additional tools required; operational security isn’t your primary concern.

Persona C: High-risk dissident or journalist. You’re in a genuinely hostile environment. You’re not just trying to access blocked content — you need the content of your communications kept private, your identity protected from a state-level adversary with legal authority to compel records from domestic providers, and your bypass activity itself to be non-attributable. Here, the honest recommendation is not ORION/VPN — it’s Tor combined with Tails OS and careful operational security. Tails is a live operating system that runs from a USB drive, leaves no trace on the computer it boots from, and routes all traffic through Tor by default. Careful operational security means compartmentalizing your identity, using dedicated hardware for sensitive work, and not reusing usernames or contact methods across contexts. A VPN is insufficient here not because the encryption is weak, but because the VPN provider has your connection metadata and is subject to legal process. Tor’s multi-hop architecture is specifically designed to withstand that pressure. This section would be incomplete without pointing directly to the Electronic Frontier Foundation’s Surveillance Self-Defense guide (ssd.eff.org) for detailed operational guidance.


Frequently asked questions

Is using a VPN legal?

It depends entirely on jurisdiction. In most countries, VPN use is legal and unremarkable — businesses, academics, and developers use VPNs for legitimate purposes constantly. In a smaller number of countries, regulations restrict VPN use to state-approved providers, require VPN operators to log and share connection data, or prohibit personal VPN use entirely. The practical risk of VPN use in these countries varies: some enforce actively, others maintain the restriction on paper with limited enforcement. Using a VPN doesn’t provide legal immunity for whatever you do through it — the bypass tool and the content you access are separate legal questions.

What’s the fastest way to bypass DNS blocking?

Switch your device or browser to an encrypted DNS resolver — 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9) over DoH. Most modern browsers let you configure this directly in settings under “Secure DNS” or “DNS over HTTPS.” This takes under a minute to set up, costs nothing, and eliminates DNS-layer blocks completely. If your network intercepts encrypted DNS traffic or blocks those resolvers’ IP addresses, you need a VPN — but try DoH first, because it’s faster and simpler than anything else.

Why does my VPN sometimes get blocked even when I use a paid one?

Most likely your VPN’s traffic has a recognizable signature that DPI equipment at a border router is matching and dropping. This isn’t about the quality of the encryption — it’s about what the connection looks like on the wire before the encrypted payload starts. VPNs with conventional transports produce handshakes that specialized equipment can classify in milliseconds. The fix is a VPN that uses a stealth transport — one designed to make connections look like ordinary web traffic. Not all VPN providers implement this. A secondary cause is that your provider’s server IP addresses have been added to a blocklist; switching to a different server or a provider with more IP diversity helps in that case.

Can a government tell I’m using a VPN?

With DPI equipment, yes — unless your VPN uses a stealth transport. The shape of a conventional VPN connection is distinct: specific port numbers, characteristic handshake byte patterns, packet size distributions. DPI at a border router can classify this accurately at high speed without decrypting anything. A VPN using a stealth transport makes connections look like ordinary browser sessions; distinguishing those from real browser traffic requires statistical analysis over time rather than per-connection classification, and even that produces errors. Using a stealth transport raises the bar significantly; it doesn’t eliminate the possibility of detection against a patient, well-resourced adversary.

Is Tor enough to bypass censorship on its own?

In many cases, yes — Tor can reach the open internet and bypasses DNS, IP, and DPI-layer blocks by design, since the final hop exits from a Tor relay’s IP rather than yours. The practical limitations are speed (Tor is slow — expect 1–5 Mbps with significant latency) and the fact that Tor’s public relays are themselves blocked in some countries. The solution to blocked relays is using bridges — private, unlisted entry points — combined with a pluggable transport that makes Tor traffic look like something else. Tor Browser bundles bridge and transport support; requesting bridges from bridges.torproject.org takes a few minutes. Tor is a better tool for anonymity than for routine unblocking; for most regional blocking scenarios, a VPN is faster and more practical.

How do I know if my country uses DPI?

Indirect signals: does your VPN work on some servers but not others that are geographically similar? Does switching to a different port or protocol change whether it connects? Do VPN connections establish and then die after a few seconds (a common DPI behavior — let the connection complete, observe the handshake pattern, then reset)? Do some apps fail while others with similar destinations work fine? These are fingerprints of DPI in action. Direct signals: researchers at organizations like OONI (Open Observatory of Network Interference) publish censorship measurement reports for most countries — checking ooni.org gives you documented evidence of which techniques are deployed where.
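The indirect signals listed above can be checked mechanically. The script below is an added example (not from the article) that maps a probe record for each destination to the layer in the table earlier in the post: the resolver lied, the connect failed, the session was established and then reset within seconds, or the destination is reachable but far below baseline throughput. The log lines, field names, baseline and thresholds are all constructed for the illustration; the baseline is meant to come from the same targets measured from an unfiltered vantage point, which is what OONI-style control measurements provide.

```python
"""Added example (not from the article): map the symptoms of a failed connection
attempt to a censorship layer. The probe records are constructed; a real run
would fill them in from a DNS lookup, a TCP connect, a TLS handshake and a
timed download, with the baseline measured from an uncensored vantage point."""

# Constructed probe records, one per line: key=value pairs, '-' where a stage was never reached.
PROBE_LOG = """\
2026-05-01T10:00:01Z target=news.example dns=nxdomain tcp=- tls=- alive_s=- kbps=-
2026-05-01T10:00:02Z target=vpn-a.example dns=ok tcp=timeout tls=- alive_s=- kbps=-
2026-05-01T10:00:03Z target=vpn-b.example dns=ok tcp=connected tls=reset alive_s=2.1 kbps=-
2026-05-01T10:00:04Z target=video.example dns=ok tcp=connected tls=ok alive_s=60 kbps=35
2026-05-01T10:00:05Z target=mail.example dns=ok tcp=connected tls=ok alive_s=60 kbps=18200
2026-05-01T10:00:06Z target=portal.example dns=sinkhole tcp=- tls=- alive_s=- kbps=-
"""

BASELINE_KBPS = 20000      # assumed throughput of the same targets from an unfiltered vantage point
DPI_RESET_WINDOW_S = 5.0   # "connects, then dies within seconds" is the classic DPI symptom
THROTTLE_RATIO = 0.05      # below 5% of baseline we call it throttling rather than congestion

def parse_probe(line):
    """Turn one log line into a dict; numeric fields become floats, '-' becomes None."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = None if value == "-" else value
    for key in ("alive_s", "kbps"):
        if rec.get(key) is not None:
            rec[key] = float(rec[key])
    return rec

def classify_probe(rec, baseline_kbps=BASELINE_KBPS):
    """Return the censorship layer that best explains what the probe observed."""
    if rec["dns"] != "ok":
        return "dns-blocking"          # NXDOMAIN or a sinkhole address: the resolver lied
    if rec["tcp"] in ("timeout", "reset"):
        return "ip-blocking"           # connect itself fails: no SYN-ACK, or a reset before any data
    if rec["tls"] == "reset" and rec["alive_s"] is not None and rec["alive_s"] <= DPI_RESET_WINDOW_S:
        return "dpi"                   # session set up, handshake seen, then killed
    if rec["kbps"] is not None and rec["kbps"] < THROTTLE_RATIO * baseline_kbps:
        return "throttling"            # reachable, but degraded to the point of unusability
    return "reachable"

def classify_log(text):
    """Classify every line of a probe log; returns {target: layer}."""
    return {r["target"]: classify_probe(r) for r in map(parse_probe, text.strip().splitlines())}

if __name__ == "__main__":
    for target, layer in classify_log(PROBE_LOG).items():
        print(f"{target:18} {layer}")
```

One probe is an indication, not proof: repeat it, vary ports and transports, and compare against the control vantage point before concluding that a particular layer is in use.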

What’s a “Great Firewall” and is it just one thing?

The “Great Firewall” is a colloquial name for the national-scale censorship infrastructure of China, formally called the Golden Shield Project. It is not a single appliance — it’s a collection of systems operated by different ISPs under centralized regulatory direction, combining all four layers described above: DNS manipulation, IP blocking, DPI-based protocol classification, and bandwidth throttling. The integration of these systems over many years makes it one of the most technically sophisticated censorship deployments in existence. The term is sometimes used loosely to refer to any large-scale national censorship system, but technically it refers to a specific deployment. Other countries have built analogous multi-layer systems; none are identical in architecture.

Why do streaming services block VPNs but messaging apps don’t?

Streaming services block VPNs because their content licenses are geographic — a provider might have rights to a show in one country but not another, and allowing VPN access defeats the license boundaries that their contracts require. Detecting VPN IP addresses and blocking them is a contractual compliance measure, not a security one. Messaging apps rarely block VPNs because they have no geographic licensing model — a message sent through a VPN is the same as any other message. The tension for streaming services is that blocking data-center IPs (where VPN servers live) also blocks legitimate business VPN users, which creates customer service problems. Most services accept that tradeoff; some are more aggressive than others.

Can I use a VPN over a mobile network too?

Yes. A VPN on a mobile device routes all traffic through the VPN tunnel regardless of whether you’re on WiFi or cellular. The mechanics are identical: your device establishes an encrypted connection to the VPN server, and all packets go through that connection. Mobile carriers can and do throttle or block specific VPN protocols in some regions, so the same considerations around transport choice apply. Battery and data usage are marginally higher with a VPN because of encryption overhead, but on modern devices the impact is small — typically under 5% additional battery use for a VPN running in the background.

Will a censor try to deanonymize me if they can’t block me?

Possibly, depending on your threat model and the adversary’s resources. If traffic analysis can identify VPN connections, an adversary who can observe both ends of the connection — your device’s traffic at the ISP level, and traffic arriving at the VPN server — can potentially correlate the timing and volume of packets to deanonymize you even through an encrypted tunnel. This is a realistic capability for national intelligence agencies. Tor’s multi-hop design makes this much harder — it requires controlling multiple independent nodes, each with independent visibility. For users whose threat model includes a state-level adversary willing to commit significant resources to identify them, operational security — separate devices, careful identity compartmentalization, physical security — matters as much as any technical tool.


ORION/VPN offers a free plan with 10 GB per month — enough for most regional unblocking and daily privacy use without a subscription. For networks that fingerprint and block conventional VPN traffic, Horizon transport makes every packet look like an ordinary website connection, providing DPI evasion by design. For open networks where raw speed is the priority, Wind transport skips the camouflage overhead for maximum throughput. Both transports use the same modern, AES-256-class authenticated encryption; the security properties are identical, only the camouflage differs. For deeper reading on the topics covered here, what is a VPN covers the underlying architecture in plain English, and deep packet inspection explained goes into detail on how DPI hardware identifies and classifies traffic.
