According to OONI’s network measurement data, Wikipedia.org sub-domains are being blocked using DNS injection and SNI filtering in China.
Wikipedia domains have been tested since 2015 through the use of OONI Probe. The data collected has shown that since the blocking of Wikipedia’s Chinese edition on the 19th of May 2015, many other editions have been blocked.
OONI measurements suggest that the blocking is done by means of DNS injection, so it is possible to measure the DNS-based blocking from outside China as well.
An OONI Probe DNS injection test was run from a vantage point outside the Chinese territory and pointed towards an IP address in China.
The probe DNS injection test is very fast: it scans more than 2,000 Wikipedia domain names in less than a minute and determines which ones are blocked. The blocks appear to be targeting any sub-domain edition of Wikipedia.org, (i.e. *.wikipedia.org, en.wikipedia.org, etc.) including Wikipedia.org but do not affect other Wikimedia resources beyond from zh.wikinews.org.
The blocking applies to Wikipedia.org sub-domains, whether they exist or not – even the sub-domain ‘doesnotexist.wikipedia.org was blocked.
Other tests were run to check if the blocking could be breached by encrypting the DNS traffic.
If a TLS handshake is attempted using the SNI of wikipedia.org the connection is aborted immediately. Oppositely, if the SNI of kernel.org is used when doing a TLS handshake with wikipedia.org, the request is successful and the handshake finalizes.
The tests show that China’s Telecom is actively blocking all language editions of Wikipedia using DNS injection and SNI filtering. This network filtering tactic could be viewed as a “defense in depth” system similar to the type used for censorship in Egypt. By creating multiple censorship layers, Chinese telecom makes circumvention harder.
A potential way to work around the blocks could be to use an encrypted DNS resolver (such as DNS over HTTPS) in combination with Encrypted SNI. Whilst not currently supported by Wikipedia.org, the possibility of implementation is currently being discussed.
