SaveClip

How China's Great Firewall Works: Technical Methods Explained

Last updated: April 9, 2026

Learn how the Great Firewall censors the internet through DNS poisoning, IP blocking, DPI, and active probing, and understand its techniques and limitations.

Imagine you're trying to send a letter to a friend overseas, but a government office intercepts every envelope. Some letters they simply throw away before they reach the post office. Others they open and read—and if the content displeases them, they destroy it. Others still, they watch carefully: when they see you repeatedly trying to mail letters to the same forbidden address, they note your name and watch you more closely next time. This is roughly how China's Great Firewall works. It is not a single wall, but a layered system of observation and intervention that operates at every level of how the internet functions.

The Great Firewall is the world's largest and most sophisticated internet censorship infrastructure. It blocks access to billions of websites, suppresses specific keywords in searches, and monitors the online behavior of hundreds of millions of people. Unlike censorship systems that work by simply switching things off, the GFW is designed to be selective: it allows most internet traffic to flow normally, then intercepts and disrupts only the traffic it identifies as problematic. This makes it harder to detect, and it preserves the appearance of an open internet while controlling what people can actually reach.

How the system intercepts your requests before they even leave China

When you type a website address into your browser—say, "bbc.com"—your computer does not immediately know where that website lives on the internet. Instead, it sends a question to a DNS (Domain Name System) server, asking "What is the IP address for bbc.com?" An IP address is a unique numerical identifier, like a home address on the internet. DNS is essentially the phone book of the internet.

China operates its own DNS servers, and most internet traffic inside China flows through them. When the GFW sees a query for a blocked domain, it does not simply ignore the question. Instead, it sends back a false answer—a bogus IP address that leads nowhere, or to a server controlled by the government. This technique is called DNS poisoning. It is extremely efficient because it stops the request before it even leaves Chinese territory.

But DNS poisoning only works if the user's device trusts the DNS server in the first place. Some users configure their devices to use international DNS servers (operated by other companies or nonprofits), which the GFW cannot directly control. This is why China also deploys the next layer of the system.
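One way to check for a poisoned answer is to compare the A records received on the local path with a reference answer fetched over a channel you trust. The sketch below is an added example, not part of the original article; the domain `blocked.example`, the documentation-range addresses and all function names are assumptions, and the responses are constructed in code rather than captured.

```python
import ipaddress
import struct

def build_response(qname: str, addrs: list, txid: int = 0x1234) -> bytes:
    """Build a DNS response with A records (constructed sample, not captured traffic)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = labels + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)     # name = pointer to offset 12
        + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers

def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return pos + 2
        if length == 0:                # root label terminates the name
            return pos + 1
        pos += 1 + length

def a_records(msg: bytes) -> set:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    found = set()
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            found.add(str(ipaddress.IPv4Address(msg[pos:pos + 4])))
        pos += rdlen
    return found

def compare(local: bytes, reference: bytes) -> dict:
    """Flag a local answer that shares no address with the trusted reference answer."""
    seen, trusted = a_records(local), a_records(reference)
    return {"local": seen, "reference": trusted,
            "suspect": bool(seen) and seen.isdisjoint(trusted)}

if __name__ == "__main__":
    ref = build_response("blocked.example", ["198.51.100.7"])     # assumed genuine answer
    forged = build_response("blocked.example", ["203.0.113.66"])  # assumed injected answer
    print(compare(forged, ref))
```

A disjoint answer set is a signal rather than proof, because CDNs legitimately return different addresses to different networks; repeat the comparison from several vantage points before drawing a conclusion.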

Blocking based on IP addresses and spotting suspicious encrypted traffic

If someone bypasses DNS poisoning and manages to find the real IP address of a blocked website through other means, the GFW has a second line of defense: it can block traffic to entire IP addresses. When an internet packet (a small unit of data traveling across the network) is addressed to a forbidden IP, the GFW's routers intercept it and simply drop it—or send back a forged message (an RST packet) that tells both sides the connection was closed. The user sees a timeout or an error: the page will not load.

This method is crude but effective. However, many websites share the same IP address. If the GFW blocks one forbidden site, it may accidentally block hundreds of legitimate sites hosted on the same server. This creates collateral damage, which the system operators try to minimize. But the tradeoff is deliberate: blocking some legitimate content is acceptable if it helps suppress forbidden content.

A more sophisticated technique involves watching encrypted traffic for patterns. When you connect to a website using HTTPS (the encrypted protocol that protects your data), the connection begins with a TLS handshake—an exchange of information that sets up the encryption. During this handshake, there is a moment when certain information is sent in plain text, including the Server Name Indication (SNI): the name of the website you are trying to visit. Even though the rest of your traffic is encrypted, the GFW can read this SNI value and block connections to forbidden domains by intercepting the handshake itself.

Identifying and disrupting proxy tools

When users inside China try to bypass the GFW using proxy servers or VPN tools (which route traffic through computers outside China), the GFW engages in active probing. Its systems send specially crafted test packets to suspected proxy servers, trying to identify their behavior. If the server responds in a way that suggests it is a proxy, the GFW marks it for blocking. This is detective work: the system is trying to fingerprint different proxy protocols and tools so it can recognize them by their "signature" in network traffic.

This is where Deep Packet Inspection (DPI) enters. The GFW does not just look at where packets are addressed; it examines the content inside them, looking for patterns that suggest the use of specific proxy or encryption tools. Many popular tools have recognizable patterns in how they structure their data. Once identified, the GFW can block them or throttle them (slow them down until they become unusable).

Why most circumvention fails, and what sometimes still works

The system works so effectively because it operates at multiple layers simultaneously. If you get past DNS poisoning, you hit IP blocking. If you use a proxy or VPN, DPI catches the fingerprint of the tool. If you evade the fingerprint, active probing identifies your proxy and blocks it.

But the system has blind spots. Tools that use obfuscation (disguising encrypted traffic to look like normal internet browsing) and those that rotate their infrastructure frequently—changing IP addresses and configurations constantly—are harder to block. Some newer techniques, like REALITY (a protocol obfuscation method) and Snowflake bridges (a system that relays traffic through volunteer computers, making it harder to block any single point), make censorship more difficult by distributing the infrastructure in ways the GFW cannot easily fingerprint or block wholesale. These solutions trade simplicity for resilience.

It is important to note that circumvention in China carries legal and personal risk. Accessing blocked content and using blocked tools is not a purely technical matter; it has political consequences.

The Great Firewall succeeds because it combines surveillance, pattern recognition, and network control at every layer where information flows. It is not unbreakable, but it is designed so that the effort and risk required to break it exceed what most people are willing to undertake. To understand modern censorship, you should explore how DPI works in other countries, how encrypted protocols like TLS function, and how decentralized networks might resist state-level censorship in the future.