This is a play-by-play guide on how to unblock your website for visitors in Mainland China without any effort on their side.
The Great Firewall of China (GFW) is a complex filtering system capable of blocking websites by a variety of methods. The commonly used ones are IP blocking, URL and packet filtering by connection reset, TLS (SSL) certificate filtering by connection reset, and DNS hijacking.
IP blocking
Use a CDN (Content Delivery Network) to hide the real IP address of your site from the GFW.
I did a simple test myself. I created a Google site and linked it with four subdomains as follows.
CNAME records (ghs.google.com is currently not blocked in China):
test1.percy.in -> ghs.google.com (CDN enabled)
test2.percy.in -> ghs.google.com
A records (216.239.32.21 is subject to IP blocking in China):
test3.percy.in -> 216.239.32.21 (CDN enabled)
test4.percy.in -> 216.239.32.21
Test 1 and test 2 merely serve to confirm that the website is up. Test 3 and test 4 simulate a website with a blocked IP.
I enabled the CDN on test1 and test3. The CDN I chose is CloudFlare with a free account. (You can pay to go pro or find another CDN if you like; I prefer to stay free.)
Here are the test results.
test1 and test2 are both accessible in China. test3 is accessible while test4 is blocked.
When the CDN is enabled, it serves as a reverse proxy. So test3 actually resolves to an IP address owned by the CDN (CloudFlare in my case), which bypasses the IP block.
Unless the GFW blocks the CDN's IP addresses, which would also block many other unrelated websites[1], IP blocking is nothing to fear anymore.
[1] That didn't stop them before. The whole co.cc and net.ru domains were censored for some time.
URL/Packet filtering
If your domain is filtered as a restricted keyword, full-site encryption should be employed.
Countermeasure 1: get an SSL certificate and install it on your server or VPS. Some certificates are expensive while others are completely free for an unlimited time. StartSSL provides free certificates with a minimal requirement: only a validated email address on your domain, which can also be obtained free of charge from Google Apps.
Countermeasure 2: use Flexible SSL, one of CloudFlare's SSL options:
Visitor <-- SSL --> CloudFlare <-- non-SSL --> Origin
That way you save the fuss of installing a certificate and can enable SSL with a click. Note that only the visitor-to-CloudFlare leg is encrypted; the CloudFlare-to-origin leg stays in plain text. However, this requires a pro CloudFlare account and costs $20/month.
Countermeasure 3: change your subdomain. Starting from www.example.com:
1. "www.example.com" is filtered -> change to www1.example.com (or www2, www3, etc.).
2. ".example.com" is filtered -> change to the naked domain, example.com.
3. "example.com" is filtered -> the chain ends here.
Filtering of the naked domain is somewhat less likely because, for example, if they filtered oogl.com, google.com would also become inaccessible in China.
TLS (SSL) certificate filtering
This time the GFW knows you are using encryption to evade censorship and decides to censor your certificate, which is sent in plain text before the encrypted tunnel is established.
Two countermeasures, as before:
1. Because your certificate is completely free and issued automatically by robots, there's nothing stopping you from changing it constantly, while the TLS (SSL) certificate filtering list is updated rarely.
2. Use CloudFlare's SSL option. CloudFlare replied to me that multiple sites may use the same certificate: each site has its own subject alternative name (SAN), and the common name will be some variation of SSL#.cloudflare.com. So, as with IP addresses, the GFW can't filter your certificate without blocking a bunch of innocent sites.
(Again, that didn't stop them before. They could block SSL connections to a bunch of sites and then filter only your domain. That way, the other sites could still be reached, via HTTP only.)
DNS hijacking
This is the toughest blocking measure and it is seldom used. Known sites subject to this kind of blocking are *.facebook.com (naked domain included), *.twitter.com (naked domain included), encrypted.google.com and www.kenengba.com. Possibly fewer than a hundred sites are blocked in this way.
There are two forms of DNS hijacking (Wikipedia only documents the first one).
Form 1: when visitors use the local DNS servers controlled by their ISP, the query simply results in a connection timeout. This is performed by the local DNS server itself.
Form 2: when visitors use foreign DNS servers such as OpenDNS or Google Public DNS, or even a random non-existent foreign IP, the GFW answers the DNS query with a bogus IP address belonging to some random site.
(Look up the non-existent name aaa.twitter.com on a non-existent DNS server, 1.1.1.1, from inside China:)
nslookup aaa.twitter.com 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Name: aaa.twitter.com
Address: 78.16.49.15
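The nslookup trick above can be automated to detect form 2 from inside a network: send one DNS query to an address that runs no resolver, and treat any answer that arrives as injected, since a non-existent server cannot reply. This is an added example in plain Python (standard library only), not code from the original post; it reuses the name aaa.twitter.com from the output above, assumes you supply an address you know to be unrouted (1.1.1.1 now hosts a public resolver, so it no longer qualifies), and SAMPLE_RESPONSE is constructed by hand rather than captured.

```python
import random
import socket
import struct

def build_query(name, txid):
    """Minimal DNS query: 12-byte header (RD set, 1 question), QNAME, QTYPE=A, QCLASS=IN."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while data[off] and (data[off] & 0xC0) != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)   # 2-byte pointer or 1-byte root label

def parse_a_records(resp, txid):
    """IPv4 addresses in the answer section; [] if the transaction id does not match."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def probe(name, server, timeout=3.0):
    """None = no reply (the honest outcome for a non-existent server); a list = injected."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(resp, txid)

# Constructed sample (not captured traffic): the injected reply above, txid 0x1234.
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("aaa.twitter.com", 0)[12:] + b"\xc0\x0c"
                   + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("78.16.49.15"))
```

Run probe("aaa.twitter.com", "<unrouted address>") from the network under test: a list of addresses where the honest result would be None is the signature of on-path injection.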
How to counter:
Method 1: change your subdomain. See countermeasure 3 under URL/Packet filtering.
Method 2: do not use the domain at all. Use the IP address directly, e.g. http://12.34.56.78 or https://12.34.56.78.
However, this leaves your site vulnerable to IP blocking because, without a domain, a CDN can't be used.
Since only high-profile sites are blocked this way, you surely have the money and servers to build an encrypted reverse proxy, or plenty of programmers to figure out your next move.