Chinese Firewall Test

Check if a domain may be blocked by China's Great Firewall via DNS comparison

Enter a domain to compare DNS responses from Google (8.8.8.8) vs Chinese DNS (114.114.114.114). If the Chinese DNS returns no result or a different IP, the site may be blocked.

Quick Answer: The Great Firewall of China (GFW) is a state-run censorship and surveillance system that blocks foreign websites and services inside mainland China. It uses multiple techniques including DNS poisoning, IP blocking, and SNI-based filtering to restrict access. This tool compares DNS responses from Google's resolver and a Chinese DNS server to detect potential blocking. If results differ, your domain is likely filtered.
Article Summary: This page lets you test whether a domain or IP address is blocked by China's Great Firewall by comparing DNS resolution results from inside and outside China. Understanding GFW blocking techniques helps developers, network engineers, and businesses plan their China accessibility strategy and determine whether ICP licensing or a CDN with China PoPs is necessary.

What Is the Great Firewall of China?

The Great Firewall of China (GFW) is the combination of legislative and technical mechanisms the Chinese government uses to regulate the domestic internet. Operated under the Golden Shield Project, it has been active in various forms since the early 2000s and is maintained by the Ministry of Public Security (MPS) alongside major state-owned telecommunications carriers such as China Telecom, China Unicom, and China Mobile.

The GFW is one of the most sophisticated national-level internet censorship systems in the world. It affects billions of page views per day and blocks thousands of foreign domains — including major platforms such as Google, YouTube, Facebook, Twitter/X, Instagram, Wikipedia (partially), and many international news sites. For businesses that want their websites and services to be accessible to users in mainland China, understanding how the GFW works is essential infrastructure knowledge.

Our Chinese Firewall Test tool performs a heuristic check by querying both Google Public DNS (8.8.8.8) and the Chinese resolver 114.114.114.114. If the Chinese resolver returns no result, a different IP, or a known GFW poison IP, the domain is flagged as potentially blocked.

How It Works

DNS Comparison Method

The simplest and most reliable heuristic for detecting GFW blocking is DNS response comparison. The tool sends an A record query for your domain to two different DNS resolvers: one operated internationally (Google 8.8.8.8) and one inside the Chinese network (114.114.114.114, operated by China Telecom). If the Chinese resolver returns a bogus IP address, an NXDOMAIN response, or a completely different IP from the real server, it is a strong indicator that DNS poisoning is in effect for that domain.
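The comparison described above, as an added Python example (not this tool's own code): it builds the A query, parses a reply, and applies the page's heuristic to the two results. All function names, the caller-supplied poison_ips set (the page lists no such addresses) and the constructed SAMPLE_REPLY bytes are assumptions made for illustration.

```python
import secrets, socket, struct

# Constructed sample reply (not captured traffic): ID 0x1234, example.com A 203.0.113.10
SAMPLE_REPLY = bytes.fromhex("123481800001000100000000076578616d706c6503636f6d"
                             "0000010001c00c000100010000003c0004cb00710a")

def build_query(domain, qid):  # recursive A/IN question in DNS wire format
    labels = domain.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (1 if msg[off] == 0 else 2)  # root label or 2-byte pointer

def parse_a_records(msg, qid):  # -> (rcode, sorted IPv4 answers)
    rid, flags, _qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    off = skip_name(msg, 12) + 4  # our query has one question; skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if (rtype, rclass, rdlen) == (1, 1, 4):  # A record, class IN
            ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0x000F, sorted(ips)

def resolve_a(domain, resolver, timeout=3.0):  # (None, []) = no usable reply
    qid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(domain, qid), (resolver, 53))
            return parse_a_records(s.recvfrom(4096)[0], qid)
        except (OSError, ValueError, struct.error, IndexError):
            return None, []

def verdict(reference, chinese, poison_ips=()):  # results are (rcode, ips) pairs
    ref_ips, cn_ips = set(reference[1]), set(chinese[1])
    if not ref_ips:
        return "inconclusive"  # nothing to compare against
    if not cn_ips:
        return "possibly blocked: no result"
    if cn_ips & set(poison_ips):  # caller-supplied list of known bogus answers
        return "possibly blocked: known poison IP"
    return "consistent" if ref_ips & cn_ips else "possibly blocked: different IP"
```

For a live check, call `verdict(resolve_a(d, "8.8.8.8"), resolve_a(d, "114.114.114.114"))`. Treat a "different IP" verdict as a signal only, since geo-aware CDNs legitimately hand different addresses to different resolvers.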

Limitations of the Test

DNS comparison is a strong signal but not a complete picture. The GFW also uses deep packet inspection (DPI), SNI filtering, and IP-level blocking, none of which are detectable by DNS queries alone. A domain might resolve correctly from a Chinese resolver yet still be unreachable due to IP filtering at the routing level. For definitive results, a probe server physically located inside mainland China is required. This tool provides a fast, no-setup preliminary check for domain-level DNS manipulation.

Why Is My Site Blocked in China?

There are several common reasons a domain or IP ends up blocked by the GFW:

Content violations are the most common cause. Any site that hosts political content critical of the Chinese government, content related to Falun Gong, Tibetan independence, or the Tiananmen Square events is virtually certain to be blocked. Social media platforms that allow uncensored user-generated content are blocked by default.

Shared IP address is another frequent cause. If your website shares a server or CDN edge IP with a blocked domain, your site may be collaterally blocked via IP filtering even if your own content is benign. This is especially common on shared hosting and large CDN networks.

Missing ICP license matters for businesses serving Chinese users directly. While not having an ICP (Internet Content Provider) license does not automatically trigger a GFW block, hosting a China-facing site without one makes it difficult to operate through legitimate China-based CDN providers, who require the license.

HTTPS without SNI bypass is increasingly relevant. The GFW has expanded its use of SNI-based filtering, meaning it can block specific hostnames within an HTTPS connection without blocking the entire IP. A site might be reachable via IP but blocked by domain via SNI inspection.

Common Use Cases

Pre-launch China Accessibility Audit

Before launching a product or service intended for a Chinese audience, running a GFW probe on your primary domain and CDN origins is a critical step. Discovering a block after launch can delay business operations by weeks while you restructure your infrastructure or apply for an ICP license.

Monitoring for Collateral Blocking

Infrastructure engineers at global companies use firewall tests to monitor whether shared infrastructure — such as a multi-tenant CDN or a cloud IP range — has been added to the GFW's IP filtering list. A sudden block can bring down China traffic without any change on the site owner's side.

Verifying CDN China PoP Effectiveness

CDN providers that offer China PoPs (Points of Presence) route traffic through servers with ICP-licensed origins. After configuring such a CDN, developers use this test to confirm that the domain resolves correctly from Chinese resolvers and that the CDN's China nodes are serving traffic without GFW interference.

Technical Reference

| Method | How It Works | What Is Blocked |
| --- | --- | --- |
| IP Blocking | GFW drops all packets destined for specific IP addresses or CIDR ranges at the carrier level | Server infrastructure; entire IP ranges including co-hosted sites |
| DNS Poisoning | Chinese DNS resolvers return incorrect or null IP responses for blocked domain names | Domain-based blocking affecting all users relying on Chinese resolvers |
| URL Filtering | Deep packet inspection (DPI) of HTTP traffic matches URLs and path patterns against a blocklist | Specific pages or paths within an otherwise accessible domain |
| SNI Filtering | Inspects the unencrypted Server Name Indication field in the TLS ClientHello handshake to identify HTTPS hostnames | HTTPS domains without requiring IP-level blocking; works even with shared IPs |
| BGP Route Injection | State-level BGP announcements divert traffic destined for certain IP prefixes through GFW inspection or black-hole routes | Infrastructure-level blocks affecting entire autonomous systems or subnets |

Frequently Asked Questions

How does the Great Firewall work?

The Great Firewall is a multi-layered system. At the DNS layer, Chinese resolvers return poisoned responses for blocked domains. At the IP layer, packets to blacklisted addresses are silently dropped. At the application layer, deep packet inspection scans HTTP content and TLS SNI fields to identify and block specific hostnames and URLs. These mechanisms work together and are updated continuously, which is why GFW testing requires ongoing monitoring rather than a one-time check.

Is it illegal to access blocked sites in China?

For individual users in China, accessing blocked sites via VPN exists in a legal grey area. There is no clear law criminalizing personal VPN use, but the Chinese government has cracked down on unauthorized VPN providers and periodically restricts VPN access. For businesses, operating an unapproved VPN or circumvention service is clearly illegal under Chinese telecommunications regulations.

Can I get my website unblocked in China?

It is generally not possible to petition the GFW to unblock a domain unless you operate a China-licensed entity. The most practical path for businesses is to host a separate China-facing site on infrastructure with an ICP license, served through a China-licensed CDN or ISP. This effectively provides a parallel presence rather than "unblocking" the international site.

Does using a CDN help with China accessibility?

Yes, but only with CDNs that have ICP-licensed China PoPs. Cloudflare's standard network, for example, does not have China PoPs by default. Providers such as AWS CloudFront (via Sinnet), Akamai, and Fastly offer China-specific delivery tiers that route through licensed infrastructure. Without this, even a CDN-fronted site will be subject to GFW blocking.

How often does the GFW update its block lists?

The GFW is updated continuously and dynamically. DNS poisoning updates can propagate within hours of a blocking decision. IP blocks are applied at the carrier level and can be implemented within minutes during politically sensitive periods. During major events such as national congresses or anniversaries of sensitive dates, the GFW is often significantly tightened, causing previously accessible sites to become temporarily unreachable.

Conclusion and Takeaways

Understanding the Great Firewall of China is essential for any developer, network engineer, or business with a global audience. The GFW is not a single switch but a layered, dynamic system that uses DNS manipulation, IP blocking, deep packet inspection, and SNI filtering simultaneously. A domain that passes one check may still be blocked by another mechanism. Use this tool as a fast first signal, and combine it with on-the-ground testing and China-specific CDN infrastructure for production environments.
