Explainer

ISP Blocking: How Your Internet Provider Restricts Access

Your internet service provider sits between your device and every website you visit. That position gives it the technical ability — and sometimes the legal mandate — to prevent you from reaching specific sites. This article explains how ISP blocking works and what you can do about it.

Why do ISPs block websites?

Government orders: Courts or regulators direct ISPs to block specific domains — copyright-infringing sites, gambling, or politically sensitive content.
Child protection: Many countries require ISPs to block child sexual abuse material (CSAM) registries.
Copyright enforcement: Rights holders obtain court orders requiring ISPs to block torrent sites and streaming piracy services.
Voluntary filtering: Some ISPs offer optional or default "safe browsing" filters that block adult content, malware, or phishing sites.
Commercial throttling: An ISP may throttle or block competing VoIP or streaming services to protect its own offerings.

Technical methods ISPs use

DNS blocking / DNS poisoning

When you type a domain name, your device queries a DNS server to get the IP address. Your ISP operates the default DNS resolver for its customers. By returning a wrong or empty response for a blocked domain, the ISP prevents your browser from ever finding the server. This is the most common and cheapest method to implement — and the easiest to bypass.

dig example.com @1.1.1.1 → gets real IP
dig example.com @isp-dns → returns NXDOMAIN or ISP block page IP

IP address blocking

The ISP's routers drop all packets destined for blacklisted IP addresses. More thorough than DNS blocking, but causes collateral damage — many sites share IP addresses (CDNs, shared hosting), so blocking one IP may block dozens of innocent sites.

URL filtering (HTTP proxy)

Traffic is routed through a transparent proxy that inspects the URL in HTTP requests. Specific paths (e.g., /pirated-content/) can be blocked while the rest of the domain remains accessible. Only works for unencrypted HTTP; HTTPS traffic is opaque to this method.

Deep Packet Inspection (DPI)

DPI appliances examine packet payloads beyond headers — including the Server Name Indication (SNI) field in TLS handshakes, which reveals the hostname even over HTTPS. This allows ISPs to block HTTPS sites by domain name without needing to break encryption. DPI is expensive but used extensively in China, Russia, Iran, and some European ISPs under regulatory pressure.

BGP route withdrawal

In extreme cases, a government can instruct ISPs to withdraw BGP routes for entire IP ranges, making those address blocks completely unreachable. Russia used this method against Telegram in 2018, accidentally blocking millions of Amazon and Google cloud IPs in the process.

How to tell if your ISP is blocking a site

Check with IsDownOrBlocked.com — if we can reach it from our servers, the site is up globally.
Switch to mobile data (4G/5G) and retry — if it works, the block is on your fixed-line ISP.
Change your DNS to 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google) and retry.
Try a free VPN — if the site loads through a VPN, your ISP or country is blocking it.

How to bypass ISP blocking

Change your DNS resolver. Switch to Cloudflare's 1.1.1.1, Google's 8.8.8.8, or enable DNS-over-HTTPS (DoH) in your browser settings. This bypasses DNS-level blocks but not IP or DPI blocks.

Use a VPN. Encrypts all traffic before it leaves your device, making DPI ineffective. Your ISP sees encrypted traffic to a VPN server — it cannot see the destination domains. Most effective against all types of ISP blocking.

Use Tor. Routes traffic through multiple encrypted relays. Slower but very resistant to ISP-level blocking.

Encrypted SNI (ESNI/ECH). A newer TLS extension that hides the SNI field, defeating DPI-based SNI blocking. Supported by Cloudflare and modern Firefox/Chrome.