SNI Filtering

Blocking HTTPS connections by inspecting the Server Name Indication field.

Definition

SNI (Server Name Indication) filtering exploits the fact that during a TLS handshake the client sends the destination hostname in plaintext, inside the ClientHello, before any encryption begins. Network equipment on the path can inspect this field and terminate connections whose SNI matches a blocked domain.

This technique is more sophisticated than DNS blocking because it works even when users switch to alternative DNS resolvers. It requires deep packet inspection (DPI) infrastructure and is commonly deployed in countries with advanced censorship capabilities.

How We Detect This

We attempt TLS handshakes to known endpoints and monitor for connection resets, timeouts, or injected responses during the handshake phase. When DNS resolves correctly but TLS connections fail for certain domains while other domains hosted on the same IP succeed, we classify the result as SNI-based filtering.

Examples

  • TLS handshake reset after SNI is sent
  • Connection timeout during TLS negotiation
  • Successful connection when using encrypted SNI (ESNI)
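The comparison described under "How We Detect This", and the outcomes listed in the examples above, as an added illustration that is not part of this glossary entry or its detection tooling: a Python probe that sends two TLS ClientHellos to the same resolved IP, one carrying the target hostname and one a control hostname, and applies the stated rule. Hostnames and the port used in the test are placeholders.

```python
import socket
import ssl
from dataclasses import dataclass

@dataclass
class Probe:
    sni: str
    outcome: str          # "ok", "reset", "timeout", "tls_error", "tcp_error"
    detail: str = ""

def tls_probe(ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> Probe:
    """TCP-connect to `ip`, then start a TLS handshake whose ClientHello carries `sni`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # we test whether the name survives the path, not the cert
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as e:
        return Probe(sni, "tcp_error", str(e))   # failed before any SNI was sent
    try:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return Probe(sni, "ok", tls.version() or "")
    except ConnectionResetError:
        return Probe(sni, "reset")      # RST right after the ClientHello: typical DPI behaviour
    except (socket.timeout, TimeoutError):
        return Probe(sni, "timeout")    # ClientHello silently dropped
    except ssl.SSLError as e:
        return Probe(sni, "tls_error", str(e))   # alert or injected data mid-handshake
    finally:
        raw.close()

def classify(dns_resolved: bool, target: Probe, control: Probe) -> str:
    """Same IP, control SNI works, target SNI dies in the handshake => SNI filtering."""
    if not dns_resolved:
        return "dns_blocking_or_failure"
    if control.outcome != "ok":
        return "ip_or_path_blocking"    # the IP itself is unreachable; not SNI-specific
    # A tls_error can also be a legitimate server alert for a name it does not host,
    # so repeat runs (and a second vantage point) before treating it as filtering.
    if target.outcome in ("reset", "timeout", "tls_error"):
        return "sni_filtering"
    return "no_filtering"

def check(target_host: str, control_host: str) -> str:
    """Resolve the target, then probe its IP with both SNI values."""
    try:
        ip = socket.gethostbyname(target_host)
    except socket.gaierror:
        return classify(False, Probe(target_host, "tcp_error"), Probe(control_host, "tcp_error"))
    return classify(True, tls_probe(ip, target_host), tls_probe(ip, control_host))
```

The control hostname should be one known to be served from the same IP (for example another site on the same CDN edge) so that the only variable between the two probes is the SNI value.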
