
Russia Expands Internet Restrictions with New Protocol Blocks and DNS Controls

Author: Ze Research Writer

Russia's telecommunications regulator RosKomNadzor implemented new restrictions blocking DNS-over-HTTPS and ShadowSocks protocols, expanding the country's technical capabilities for internet censorship.

Russia's telecommunications regulator RosKomNadzor announced on June 12, 2025, that internet service providers must block DNS-over-HTTPS (DoH) connections and ShadowSocks protocol traffic. The directive, published in the official registry of blocked resources, requires compliance within 72 hours and applies to all licensed telecommunications operators in the Russian Federation.

Figure 1: Visual representation of the BeyondTrust vulnerability chain

What Happened

RosKomNadzor published directive No. 2025-0612-PKT on June 12, 2025, adding DNS-over-HTTPS and ShadowSocks to the registry of prohibited protocols. The directive cites Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection" as the legal basis for the blocking order.

According to the published directive, telecommunications operators must implement technical measures to identify and block the specified protocols within 72 hours of publication. The regulator stated that non-compliant operators face administrative penalties and potential license revocation.

OONI's network measurement probes detected the first blocking events at approximately 14:00 Moscow time on June 12, 2025. The organization's technical report documented that Russian ISPs implemented the blocks using deep packet inspection equipment to identify protocol signatures.

Major Russian telecommunications providers including Rostelecom, MTS, and Beeline confirmed implementation of the blocking measures in statements to Russian media outlets. The providers stated they were complying with regulatory requirements.

Key Claims and Evidence

Protocol identification: According to OONI's technical analysis, Russian ISPs are using deep packet inspection to identify DoH traffic by detecting TLS connections to known DoH resolver IP addresses and examining Server Name Indication (SNI) fields. ShadowSocks traffic is identified through statistical analysis of packet sizes and timing patterns.

Blocking effectiveness: OONI measurements indicate that standard DoH connections to Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) fail from Russian networks as of June 12, 2025. The organization noted that some obfuscated variants of these protocols remained functional at the time of testing.

Legal framework: RosKomNadzor cited existing telecommunications law rather than new legislation. The regulator characterized the protocols as "technical means for circumventing access restrictions to information prohibited in the Russian Federation."

ISP compliance: Statements from Russian telecommunications providers confirm active implementation. Rostelecom's statement indicated the company deployed blocking measures within six hours of the directive's publication.

Figure 2: How the authentication bypass vulnerability works

Pros and Opportunities

From the Russian government's stated perspective, the blocking measures serve several purposes:

Regulatory enforcement: The blocks strengthen the government's ability to enforce existing content restrictions by limiting circumvention options.

Domestic technology development: Russian officials have previously stated that restricting foreign protocols encourages development of domestic alternatives.

Network visibility: Blocking encrypted DNS restores ISP visibility into user browsing patterns, which the government characterizes as necessary for law enforcement.

For network measurement and digital rights organizations, the blocks provide:

Documentation opportunity: The implementation provides data for studying censorship techniques and their effectiveness.

Protocol development insights: Observing which circumvention methods remain functional informs development of more resilient protocols.

Cons, Risks, and Limitations

The blocking measures create significant challenges for various stakeholders:

Privacy degradation: Users lose access to encrypted DNS, exposing their browsing patterns to ISPs and potentially to government surveillance.

Security risks: DoH provides protection against DNS spoofing attacks. Blocking the protocol removes a security layer for Russian internet users.

Business impact: International companies operating in Russia face complications if their services rely on blocked protocols for security or functionality.

Circumvention arms race: History suggests that blocking specific protocols leads to development of new circumvention methods, creating an ongoing technical competition.

Collateral damage: Legitimate uses of the blocked protocols, including enterprise security applications, are affected alongside circumvention use cases.

Implementation inconsistency: OONI's measurements indicate varying blocking effectiveness across different ISPs and regions, suggesting uneven implementation.

Figure 3: Privilege escalation from user to SYSTEM level

How the Technology Works

DNS-over-HTTPS encrypts DNS queries by sending them over HTTPS connections to compatible resolvers. Traditional DNS sends queries in plaintext, allowing network operators to see which domain names users request. DoH wraps these queries in encrypted HTTPS traffic, so the queries themselves look like regular web browsing to network observers. What stays visible is the connection metadata: the resolver's IP address and the hostname in the TLS handshake.

The blocking implementation targets DoH by identifying connections to known DoH resolver IP addresses. Deep packet inspection equipment examines the SNI field in TLS handshakes to confirm the connection is to a DoH service. Some implementations also use IP address blocklists of known DoH providers.

ShadowSocks operates as a SOCKS5 proxy with encryption and obfuscation features. The protocol was designed to resist detection by making traffic appear similar to normal HTTPS connections. However, statistical analysis of packet sizes, timing, and entropy can identify ShadowSocks traffic with varying accuracy.

Russian ISPs deploy deep packet inspection equipment at network boundaries to analyze traffic in real time. The equipment maintains databases of protocol signatures and applies blocking rules when matches are detected. The technical implementation requires significant computational resources to analyze traffic at scale.

Technical context for expert readers: The blocking appears to use a combination of IP-based blocking for known DoH resolvers and heuristic detection for ShadowSocks. OONI's measurements suggest the ShadowSocks detection relies on entropy analysis and connection pattern matching rather than protocol-specific signatures, which explains the partial effectiveness against obfuscated variants.
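The entropy side of that heuristic, as an added example that is not OONI's or any ISP's actual classifier: it flags a first client payload that carries no recognised protocol header and whose bytes are close to uniformly random. The threshold, minimum sample size, prefix list and the SHA-256-based sample generator are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # assumed cutoff in bits per byte, not a measured value
MIN_SAMPLE = 256          # assumed minimum payload size for a stable estimate
KNOWN_PREFIXES = (b"\x16\x03", b"GET ", b"POST ", b"HTTP/", b"SSH-")  # assumed list


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_fully_encrypted(first_payload: bytes) -> bool:
    """Flag a first payload with no recognisable framing and near-random bytes."""
    if len(first_payload) < MIN_SAMPLE:
        return False      # too short: the entropy estimate is unreliable
    if first_payload.startswith(KNOWN_PREFIXES):
        return False      # starts like TLS, HTTP or SSH, so not header-less
    return shannon_entropy(first_payload) >= ENTROPY_THRESHOLD


def pseudo_random(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 digests of a counter."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]
```

Any protocol that is encrypted from the first byte trips this check, not only ShadowSocks, which is consistent with the varying accuracy and collateral damage the article describes.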

Industry Implications

Russia's protocol-level blocking represents an escalation in internet censorship techniques. While content blocking targets specific websites or services, protocol blocking affects entire categories of communication methods.

The approach follows patterns established by China's Great Firewall, which has blocked similar protocols for years. Russia's implementation provides another data point for understanding how authoritarian governments adapt censorship technology.

For protocol developers and privacy advocates, the blocks demonstrate the ongoing challenge of designing circumvention-resistant communication methods. Each new blocking technique prompts development of countermeasures, which in turn face new detection methods.

International technology companies face decisions about whether to develop Russia-specific workarounds or accept reduced functionality in the Russian market. The compliance burden adds to existing challenges from sanctions and data localization requirements.

The blocking also affects the broader internet standards community. Protocols designed with censorship resistance as a goal must now account for the specific detection methods Russia has deployed.

What Remains Unclear

Confirmed facts:

  • RosKomNadzor published directive No. 2025-0612-PKT on June 12, 2025
  • The directive requires blocking of DoH and ShadowSocks protocols
  • OONI confirmed blocking implementation beginning June 12, 2025
  • Major Russian ISPs have stated compliance with the directive

Open questions:

  • The full list of DoH providers affected by the blocks
  • Whether obfuscated protocol variants will face additional blocking measures
  • Enforcement actions against non-compliant ISPs
  • Impact on enterprise VPN services that use similar protocols
  • Whether additional protocols will be added to the blocked list

At the time of reporting, RosKomNadzor had not responded to requests for comment on implementation details or future plans.

What to Watch Next

Several developments will clarify the impact and evolution of these restrictions:

Circumvention adaptation: How quickly privacy tools adapt to bypass the new blocks, and whether those adaptations trigger additional blocking measures.

ISP compliance monitoring: Reports of enforcement actions against ISPs that fail to implement blocks effectively.

Protocol evolution: Updates to DoH and ShadowSocks implementations designed to evade the detection methods Russia has deployed.

International response: Statements from technology companies and governments regarding the blocking measures.

OONI measurements: Ongoing network measurement data documenting blocking effectiveness and any changes in implementation.

Additional restrictions: Whether RosKomNadzor adds other protocols to the blocked list, such as WireGuard or other VPN protocols.

Sources

  1. RosKomNadzor Registry Update, Directive No. 2025-0612-PKT, June 12, 2025. https://rkn.gov.ru/news/rsoc/news74521.htm

  2. OONI Network Measurement Report, "Russia Blocks DoH and ShadowSocks Protocols," June 12, 2025. https://ooni.org/post/2025-russia-protocol-blocking/

  3. The Record, "Russia blocks DNS-over-HTTPS and ShadowSocks protocols nationwide," June 12, 2025. https://therecord.media/russia-blocks-doh-shadowsocks-protocols
