For those wondering: it's DNS blocks, so only affecting those using ISP DNS.

If this is the case, someone running their own recursive DNS server (like Bind9 or Unbound) can trivially bypass these restrictions. Doing this is a sensible step towards more privacy, regardless of censorship.

Interesting. UK ISPs have had a similar block/filter list for many years (mostly covering copyright-infringing torrent websites and the like). But it’s more robust than a simple DNS block. A VPN can bypass the block, but changing DNS providers will not.

As a reward for freeing yourself from the de facto government DNS, you will now be gifted free movies for eternity

Worth mentioning NextDNS and ControlD under this! I migrated from the former to the latter about six months ago, but both are a solid choice.

I am curious why SNI-based block isn't used.

An excellent point!

Yes, any given domain name (or as non-technical people would think about it, "website" -- any website) could be "blocked" (re-routed to a non-functioning IP, claimed to not exist, other DNS error or malfunction, ?, ???) at any level of DNS (ISP, Local, Regional, Country, ?, ???)

A question your statement so excellently potentially suggests, is:

What's the true extent of the block?

Is it merely a DNS failure -- or are inbound/outbound packets to an IP address actively suppressed and/or modified to prevent TCP/IP connections? (i.e., The Great Firewall Of China, etc.)

You have "Bad Faith Actors" (let's not call them "governments", "countries", "nation states" or even "deep states" -- those terms are so 2024-ish, and as I write this, it's almost 2026! :-) )

Observation: Let's suppose a "Bad Faith Actor" (local or nationwide, foreign or domestic) attempts to block a website. They can accomplish this in one of 3 ways:

1) DNS Block

2) TCP/IP Block, i.e., block TCP/IP4/6 address(es), address ranges, etc.

3) Combination of 1 and 2.

#3 is what would be used if a "Bad Faith Actor" absolutely had to block the "offending" website, no ifs ands or buts!

But... unfortunately for them (and fortunately for us "wee folk"! :-) ), each of these types of blocks comes with problems, problems for them, which I shall heretofore enumerate!

From the perspective of a "Bad Faith Actor":

1) DNS Block -- a mere DNS block of a single domain name is great for granularity that is, it targets that domain name and that domain name alone, and something like this works great when a given company's products and services are directly tied to their website as their brand name (i.e., google.com being blocked in China), but it doesn't work well for fly-by-night websites -- that's because a new domain name pointing to the old IP address can simply be registered...

2) TCP/IP Address / Address Range Block -- The problem with this approach is that while it is more thorough than a simple DNS block, it may also (illegally and unlawfully, I might add!) block legitimate other users, websites and services and businesses which share the same IP or IP address range!

Think about it like this... A long time ago, all of the mail traffic for AOL (America Online), about 600,000 users or so, was coming from a single IP address. Block that IP address, and yes, you've stopped spam from the single user who is annoying you, but you've also (equal-and-oppositely!) blocked 599,999 legitimate users!

So "Bad Faith Actors" -- are "damned if they use the first method, and really damned if they use the second or third methods"... the first method is easily circumventable for non-brand name dependent websites and web services, while the second and third methods risk causing harm to legitimate users, sometimes huge amounts of them... which should be illegal and unlawful by any country's legal standards...

In other words, Countries should read their own sets of laws(!) before contemplating Internet blocks on their Citizens... :-) And not just one country either, all of them!!! :-)

Anyway, an excellent point!

Very thought stimulating -- as you can see by my ramblings! :-)