Interpreting OONI Probe Results: Common Findings and What They Mean
1. Overview
OONI Probe runs active network measurements to detect censorship, traffic manipulation, and performance anomalies. A result combines test-specific metrics (for web_connectivity: DNS answers, TCP connect outcomes, TLS handshakes, HTTP responses), probe- and network-level metadata (ASN, country, resolver used), and raw evidence (HTTP headers and bodies, certificate chains, and packet captures where available). Interpret a result by focusing on the test type, consistency across vantage points and over time, and corroborating evidence in related tests: a single anomalous field rarely proves anything on its own.
2. Common findings and meanings
DNS tampering / DNS injection
- What you’ll see: answers that differ from the control resolver's, NXDOMAIN for a domain that resolves from other vantage points, answers pointing at private or otherwise non-routable addresses, or responses arriving from a resolver you did not query.
- Meaning: a resolver or in-path middlebox (ISP resolver, transparent DNS proxy) is altering or blocking lookups, typically to block a domain or to redirect users to a block page or ad page.
- Confidence indicators: the same wrong answer from several resolvers, synthetic NXDOMAINs for names that resolve elsewhere, and HTTP tests that fetch a redirect or block page from the returned address. Caveat: CDNs and geo-DNS legitimately return different public IPs per region, so an address mismatch alone needs HTTP/TLS corroboration before it counts as tampering.
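The DNS consistency check described above, as an added example that is not OONI's own code. It compares the probe resolver's answers with the control vantage point's and separates the strong signals (NXDOMAIN where the control resolves, answers in private or loopback space) from the weak one (different but public addresses, which a CDN can also explain). The dictionary layout is a simplified subset of what web_connectivity records under test_keys (queries/answers and control.dns) as assumed here; the failure string `dns_nxdomain_error` is assumed to match OONI's, and all sample measurements are constructed.

```python
"""DNS consistency check over a web_connectivity-style result (added example)."""
import ipaddress
from typing import Any, Dict, List, Set

# OONI's failure string for NXDOMAIN; assumed to match the probe's output.
NXDOMAIN = "dns_nxdomain_error"

# Address space that can never host a legitimate public web server. An answer
# in one of these ranges is a strong injection/sinkhole signal. Listed
# explicitly rather than via is_private(), which also flags documentation
# ranges such as 203.0.113.0/24 that the constructed samples below use.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]


def probe_addrs(test_keys: Dict[str, Any]) -> Set[str]:
    """Collect every A/AAAA answer the probe's resolver returned."""
    addrs: Set[str] = set()
    for query in test_keys.get("queries", []):
        for answer in query.get("answers") or []:
            ip = answer.get("ipv4") or answer.get("ipv6")
            if ip:
                addrs.add(ip)
    return addrs


def probe_failures(test_keys: Dict[str, Any]) -> List[str]:
    """Collect per-query failure strings (queries without a failure are skipped)."""
    return [q["failure"] for q in test_keys.get("queries", []) if q.get("failure")]


def is_bogon(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)  # version mismatch -> False


def classify_dns(test_keys: Dict[str, Any]) -> Dict[str, Any]:
    """Return a verdict plus the reasons behind it."""
    control = test_keys.get("control", {}).get("dns", {})
    control_addrs = set(control.get("addrs") or [])
    if control.get("failure") or not control_addrs:
        return {"verdict": "control_failed",
                "reasons": ["control resolver gave no usable answer; cannot judge"]}

    failures = probe_failures(test_keys)
    addrs = probe_addrs(test_keys)

    if NXDOMAIN in failures:
        return {"verdict": "nxdomain_injection",
                "reasons": [f"probe got NXDOMAIN but control resolved {sorted(control_addrs)}"]}

    bogons = sorted(ip for ip in addrs if is_bogon(ip))
    if bogons:
        return {"verdict": "bogon_answer", "reasons": [f"non-public answer(s) {bogons}"]}

    if addrs & control_addrs:
        return {"verdict": "consistent",
                "reasons": [f"shared answers {sorted(addrs & control_addrs)}"]}

    if not addrs:
        return {"verdict": "no_answer", "reasons": failures or ["empty answer section"]}

    # Different-but-public answers: tampering is possible, but CDNs and
    # geo-DNS do this too. Corroborate with the HTTP and TLS results.
    return {"verdict": "inconsistent",
            "reasons": [f"probe {sorted(addrs)} vs control {sorted(control_addrs)}; "
                        "check whether the probe's IP serves a block page"]}


# Constructed samples, not real measurements.
SAMPLE_TAMPERED = {
    "queries": [{"hostname": "example.org", "query_type": "A", "failure": None,
                 "answers": [{"answer_type": "A", "ipv4": "203.0.113.9"}]}],
    "control": {"dns": {"failure": None, "addrs": ["198.51.100.10", "198.51.100.11"]}},
}
SAMPLE_NXDOMAIN = {
    "queries": [{"hostname": "example.org", "query_type": "A",
                 "failure": NXDOMAIN, "answers": None}],
    "control": {"dns": {"failure": None, "addrs": ["198.51.100.10"]}},
}
SAMPLE_BOGON = {
    "queries": [{"hostname": "example.org", "query_type": "A", "failure": None,
                 "answers": [{"answer_type": "A", "ipv4": "127.0.0.1"}]}],
    "control": {"dns": {"failure": None, "addrs": ["198.51.100.10"]}},
}
SAMPLE_OK = {
    "queries": [{"hostname": "example.org", "query_type": "A", "failure": None,
                 "answers": [{"answer_type": "A", "ipv4": "198.51.100.11"}]}],
    "control": {"dns": {"failure": None, "addrs": ["198.51.100.10", "198.51.100.11"]}},
}

if __name__ == "__main__":
    for name, sample in [("tampered", SAMPLE_TAMPERED), ("nxdomain", SAMPLE_NXDOMAIN),
                         ("bogon", SAMPLE_BOGON), ("ok", SAMPLE_OK)]:
        print(name, classify_dns(sample))
```

Run it on the `test_keys` object of a real web_connectivity measurement after checking that the keys match; an `inconsistent` verdict should be fed into the HTTP and TLS checks rather than reported on its own.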
HTTP blocking and keyword-based filtering
- What you’ll see: HTTP requests returning block pages (explicit block content), injected TCP RST or FIN packets that tear the request down, HTTP 403 or 451 responses that the control vantage point does not see, or responses matching known block-page signatures.
- Meaning: active HTTP censorship, whether direct blocking, redirection to a notice page, or content filtering by the network or ISP.
- Confidence indicators: identical block-page HTML across multiple requests and hosts, matching block-page fingerprints (body text, title, or a redirect to a known notice host), and correlated DNS anomalies.
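Block-page detection for the HTTP findings above, as an added example that is not OONI's own code. It checks a measured response against the control's on three axes: a fingerprint match (body regexes and a redirect to a notice host), a status code the control did not see, and a body far shorter than the control's, and it hashes whitespace-normalised bodies so that "identical block page across requests" can be checked directly. The response layout (status_code, headers, body, body_length) is a simplified version of what web_connectivity stores, the 0.7 body-ratio threshold is an assumption, and the fingerprints and notice host are constructed stand-ins, not OONI's fingerprint list.

```python
"""Block-page and body-mismatch detection for HTTP results (added example)."""
import hashlib
import re
from typing import Any, Dict, List, Optional

# Assumed threshold: a measured body much smaller than the control's is a
# mismatch signal. Adjust after looking at your own control/measured pairs.
BODY_RATIO_THRESHOLD = 0.7

# Constructed block-page signatures (hypothetical, not OONI's list).
BODY_FINGERPRINTS = {
    "access-denied-title": re.compile(r"<title>\s*access denied\s*</title>", re.I),
    "blocked-by-order": re.compile(r"blocked by order of", re.I),
}
# Constructed notice host used by redirect-based blocking (hypothetical).
NOTICE_HOSTS = ("blockpage.example.net",)


def header(resp: Dict[str, Any], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in (resp.get("headers") or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def body_hash(body: str) -> str:
    """SHA-256 of a whitespace-normalised body, so the same block page served
    with different indentation still compares equal."""
    normalised = " ".join(body.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def analyze_http(measured: Dict[str, Any], control: Dict[str, Any]) -> Dict[str, Any]:
    body = measured.get("body") or ""
    control_len = control.get("body_length") or 0
    ratio = (len(body) / control_len) if control_len else None

    matched: List[str] = [name for name, rx in BODY_FINGERPRINTS.items() if rx.search(body)]
    location = header(measured, "Location")
    if location and any(host in location for host in NOTICE_HOSTS):
        matched.append("redirect-to-notice-host")

    status = measured.get("status_code")
    status_mismatch = status != control.get("status_code")

    if matched:
        verdict = "blockpage"            # strongest signal: known signature
    elif status_mismatch and status in (403, 451):
        verdict = "suspicious_status"    # control did not get this code
    elif status_mismatch or (ratio is not None and ratio < BODY_RATIO_THRESHOLD):
        verdict = "mismatch"             # different page; inspect the body
    else:
        verdict = "consistent"
    return {"verdict": verdict, "fingerprints": matched, "body_ratio": ratio,
            "status_mismatch": status_mismatch, "body_sha256": body_hash(body)}


def identical_bodies(bodies: List[str]) -> bool:
    """True when every body hashes the same: the 'same block page across many
    requests' corroboration signal."""
    return len({body_hash(b) for b in bodies}) == 1


# Constructed samples, not real measurements.
CONTROL = {"status_code": 200, "body_length": 5000}
BLOCKPAGE = {"status_code": 200, "headers": {"Content-Type": "text/html"},
             "body": "<html><head><title>Access Denied</title></head>"
                     "<body>This site has been blocked by order of the regulator.</body></html>"}
FORBIDDEN = {"status_code": 403, "headers": {}, "body": "Forbidden"}
REDIRECT = {"status_code": 302, "headers": {"location": "https://blockpage.example.net/notice"},
            "body": ""}
NORMAL = {"status_code": 200, "headers": {}, "body": "x" * 4800}

if __name__ == "__main__":
    for name, resp in [("blockpage", BLOCKPAGE), ("forbidden", FORBIDDEN),
                       ("redirect", REDIRECT), ("normal", NORMAL)]:
        print(name, analyze_http(resp, CONTROL)["verdict"])
```

A `mismatch` verdict is not a finding on its own: open the body, and compare its hash with other measurements of the same network before calling it a block page.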
TCP/IP interference (injection, RSTs)
- What you’ll see: unexpected TCP resets (RST packets), connections torn down mid-request, or forged packets with sequence-number or timing anomalies. Packet capture evidence, where available, can show the injected RSTs.
- Meaning: a middlebox is actively disrupting TCP sessions to stop connections to certain hosts or ports. Common for blocking VPNs, proxies, or particular services.
- Confidence indicators: injected RSTs whose TTL, sequence numbers or timing don’t match server-originated packets, repeated failures at specific ports, and corroborating SNI/TLS anomalies.
TLS interception or downgrade
- What you’ll see: certificate mismatches (chains that do not validate to the expected CA), self-signed certificates, certificate fingerprints that differ from those seen at public vantage points, or TLS handshake failures.
- Meaning: man-in-the-middle TLS interception (often by a local proxy) or active blocking by interfering with the handshake. Could indicate enterprise filtering, ISP interception, or a malicious middlebox.
- Confidence indicators: differing certificate chains when the same host is tested from multiple networks, captive-portal or visible proxy headers, and a replacement certificate that carries the target hostname but chains to an unexpected or private CA. Caveat: corporate TLS inspection and captive portals produce exactly this symptom and are not censorship; check which CA issued the certificate before concluding.
SNI-based filtering
- What you’ll see: the TCP connection succeeds but the TLS handshake is reset or times out as soon as the ClientHello carrying the target SNI is sent, while the same IP with a different or absent SNI completes the handshake.
- Meaning: a middlebox inspects the cleartext SNI field and blocks specific hostnames without needing to touch DNS.
- Confidence indicators: successful connection to the IP but failed handshake only with the target SNI; consistent behavior across TLS tests and repeated runs.
Circumvention tool blocking (VPNs, Tor, proxies)
- What you’ll see: failed connections to known circumvention service endpoints (packets dropped, connection timeouts), or services returning block pages.
- Meaning: targeted blocking of tools used to evade censorship. Often combined with DPI signatures that look for protocol fingerprints.
- Confidence indicators: failures specific to circumvention ports/protocols, failures that begin only after protocol-specific bytes are exchanged (a DPI signature match), and consistent results across multiple runs.
Server-side errors and transient issues
- What you’ll see: sporadic timeouts, 5xx server errors, packet loss without clear manipulation evidence.
- Meaning: not all failures indicate censorship; some are ordinary network congestion, server downtime, or routing problems.
- Confidence indicators: inconsistent results across repeated tests, success from other vantage points, and no tampering signatures.
Middlebox or ISP debugging artefacts
- What you’ll see: added headers (e.g., Via, X-Forwarded-For, or vendor-specific X-* headers), the same proxy hop appearing in traceroutes, or HTML modified for compression or ad injection.
- Meaning: legitimate or commercial traffic management (caching, compression, ad insertion) rather than censorship.
- Confidence indicators: presence of known proxy headers, reduced content size with the page otherwise intact, or explanatory ISP pages.
False positives and measurement pitfalls
- What you’ll see: one-off anomalies, inconsistent evidence across tests, or differences caused by local device configuration (hosts file, VPN, local DNS filter, antivirus web protection).
- Meaning: measurement artifacts rather than deliberate interference.
- How to reduce risk: repeat tests at different times, test from other networks, check local settings, and correlate multiple tests (DNS + HTTP + TLS).
3. How to reach confidence levels
- Corroborate across tests: matching DNS + HTTP/TLS anomalies for the same target increase confidence; one anomalous test alone is weak.
- Repeat and compare: run tests at different times and from other vantage points.
- Check evidence: look at packet captures, block-page fingerprints, certificate chains, and traceroutes.
- Use metadata: many probes in the same AS/ISP producing the same anomaly, while probes elsewhere succeed, is a strong signal.
4. Quick interpretation checklist
- Was DNS altered? If yes, likely domain-level blocking (unless the differing answers are just a CDN's regional IPs).
- Is there an identifiable block page or injected RST? If yes, active blocking.
- Are TLS certificates different? If yes, MITM or interception (check the issuing CA: a corporate proxy or captive portal looks the same).
- Do issues persist across repeated runs and networks? If yes, likely deliberate filtering; if not, likely transient or local.
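The confidence rules of section 3 and the checklist above, combined into one assessment routine as an added example that is not OONI's own code. Each observation is a hand-built per-measurement summary (DNS verdict, block page or RST seen, certificate mismatch, failure string); the routine asks how persistently each signal type appears in the target AS, whether a comparison run from another network succeeded, and maps the result onto the checklist's findings with a high/medium/low confidence. The field names, the 80% persistence threshold and the confidence rules are assumptions, not OONI's blocking heuristics, and all observations are constructed.

```python
"""Corroborate signals across runs and vantage points (added example)."""
from collections import Counter
from typing import Any, Dict, List, Set

DNS_TAMPER_VERDICTS = {"inconsistent", "nxdomain_injection", "bogon_answer"}
PERSISTENCE_THRESHOLD = 0.8  # assumed: a signal must appear in 80% of runs in the AS
FINDING_FOR = {"dns": "domain-level DNS blocking",
               "http": "active HTTP/TCP blocking",
               "tls": "TLS interception (or a local proxy/captive portal)"}


def signals_of(obs: Dict[str, Any]) -> Set[str]:
    """Map one observation onto the checklist's three questions."""
    signals: Set[str] = set()
    if obs.get("dns") in DNS_TAMPER_VERDICTS:
        signals.add("dns")
    if obs.get("blockpage") or obs.get("rst_injected"):
        signals.add("http")
    if obs.get("tls_cert_mismatch"):
        signals.add("tls")
    return signals


def assess(observations: List[Dict[str, Any]], target_asn: str) -> Dict[str, Any]:
    in_asn = [o for o in observations if o["asn"] == target_asn]
    others = [o for o in observations if o["asn"] != target_asn]
    if not in_asn:
        raise ValueError(f"no observations from {target_asn}")

    runs = len(in_asn)
    counts = Counter(sig for o in in_asn for sig in signals_of(o))
    persistent = {sig for sig, n in counts.items() if n / runs >= PERSISTENCE_THRESHOLD}

    # Comparison runs from other networks: clean (target works there) or all
    # failing without tampering signs (points at the server, not the network).
    others_clean = bool(others) and all(
        not signals_of(o) and not o.get("failure") for o in others)
    others_failing = bool(others) and all(
        o.get("failure") and not signals_of(o) for o in others)

    if not counts:
        if others_failing and all(o.get("failure") for o in in_asn):
            return {"findings": [], "confidence": "none",
                    "note": "fails everywhere without tampering signs: suspect the server"}
        return {"findings": [], "confidence": "none", "note": "no interference signals"}

    if not persistent:
        return {"findings": ["transient_or_local"], "confidence": "low",
                "note": f"signals {dict(counts)} seen in fewer than "
                        f"{PERSISTENCE_THRESHOLD:.0%} of {runs} runs"}

    findings = [FINDING_FOR[s] for s in ("dns", "http", "tls") if s in persistent]
    if len(persistent) >= 2 and others_clean:
        confidence = "high"      # corroborated signal types plus a clean comparison network
    elif others_clean or runs >= 3:
        confidence = "medium"    # persistent, but only one signal type or no comparison
    else:
        confidence = "low"       # too few runs and nothing to compare against
    note = "other networks succeed" if others_clean else "no clean comparison from another network"
    return {"findings": findings, "confidence": confidence, "note": note}


def obs(asn: str, dns: str = "consistent", blockpage: bool = False, rst: bool = False,
        tls: bool = False, failure: Any = None) -> Dict[str, Any]:
    """Build one constructed observation (not a real measurement)."""
    return {"asn": asn, "dns": dns, "blockpage": blockpage, "rst_injected": rst,
            "tls_cert_mismatch": tls, "failure": failure}


# Constructed scenarios. ASNs are from the private/documentation range.
BLOCKED = [obs("AS64496", "inconsistent", blockpage=True)] * 3 + [
    obs("AS64496", "nxdomain_injection", rst=True),
    obs("AS64497")]                      # comparison run from another ISP: clean
ONE_OFF = [obs("AS64496", rst=True), obs("AS64496"), obs("AS64496")]
SERVER_DOWN = [obs("AS64496", failure="generic_timeout_error"),
               obs("AS64496", failure="generic_timeout_error"),
               obs("AS64497", failure="generic_timeout_error")]

if __name__ == "__main__":
    for name, scenario in [("blocked", BLOCKED), ("one-off", ONE_OFF), ("server-down", SERVER_DOWN)]:
        print(name, assess(scenario, "AS64496"))
```

Feed it the per-measurement summaries produced by your DNS, HTTP and TLS checks; the useful output is as much the note (why confidence is capped) as the findings list.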
5. Next steps after confirming interference
- Document: save the raw OONI evidence (response bodies, packet captures where available, certificate chains, the measurement ID).
- Compare: run the tests again from a different network and at a different time.
- Share: use OONI Explorer or published research reports to compare against historical data and other vantage points.
- Consider mitigation: use trusted circumvention tools, encrypted DNS (DoT/DoH), or a VPN, but only where legal and safe for you.