How to bypass Internet censorship

Page 24

If the DNS server is configured to block access, it consults a blacklist of banned domain names. When a browser requests the IP address for one of these domain names, the DNS server gives a wrong answer or no answer at all.

When the DNS server gives a meaningless answer or no answer, the requesting computer fails to learn the correct IP address for the service it wanted to contact. Without the correct IP address, the requesting computer cannot continue, and it displays an error message. Since the browser does not learn the Web site's correct IP address, it is not able to contact the site to request a page. The result is that all of the services under a particular domain name, such as all of the pages on a particular Web server, are unavailable. In this case, deliberate blocking may wrongly appear as a technical problem or random failure. Similarly, a censor could force a DNS entry to point to an incorrect IP address, thus redirecting Internet users to incorrect Web sites. This technique is called DNS spoofing, and censors can use it to hijack the identity of a particular server and display forged Web sites or reroute the users' traffic to unauthorized servers that could intercept their data. (In some networks, the wrong answer would lead to a different Web server that clearly explains the nature of the blocking that has occurred. This technique is used by censors who don't mind admitting that they are engaged in censorship and who don't want users to be confused about what has taken place.)
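The three outcomes described above (no answer, a spoofed answer, and an answer that leads to a notice page), as an added Python example that is not part of the original book: it models a blacklist-driven resolver and classifies its answers against a reference resolver assumed to be untampered. All domain names, IP addresses and function names are constructed for illustration.

```python
# Constructed sample data: example domains and documentation IP ranges.
REFERENCE = {  # answers from a resolver assumed to be untampered
    "news.example": {"198.51.100.7"},
    "banned.example": {"192.0.2.10"},
    "forum.example": {"192.0.2.20"},
    "wiki.example": {"192.0.2.30"},
}
BLOCK_PAGE_IPS = {"203.0.113.80"}  # server known to display a blocking notice

# Blacklist of the modelled filtering resolver: domain -> forced behaviour.
BLACKLIST = {
    "banned.example": None,           # no answer at all
    "forum.example": "203.0.113.99",  # wrong answer (DNS spoofing)
    "wiki.example": "203.0.113.80",   # wrong answer leading to a notice page
}


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def filtering_resolver(name):
    """Return the set of IPs the modelled resolver gives (empty = no answer)."""
    name = normalize(name)
    if name in BLACKLIST:
        forced = BLACKLIST[name]
        return {forced} if forced else set()
    return set(REFERENCE.get(name, ()))


def classify(name, answer, reference=REFERENCE, block_pages=BLOCK_PAGE_IPS):
    """Compare one observed answer with the reference answer for the name."""
    expected = reference.get(normalize(name), set())
    if not answer:
        # A missing answer for a name the reference resolves looks like a fault.
        return "no_answer" if expected else "unknown_name"
    if answer & block_pages:
        return "block_page"
    if answer & expected:
        return "consistent"
    # Disjoint answers are a lead, not proof: CDNs legitimately vary by resolver.
    return "mismatch"


def survey(names):
    """Classify the modelled resolver's answer for each name."""
    return {n: classify(n, filtering_resolver(n)) for n in names}


if __name__ == "__main__":
    for name, verdict in sorted(survey(REFERENCE).items()):
        print(f"{name:16} {verdict}")
```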

IP filtering

When data is sent over the Internet, it is grouped into small units, called packets. A packet contains both the data being sent and information about how to send the packet, such as the IP addresses of the computer it came from and the one it should go to. Routers are computers that relay packets on their way from a sender to a receiver, determining where they go next. If censors want to prevent users from accessing specific servers, they can configure routers that they control to drop (ignore and fail to transmit) data destined for IP addresses on a blacklist or to return an error message for them. Filtering based solely on IP addresses blocks all services provided by a particular server, such as both Web sites and e-mail servers. Since only the IP address is inspected, multiple domain names that share the same IP address are also blocked, even if only one was originally meant to be prohibited.

Keyword filtering
