Site blocked in China? Netlify and the Chinese Great Firewall (GFW)

Hello, I just relaunched my site on Netlify and I noticed that I can’t connect to my site without using a VPN while in China. I checked using the Great Firewall Test and they confirmed my site doesn’t work in China. Any way around this?

1 Like

Having the same issue:

Hi folks! As I’m sure you know, we don’t have any control over what is blocked by the Great Firewall. However, most of the testing tools out there don’t do a good job of testing “is your Netlify website unloadable in China”, but instead do something like this:

  1. do an outside-of-China DNS lookup of your site. All DNS lookups come from one location, so one answer is received by the tool from “outside the firewall”.
  2. If you have DNS configured optimally (see this article for more details on the topic), a DNS lookup for your site will return different IP addresses from different locations, based on their geographic nearness to our various data centers. Immediate problem: a lookup in the US or South America or Australia would basically NEVER match a result from Asia. So, there is that initial confounding factor to this methodology.
  3. While our list of data centers can and does change frequently and without announcement, this post is a relatively up to date list that we made recently.

Further complicating factor: we have several CDN nodes in most locations, and so even from e.g. Singapore, you could get one of several IP addresses for even lookups performed at the same time, as our DNS intentionally returns first one and then a different IP for the same lookup to help distribute load.

There may be checking tools that do something more sophisticated, but last time I spent (several hours) looking into this for a customer, I could not find one that wasn’t a DNS-based test, and the conclusion we came to was that their site was generally available in China, which was only determinable via testing from within China.

If you have some specific reports from within China of site unreachable, it would be great to know two things to help us debug:

  1. what nslookup your.customdoma.in returns from a computer that experiences the problem AT THE TIME IT EXPERIENCES THE PROBLEM, so we can see if that IP is one of our nodes or not.
  2. a HAR file of the loading experience, in case it is “site loads poorly” rather than “site doesn’t load at all”. This is the place to instruct folks about how to grab a HAR file: https://toolbox.googleapps.com/apps/har_analyzer/

Once we’ve seen that data, we would be happy to investigate and speak to what is actually happening (accepting of course that if China blocks your website, we can’t really stop them from doing so), but at a high level, most of the tools I could find were not a good test based on how our CDN handles routing.

3 Likes
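A HAR capture can be triaged locally before it is sent in. The sketch below is an added example, not Netlify tooling or code from this thread; it separates “site doesn’t load at all” from “site loads poorly” and lists the server IPs the browser actually reached. The 5000 ms cutoff, the `triage_har` name and the sample capture are assumptions made for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

def triage_har(har, site_host, slow_ms=5000):
    """Classify one page load from a HAR 1.2 capture (slow_ms is an assumed cutoff)."""
    entries = har.get("log", {}).get("entries", [])
    own = [e for e in entries
           if urlsplit(e["request"]["url"]).hostname == site_host]
    # Browsers typically record status 0 when no HTTP response arrived
    # (DNS failure, connection reset, timeout).
    failed = [e for e in own if e["response"]["status"] == 0]
    slow = [e for e in own
            if e["response"]["status"] != 0 and e.get("time", 0) >= slow_ms]
    if not own:
        verdict = "no requests to site in capture"
    elif len(failed) == len(own):
        verdict = "site doesn't load at all"
    elif failed or slow:
        verdict = "site loads poorly"
    else:
        verdict = "site loads normally"
    return {
        "verdict": verdict,
        "failed": [e["request"]["url"] for e in failed],
        "slow": [e["request"]["url"] for e in slow],
        # serverIPAddress is optional in HAR; it shows which node answered.
        "server_ips": sorted({e["serverIPAddress"] for e in own
                              if e.get("serverIPAddress")}),
    }

def _entry(url, status, ms, ip=None):
    e = {"request": {"url": url}, "response": {"status": status}, "time": ms}
    if ip:
        e["serverIPAddress"] = ip
    return e

# Constructed sample capture; example.com and 192.0.2.0/24 are documentation-only.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    _entry("https://www.example.com/", 200, 420.0, "192.0.2.10"),
    _entry("https://www.example.com/app.js", 0, 30000.0),
    _entry("https://www.example.com/hero.jpg", 200, 9100.5, "192.0.2.11"),
    _entry("https://cdn.example.net/font.woff2", 0, 30000.0),
]}}

if __name__ == "__main__":
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    host = sys.argv[2] if len(sys.argv) > 2 else "www.example.com"
    print(json.dumps(triage_har(har, host), indent=2))
```

Run with a saved capture and the site’s hostname as arguments; with no arguments it reports on the constructed sample.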

I’m within China; I just used the tool to double-check, but thanks for the clarification about your CDN nodes. Anyway, interesting thing: it would seem they block sites by default until crawled by their search engine. As soon as I went through the process, the site was working normally.

That’s interesting 🤔 Thanks for sharing.

Hope that Netlify DNS could update a new feature which allows us to enable different routes for visitors in China. Just like DNSPod, visitors from different regions can visit the same domain from different servers, not just different CDN nodes.

even netlify.com is blocked

@flinhong: not sure what that service does? Certainly we have the ability to route to any CDN node from any geolocation; that’s how our CDN works. Could you elaborate a bit more on what that solution might look like, and particularly my next point? I think it doesn’t matter what CDN node we route to if the firewall wants to block our content, but obviously, this is largely a guess since I don’t know everything about how it is implemented.

@Njegos: Can you give us more details about what is blocked from where (I assume you are testing from within China?), using the guidelines I mentioned above?

That will hopefully help us quantify a bit what the failure is 🙂

Yeah tested within China (Shenzhen and Beijing).

Here’s the nslookup:
```
Non-authoritative answer:
njegos.dev nameserver = dns4.p07.nsone.net.
njegos.dev nameserver = dns3.p07.nsone.net.
njegos.dev nameserver = dns2.p07.nsone.net.
njegos.dev nameserver = dns1.p07.nsone.net.
njegos.dev nameserver = dns2.p07.nsone.net.
njegos.dev nameserver = dns1.p07.nsone.net.
njegos.dev nameserver = dns4.p07.nsone.net.
njegos.dev nameserver = dns3.p07.nsone.net.

Authoritative answers can be found from:
```

With VPN on:

```
Non-authoritative answer:
njegos.dev
        origin = dns1.p07.nsone.net
        mail addr = njegos.gmx.us
        serial = 1571711553
        refresh = 43200
        retry = 7200
        expire = 1209600
        minimum = 3600
njegos.dev      mail exchanger = 10 mx.zoho.com.
njegos.dev      mail exchanger = 50 mx3.zoho.com.
njegos.dev      mail exchanger = 20 mx2.zoho.com.
njegos.dev      nameserver = dns4.p07.nsone.net.
njegos.dev      nameserver = dns3.p07.nsone.net.
njegos.dev      nameserver = dns2.p07.nsone.net.
njegos.dev      nameserver = dns1.p07.nsone.net.

Authoritative answers can be found from:
njegos.dev      nameserver = dns4.p07.nsone.net.
njegos.dev      nameserver = dns2.p07.nsone.net.
njegos.dev      nameserver = dns1.p07.nsone.net.
njegos.dev      nameserver = dns3.p07.nsone.net.
```

None of that seems wrong. What is the IP address that is resolved to? If none, then China is blocking the DNS traffic and there is nothing we can do there.
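The pastes above list NS, SOA and MX records but no address, which is why the resolved IP is still unknown. The following added example (not part of the thread and not Netlify code) parses Linux-style nslookup output, reports which record types it contains, and checks any resolved addresses against a caller-supplied list of expected networks. The function name, the `expected_nets` parameter and the second sample are assumptions; the page does not publish the real node ranges, so a documentation range stands in for them.

```python
import ipaddress
import re

MARKERS = {"nameserver =": "NS", "mail exchanger =": "MX", "origin =": "SOA"}

def summarize_nslookup(text, expected_nets=()):
    """Extract resolved addresses and record types from nslookup output."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    addresses, types, seen_name = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        types.update(t for marker, t in MARKERS.items() if marker in line)
        if line.startswith("Name:"):
            seen_name = True  # Address lines after this belong to the answer
            continue
        m = re.match(r"Address(?:es)?:\s*(\S+)$", line)
        if m and seen_name:  # skips the resolver's own "Address:" line
            try:
                addresses.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass
    if addresses:
        types.add("A/AAAA")
    return {
        "addresses": [str(a) for a in addresses],
        "record_types": sorted(types),
        # Only meaningful when the caller supplies the expected ranges.
        "outside_expected": [str(a) for a in addresses
                             if nets and not any(a in n for n in nets)],
    }

# Excerpt of the first paste in the thread: NS records only, no address.
THREAD_PASTE = """Non-authoritative answer:
njegos.dev nameserver = dns4.p07.nsone.net.
njegos.dev nameserver = dns3.p07.nsone.net.
"""

# Constructed sample of a plain lookup; all addresses are documentation ranges.
CONSTRUCTED = """Server:\t\t10.0.0.1
Address:\t10.0.0.1#53

Non-authoritative answer:
Name:\tyour.customdoma.in
Address: 192.0.2.44
Name:\tyour.customdoma.in
Address: 198.51.100.7
"""

if __name__ == "__main__":
    print(summarize_nslookup(THREAD_PASTE))
    print(summarize_nslookup(CONSTRUCTED, ["192.0.2.0/24"]))
```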

From my understanding, Netlify DNS could add an additional function like this:

Then, the site owner can configure the traffic line for Chinese visitors to another available server address other than Netlify CDNs.

Our DNS functionality does not work in that way and we don’t have any plans to extend it. Namely: we don’t have any “other” DNS servers to point folks to. You’d need to use external DNS hosting that has that functionality if you’d like it.