Good news, everybody. We've worked out a simpler solution to unblock websites in China. Visit unblock.cn.com for more details.
This is a play-by-play guide on how to unblock your website for visitors in Mainland China without any effort on their side.
The Great Firewall of China (GFW) is a complicated filtering system capable of blocking websites by a variety of methods. The commonly used ones are IP blocking, URL and packet filtering by connection reset, TLS (SSL) certificate filtering by connection reset, and DNS hijacking.
The method for distinguishing IP blocking from URL filtering is at the end of this post.
IP blocking
Use a CDN (Content Delivery Network) to hide the real IP of your site from the GFW.
I did a simple test myself. I created a Google site and linked it with 4 subdomains as follows.
CNAME records: (ghs.google.com is currently not blocked in China)
test1.percy.in -> ghs.google.com CDN enabled
test2.percy.in -> ghs.google.com
A records: (18.104.22.168 is subject to IP blocking in China)
test3.percy.in -> 22.214.171.124 CDN enabled
test4.percy.in -> 126.96.36.199
Test 1 and test 2 merely serve to confirm the website is up. Test 3 and test 4 simulate a website with a blocked IP.
I enabled CDN on test1 and test3. The CDN I chose is CloudFlare with a free account. (You can pay to go pro or find another CDN if you like; I prefer to stay free.)
Here are the test results.
test1 and test2 are both accessible in China. test3 is accessible while test4 is blocked.
When CDN is enabled, it serves as a reverse proxy. So test3 actually resolves to an IP address owned by the CDN (CloudFlare in my case), thus bypassing IP blocking.
Unless the GFW blocks the CDN's IP addresses, which would also block many other irrelevant websites, IP blocking is nothing to fear anymore. Even if they did so, you could easily register a new account on CloudFlare and get a new set of IPs.
That didn't stop them before. The top level domains co.cc and net.ru were both censored for some time.
URL/Packet filtering
For example, your domain is example.com. They will filter ".example.com" both in content and headers, and "host:example.com" only in the HTTP header. So example.com is blocked while aaaexample.com is accessible in China.
If your domain is filtered as a restricted word, full-site encryption should be employed.
Counter measure 1: Install an SSL certificate on your server or VPS. Some certificates are expensive while others are completely free for an unlimited time. StartSSL provides free certificates with a minimal requirement: only a validated email on your domain, which can also be obtained free of charge from Google Apps.
Counter measure 2: Use Flexible SSL by CloudFlare, one of its SSL options.
That way, you save the fuss of installing a certificate and can enable SSL with a click. However, this requires a pro account on CloudFlare and costs $20/month. Note that only the visitor-to-CloudFlare leg is encrypted; the hop from CloudFlare to your origin stays in plain text:
Visitor <-- SSL --> CloudFlare <-- non-SSL --> Origin
TLS (SSL) certificate filtering
This time the GFW knows you are using encryption to evade censorship and decides to censor your certificate, which is sent in plain text before the encrypted tunnel is established.
Two counter measures as before:
1. Because your certificate is completely free and issued automatically by robots, there's nothing stopping you from changing it constantly, while the TLS (SSL) certificate filtering list is rarely updated.
2. Use CloudFlare's SSL option. CloudFlare replied to me that multiple sites may use the same certificate. Each site has its own subject alternative name (SAN), and the common name will be some variation of SSL#.cloudflare.com. So, as in the case of IP addresses, the GFW can't filter your certificate without blocking a bunch of innocent sites.
(Again, that didn't stop them before. They could block SSL connections of a bunch of sites and then filter only your domain. In that way, other sites could be reached via http only.)
DNS hijacking
This is the toughest blocking measure, and it is seldom used. Known sites subject to this kind of blocking are *facebook.com (facebook.com included), *twitter.com (twitter.com included), *youtube.com (youtube.com included), encrypted.google.com, and www.kenengba.com. Possibly fewer than a hundred sites are blocked in this way.
There are two forms of DNS hijacking performed (Wikipedia only documents the first one).
form 1: When visitors use local DNS servers controlled by the ISP, the query simply results in a connection timeout. This is performed by the local DNS server.
form 2: When visitors use foreign DNS servers such as OpenDNS, Google Public DNS, or even a random nonexistent foreign IP, the GFW returns a bogus IP address of some random site in reply to that DNS query, or blocks the real response.
(Look up a nonexistent address aaa.bbbtwitter.com on a nonexistent DNS server 188.8.131.52 in China) -- form 2 hijacking
nslookup aaa.bbbtwitter.com 184.108.40.206
Server: 220.127.116.11
Address: 18.104.22.168#53
Name: aaa.twitter.com
Address: 22.214.171.124
(Look up an existing address encrypted.google.com on an existing foreign DNS server 126.96.36.199 in China) -- form 2 hijacking
nslookup encrypted.google.com 188.8.131.52
Server: 184.108.40.206
Address: 220.127.116.11#53
Non-authoritative answer:
*** Can't find encrypted.google.com: No answer
The youtube case is very interesting. *.youtube.com and youtube.com return a fake IP address, while *youtube.com returns No answer (it should be NXDOMAIN).
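The two nslookup experiments above can be reproduced and classified programmatically. The following is an added example, not code from the original post: it builds a raw DNS A query, parses whatever reply comes back, and labels it the way the post does (an A record arriving from a server that does not exist can only be an injected reply; a reply with no records and no NXDOMAIN is the encrypted.google.com "No answer" case). The server addresses and the flag `server_exists` are supplied by the caller; the sample packets in the test are constructed.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Encode a recursive A query for name in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(buf, off):  # offset just past a (possibly compressed) name
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)
def parse_response(resp):
    """Return (txid, rcode, [A record IPs]) from a DNS response packet."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return txid, flags & 0x000F, ips

def classify(resp, server_exists, txid=0x1234):
    """Label a reply (None = timeout) the way the post's two nslookup cases do."""
    if resp is None:
        return "silent (expected)" if not server_exists else "response dropped"
    rtxid, rcode, ips = parse_response(resp)
    if rtxid != txid:
        return "txid mismatch"
    if ips:  # a nonexistent server cannot answer, so any A record was injected
        return "answered" if server_exists else "hijacked"
    return "nxdomain" if rcode == 3 else "no answer"  # encrypted.google.com case
def probe(name, server, server_exists, timeout=2.0):
    """Send one UDP query and classify the reply (needs network; not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            resp = s.recvfrom(512)[0]
        except socket.timeout:
            resp = None
    return classify(resp, server_exists)
```

Run `probe("aaa.bbbtwitter.com", "<unused foreign IP>", server_exists=False)` from inside China and outside; only an interfered path can produce "hijacked" for a server that does not exist.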
How to counter:
Method 1: Change your subdomains. We start with:
"www.example.com" is filtered: change to www1.example.com.
Filtering of the naked domain is somewhat less likely, because, for example, if they filtered oogl.com, google.com would also be inaccessible in China. [Note that this is different from filtering of the naked domain in URL/packet filtering described in section 2.] So change to example.com.
"example.com" is filtered: do not use a domain. Use the IP address directly, e.g. http://18.104.22.168 or https://22.214.171.124
However, this leaves your site vulnerable to IP blocking, because without a domain a CDN can't be used.
Since only prestigious sites are blocked this way, you surely have the money and servers to build an encrypted reverse proxy, or tons of programmers to figure out your next move.
The method for distinguishing IP blocking from URL filtering (or both)
If only part of your site is inaccessible, then it's URL filtering only (assuming your site is located on one server only).
If your site (www.example.com) is totally inaccessible, visit
respectively in China.
Please wait a few minutes before visiting the next address, because the GFW blocks all traffic to www.msn.com from your computer for a short time when a restricted word is triggered. So wait until you can see www.msn.com again (usually a minute) before you try the next one.
If any URL above is unreachable, your site is subject to URL filtering.
(Those who can't run the test in China can visit https://en.greatfire.org and enter the URLs above.)
Do a ping test in China to determine whether your IP is blocked.
Cross posted on https://en.greatfire.org/blog/2012/may/how-unblock-websites-china-web-owners