The Great Firewall of China - The What and The Why
Leaked data outlines technical and cognitive strategy
The research section of DomainTools released a long-read three-part series taking a look at the Great Firewall of China. This was based on some highly detailed leaked material that outlines both the technical and strategic purpose of such a highly controlled internet.
DomainTools released three separate articles which are well worth reading (it will take a good 45 mins or so), and together they provide an end-to-end view of the scale and completeness of the solution.
What is the Great Firewall?
The Great Firewall (GFW) of China is a vast and sophisticated system of digital control that goes far beyond simple website filtering. It is the centerpiece of China’s digital repression strategy, designed not only to block content but also to control user behavior, shape perceptions, and enforce ideological conformity.
Core Purpose and Strategy
Ideological Containment: The GFW’s primary domestic function is to preempt the circulation of narratives, symbols, or software deemed threatening to the legitimacy of the Chinese Communist Party (CCP). It enforces a state-defined version of reality by algorithmically suppressing politically sensitive terms, foreign platforms, and civil society organizing.
Digital Sovereignty: It is the digital expression of a strategic doctrine rooted in state control, asserting that information space is equivalent to territorial space. It insulates the domestic population from foreign influence and enables centralized surveillance.
Economic Engineering: The GFW systematically blocks foreign software (like Google Docs, Zoom, and Dropbox), which nurtures a domestic ecosystem and accelerates the adoption of Chinese-developed alternatives (e.g., Tencent Docs, DingTalk) that are integrated with state surveillance requirements.
Technical Components
The GFW operates as a modular and hierarchical system that combines central orchestration with distributed enforcement nodes, built on cooperation between state-run ISPs, telecom vendors, and research labs. Key technical components include:
Traffic Secure Gateway (TSG) System: This is a core modular, exportable Deep Packet Inspection (DPI) platform capable of application-layer proxying, SSL/TLS interception, and centralized policy enforcement across national ISP backbones and regional access points.
Layered Filtering:
DPI: Deep Packet Inspection processes TCP streams in real time to inspect HTTP headers and TLS handshakes and to apply keyword filtering.
SNI-based TLS Detection: Filters encrypted circumvention traffic (e.g., Psiphon, Shadowsocks, V2Ray) based on patterns in the TLS handshake process without decrypting content.
URL, Host Header, and DNS Hijack Strategies: Used to block, redirect, or monitor suspect endpoints.
Monitoring and Logging: Systems like MAAT (Modular Automated Analysis Tool) and Gohangout (a log processing framework) are used for pervasive visibility, continuous telemetry, and real-time policy enforcement. Logs reveal fine-grained behavioral fingerprinting, tying user sessions to device IDs and remote IP patterns.
Behavioral Prediction Engines: These systems go beyond static rules to flag and act on traffic that deviates from normal patterns, assigning a risk score to sessions in real time and preemptively routing or terminating sessions (e.g., injecting artificial latency).
Vendor Integration: The GFW is a distributed ecosystem of hardware and software from Chinese technology companies, such as A Hamson Technology Co., Ltd., Venustech, Topsec, and Huaxin, which supply customized routers, DPI cards, and orchestration platforms.
It is pretty clear that to get this level of interoperability and management, a state-level top-down approach to control is needed. The vast breadth and depth of both the physical infrastructure components and the technical skills needed to design and maintain such components have to be directed from a strategic point of view.
Of course, having so many moving parts (including the hiring, validating and training of staff) requires a strong set of security controls.
However, the vast scale and size of such an operation is likely to present opportunities for information leakage, subversion and insider threat.
Geopolitical and Societal Impact
The leaked material clearly has an emphasis on the technical bits and bytes and the architectural choices that have been made. Whilst that is interesting, perhaps the more long-term analysis ends up asking more about the “why” than the “how”.
What is the aim?
What does success look like?
How closely does this policy interact with both domestic and foreign policy?
From a technology point of view there are some conceptual and architectural design patterns that can be “exported” - either for monetary gain or ideological expansion and support of countries that have similar ethics and ethos.
Global Fragmentation (“Splinter-net”): China’s model is exported to other authoritarian regimes, such as Iran, Vietnam, and Russia, often through initiatives like the Digital Silk Road. This promotes the idea of “cyber sovereignty”—the right of states to regulate information flows within their borders—contributing to the fragmentation of the global internet.
Transnational Repression: The GFW’s cyber capabilities are used to monitor and harass groups that the PRC views as security threats, including Falun Gong practitioners, Uyghurs, Tibetans, supporters of Taiwanese independence, and pro-democracy activists, even those living in diaspora communities abroad.
Arms Race with Resistance: Despite the GFW’s sophistication, resistance is persistent. The system’s countermeasures provoke an ongoing arms race with developers creating new circumvention tools like Shadowsocks, V2Ray, and Trojan, which continuously iterate to evade detection. Dissent also manifests in creative, coded cultural forms (satire, homophones) to evade keyword filters.
The model is clearly not one for simple technical experimentation. It is a strategic implementation based on a controlling narrative - that supports internal information manipulation and the removal of external and counterpoint sources of opinion.
Whilst not necessarily in line with Russia’s view of a separate sovereign network that can limit technical denial of service to ISPs and network access, the GFW could provide similar functions.