"*" indicates required fields


The Architecture of Iran’s Digital Repression

The Iranian regime’s internet censorship and shutdowns function as comprehensive weapons of political warfare, designed to isolate, demoralize, and ultimately suppress dissent.

Sara Bazoobandi

Women cross a street under a banner showing hands firmly holding Iranian flags as a sign of patriotism, as one of them flashes the victory sign, in Tehran, Iran, Jan. 14. (AP Photo/Vahid Salemi)

With the rise of global digital technology, digital communication has enabled rapid mobilization of protests and the bypassing of traditional state-controlled media channels. To counter this, authoritarian regimes have increasingly deployed sophisticated internet interception, filtering, and shutdown capabilities to suppress political dissent and control information flows. From China’s Great Firewall to Russia’s deep packet inspection systems, which can track internet users, reconstruct email messages, block internet traffic, and deliver manipulated web pages, governments have invested billions in technology designed to monitor citizens, censor content, and isolate populations during periods of unrest. Iran stands among the most aggressive practitioners of digital repression, having developed a comprehensive censorship apparatus using multiple technical methods of internet monitoring and digital surveillance to control access to information.

These tactics have been used during Iran’s most recent wave of protests that erupted in December 2025. The Iranian government has responded with one of its most severe crackdowns yet, imposing a complete internet blackout across the country that has left the population digitally isolated from the outside world. For nearly a week, international phone lines were also severed, making it extraordinarily difficult for anyone outside Iran to reach family, friends, or sources inside the country. This communications blackout has served a dual purpose: It has prevented protesters from coordinating their activities and documenting regime violence, while simultaneously creating an information vacuum making it nearly impossible for international observers to verify reports of state brutality. The shutdown has demonstrated how digital repression has evolved into an essential tool of authoritarian survival in Iran. It has been deployed to cut the population’s connection not just to each other but to the rest of the world.

DNS Spoofing

The Domain Name System functions as the internet’s phone book. When a user types a URL, for example “facebook.com,” into a browser, DNS servers translate the domain name into a numerical address that computers use to find a website.

When Iranian users try to visit a blocked website, Iranian authorities can configure DNS servers to redirect them to fake addresses that either show an error page or just do not work. Iranian users can bypass DNS spoofing by using virtual private networks that send DNS requests through an encrypted VPN tunnel to DNS servers outside Iran. Instead of asking Iranian DNS servers, the computer asks the VPN provider’s DNS servers for the real address.

HTTP Filtering

Hypertext Transfer Protocol is the basic protocol that computer browsers use to request web pages. When users click on a link or type a URL, the browser sends an HTTP request that includes information about which website they are trying to reach. Iran’s deep packet inspection system acts like a security guard reading every letter the users post. It examines each request by every user and checks if they are trying to access blocked content. If the system detects the browser is trying to reach blocked content, it can send an error page instead of the real website or simply cut the connection, making it look like the website is not responding.

Iranian users can bypass this with a VPN that encrypts internet traffic before it leaves a user’s system. The government deep packet inspection system can see that there is data flowing to the VPN server, but it cannot read the encrypted content inside.

TLS and SNI Filtering

Transport Layer Security is the encryption that protects users’ data. When a user first connects to a secure website, the browser sends a message that includes the website name in clear text. This is called the Server Name Indication. Even though the rest of the connection is encrypted and private, the deep packet inspection system can still read the website name in that initial message. It is like sending a sealed envelope through the mail, but the address on the outside is visible to anyone handling it.

When Iranian users try to connect to banned sites (such as Instagram, X, or Telegram) using encryption, their browser first sends a message that includes the name of the website. Iran’s internet monitoring system reads that and can immediately cut their connection.

When a user connects to a secure HTTPS website, the SNI is visible even though the rest is encrypted. But when using a VPN, the entire connection to the website – including that initial message – is wrapped in another layer of encryption to the VPN server. Iran’s system can still detect that the system is connecting to a VPN server but not which websites are accessed through it.

Protocol Whitelisting

Different internet applications use different protocols, or sets of rules for communication. Web browsing uses HTTP or HTTPS, email uses Simple Mail Transfer Protocol, and video calls and VPNs use their own specific protocols. Iran’s system uses a whitelist approach that only allows three types of traffic to pass through: DNS (to look up website addresses), HTTP (for regular websites), and HTTPS (for secure websites). Everything else is blocked. This includes Secure Shell connections for remote computer access, custom applications or gaming protocols, peer-to-peer file sharing, and most encrypted communication tools. Protocol whitelisting is also Iran’s most effective measure to disable VPNs.

Traditional VPNs are largely ineffective because of protocol whitelisting at the centralized border gateway. The government does not need to decrypt VPN traffic or identify which websites users are visiting. It can simply block all VPN protocols from connecting in the first place. This is why internet shutdowns by the Iranian government are so effective. By combining multiple filtering layers with protocol whitelisting, the government neutralizes most circumvention tools without having to break encryption.

Border Gateway Protocol Control

Instead of each internet service provider implementing blocking measures separately, Iran has a single control point that all internet traffic passes through. The state-owned Telecommunication Company of Iran designed a system through which all internet traffic must travel through one channel – owned and operated by the state – to leave Iran and reach the global internet. That point of exit is the “border gateway.”

This means every internet provider in Iran essentially blocks the same content in the same way, because it is all being filtered at one central location. The government can instantly tighten or loosen restrictions across the entire country by adjusting one system, not thousands. Even using a different internet provider doesn’t help avoid the censorship, because all traffic eventually passes through this same checkpoint.

Imagine a country with only one international airport. No matter which taxi company is used to get there, everyone has to pass through the same security checkpoint where bags are searched and certain items are confiscated. Iran’s internet works the same way: all traffic funnels through one inspection point before leaving the country.

Building Digital Repression

Iran has not developed its censorship infrastructure in isolation. The regime has received assistance from China, the world’s most experienced practitioner of internet control. Over recent decades, Iran has paid hundreds of millions of dollars to Chinese telecommunication contractors to provide monitoring of landline, mobile, and internet communications. This includes deep packet inspection technology that can track internet users, reconstruct email messages, block internet traffic, and deliver manipulated web pages. As part of their 25-year strategic partnership agreement, the two countries have committed to expand their cooperation in cyberspace. Iran has been able to turn to China’s model of information control while adapting it to local requirements. Notably, Chinese experts have assisted Iran with building its National Information Network, a domestic internet infrastructure designed to function independently of the global internet. Marketed as conforming to Islamic values, the network includes domestic alternatives to search engines, messaging services, social media platforms, email systems, and even smartphone operating systems. For the regime, it provides the technical foundation for isolating Iranian citizens from global information during crises, while simultaneously developing domestic technological expertise that can be deployed for surveillance and control.

Beyond acquiring foreign technology, the Iranian government has pursued a deliberate strategy of building indigenous digital capabilities through what is referred to by local officials as the “jihad of knowledge.” Iran’s strategy for developing the country’s knowledge-based sector and efforts toward the “purification of higher education” have helped the government advance its cyber capabilities. This strategic framework involves training ideologically loyal Iranian tech experts and scientists to advance government projects, investing heavily in developing indigenous cyber capabilities through domestic research institutions and tech companies and collaborating with like-minded authoritarian states to acquire advanced surveillance and censorship technologies.

Internet Shutdowns as Weapons Against Protest

These investments in foreign collaboration and domestic technological development have borne fruit in several internet shutdowns since 2019, deployed primarily to suppress popular uprisings and cut off protesters from organizing tools and global attention.

In 2019, authorities ordered internet service providers and mobile operators to withdraw border gateway protocol routes, which tell the internet how to reach Iranian networks. Following Mahsa Amini’s death and subsequent protests in 2022, Iran adopted a slightly different approach. Rather than a complete blackout, authorities imposed recurring “digital curfews” on mobile networks during evening protest hours. For 13 consecutive days in September and October, mobile providers, such as Irancell and the Mobile Communications Company of Iran, were repeatedly disconnected from international traffic, and then the connections were restored overnight. This targeted strategy allowed the regime to disrupt real-time protest coordination while maintaining connectivity for domestic services and reducing economic damage. It also created psychological uncertainty, as users never knew exactly when access would disappear.

In 2025, following the outbreak of the June conflict with Israel, Iran preserved its global internet presence while using centralized filtering at the national border to block actual access. This “stealth blackout” fooled traditional monitoring tools that rely on routing data. Authorities deployed multiple censorship layers simultaneously: DNS spoofing redirected requests to fake addresses, protocol whitelisting blocked all traffic except basic web browsing, and deep packet inspection examined and filtered individual data packets. The government justified these measures as necessary to protect the country’s digital infrastructure from Israeli cyberattacks. While this claim may have had some legitimacy, the timing and comprehensiveness of the restrictions also revealed fears of popular uprising at a moment when the regime was militarily and politically vulnerable.

Internet shutdowns serve multiple strategic objectives for the Iranian regime. By severing digital connections during protests, authorities prevent real-time mobilization and coordination among demonstrators, making organized resistance far more difficult. The psychological impact on protesters is equally significant. Isolated from global attention and unable to share evidence of state violence, protesters face demoralization and doubt about whether their struggles matter to the outside world. These digital blackouts also create strategic ambiguity for the international community: When journalists, human rights organizations, and policymakers cannot verify what is happening on the ground, they may, in essence, be forced to accept regime narratives that minimize atrocities or justify crackdowns as necessary security measures, given that all nonregime information is shut off. As average citizens remain cut off, senior regime officials, state-owned news agencies, and government propagandists continue to operate online with full access, bypassing the very filtering systems imposed on the population, to give interviews to international media and shape narratives on social platforms. Internet shutdowns also sever the vital connection between protesters inside Iran and opposition diaspora communities. This is useful in slowing down, or dismantling, the formation of effective international solidarity campaigns that can amplify Iranian protesters’ voices and put pressure on foreign governments to respond. The Iranian regime’s internet censorship and shutdowns, therefore, function as comprehensive weapons of political warfare, designed to isolate, demoralize, and ultimately suppress dissent by controlling not just information flows but the very possibility of collective action and international witness.

The views represented herein are the author's or speaker's own and do not necessarily reflect the views of AGSI, its staff, or its board of directors.

Sara Bazoobandi

Non-Resident Fellow, AGSI; Marie Curie Fellow, German Institute of Global and Area Studies
