Roskomnadzor blocks websites through a state-run traffic filtering system. A resource is added to the Unified Register of Prohibited Information (EAIS) based on a court ruling or an order from an authorized government body, after which telecom operators are required to restrict access to it. Technically, blocking is enforced at the IP address, domain (DNS), or packet-content (DPI) level via TSPU equipment installed at internet providers.
This article explains how a site ends up in the register, the roles of Roskomnadzor, the hosting provider and the ISP, the difference between EAIS and TSPU, how DPI filtering works, and why innocent "neighbors" sharing an IP on shared hosting suffer too. The material is diagnostic and aimed at site owners who need to understand the availability status of their own resource under Russian laws 149-FZ and 90-FZ. It contains no instructions for circumventing restrictions.
How a site ends up in the register of prohibited information
Adding a resource to the register is a legal procedure, not a single technical button. The basis is one of the documents provided for by Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection". Until such grounds exist, there is no lawful reason to restrict access.
Grounds for blocking
- Court ruling. The most common basis. A court declares information prohibited from distribution, and the ruling is forwarded to Roskomnadzor for enforcement.
- Order of an authorized government body. Several agencies (Prosecutor General's Office, Ministry of Internal Affairs, Rospotrebnadzor, the Federal Tax Service, Roszdravnadzor, Roskomnadzor) may demand access restriction out of court within their categories — extremism, narcotics, gambling, self-harm and others.
- Violation of personal data law. Processing Russian citizens' data in breach of localization requirements can also lead to registry inclusion.
- Failure to remove unlawful content. If the owner does not remove flagged material after notice, the whole resource may be restricted.
You can check the current status of any address on the official verification service blocklist.rkn.gov.ru, and appeal forms on the eais.rkn.gov.ru portal.
The roles of Roskomnadzor, the host and the ISP
Three parties take part in the blocking chain, and their functions are strictly separated. Understanding this split helps a site owner determine exactly whom to approach in a disputed situation.
Who is responsible for what
- Roskomnadzor maintains the register, distributes exports to telecom operators and oversees enforcement. It is the operator of EAIS.
- The hosting provider receives the notice and must inform the owner within the set period about the need to remove content. If the owner takes no action, the host may restrict the resource on its side.
- The telecom operator (ISP) technically enforces the access restriction for end users — through its own equipment or via TSPU.
Site owners should remember: removing the specific prohibited page and filing a request for exclusion from the register often lifts the restriction faster than waiting. The register is not static — entries are added and removed constantly.
What EAIS — the Unified Register — is
EAIS (Unified Automated Information System) is a state database of domain names, URLs and network addresses whose access is subject to restriction. The register was created to enforce Article 15.1 of Law 149-FZ. Technically it is a machine-readable export that telecom operators regularly download and load into their filtering equipment.
An entry in the register may concern a single URL, an entire domain or an IP address. The entry level determines how "wide" the block will be and whether it affects unrelated resources. You can verify whether your address is listed on the official service blocklist.rkn.gov.ru.
What TSPU and Law 90-FZ are
TSPU stands for "technical means of countering threats." This is equipment that telecom operators install in their networks as required by law; Roskomnadzor manages it centrally. The legal foundation is Federal Law No. 90-FZ (2019), known as the "sovereign RuNet" law, which amended the laws "On Communications" and "On Information."
The key difference of TSPU from the earlier scheme is that filtering is performed centrally on the operator's side, and the ISP does not always see the content of the rules. This allows finer methods than simply dropping packets by IP — above all deep packet inspection (DPI).
How DPI filtering works
DPI (Deep Packet Inspection) is a technology in which equipment analyzes not only the destination address but the content of network packets: the requested host name in the SNI field during the TLS handshake, the Host header in HTTP, characteristic protocol signatures. Based on this analysis, a connection to a specific resource can be throttled or dropped, while the rest of the traffic to the same server keeps working.
It is DPI that makes blocking "granular": in theory one domain on a shared IP can be restricted without affecting neighboring sites. In practice, accuracy depends on rule configuration and equipment version, so side effects still occur.
IP blocking, DNS blocking and DPI: what's the difference
There are three main technical ways to restrict access. They differ in the level of impact, the reach across "neighbors," and how the owner can detect the problem.
| Method | How it works | Who is affected | How to detect |
|---|---|---|---|
| By IP address | All traffic to the server's network address is dropped regardless of domain | Every site on that IP, including unrelated ones on shared hosting | Site unreachable from all of the ISP's devices; Ping/traceroute do not complete; register cross-check helps |
| By domain (DNS) | The ISP substitutes or withholds the DNS answer for the prohibited domain | Only the specific domain; other sites on the same IP keep working | Domain fails to resolve or leads to a stub page; changing the DNS resolver changes the picture |
| DPI | Equipment inspects SNI/Host and drops the connection to a specific resource | The target domain; IP neighbors are usually unaffected | DNS resolves, IP pings, but the connection breaks at the handshake stage; behavior depends on the operator |
Why IP "neighbors" suffer on shared hosting
On virtual (shared) hosting, dozens or hundreds of sites share a single IP address. If a register entry is made at the IP level rather than the domain level, the operator blocks the entire address during enforcement. As a result, law-abiding sites physically located on the same server lose availability along with the offender. This is the classic side effect of "blunt" IP blocking.
An owner facing this situation should: check whether their own domain is in the register; ask the host whether the shared IP is blocked because of a neighboring resource; and, if needed, consider a dedicated IP address. Read more about causes of lost access in the article on website availability in Russia.
How an owner can check their own site
Diagnostics should start with the official source and be confirmed by technical checks. This approach separates a genuine block from an ordinary network error, a DNS failure or a hosting-side problem.
- Cross-check the official register at blocklist.rkn.gov.ru — it is the primary legal source.
- Check domain and IP availability with the enterno.io tool: the free RKN block checker shows status across several sources and the type of restriction.
- If there is an entry — remove the grounds (delete content, bring data processing into compliance) and file a request for exclusion.
- If there is no entry but the site is unreachable — look for the cause in DNS, the certificate or server configuration.
A step-by-step walkthrough is in the article how to check RKN blocking, and typical network errors are covered in the piece on the "this site can't be reached" error.
Frequently Asked Questions
How quickly is a site added to the register after a court ruling?
Once the ruling takes effect and reaches Roskomnadzor, the entry usually appears in the register within a few business days. Exact timing depends on the category and grounds. Telecom operators apply the restriction after the next export, which they download from EAIS regularly, so the actual outage comes slightly after the listing.
Can I find out exactly why a site was blocked?
The official blocklist.rkn.gov.ru service shows the fact that an address is in the register and the body that initiated the restriction. The detailed grounds — the number of a court ruling or agency act — can be requested by the owner through the appeal form on the EAIS portal by stating the domain and confirming rights to the resource.
How does IP blocking differ from domain blocking?
With IP blocking the entire network address is restricted, so all sites on that IP suffer, including unrelated ones on shared hosting. With domain (DNS) blocking only the specific name is restricted, and other resources on the same server keep working. The IP method is blunter; the domain method is more granular.
How do I get a site removed from the register?
First you must remove the grounds: delete the unlawful content or bring personal-data processing into compliance. Then file a request for exclusion through the eais.rkn.gov.ru portal. Roskomnadzor verifies that the violation has been resolved and, upon confirmation, removes the entry, after which operators lift the restriction.
Why is my site unreachable even though it is not in the register?
Unavailability is not always caused by blocking. Common reasons are a DNS failure, an expired or invalid SSL certificate, a server configuration error, a hosting-provider issue, or a shared IP blocked because of a neighboring resource. Start by checking the register, then rule out technical causes one by one with diagnostic tools.
Is it legal to check the blocking status of my own site?
Yes. Checking a resource's status in the official register and running technical availability diagnostics are lawful actions by the owner under 149-FZ. This is about monitoring your own site and understanding its condition, not about circumventing restrictions. Diagnostic services help you detect and fix the cause in time.