Does anyone know how this works in Iran? All the way from the decision-making to the question of: who do you call? What commands do they execute? I would naively start with physical ingress points and add routing rules that stop traffic to service IP blocks (obtained by examining DNS records). Depending on how DNS is deployed (like, is there a national law to only use government-run name servers?) you could freeze DNS records from updating.
That would be MY back-of-the-envelope approach to doing internet censorship in a totalitarian dictatorship. But I'm not convinced it's the best way.
I imagine SNI too - which is in cleartext. There is encrypted SNI but I don't know how far along that is in terms of deployment.
But really for a company like FB you could just blackhole their entire IP range(s) and/or AS (AS32934?) which would take everything offline very quickly.
Cloudflare supports ESNI. AFAIK none of the mainstream browsers support ESNI by default. I believe the latest build of Firefox [1] may have an option in about:config to enable it. One could check if a website supports ESNI with [2] ESNICheck. Support for ESNI is still subject to change. [3]