What Is RKN Block Checker?
RKN Block Checker is a Python CLI tool built by MayersScott that checks whether your current network is being filtered by RKN/TSPU-style controls, and it is one of the best Network Diagnostics CLI Tools for sysadmins and developers on censored networks. It probes roughly 21 control sites and 15 restricted targets, then labels failures as DNS poisoning, TCP reset, TLS DPI on SNI, or an ISP stub page instead of giving a generic unreachable error.
The value is not simple reachability. RKN Block Checker tells you which layer broke, which is the difference between a local outage, an ISP block, and a site-side failure.
Quick Overview
| Attribute | Details |
|---|---|
| Type | Network Diagnostics CLI Tools |
| Best For | sysadmins and developers on censored networks |
| Language/Stack | Python 3.10+, DNS/TCP/TLS/HTTP probes, Cloudflare DoH, JSON output |
| License | MIT |
| GitHub Stars | N/A |
| Pricing | Open-Source |
| Last Release | N/A |
Who Should Use RKN Block Checker?
- Operators in censored regions who need to know whether a failure is DNS poisoning, SNI-based TLS filtering, or a stub page served by the ISP.
- Incident responders who want a fast triage signal before opening tickets, filing abuse reports, or switching traffic paths.
- Privacy-conscious engineers who need a terminal-first diagnostic that can run from cron and emit JSON for later analysis.
- Indie hackers and SREs validating whether their app is reachable from hostile or policy-restricted networks.
Not ideal for:
- Teams that need packet captures or deep forensics; RKN Block Checker is a classifier, not a full traffic recorder.
- People looking for active circumvention; it diagnoses the block type, but it does not bypass the block for you.
- Pure latency benchmarking; if you only want RTT graphs, a network path tool is a better fit.
Key Features of RKN Block Checker
- Layer-by-layer probing — RKN Block Checker walks DNS, TCP, TLS, and HTTP in order, then stops at the first failing layer. That gives you a concrete verdict instead of a vague timeout.
- Control group vs target group logic — The built-in whitelist and blacklist let the tool compare known-good sites against known-restricted sites. That design makes the summary meaningful because it has a baseline, not just a pile of dead URLs.
- Confidence-aware verdicts — Labels such as `✗`, `~ LIKELY`, and `?` encode certainty. A confirmed DNS mismatch is treated differently from a TLS pattern that could still be caused by a server-side issue.
- Machine-readable JSON — `--json` turns the report into structured output that works with `jq`, cron, and CI logs. That matters when you want to track censorship trends over time instead of eyeballing terminal colors.
- Custom target lists — `--white-file` and `--black-file` let you swap in your own `.txt` or `.json` lists. That is useful when your threat model is country-specific or when your organization maintains a private set of targets.
- Parallelized probing — `--workers` controls the thread pool and `--timeout` sets per-probe limits. The defaults are tuned for fast triage, not exhaustive forensics.
- Privacy controls — `--no-self-info` skips the public-IP lookup, and `--identify` switches to a self-identifying User-Agent. Those flags let you choose between anonymity, debuggability, and repeatability.
RKN Block Checker vs Alternatives
| Tool | Best For | Key Differentiator | Pricing |
|---|---|---|---|
| RKN Block Checker | Diagnosing censorship patterns on a live connection | Classifies failures by layer and confidence, not just reachability | Open-Source |
| curl | One-off HTTP checks and scripted requests | Flexible request control, but no DNS/TCP/TLS classification model | Free |
| dig | DNS record lookup and resolver debugging | Excellent for DNS visibility, but it stops before TCP, TLS, and HTTP | Free |
| OpenTrace | Network path observability and trace-style diagnostics | Better for route and hop analysis than censorship fingerprinting | Open-Source |
Pick curl when you only care whether a URL returns bytes and status codes. Pick dig when the problem looks like resolver behavior and you want to inspect DNS directly.
Pick OpenTrace when you need path-level visibility or latency analysis across hops. Pick RKN Block Checker when the question is specifically which layer is being interfered with, and whether the pattern can be tied to RKN-style blocking.
How RKN Block Checker Works
RKN Block Checker is built around a simple state machine: resolve names, open TCP sockets, start TLS, then fetch HTTP. Each step emits a signal, and the tool maps that signal to a verdict by comparing the observed behavior against known censorship fingerprints.
For DNS, it compares system resolution against Cloudflare DoH and checks whether the address sets disagree in a way that points to poisoning. For TLS, it looks for failures immediately after the ClientHello, which is the classic shape of SNI-based DPI on modern TSPU deployments.
```
rkn-check --url https://example.com --timeout 5 --workers 10
```
That command probes a single target with the default timing and concurrency settings. If the DNS step succeeds but TLS dies right after the handshake starts, you will usually get a ~ LIKELY TLS DPI style verdict rather than a generic failure.
The design is intentionally conservative. The summary only claims high confidence when the evidence is strong, and it falls back to medium confidence or inconclusive when the same symptom could still come from a server outage, bad certificate chain, or transient network fault.
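The layered, first-failure classification described above can be sketched as follows. This is an added example, not rkn-check's own code: the `Probe` model, the `classify` and `summarize` functions, the verdict and confidence strings, the non-global-address heuristic, and the majority threshold for the control group are all assumptions, and the sample observations are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Probe:
    """Layered observations for one host (hypothetical model, not the tool's schema)."""
    host: str
    system_ips: frozenset = frozenset()   # answers from the system resolver
    doh_ips: frozenset = frozenset()      # answers from a DoH resolver
    tcp: str = "ok"                       # ok | reset | timeout
    tls: str = "ok"                       # ok | reset_after_hello | cert_error
    stub_page: bool = False               # HTTP body matched an ISP stub page

def classify(p: Probe) -> tuple[str, str]:
    """Return (verdict, confidence) for the first failing layer: DNS, TCP, TLS, HTTP."""
    if not p.system_ips:
        return "DNS_FAILURE", "inconclusive"
    if p.doh_ips and p.system_ips.isdisjoint(p.doh_ips):
        # Disjoint sets alone can be CDN geo-balancing; a non-routable answer cannot.
        bogus = any(not ipaddress.ip_address(a).is_global for a in p.system_ips)
        return "DNS_POISONING", "high" if bogus else "likely"
    if p.tcp != "ok":
        return ("TCP_RESET", "likely") if p.tcp == "reset" else ("TCP_TIMEOUT", "inconclusive")
    if p.tls == "reset_after_hello":
        return "TLS_DPI_SNI", "likely"    # a crashing server looks the same, so not "high"
    if p.tls != "ok":
        return "TLS_ERROR", "inconclusive"
    if p.stub_page:
        return "ISP_STUB", "high"
    return "OK", "high"

def summarize(control: list[Probe], targets: list[Probe]) -> str:
    """Check the control group first, so a local outage is not reported as filtering."""
    bad_control = sum(classify(p)[0] != "OK" for p in control)
    if control and bad_control * 2 > len(control):
        return "LOCAL_OUTAGE"             # known-good sites are failing too
    verdicts = {p.host: classify(p) for p in targets}
    blocked = [h for h, (v, c) in verdicts.items() if v != "OK" and c != "inconclusive"]
    return "FILTERED:" + ",".join(blocked) if blocked else "NO_BLOCKING_SEEN"

# Constructed sample observations; hosts and addresses are illustrative only.
GOOD = frozenset({"93.184.216.34"})
CONTROL = [Probe("control.example", GOOD, GOOD)]
TARGETS = [Probe("a.example", frozenset({"10.0.0.1"}), GOOD),
           Probe("b.example", GOOD, GOOD, tls="reset_after_hello"),
           Probe("c.example", GOOD, GOOD, tls="cert_error")]

if __name__ == "__main__":
    for probe in TARGETS:
        print(probe.host, *classify(probe))
    print(summarize(CONTROL, TARGETS))
```

The certificate error on `c.example` stays out of the blocked list because it could equally be a server-side fault, which is the conservative behaviour the paragraph above describes.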
The JSON mode is the other major architectural choice. It turns the CLI from a one-off diagnostic into a repeatable measurement source, which makes it easy to diff yesterday's rkn-check --json output against today's run in a shell script or CI job.
Pros and Cons of RKN Block Checker
Pros:
- Layer-aware diagnostics give you DNS, TCP, TLS, and HTTP separation in one run.
- Control and blacklist comparison makes the summary far more useful than a single URL test.
- Confidence labels reduce false certainty and make ambiguous results explicit.
- JSON output is easy to pipe into `jq`, store in cron snapshots, or archive in logs.
- Custom lists let you adapt the tool to a country, ISP, or internal test matrix.
- Minimal setup means `pip install` and one command is enough for a first pass.
Cons:
- It is diagnostic only; RKN Block Checker does not tunnel around censorship or fix connectivity.
- It depends on heuristics; server-side failures can look similar to blocking in edge cases.
- Its best results need both groups; `--url` mode is useful, but it cannot produce the same comparative verdict as whitelist plus blacklist runs.
- Coverage is regional; the labels are tuned for RKN/TSPU-style behavior, so other censorship systems may not map cleanly.
- It still needs network access to the test endpoints, which means offline analysis is out of scope.
Getting Started with RKN Block Checker
Install the package from PyPI, then run the default scan against the built-in target lists.
```
pip install rkn-block-checker
rkn-check
```
The first command installs the CLI, and the second command probes the bundled whitelist and blacklist sets. If you plan to automate it, add --json for machine output and --no-self-info to avoid the public-IP lookup on every run.
A common next step is to store snapshots over time or narrow the probe set with your own files. For example, you can point the tool at a custom control list and a custom target list when you want a repeatable test matrix for a specific ISP or region.
Verdict
RKN Block Checker is the strongest option for diagnosing censorship-style failures when you need to separate DNS poisoning from TLS DPI without building a lab. Its layered probes and confidence-aware output are the real strengths, but the heuristics can still be confused by upstream outages. Use it when you need evidence, not guesses.



