What technical methods do ISPs use to detect visits to illegal porn sites (DNS logs, IPs, deep packet inspection)?

1. DNS and domain-level signals: the simplest, most widespread tool

ISPs routinely see DNS requests (which translate URLs to IP addresses) and can block or redirect domains at that layer; several consumer guides note DNS-level blocking as a straightforward approach ISPs use to prevent access to banned or age-restricted sites ^{[2] [5]}. Because DNS lookups are often handled by an ISP’s resolvers, those requests are visible to the provider and can be used to build blocking lists or to log which domains a household queried ^[5].

2. IP and routing blocks: stop the packets, not the names

When a domain or site is targeted, ISPs may block traffic to the site’s IP addresses or use routing rules to blackhole connections; this is a step beyond DNS blocking and is referenced in how ISPs implement blocks in jurisdictions that order site-level restrictions ^{[2] [6]}. Blocking by IP is blunt: multiple domains can share an IP (increasing collateral blocking), and sites can change hosting or CDN providers to evade such measures ^{[2] [6]}.

3. HTTPS hides payloads but not endpoints — a critical limitation for ISPs

Encryption via HTTPS wraps page loads in a “very, very super-strong sheath,” meaning ISPs cannot see the precise pages or videos a user views, only the domain name and metadata such as SNI (server name) and IP address ^{[1] [7]}. Multiple explainers emphasize that while ISPs can tell you visited a given domain, they cannot see which video or exact resource you fetched when HTTPS is used ^{[1] [7]}.

4. Deep packet inspection (DPI): possible but constrained by encryption and policy

DPI can inspect packet contents and classify traffic flows, and historically it’s been deployed for censorship and traffic management; however, with pervasive HTTPS and other transport-layer protections, DPI cannot read encrypted payloads without active interception (not fully described in current sources). Available sources do not mention detailed modern DPI deployment for porn detection, but they note ISPs’ broader capacity to “monitor and sell” browsing histories in policy debates ^[1]. Where governments demand content control, DPI has been used elsewhere as part of broader censorship toolkits ^[4].

5. Lists, reporting regimes, and legal orders: operationalizing detection and blocking

For clearly illegal material — for example child sexual abuse imagery — specialized organizations and legal frameworks feed ISPs curated lists and reporting requirements: the Internet Watch Foundation (IWF) circulates blocklists to UK ISPs and US law requires providers to report suspected child sexual exploitation to authorities ^{[3] [8]}. Web‑blocking programs in the UK show that enforcement often relies on external lists and orders rather than ISPs independently deciding content is illegal ^{[4] [3]}.

6. Evasion and privacy tools change the calculus

VPNs and Tor encrypt traffic and route DNS outside the ISP’s ordinary resolvers, hiding visited domains and IP endpoints from the local ISP; guides repeatedly recommend VPNs to bypass age verification or ISP blocks ^{[9] [10] [11]}. Consumer-facing reporting stresses that these tools make ISP-level detection and blocking far less effective unless the ISP blocks VPN/Tor traffic wholesale — which some can attempt but which also disrupts many legitimate services ^{[12] [11]}.

7. Transparency, collateral effects, and political context

Blocking programs have produced collateral censorship and limited public scrutiny: analysis of UK practice shows opaque lists and concerns that blocking infrastructure could be expanded beyond illegal content ^[4]. Historic reporting also notes ISPs’ reluctance to promise perfect effectiveness — governments and ISPs warn that “blocking at source” is difficult and can be overbroad ^{[3] [4]}.

8. What the available sources do not say or settle

Available sources do not provide a comprehensive technical audit of modern DPI usage specifically for porn detection, nor do they detail how often ISPs log and retain DNS or IP-level records for prosecution or civil uses; they also do not quantify how many ISPs globally use each method. For those specifics, targeted technical reports or ISP transparency disclosures would be required (not found in current reporting).

Bottom line: ISPs primarily rely on DNS and IP/domain-level blocking and curated blocklists for illegal sites, while HTTPS and privacy tools limit their ability to see exact content; DPI is a possible capability but is constrained by encryption and varies by legal and technical context ^{[1] [2] [3] [4]}.